Message-id: <C8480EAF-453C-4417-8099-D73E11016A46@me.com>
Date: Tue, 07 Jan 2014 19:57:03 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials

Title: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials
Author: Larry W. Cashdollar, @_larry0
Date: 12/26/2013
CVE: Please assign.
Download: http://rubygems.org/gems/paratrooper-pingdom

Description: "Send deploy notifications to Pingdom service when deploying with Paratrooper"

Vulnerable Code:

From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb

    def setup(options = {})
      %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=true" -H "App-Key: #{app_key}" -u "#{username}:#{password}"]
    end

    def teardown(options = {})
      %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=false" -H "App-Key: #{app_key}" -u "#{username}:#{password}"]
    end

A malicious user could monitor the process tree to steal the API key, username and password for the API login.

http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html
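The following Ruby is an added example and is not code from the advisory or from the paratrooper-pingdom gem. It shows the class of bug the post describes (secrets interpolated into a curl command line, where any local user can read them from `ps` or /proc/<pid>/cmdline) next to two ways of fixing it: keeping curl but feeding the header and credentials through a config file on stdin (curl's documented `--config -` behaviour), and dropping the subprocess entirely in favour of Net::HTTP. The function names, the `leaked_secrets` check and the sample credentials (`APPKEY123`, `ops@example.com`, `hunter2`) are constructed for illustration; the Pingdom URL is the one quoted in the advisory.

```ruby
require "open3"
require "shellwords"
require "net/http"
require "uri"

# URL from the advisory; the credentials used below are constructed samples.
PINGDOM_CHECKS = "https://api.pingdom.com/api/2.0/checks"

# The pattern the advisory describes: every secret is interpolated into the
# command line, so it is visible to any local user via `ps -ef` or
# /proc/<pid>/cmdline for as long as curl runs. (Hypothetical reconstruction,
# not the gem's code.)
def vulnerable_command(app_key, username, password, paused)
  %(curl #{PINGDOM_CHECKS} -X PUT -d "paused=#{paused}" -H "App-Key: #{app_key}" -u "#{username}:#{password}")
end

# Models what a local attacker sees: the argv of the running process, which on
# Linux is the NUL-separated content of /proc/<pid>/cmdline. Returns the
# secrets that would be exposed.
def leaked_secrets(argv, secrets)
  cmdline = argv.join("\0")
  secrets.select { |s| cmdline.include?(s) }
end

# Quote a value for a curl config file: curl accepts "..." with backslash
# escapes for the double quote and the backslash themselves.
def curl_quote(value)
  '"' + value.to_s.gsub(/[\\"]/) { |c| "\\#{c}" } + '"'
end

# Closest drop-in fix that keeps curl: put the header and credentials in a
# config file that curl reads from stdin (`--config -`), so argv carries only
# flags and the URL. Returns [argv, config_text]. argv is an array, so no shell
# is involved either (the original %x[] also handed the values to a shell).
def hardened_curl(app_key, username, password, paused)
  argv = ["curl", "--silent", "--show-error", "--fail", "--config", "-", PINGDOM_CHECKS]
  config = [
    "request = PUT",
    "data = #{curl_quote("paused=#{paused}")}",
    "header = #{curl_quote("App-Key: #{app_key}")}",
    "user = #{curl_quote("#{username}:#{password}")}",
  ].join("\n") + "\n"
  [argv, config]
end

# Runs the hardened command, feeding the config on stdin. Needs curl and
# network access, so it is not exercised offline.
def run_hardened_curl(app_key, username, password, paused)
  argv, config = hardened_curl(app_key, username, password, paused)
  out, err, status = Open3.capture3(*argv, stdin_data: config)
  raise "curl failed: #{err}" unless status.success?
  out
end

# The idiomatic Ruby fix: no subprocess at all. Net::HTTP builds the
# Authorization header inside the process; nothing ever reaches argv.
def pingdom_pause_request(app_key, username, password, paused)
  uri = URI(PINGDOM_CHECKS)
  req = Net::HTTP::Put.new(uri)
  req.basic_auth(username, password)
  req["App-Key"] = app_key
  req.set_form_data("paused" => paused.to_s)
  req
end

# Sends a prepared request over TLS (network required; not run offline).
def send_request(req)
  uri = URI(PINGDOM_CHECKS)
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
end

if $PROGRAM_NAME == __FILE__
  secrets = %w[APPKEY123 hunter2]
  bad = vulnerable_command("APPKEY123", "ops@example.com", "hunter2", true)
  puts "vulnerable argv leaks: #{leaked_secrets(Shellwords.split(bad), secrets).inspect}"
  argv, _config = hardened_curl("APPKEY123", "ops@example.com", "hunter2", true)
  puts "hardened argv leaks:   #{leaked_secrets(argv, secrets).inspect}"
end
```

Two caveats worth keeping in mind. Moving the credentials off the command line stops exposure to every other user on the host, but anyone who can ptrace the process or read its memory (the same user, or root) can still recover them; the fix narrows the audience, it does not make the secret safe on a shared box. And the config-on-stdin variant only holds if nothing logs the stdin it is fed, so keep the config text out of debug output and deploy logs.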