Message-id: <bbd87774-5049-49a4-a9ce-b59d329bb1a6@me.com>
Date: Thu, 10 Jul 2014 18:50:09 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Vulnerabilities in Ruby Gem brbackup-0.1.1

Title: Vulnerabilities in Ruby Gem brbackup-0.1.1
Date: 7/1/2014
Advisory Author: Larry W. Cashdollar, @_larry0
Gem Author: Tung Nguyen tongueroo[at]gmail.com
OSVDB: 108899,108900,108901
CVEID: N/A

Download: http://rubygems.org/gems/brbackup
Vulnerability: The following code exposes the database password on the command line. If this gem is used in the context of a Rails application, command injection can be achieved by placing shell metacharacters like ; in the user-supplied input for the variable dbuser. I suspect the other variables are injectable by playing with " and '.
Also line 313 is vulnerable to SQL injection via the '#{name}' variable.
From: brbackup-0.1.1/lib/brbackup.rb

311-
312-    def db_has_myisam?(name)
313-      query = "SELECT 1 FROM information_schema.tables WHERE table_schema='#{name}' AND engine='MyISAM' LIMIT 1;"
314:      %x{mysql -u #{dbuser} #{password_option} -N -e"#{query}"}.strip == '1'
315-    end
316-
317-    def restore_database(name, io)
Where password_option will expose the password to the process table if the password is not nil or empty.
338-  def password_option
339-    dbpass.nil? || dbpass.empty? ? "" : "-p'#{dbpass}'"
Gem Author Contacted: 7/8/2014, WONTFIX.

Advisory: http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
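A hardened version of the two functions quoted above, as an added example (not the gem's own code): it passes the mysql arguments as an array so no shell parses dbuser, moves the password into the MYSQL_PWD environment variable so it is not visible in the process table, and rejects schema names that are not plain identifiers, since the mysql CLI offers no bind parameters. It assumes the real mysql client is installed when db_has_myisam? is actually run; the hostile inputs at the bottom are constructed.

```ruby
require "open3"

# Added hardening example (not brbackup's code). The advisory's call builds one
# shell string: %x{mysql -u #{dbuser} #{password_option} -N -e"#{query}"}.
# Three defects: the shell parses dbuser, the password lands in argv (visible
# in `ps`), and the schema name is spliced into the SQL unvalidated.

SAFE_IDENTIFIER = /\A[A-Za-z0-9_]+\z/

# Reject anything that is not a plain MySQL schema identifier. The mysql CLI
# has no bind parameters, so strict validation is the practical defence here.
def safe_schema_name(name)
  raise ArgumentError, "unsafe schema name: #{name.inspect}" unless SAFE_IDENTIFIER.match?(name)
  name
end

# Build env + argv for the MyISAM check. Returning the pieces rather than
# running them keeps this testable without a MySQL install.
def myisam_check_command(dbuser, dbpass, name)
  query = "SELECT 1 FROM information_schema.tables " \
          "WHERE table_schema='#{safe_schema_name(name)}' AND engine='MyISAM' LIMIT 1;"
  # Password goes in the environment, never on the command line, so it does
  # not show up in the process table. MYSQL_PWD is read by the mysql client.
  env  = dbpass.nil? || dbpass.empty? ? {} : { "MYSQL_PWD" => dbpass }
  # Array form: each element is exactly one argv entry and no shell is
  # involved, so metacharacters in dbuser or name are inert.
  argv = ["mysql", "-u", dbuser, "-N", "-e", query]
  [env, argv]
end

# Run the check without a shell; Open3 takes the env hash and argv directly.
def db_has_myisam?(dbuser, dbpass, name)
  env, argv = myisam_check_command(dbuser, dbpass, name)
  out, _status = Open3.capture2(env, *argv)
  out.strip == "1"
end

if $PROGRAM_NAME == __FILE__
  # Constructed hostile inputs of the kind the advisory describes.
  env, argv = myisam_check_command("root; id", "s3cret", "app_db")
  puts argv.inspect      # "root; id" stays one opaque argument
  puts env.keys.inspect  # password is in env, not argv
  begin
    myisam_check_command("root", "s3cret", "x' OR '1'='1")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```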
