Title: Command Injection in Ruby Gem Sounder 1.0.1 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2013-08-10 |
CVE-ID: CVE-2013-5647 |
CWE: CWE-94 Code Injection |
Download Site: https://rubygems.org/gems/sounder |
Vendor: Adam Zaninovich |
Vendor Notified: 2013-08-10 |
Vendor Contact: adam.zaninovich@gmail.com |
Advisory: http://www.vapid.dhs.org/advisories/sounder-ruby-gem-cmd-inj.html |
Description: Sounder is a Ruby gem that provides an API for Mac OS X's afplay command. |
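Vulnerability: From lib/sounder/sound.rb:
    def play
      system %{/usr/bin/afplay "#{@file}" &}
    end
The file name is interpolated into a single command string that system runs through the shell, so shell metacharacters in @file are interpreted by the shell instead of being treated as part of the name. |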
Notes: 96278 |
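Mitigation example (added here; not code from the gem or from the advisory): a counterpart to the play method above that starts the player without a shell. The class name SafeSound and the player: parameter are hypothetical; the afplay path is the one in the snippet above.

```ruby
# Added example, not the gem's code: a no-shell counterpart to Sound#play.
class SafeSound
  PLAYER = "/usr/bin/afplay" # binary path from the advisory's snippet

  # player: is a hypothetical parameter so the class can be exercised
  # on hosts that do not have afplay.
  def initialize(file, player: PLAYER)
    @file = file.to_s
    @player = player
  end

  # Argument vector handed to the OS. The file name is always exactly one
  # element; making it absolute also keeps a leading "-" from being read
  # as an option by the player.
  def argv
    [@player, File.absolute_path(@file)]
  end

  # Starts the player in the background (the original used a trailing "&").
  # Returns the waiter thread from Process.detach; its value is the exit status.
  def play
    path = argv.last
    raise ArgumentError, "not a regular file: #{path.inspect}" unless File.file?(path)
    # Multi-argument spawn executes the binary directly: no /bin/sh, so
    # quotes, semicolons, backticks and $ in the name are never interpreted.
    pid = Process.spawn(*argv)
    Process.detach(pid)
  end
end
```
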