| Title: Square Hoptoad Notifier v2.4.8 Ruby Gem API Key exposure |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2014-04-15 |
| CVE-ID:[CVE-none] |
| CWE: |
| Download Site: http://rubygems.org/gems/square-hoptoad_notifier |
| Vendor: thoughtbot, inc |
| Vendor Notified: 2014-04-15 |
| Vendor Contact: github@squareup.com |
| Advisory: http://www.vapid.dhs.org/advisories/hotpad-notifier-api.html |
| Description: Send your application errors to our hosted service and reclaim your inbox. |
| Vulnerability: Line 23 exposes thei Heroku API key to the process table via the heroku command being passed to the shell.
In square-hoptoad_notifier-2.4.8/lib/hoptoad_notifier/shared_tasks.rb: 22
23 command = %Q(heroku addons:add deployhooks:http url="http://hoptoadapp.com/deploys.txt?deploy[rails_env]={heroku_rails_env}&api_key={heroku_api_key}")
24
25 puts "\nRunning:\n{command}\n"
26 puts `{command}` |
| Export: JSON TEXT XML |
| Exploit Code: |
| Screen Shots: |
| Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory