Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-02-17 |
CVE-ID:[CVE-2015-2179] |
CWE: |
Download Site: https://rubygems.org/gems/xaviershay-dm-rails |
Vendor: Martin Gamsjaeger, Dan Kubb |
Vendor Notified: 2015-02-17 |
Vendor Contact: notreal@rhnh.net |
Advisory: http://www.vapid.dhs.org/advisory.php?v=115 |
Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically. |
Vulnerability: The problem is with the execute function exposing the user credentials to the process table.
Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb:
def execute(statement)
system(
'mysql',
(username.blank? ? '' : "--user=#{username}"),
(password.blank? ? '' : "--password=#{password}"),
'-e',
statement
)
end |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: 118579 |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory