Advisory #: 32
Title: codders-dataset Gem for Ruby Process Table Local Plaintext Credential Disclosure
Author: Larry W. Cashdollar, @_larry0
Date: 2014-06-01
CVE-ID:[CVE-2014-4991]
CWE:
Download Site: http://rubygems.org/gems/codders-dataset
Vendor: octomonkey.org.uk
Vendor Notified: 2014-06-25
Vendor Contact: codders[at]octomonkey.org.uk
Advisory: http://www.vapid.dhs.org/advisories/codders-dataset-1.3.2.1.html
Description: A simple API for creating and finding sets of data in your database, built on ActiveRecord.
Vulnerability:
From: ./codders-dataset-1.3.2.1/lib/dataset/database/postgresql.rb Lines 18 and 24 expose the password to the process table, and are vulnerable to command injection if used in the context of a rails application. The #{@username} and #{@password} variables aren't properly sanitized before being passed to the command line. 015- 16- def capture(datasets) 17- return if datasets.nil? || datasets.empty? 18: `pg_dump -c #{@database} > #{storage_path(datasets)}` 19- end 20- 21- def restore(datasets) 22- store = storage_path(datasets) 23- if File.file?(store) 24: `psql -U #{@username} -p #{@password} -e #{@database} < #{store}` 25- true 26- end 27- end
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes:
108582