Title: Vulnerability Report for Ruby Gem kcapifony-2.1.6 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2014-06-01 |
CVE-ID:[CVE-2014-5001] |
CWE: |
Download Site: http://rubygems.org/gems/kcapifony |
Vendor: roderik.van.der.veer[at]kunstmaan.be |
Vendor Notified: 2014-06-25 |
Vendor Contact: roderik.van.der.veer@kunstmaan.be |
Advisory: http://www.vapid.dhs.org/advisories/kcapifony-2.1.6.html |
Description: kCapistrano is an open source tool for running scripts on multiple servers. It’s primary use is for easily deploying applications. While it was built specifically for deploying Rails apps, it’s pretty simple to customize it to deploy other types of applications. This package is a deployment “recipe” to work with symfony (both 1 and 2) applications. This is a fork to make working with our deployment system more easy. |
Vulnerability: ./kcapifony-2.1.6/lib/ksymfony1.rb
Lines 482, 484, 522 and 524 expose the password to the process table via the #{config['pass']} variable. If this Gem is used in the context of a rails application it maybe possible to inject commands remotely by supplying special shell meta characters like ; and & via #{config['user']} and #{config['pass']}.
0479- FileUtils::mkdir_p("backups")
480- case config[type]
481- when mysql
482: `mysqldump -u{config[user]} --password=\"{config[pass]}\" #{config[db]} > #{tmpfile}`
483- when pgsql
484: `pg_dump -U {config[user]} --password=\"{config[pass]}\" #{config[db]} > #{tmpfile}`
485- end
486- File.open(tmpfile, "r+") do |f|
--
519-
520- case config[type]
521- when mysql
522: `mysql -u{config[user]} --password=\"{config[pass]}\" {config[db]} < backups/{sqlfile}`
523- when pgsql
524: `psql -U {config[user]} --password=\"{config[pass]}\" {config[db]} < backups/{sqlfile}`
525- end
526- FileUtils.rm("backups/#{sqlfile}")
527- end
|
Export: JSON TEXT XML |
Exploit Code: |
Screen Shots: |
Notes: 108572 108571 |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory