Title: Remote command execution ldoce 0.0.2 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2013-03-28 |
CVE-ID:[CVE-2013-1911] |
CWE: CWE-20 Input Validation |
Download Site: https://github.com/markburns/ldoce |
Vendor: https://github.com/markburns |
Vendor Notified: 2013-03-28 |
Vendor Contact: https://github.com/markburns |
Advisory: http://www.vapid.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html |
Description: Easily interface with the Longman Dictionary of Contemporary English API from Ruby |
Vulnerability: Ldoce passes an mp3 url to commandline for audio output of the pronunciation of a dictonary word:
If the URL or filename for the mp3 files contain shell metacharacters
code can be executed remotely as the client:
[./ldoce-0.0.2/lib/ldoce/word.rb]
if mp3?
unless File.exists? filename
command = "curl #{mp3_url} -silent > {filename}"
`{command}`
end
`afplay #{filename}`
end |
Export: JSON TEXT XML |
Exploit Code: |
Screen Shots: |
Notes: 91870 |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory