Advisory #: 71
Title: Vulnerability Report for Ruby Gem lingq-0.3.1
Author: Larry W. Cashdollar, @_larry0
Date: 2014-06-01
CVE-ID:[CVE-none]
CWE:
Download Site: http://rubygems.org/gems/lingq
Vendor: ethan.vizitei[at]gmail.com
Vendor Notified: 2014-06-25
Vendor Contact: ethan.vizitei[at]gmail.com
Advisory: http://www.vapid.dhs.org/advisories/lingq-0.3.1.html
Description: Gem for interacting with the API of lingq.com. It's a language learning website, and it's pretty useful, but I want to be able to work on my flashcards offline. This gem is being written to be included in a desktop client (and maybe eventually a mobile client), but will certainly still be useful as a standalone api wrapper for other projects that want to interact with Lingq.com
Vulnerability:
From: ./lingq-0.3.1/lib/lingq/client.rb Line 46 exposes the lingq.com API key to the command line via #{@apikey} variable. If this Gem is used in the context of a rails application a remote user may be able to inject commands into the shell via special meta characters like ; and & as the variables are not sanitized. 08- attr_reader :target_language 9- attr_reader :languages 10- 11: def initialize(api_key) 12: @apikey = api_key 13- load_languages! 14- end 15- -- 43- put_with_language("lingqs/",word.params) 44- 46: system_call("curl -X PUT -d id={word.id};status={word.status};hint={word.hint};fragment=#{word.fragment} http://www.lingq.com/api_v2/#{@target_language}/lingqs/?apikey=#{@apikey}") 47- end
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes:
108585