| Title: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2013-12-26 |
| CVE-ID:[CVE-2014-1233] |
| CWE: CWE-200 Information Leak / Disclosure |
| Download Site: http://rubygems.org/gems/paratrooper-pingdom |
| Vendor: Tobias L. Maier |
| Vendor Notified: 2013-12-26 |
| Vendor Contact: tobias.maier@baucloud.com |
| Advisory: http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html |
| Description: Send deploy notifications to Pingdom service when deploying with Paratrooper. |
| Vulnerability: From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb
24 def setup(options = {})
25 %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=tru e" -H "App-Key: {app_key}" -u "{username}:#{password}"]
26 end
27
28 def teardown(options = {})
29 %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=fal se" -H "App-Key: {app_key}" -u "{username}:#{password}"]
30 end
A malicious user could monitor the process tree to steal the API key, username and password for the API login. |
| Export: JSON TEXT XML |
| Exploit Code: |
| Screen Shots: |
Notes: 101847 |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory