Ruby gem fastreader-1.0.8 remote code exec

If the URL contains any ; characters, code will be executed as the user.

For example, if fastreader is fed http://www.g;id;.com, id will be executed.

./fastreader-1.0.8/lib/entry_controller.rb 

.strip only removes whitespace before and after the URL.

Lines 115-117:

      # open web browser
      command = (ENV['FASTREADER_WEB'] || "open") + " #{@current_entry.url.strip}"
      `#{command}`
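
Added example (not part of the advisory or of fastreader's code): the interpolated backtick pattern above beside an argv-based call that never hands the URL to a shell. `echo` stands in for the browser opener, and the method names and the SAMPLE_URL constant are hypothetical.

```ruby
require 'open3'
require 'shellwords'

# The advisory's example URL, reused here as sample input.
SAMPLE_URL = 'http://www.g;id;.com'

# Pattern from entry_controller.rb: one interpolated string goes to /bin/sh,
# so the shell, not the opener, decides where the command ends.
def open_url_shell(url, opener)
  command = opener + " #{url.strip}"
  `#{command}`
end

# Hardened form: opener and URL are passed as separate argv entries, so no
# shell parses the URL. The scheme check also rejects values starting with
# "-", which the opener could otherwise read as an option.
def open_url_argv(url, opener)
  url = url.strip
  unless url.match?(%r{\Ahttps?://\S+\z}i)
    raise ArgumentError, 'not an http(s) URL'
  end
  argv = Shellwords.split(opener) + [url] # opener may carry its own flags
  out, _status = Open3.capture2(*argv)
  out
end

if __FILE__ == $PROGRAM_NAME
  puts "shell string: #{open_url_shell(SAMPLE_URL, 'echo').inspect}"
  puts "argv array:   #{open_url_argv(SAMPLE_URL, 'echo').inspect}"
end
```

With the argv form the opener receives the whole URL, semicolons included, as a single argument.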



Larry W. Cashdollar
@_larry0
http://vapid.dhs.org