Ruby Gem Fastreader 1.0.8 Command Execution

2013-03-13T00:00:00
ID PACKETSTORM:120776
Type packetstorm
Reporter Larry W. Cashdollar
Modified 2013-03-13T00:00:00

Description

                                        
                                            `Ruby gem fastreader-1.0.8 remote code exec  
3/6/2013  
  
  
https://rubygems.org/gems/fastreader  
  
If the URL contains any ; characters, whatever follows each ; is executed as the user running fastreader when the web browser is launched.  
  
For example, if fastreader is fed http://www.g;id;.com, the id command will be executed.  
  
./fastreader-1.0.8/lib/entry_controller.rb, lines 115-117  
  
.strip only removes whitespace before and after the URL; shell metacharacters such as ; pass straight through into the backtick call.  
  
# open web browser  
command = (ENV['FASTREADER_WEB'] || "open") + " #{@current_entry.url.strip}"  
`#{command}`  
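
As an added illustration, not code from the advisory or from the fastreader gem, the Ruby below places the vulnerable string-building pattern next to a launcher that validates the URL and passes argv straight to system with no shell in between. The function names (vulnerable_command, shell_commands, browser_argv, safe_url?, open_in_browser, shell_safe_command), the hostname regex and the sample URLs are my own constructions; only the FASTREADER_WEB default comes from the advisory.

```ruby
require 'uri'
require 'shellwords'

# Constructed sample inputs shaped like the URL in the advisory: the ';'
# characters split one shell command line into three.
MALICIOUS_URL = "http://www.g;id;.com".freeze
BENIGN_URL    = "  https://example.com/feed  \n".freeze

# Mirrors how fastreader 1.0.8 assembles its browser command, but only
# returns the string; it never hands it to a shell.
def vulnerable_command(url, browser = ENV['FASTREADER_WEB'] || "open")
  browser + " #{url.strip}"
end

# Rough model of what a POSIX shell does with ';': each piece becomes its
# own command. Enough to show why "id" ends up running on its own.
def shell_commands(command)
  command.split(';').map(&:strip)
end

class UnsafeUrlError < ArgumentError; end

ALLOWED_SCHEMES = %w[http https].freeze
# Hostname allowlist: letters, digits, '.', '-'. URI.parse alone does NOT
# reject "www.g;id;.com" (';' is a legal sub-delim inside a reg-name), so an
# explicit character check is required.
HOSTNAME_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/

# Returns an argv array for the browser, or raises UnsafeUrlError.
def browser_argv(url, browser = ENV['FASTREADER_WEB'] || "open")
  uri = URI.parse(url.strip)
  unless ALLOWED_SCHEMES.include?(uri.scheme)
    raise UnsafeUrlError, "scheme not allowed: #{uri.scheme.inspect}"
  end
  unless uri.host && uri.host.match?(HOSTNAME_RE)
    raise UnsafeUrlError, "bad host: #{uri.host.inspect}"
  end
  [browser, uri.to_s]
rescue URI::InvalidURIError => e
  raise UnsafeUrlError, "unparseable URL: #{e.message}"
end

def safe_url?(url)
  browser_argv(url, "open")
  true
rescue UnsafeUrlError
  false
end

# Hardened launcher: the array form of Kernel#system passes argv directly to
# exec(2) with no shell involved, so ';' is just a byte inside the argument.
def open_in_browser(url)
  system(*browser_argv(url))
end

# If a single shell command string is genuinely unavoidable, escape every
# word with Shellwords instead of interpolating raw input.
def shell_safe_command(url, browser = ENV['FASTREADER_WEB'] || "open")
  [browser, url.strip].shelljoin
end
```

Run open_in_browser(BENIGN_URL) to launch the browser through the validated argv path; open_in_browser(MALICIOUS_URL) raises before anything is executed. The argv form is the real fix; the scheme and hostname allowlist is defence in depth against feed entries pointing at file: or other non-web URLs.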
  
Larry W. Cashdollar  
@_larry0  
http://vapid.dhs.org  