Ruby Gem Creme Fraiche 0.6 Command Injection

Type packetstorm
Reporter Larry W. Cashdollar
Modified 2013-05-14T00:00:00


                                            `TITLE: Remote command Injection in Creme Fraiche 0.6 Ruby Gem  
DATE: 5/14/2013  
AUTHOR: Larry W. Cashdollar (@_larry0)  
DESCRIPTION: Converts Email to PDF files.  
VENDOR: Notifed on 5/13/2013, provided fix 5/14/2013  
FIX: Version in 0.6.1  
CVE: 2013-2090  
DETAILS: The following lines pass unsanitized user input directly to the command line.  
A malicious email attachment with a file name consisting of shell meta characters could inject commands into the shell.  
If the attacker is allowed to specify a filename (via a web gui) commands could be injected that way as well.  
218 cmd = "pdftk %s updateinfo %s output %s" %[pdf, infofile, tfile] 219 @log.debug('pdftk-command is ' << cmd) 220 pdftkresult = system( cmd)  
GREETINGS: @vladz,@quine,@BrandonTansey,@sushidude,@jkouns,@sub_space and @attritionorg