Webbynode Ruby Gem Command Injection Vulnerability
Bugtraq ID: 64289 CVE ID: CVE-2013-7086 Ruby Gem Webbynode is a tool for deploying applications to the Webbynode platform. Ruby Gem Webbynode does not properly filter the message passed to the growlnotify command; if the message contains shell metacharacters, arbitrary commands can be executed in the context of the application. Affected: Ruby Gem Webbynode 1.0.5.3. The vendor currently provides no patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version: http://rubygems.org/gems/webbynode...
Ruby Gem Webbynode 1.0.5.3 Command Injection
Command injection in Ruby Gem Webbynode 1.0.5.3 Date: 11/11/2014 Author: Larry W. Cashdollar, @larry0 Download: http://rubygems.org/gems/webbynode Vulnerability Description: The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied input befor...
Ruby Gem Sprout 0.7.246 Command Injection
Title: Command injection vulnerability in Ruby Gem sprout 0.7.246 Download: http://rubygems.org/gems/sprout, http://projectsprouts.org/ Vulnerability: The unpack_zip function contains the following code: sprout-0.7.246/lib/sprout/archive_unpacker.rb 60 zipdir = File.expand_path(File.dirname(zipfile)) 61...
Ruby Gem Features 0.3.0 Injection
Title: Features 0.3.0 Ruby gem file injection vulnerability Date: 9/1/2013 Author: Larry W. Cashdollar @larry0 Download: http://rubygems.org/gems/features Description: "Plaintext User Stories Parser supporting native programming languages. Especially Objective-C" Same vulnerability as...
Fog Dragonfly 0.8.2 Command Injection Vulnerability
Ruby Gem Fog Dragonfly version 0.8.2 suffers from a remote command injection vulnerability. TITLE: Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem Credit: Larry W. Cashdollar, @larry0 Date: 8/16/2013 CVE: CVE-2013-5671 Download: https://rubygems.org/gems/fog-dragonfly Description: "Dragonfly...
Rgpg 0.2.2 Ruby Gem Remote Command Injection
Title: Rgpg 0.2.2 Ruby Gem Remote Command Injection Date: 7/31/2013 Advisory Author: Larry W. Cashdollar, @larry0 CVE: CVE-2013-4203 Download: https://rubygems.org/gems/rgpg Description: "A simple Ruby wrapper around gpg command for file encryption. rgpg is a simple API for interacting with the g...
rubygem-passenger: incorrect temporary file usage
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem...
Show In Browser 0.0.3 Ruby Gem File Injection Vulnerability
Show In Browser 0.0.3 is a Ruby Gem that suffers from a file injection vulnerability, allowing arbitrary text to be opened in a browser. TITLE: Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability. DATE: 5/15/2013 AUTHOR: Larry W. Cashdollar @larry0 DOWNLOAD:...
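The two /tmp entries above (Passenger's predictable "config" file and Show In Browser's /tmp file injection) share one root cause: a gem writes to a path under the temp directory that a local attacker can guess and pre-create. The Ruby below is an added example, not code from either gem; it replays the pre-creation attack inside a constructed sandbox directory standing in for /tmp and shows the two standard fixes. The names write_predictable, plant_symlink, write_exclusive, write_tempfile and demo are this example's own.

```ruby
require 'tmpdir'
require 'tempfile'

# Vulnerable pattern: a fixed, predictable name under the temp dir, written with
# plain truncating semantics. File.write follows symlinks, so whatever a local
# attacker pre-created at that path decides which file really gets overwritten.
def write_predictable(tmpdir, name, content)
  path = File.join(tmpdir, name)
  File.write(path, content)
  path
end

# Attacker's move: plant a symlink at the predictable path before the gem runs.
def plant_symlink(tmpdir, name, target)
  File.symlink(target, File.join(tmpdir, name))
end

# Hardened form 1: O_CREAT|O_EXCL with mode 0600. The open fails with EEXIST if
# anything, including a dangling symlink, already sits at the path, so a planted
# file is detected instead of being followed.
def write_exclusive(tmpdir, name, content)
  File.open(File.join(tmpdir, name), File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(content)
  end
  true
rescue Errno::EEXIST
  false
end

# Hardened form 2: let Tempfile pick an unguessable name; it opens the file with
# O_EXCL and mode 0600, so nothing can be planted in advance or read afterwards.
def write_tempfile(tmpdir, content)
  f = Tempfile.new(["preview", ".html"], tmpdir)
  f.write(content)
  f.close # keeps the file; only unlink removes it
  f.path
end

# Runs the whole scenario in a throwaway directory (constructed sandbox, so the
# real /tmp is never touched) and returns what each variant did.
def demo
  Dir.mktmpdir("tmpdemo") do |tmp|
    victim = File.join(tmp, "victim.txt")
    File.write(victim, "original")
    plant_symlink(tmp, "config", victim)          # attacker acts first
    write_predictable(tmp, "config", "attacker-chosen") # victim writes through the link
    safe_path = write_tempfile(tmp, "attacker-chosen")
    {
      victim_after_attack: File.read(victim),                        # "attacker-chosen"
      exclusive_blocked:   !write_exclusive(tmp, "config", "x"),      # true: EEXIST
      exclusive_fresh_ok:  write_exclusive(tmp, "config.new", "ok"),  # true
      tempfile_mode:       File.stat(safe_path).mode & 0777,          # 0600
    }
  end
end

puts demo.inspect if __FILE__ == $0
```

Opening with O_EXCL is the minimal fix when the file name must stay fixed; Tempfile (or Dir.mktmpdir for a private directory) is the better default because it also removes the guessable name.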
Ruby Gem Creme Fraiche 0.6 Command Injection
TITLE: Remote command Injection in Creme Fraiche 0.6 Ruby Gem DATE: 5/14/2013 AUTHOR: Larry W. Cashdollar @larry0 DOWNLOAD: http://rubygems.org/gems/cremefraiche, http://www.uplawski.eu/technology/cremefraiche/ DESCRIPTION: Converts Email to PDF files. VENDOR: Notified on 5/13/2013, provided fix...
Remote command execution in Ruby Gem ldoce 0.0.2
Remote command execution in Ruby Gem ldoce 0.0.2 Larry W. Cashdollar @larry0 3/25/2013 Ldoce Ruby Gem: Easily interface with the Longman Dictionary of Contemporary English API from Ruby: NB currently mac only as it depends on the afplay command. https://rubygems.org/gems/ldoce...
Remote command execution in fastreader ruby gem
Ruby gem fastreader-1.0.8 remote code exec 3/6/2013. If the URL contains any ; characters, code will be executed as the user. For example, if fastreader is fed http://www.g;id;.com, id will be executed. ./fastreader-1.0.8/lib/entry_controller.rb: .strip only removes whitespace before and after the URL...
Remote command injection in Ruby Gem kelredd-pruview 0.3.8
Remote command injection in Ruby Gem kelredd-pruview 0.3.8 Larry W. Cashdollar 4/4/2013 @larry0 Description: "A gem to ease generating image previews thumbnails of various files." https://rubygems.org/gems/kelredd-pruview Remote commands can be executed if the file name contains shell meta...
Ruby Gem md2pdf Command Injection Vulnerability
Ruby Gem md2pdf suffers from a remote command injection vulnerability. Remote command injection md2pdf ruby gem 4/10/2013 Description: "creates pdf documents from markdown documents" https://rubygems.org/gems/md2pdf In md2pdf/converter.rb we see user supplied input being passed to the command lin...
Ruby Gem md2pdf Command Injection
Remote command injection md2pdf ruby gem 4/10/2013 Description: "creates pdf documents from markdown documents" https://rubygems.org/gems/md2pdf In md2pdf/converter.rb we see user supplied input being passed to the command line without proper sanitization. 12 shell.exec"pandocoptions inputfilena...
Ruby Gem kelredd-pruview 0.3.8 Command Injection Vulnerability
Ruby Gem kelredd-pruview version 0.3.8 suffers from a remote command injection vulnerability. Remote command injection in Ruby Gem kelredd-pruview 0.3.8 Larry W. Cashdollar 4/4/2013 @larry0 Description: "A gem to ease generating image previews thumbnails of various files."...
Ruby Gem Karteek Docsplit 0.5.4 Command Injection Vulnerability
Ruby Gem Karteek Docsplit version 0.5.4 fails to sanitize user-supplied input. If a user is tricked into extracting a file with shell characters in the name, code can be executed remotely. Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4 4/1/2013 Larry W. Cashdollar @larry0 User supplied...
Ruby Gem Karteek Docsplit 0.5.4 Command Injection
Remote Command Injection Ruby Gem Karteek Docsplit 0.5.4 4/1/2013 Larry W. Cashdollar @larry0 User supplied input isn't sanitized against shell metacharacters and is fed directly to the shell. If the user is tricked into extracting a file with shell characters in the name, code can be executed...
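Every command-injection entry in this list (webbynode, sprout, fog-dragonfly, rgpg, cremefraiche, ldoce, fastreader, kelredd-pruview, md2pdf, Docsplit) is the same bug: a file name, URL or message that the attacker controls is interpolated into one command string, and that string is handed to /bin/sh. The Ruby below is an added example, not code from any of these gems. echo stands in for pandoc, gpg, growlnotify or afplay, the payload is a constructed string of the same shape as the fastreader URL above, and the function names are this example's own. It also shows why the `.strip` that fastreader relied on is not sanitization.

```ruby
require 'open3'
require 'shellwords'

# Vulnerable pattern: a single string containing user input. Because the string
# holds shell metacharacters, Ruby runs it through /bin/sh -c, and the ';' ends
# the intended command and starts the attacker's one.
def run_vulnerable(user_input)
  cleaned = user_input.strip # what fastreader did: trims whitespace, nothing else
  out, _status = Open3.capture2("echo #{cleaned}")
  out
end

# Hardened form 1: pass argv as separate arguments. Ruby then execs the program
# directly, no shell is involved, and ';' is just a byte inside one argument.
def run_hardened(user_input)
  out, _status = Open3.capture2("echo", user_input.strip)
  out
end

# Hardened form 2: when a shell command line is unavoidable (pipes, redirects),
# escape every untrusted token with Shellwords.escape before interpolating it.
def run_escaped(user_input)
  out, _status = Open3.capture2("echo #{Shellwords.escape(user_input.strip)}")
  out
end

# Detection helper for code review or input validation: anything Shellwords
# would have to escape is a shell metacharacter.
def shell_metachars?(s)
  s != Shellwords.escape(s)
end

if __FILE__ == $0
  payload = "a; echo INJECTED" # constructed input, same idea as http://www.g;id;.com
  print run_vulnerable(payload) # a\nINJECTED   -> the second command ran
  print run_hardened(payload)   # a; echo INJECTED -> one literal argument
  print run_escaped(payload)    # a; echo INJECTED
end
```

Prefer the argv form (`system("prog", arg)`, `Open3.capture2("prog", arg)`, `IO.popen(["prog", arg])`) over escaping: it removes the shell entirely rather than trying to out-guess its quoting rules. Backticks and `%x` always use the shell and have no safe multi-argument form.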
CVE-2013-1800
The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption), by leveraging Action Pack support for (1) YAML type...