[Full-disclosure] Remote command execution in Ruby Gem ldoce 0.0.2
- To: full <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Remote command execution in Ruby Gem ldoce 0.0.2
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Mon, 01 Apr 2013 15:32:03 +0000 (GMT)
<html><body><div><h2>Remote command execution in Ruby Gem ldoce 0.0.2</h2>
<i>Larry W. Cashdollar<br>
@_larry0<br>
3/25/2013</i>
<hr>
<p>Ldoce Ruby Gem:
</p>
<p>Easily interface with the Longman Dictionary of Contemporary English API
from Ruby:
</p>
<p>NB: currently Mac only, as it depends on the afplay command.
</p>
https://rubygems.org/gems/ldoce
<p><a
href="https://github.com/markburns/ldoce">https://github.com/markburns/ldoce</a>
</p>
<p>Ldoce passes the mp3 URL of a dictionary word's pronunciation to the command
line (curl, then afplay) to play the audio:
</p>
<p>The URL and the local filename are interpolated unescaped into a shell command
string. If either contains shell metacharacters (for example ; $( ) or backticks),
arbitrary commands are executed as the user running the client, so a remote
party controlling the URL or the word data gets remote command execution:
</p>
<p>[./ldoce-0.0.2/lib/ldoce/word.rb]
</p>
<pre>  if mp3?
    unless File.exists? filename
      # mp3_url and filename are interpolated unescaped into a shell string
      command = "curl #{mp3_url} -silent > #{filename}"
      `#{command}`           # Kernel#` hands this to /bin/sh -c; metacharacters are honored
    end
    `afplay #{filename}`     # same problem: filename reaches the shell unquoted
  end
</pre>
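<p>The following is an added example, not code from the ldoce gem or from this
advisory. It reproduces the vulnerable pattern (a URL interpolated into a
backtick shell string) and shows the two fixes a maintainer would apply: pass
arguments to system() as an argv array so no shell is involved, and validate the
URL before use. "echo" stands in for curl so the example runs offline; the URLs,
the injected payload and the temp paths are constructed for the demonstration.
</p>

```ruby
require "uri"
require "tmpdir"

# Assumption: "echo" stands in for the gem's curl call so this runs with no network.
DOWNLOADER = "echo"

# Vulnerable pattern, as in ldoce 0.0.2: the URL is interpolated into a string
# that Kernel#` hands to /bin/sh -c, so shell metacharacters in it are honored.
def download_via_shell(mp3_url, filename)
  command = "#{DOWNLOADER} #{mp3_url} > #{filename}"
  `#{command}`
  filename
end

# Fix 1: argv form. system() with more than one argument execs the program
# directly (no shell), so whatever is in mp3_url is one literal argument.
def download_via_argv(mp3_url, filename)
  system(DOWNLOADER, mp3_url, out: filename) or raise "download failed"
  filename
end

# Fix 2: validate the URL before it goes anywhere near a subprocess.
# Hypothetical policy for this example: http(s), a host, and an .mp3 path.
def validated_url(mp3_url)
  uri = URI.parse(mp3_url)
  unless %w[http https].include?(uri.scheme) && uri.host && uri.path.end_with?(".mp3")
    raise ArgumentError, "refusing unexpected mp3 url: #{mp3_url.inspect}"
  end
  uri.to_s
rescue URI::InvalidURIError
  raise ArgumentError, "refusing malformed mp3 url: #{mp3_url.inspect}"
end

def download_safely(mp3_url, filename)
  download_via_argv(validated_url(mp3_url), filename)
end

# Runs the vulnerable and fixed versions against the same crafted URL inside a
# temp dir. The payload ";>marker;" makes sh create "marker" as a side effect;
# it contains no spaces, so the temp path stays a single shell word.
def demo
  Dir.mktmpdir do |dir|
    marker = File.join(dir, "injected")
    out    = File.join(dir, "word.mp3")
    payload = "http://example.test/word.mp3;>#{marker};"   # constructed payload

    download_via_shell(payload, out)
    vulnerable_injected = File.exist?(marker)             # true: sh ran ">marker"
    File.delete(marker) if vulnerable_injected

    download_via_argv(payload, out)
    argv_injected = File.exist?(marker)                   # false: no shell involved

    validation_rejected = begin
      download_safely(payload, out)
      false
    rescue ArgumentError
      true
    end

    {
      vulnerable_injected: vulnerable_injected,
      argv_injected: argv_injected,
      validation_rejected: validation_rejected,
      argv_output: File.read(out).strip   # the whole payload, echoed as one argument
    }
  end
end

p demo if __FILE__ == $0
```

<p>The same argv form applies to the playback step: system("afplay", filename)
instead of a backtick string. Validation alone is not enough, since URI-legal
characters such as ; $ ( ) are also shell metacharacters; the argv form is what
actually removes the shell from the path.
</p>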
This vulnerability has been assigned CVE-ID CVE-2013-1911.
<p>
http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html
</p></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/