
[Full-disclosure] Remote command Injection in Creme Fraiche 0.6 Ruby Gem



<html><body><div><p>TITLE: <b>Remote command Injection in Creme Fraiche 0.6 
Ruby Gem</b></p>

<p>DATE: 5/14/2013</p>

<p>AUTHOR: Larry W. Cashdollar (@_larry0)</p>

<p>DOWNLOAD: http://rubygems.org/gems/cremefraiche, 
http://www.uplawski.eu/technology/cremefraiche/</p>

<p>DESCRIPTION: Converts Email to PDF files.</p>

<p>VENDOR: Notified on 5/13/2013, provided fix 5/14/2013</p>

<p>FIX: Fixed in version 0.6.1</p>

<p>CVE: CVE-2013-2090</p>

<p>DETAILS: The following lines pass unsanitized user input directly to the 
command line. A malicious email attachment with a file name consisting of 
shell metacharacters could inject commands into the shell. If the attacker 
is allowed to specify a filename (via a web GUI), commands could be injected 
that way as well.</p>

<pre>218                         cmd = "pdftk %s update_info %s output %s" %[pdf, info_file, t_file]
219                         @log.debug('pdftk-command is ' &lt;&lt; cmd)
220                         pdftk_result = system( cmd)
</pre>
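<p>Added example (not the gem's code, and not part of the original advisory): the interpolated command string from the excerpt above next to the argv form of <code>system</code>, which never invokes <code>/bin/sh</code> and so cannot be injected through a filename. The helper names and the constructed attachment name are assumptions for illustration.</p>

```ruby
require 'shellwords'
require 'rbconfig'

# Vulnerable pattern (same shape as the advisory excerpt): the attachment name
# is interpolated into one string that system() hands to /bin/sh, so any shell
# metacharacter in the name is parsed as shell syntax, not as part of the path.
def build_cmd_unsafe(pdf, info_file, t_file)
  "pdftk %s update_info %s output %s" % [pdf, info_file, t_file]
end

# Hardened form: program and each argument passed separately. Ruby's
# multi-argument system()/spawn()/IO.popen exec the program directly, so the
# filename is always exactly one argv element regardless of its characters.
def safe_pdftk_argv(pdf, info_file, t_file)
  ["pdftk", pdf, "update_info", info_file, "output", t_file]
end

# If a single command string is unavoidable (e.g. a logging path that needs
# it), Shellwords#shelljoin escapes every argument for /bin/sh.
def build_cmd_escaped(pdf, info_file, t_file)
  safe_pdftk_argv(pdf, info_file, t_file).shelljoin
end

# Detection helper: would this name be reinterpreted by /bin/sh if it reached
# a command string unescaped? Useful for rejecting or logging attachments.
SHELL_META = /[;&|`$()<>\\"'\s*?\[\]{}!#~]/
def shell_meta?(name)
  !!(name =~ SHELL_META)
end

# Proof that the argv form keeps the name intact: run a child (ruby itself, so
# the example stays self-contained) that prints back its first argument.
def argv_roundtrip(name)
  IO.popen([RbConfig.ruby, "-e", "print ARGV[0]", name], &:read)
end

# Constructed sample attachment name (not from the page). Under /bin/sh the ";"
# would end the pdftk command and "echo injected.eml update_info ..." would
# run as a second command.
EVIL_NAME = "invoice;echo injected.eml"

if __FILE__ == $0
  puts build_cmd_unsafe(EVIL_NAME, "info.txt", "out.pdf")
  p Shellwords.split(build_cmd_unsafe(EVIL_NAME, "info.txt", "out.pdf"))
  p safe_pdftk_argv(EVIL_NAME, "info.txt", "out.pdf")
end
```

Running the block shows the shell seeing seven words for the unsafe string but only six argv elements for the safe form, with the filename intact as the second element.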
<p>GREETINGS: @vladz,@quine,@BrandonTansey,@sushidude,@jkouns,@sub_space and 
@attritionorg </p>

<p>ADVISORY: 
http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html</p></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/