Ruby Gem Fastreader version 1.0.8 suffers from a remote command execution vulnerability due to a lack of user input sanitization.
1fab775f0aafbbbde6c3e31e5072977d382d54542fa209d3fc109a74349d293aRuby gem fastreader-1.0.8 remote code exec
3/6/2013
https://rubygems.org/gems/fastreader
if the url contains any ; characters code will be executed as the user when a web browser is launched.
for example if fastreader is fed http://www.g;id;.com id will be executed.
./fastreader-1.0.8/lib/entry_controller.rb
.strip only removes whitespace before and after the URL.
115 # open web browser
116 command = (ENV['FASTREADER_WEB'] || "open") + " {@current_entry.url.strip}"
117 `{command}`
Larry W. Cashdollar
@_larry0
http://vapid.dhs.org
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed