oss-sec
mailing list archives
Re: Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 18 May 2013 01:00:48 -0600
On 05/17/2013 10:34 AM, Larry W. Cashdollar wrote:
TITLE: *Show In Browser 0.0.3 Ruby Gem /tmp file injection
vulnerability*
DATE: 5/15/2023
AUTHOR: Larry W. Cashdollar (@_larry0)
DOWNLOAD: https://rubygems.org/gems/show_in_browser
DESCRIPTION: Opens arbitrary text in your browser
VENDOR: Jonathan Leung
FIX: N/A
CVE: TBD
DETAILS: The following code uses the temporary file
"/tmp/browser.html" insecurely.
    FILE_LOCATION = "/tmp/browser.html"

    class << self

      def show(html)
        file = File.open(FILE_LOCATION, 'w')
        file.write(html)
        file.close

        `open #{FILE_LOCATION}`
By a malicious user creating /tmp/browser.html first and
repeatedly writing to it they can inject malicious html into the
file right before it is about to be opened.
PoC:
    nobody@pitter:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/browser.html; done
Will pop up a JavaScript alert in other gem users' browsers.
Please use CVE-2013-2105 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
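Added example (not part of the original advisory and not the gem's own code): the issue above comes from writing to a fixed, predictable path in world-writable /tmp, so one mitigation is to write the HTML into a fresh per-call directory with an exclusive create. The names write_private_html, exclusive_write and refuses_existing_file? are hypothetical, and the sample strings are constructed.

```ruby
require "tmpdir"
require "fileutils"

# O_EXCL makes the open fail if the path already exists (including when it
# is a symlink), so a file pre-created by another user is never reused.
def exclusive_write(path, data)
  flags = File::WRONLY | File::CREAT | File::EXCL
  File.open(path, flags, 0o600) { |f| f.write(data) }
end

# Hypothetical hardened replacement for the fixed FILE_LOCATION.
# Dir.mktmpdir creates a directory with an unpredictable name and mode 0700,
# so other local users cannot create or modify files inside it.
# The caller opens the returned path and removes the directory afterwards.
def write_private_html(html)
  dir = Dir.mktmpdir("show_in_browser")
  path = File.join(dir, "browser.html")
  exclusive_write(path, html)
  path
end

# Constructed check: a file that already exists at the target path is
# refused with EEXIST and its content is left untouched, instead of being
# opened and handed to the browser as in the code quoted in the advisory.
def refuses_existing_file?
  Dir.mktmpdir do |sandbox|
    target = File.join(sandbox, "browser.html")
    File.write(target, "pre-existing content") # constructed sample
    begin
      exclusive_write(target, "<p>report</p>")
      false
    rescue Errno::EEXIST
      File.read(target) == "pre-existing content"
    end
  end
end
```

Ruby's Tempfile class gives similar guarantees (exclusive create, owner-only permissions, unpredictable name) when a single file is enough.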