Flash Tool 0.6.0 Remote code execution vulnerability

Date: 3/1/2013

http://rubygems.org/gems/flash_tool
https://github.com/milboj/flash_tool

If the name of a downloaded file contains shell metacharacters, it is possible to execute arbitrary commands as the user running the client, because the file name is interpolated unescaped into a command string that is handed to the shell. For example, a file named:

flash_file;id>/tmp/o;.swf

./flash_tool-0.6.0/lib/flash_tool.rb

Lines:
26: command = "swfstrings #{file}"
27: output = `#{command} 2>&1`
88: command = "#{command} #{option} #{file}"
89: output = `#{command} 2>&1`

./flash_tool-0.6.0/lib/flash_tool/flash.rb

75: command = "#{command} #{args.join(" ")}"
76: output = `#{command} 2>&1`

@_larry0 Larry W. Cashdollar
http://otiose.dhs.org/advisories/flash_tool-0.6.0-cmd_exec.html
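As an added example (not code from the advisory or from the flash_tool project), the same invocation rewritten so the file name is passed as a separate argv element through Open3.capture2e, which never involves a shell; the safe_filename? check is an assumed extra validation layer and the echo demonstration uses a constructed file name taken from the advisory.

```ruby
require 'open3'

# Vulnerable pattern from the advisory: the file name is interpolated into a
# string that the backtick operator hands to /bin/sh, so ';', '>' and similar
# characters in the name are parsed as shell syntax. Kept for contrast only;
# nothing below calls it.
def run_via_shell_unsafe(tool, file)
  command = "#{tool} #{file}"
  `#{command} 2>&1`
end

# Hardened form: each argument is a separate element, so Ruby calls execve(2)
# directly and no shell ever parses the file name. capture2e merges stderr
# into stdout, matching the original "2>&1". Returns [output, exit_status].
def run_tool(tool, file, options = [])
  output, status = Open3.capture2e(tool, *options, file)
  [output, status.exitstatus]
end

# Defence in depth (assumed policy, not from the advisory): accept only a bare
# file name from a conservative character set, with no directory components
# and no leading '-' that the invoked tool might read as an option.
def safe_filename?(name)
  name == File.basename(name) && !name.start_with?('-') &&
    name.match?(/\A[A-Za-z0-9._+-]+\z/)
end

# Wrapper mirroring lib/flash_tool.rb line 26: run swfstrings on one file,
# refusing names that fail validation before anything is executed.
def swfstrings(file)
  raise ArgumentError, "rejected file name: #{file.inspect}" unless safe_filename?(file)
  run_tool('swfstrings', file)
end

if $PROGRAM_NAME == __FILE__
  # With argv passing, echo prints the hostile name verbatim; no "id" runs
  # and no /tmp/o is created.
  out, _code = run_tool('echo', 'flash_file;id>/tmp/o;.swf')
  puts out
  puts safe_filename?('flash_file;id>/tmp/o;.swf') # false
end
```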