Title: Vulnerability Report for Ruby Gem kajam-1.0.3.rc2

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108530

CVE:Please Assign

Download: http://rubygems.org/gems/kajam

Gem Author: scienceblock[at]gmail.com

Author Contacted:6/25/2014

From: ./kajam-1.0.3.rc2/vendor/plugins/dataset/lib/dataset/database/mysql.rb

Lines 18 and 24 expose the mysql user password to the process table via #{@password}. If this Gem is used in the context of a rails application it maybe possible to inject commands via user supplied input as these variables are not sanitized before being passed to the shell.

015-

16-      def capture(datasets)
17-        return if datasets.nil? || datasets.empty?
18:        `mysqldump -u {@username} --password={@password} --compact --extended-insert --no-create-db --add-drop-table --quick --quote-names #{@database} > #{storage_path(datasets)}`
19-      end
20-      
21-      def restore(datasets)
22-        store = storage_path(datasets)
23-        if File.file?(store)
24:          `mysql -u {@username} --password={@password} --database=#{@database} < #{store}`
25-          true
26-        end
27-      end

Advisory: http://www.vapid.dhs.org/advisories/kajam-1.0.3.rc2.html