Title: Vulnerability Report for Ruby Gem kcapifony-2.1.6
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
OSVDB: 108572
CVE: Please Assign
Download: http://rubygems.org/gems/kcapifony
Gem Author: roderik.van.der.veer[at]kunstmaan.be
Author Contacted: 6/25/2014
From: ./kcapifony-2.1.6/lib/ksymfony1.rb
Lines 482, 484, 522 and 524 pass the database password on the command line via #{config['pass']}, which exposes it in the process table (visible to any local user with ps) for as long as mysqldump, pg_dump, mysql or psql runs. The commands are built by interpolating config values into backtick strings, which Ruby hands to /bin/sh. If this Gem is used in the context of a Rails application where those configuration values can be influenced by an attacker, it may be possible to inject commands remotely by supplying shell metacharacters such as ; and & via #{config['user']} and #{config['pass']}.
479-    FileUtils::mkdir_p("backups")
480-    case config['type']
481-    when 'mysql'
482:      `mysqldump -u#{config['user']} --password=\"#{config['pass']}\" #{config['db']} > #{tmpfile}`
483-    when 'pgsql'
484:      `pg_dump -U #{config['user']} --password=\"#{config['pass']}\" #{config['db']} > #{tmpfile}`
485-    end
486-    File.open(tmpfile, "r+") do |f|
--
519-
520-    case config['type']
521-    when 'mysql'
522:      `mysql -u#{config['user']} --password=\"#{config['pass']}\" #{config['db']} < backups/#{sqlfile}`
523-    when 'pgsql'
524:      `psql -U #{config['user']} --password=\"#{config['pass']}\" #{config['db']} < backups/#{sqlfile}`
525-    end
526-    FileUtils.rm("backups/#{sqlfile}")
527-  end
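The following is an added example written for this advisory; it is not code from kcapifony or its author. It reproduces the gem's backtick-interpolation pattern with echo standing in for mysqldump, so it runs without a database, and shows a constructed password containing shell metacharacters being executed as a command. Beside it is a hardened form that builds an argv array (no shell), validates the user and database identifiers, and passes the secret through the environment (PGPASSWORD for PostgreSQL, MYSQL_PWD for MySQL) so it never appears in the process table. The function names, the identifier regex and the sample config are assumptions made for the example.

```ruby
require 'open3'

# Constructed payload: a "password" that carries shell metacharacters.
INJECTED_PASS = 'x"; echo INJECTED; echo "'

# Mirrors lines 482/484 of ksymfony1.rb: the value is interpolated into a
# backtick string, and Ruby hands the whole string to /bin/sh because it
# contains metacharacters. `echo` stands in for mysqldump here.
def vulnerable_dump(config)
  `echo "#{config['pass']}"`
end

# Defence in depth: user and database names are identifiers, not free text.
# (Assumed pattern for this example.)
IDENT = /\A[\w.-]+\z/

# Hardened replacement for the case statement at lines 480-485: returns an
# environment hash plus an argv array instead of a shell string. The password
# lives in the environment, so `ps` shows only the program and identifiers.
def dump_command(config)
  %w[user db].each do |key|
    unless config[key].to_s.match?(IDENT)
      raise ArgumentError, "invalid #{key}: #{config[key].inspect}"
    end
  end

  case config['type']
  when 'mysql'
    # MYSQL_PWD is honoured by the mysql client tools but is deprecated in
    # MySQL 8.0; a --defaults-extra-file created with mode 0600 is the
    # longer-term option. Either keeps the secret out of the command line.
    [{ 'MYSQL_PWD' => config['pass'] },
     ['mysqldump', '-u', config['user'], config['db']]]
  when 'pgsql'
    [{ 'PGPASSWORD' => config['pass'] },
     ['pg_dump', '-U', config['user'], config['db']]]
  else
    raise ArgumentError, "unknown database type #{config['type'].inspect}"
  end
end

# Runs env + argv without a shell and returns stdout. With the real
# dump_command output this is where `> #{tmpfile}` becomes a File.write.
def run_without_shell(env, argv)
  out, status = Open3.capture2(env, *argv)
  raise "#{argv.first} failed: #{status}" unless status.success?
  out
end

# Hardened counterpart of vulnerable_dump, again with echo as the stand-in:
# the payload is delivered as a single argv element and printed verbatim.
def hardened_dump(config)
  run_without_shell({}, ['echo', config['pass']])
end

if __FILE__ == $PROGRAM_NAME
  cfg = { 'type' => 'pgsql', 'user' => 'app', 'db' => 'appdb', 'pass' => INJECTED_PASS }
  puts "vulnerable: #{vulnerable_dump(cfg).inspect}"   # shell ran the injected echo
  puts "hardened:   #{hardened_dump(cfg).inspect}"     # payload printed literally
  env, argv = dump_command(cfg)
  puts "would exec: #{argv.join(' ')} (password in #{env.keys.first})"
end
```

With the payload above, the vulnerable form yields "x\nINJECTED\n\n" because /bin/sh parsed the closing quote, the semicolon and the extra echo; the hardened form yields the payload followed by a newline, and a user value such as "a;b" is rejected before any command is built.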
Advisory: http://www.vapid.dhs.org/advisories/kcapifony-2.1.6.html