Title: Vulnerability Report for Ruby Gem lingq-0.3.1
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
Download: http://rubygems.org/gems/lingq
Gem Author: ethan.vizitei[at]gmail.com
From: ./lingq-0.3.1/lib/lingq/client.rb
Line 46 exposes the lingq.com API key on the command line (and therefore in the process list) through the #{@apikey} variable. If this Gem is used in the context of a Rails application, a remote user may be able to inject commands into the shell via shell metacharacters such as ; and &, because the interpolated variables (word.id, word.status, word.hint, word.fragment) are not sanitized before the string is handed to system_call.
08- attr_reader :target_language
9- attr_reader :languages
10-
11: def initialize(api_key)
12: @apikey = api_key
13- load_languages!
14- end
15-
--
43- put_with_language("lingqs/",word.params)
44-
46: system_call("curl -X PUT -d id={word.id};status={word.status};hint={word.hint};fragment=#{word.fragment} http://www.lingq.com/api_v2/#{@target_language}/lingqs/?apikey=#{@apikey}")
47- end
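The pattern flagged above beside an in-process replacement, as an added example that is not the gem's own code: the Word struct, build_put_request and send_put are assumed names, and the hostile sample input is constructed.

```ruby
require "net/http"
require "uri"

# Constructed stand-in for the gem's word object; an assumption, not the gem's class.
Word = Struct.new(:id, :status, :hint, :fragment)

# The pattern the advisory flags: every field is interpolated into one string that
# /bin/sh parses, so ';', '&', '`' or '$(' inside a field become shell syntax, and
# the API key sits in the argument list where the process list shows it to local users.
def vulnerable_command(word, target_language, apikey)
  "curl -X PUT -d id=#{word.id};status=#{word.status};hint=#{word.hint};" \
    "fragment=#{word.fragment} http://www.lingq.com/api_v2/#{target_language}/lingqs/?apikey=#{apikey}"
end

# Hardened replacement (an assumed fix, not the gem's code): build the request
# in-process with Net::HTTP, so no shell is involved and the key never appears on a
# command line. set_form_data percent-encodes each field, so metacharacters travel
# as literal data instead of being parsed.
def build_put_request(word, target_language, apikey)
  uri = URI("http://www.lingq.com/api_v2/#{URI.encode_www_form_component(target_language)}/lingqs/")
  uri.query = URI.encode_www_form(apikey: apikey)
  req = Net::HTTP::Put.new(uri)
  req.set_form_data("id" => word.id, "status" => word.status,
                    "hint" => word.hint, "fragment" => word.fragment)
  [uri, req]
end

# Sending is separated from construction so the builder can be checked offline.
def send_put(uri, req)
  Net::HTTP.start(uri.host, uri.port) { |http| http.request(req) }
end

if __FILE__ == $0
  # Constructed sample with shell syntax in the hint field.
  w = Word.new("42", "1", "x; touch /tmp/pwned", "le mot")
  puts vulnerable_command(w, "fr", "SECRET")   # ';' reaches /bin/sh unescaped
  uri, req = build_put_request(w, "fr", "SECRET")
  puts "#{req.method} #{uri}"
  puts req.body                                # hint=x%3B+touch+%2Ftmp%2Fpwned
end
```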