Title: Vulnerability Report for Ruby Gem lynx-0.2.0

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108579

CVE: Please Assign

Download: http://rubygems.org/gems/lynx

Gem Author: pan.thomakos[at]gmail.com

Author Contacted: 6/25/2014

From: ./lynx-0.2.0/lib/lynx/pipe/get.rb

User input is not properly sanitized before it is sent to the command line:

From: lynx/blob/master/lib/lynx/pipe/run.rb

    module Lynx
      module Pipe
        class Run < Basic
          def perform(command)
            system(command.to_s)
          end
        end
      end
    end

Exposes the password to the process table:

From: lynx/blob/master/lib/lynx/command/basic.rb

    @command << "--password=#{config.password}" if config.password

      module Pipe
        # ...
          def perform(command)
            `#{command}`.strip
          end
        end
      end
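Added example, not part of the original advisory or of the gem's code: the backtick pattern shown above next to a hardened form that passes an argument vector directly to the program and keeps the password off the command line. The names perform_shell, perform_argv, HOSTILE and DEMO_PASSWORD are hypothetical; it assumes POSIX echo and printenv are on the PATH and that the wrapped program can read its password from the environment.

```ruby
require "open3"

# Constructed sample input: a value containing a shell metacharacter.
HOSTILE = "report; echo INJECTED"

# Pattern from the advisory: the whole string is interpreted by /bin/sh,
# so anything after ';' runs as a second command.
def perform_shell(command)
  `#{command}`.strip
end

# Hardened form (hypothetical name): argv is an Array and no shell is involved.
# The [program, argv0] pair keeps even a one-element argv away from /bin/sh.
# Secrets travel in the child's environment, not in its argument list.
def perform_argv(argv, secret_env = {})
  unless argv.is_a?(Array) && !argv.empty?
    raise ArgumentError, "argv must be a non-empty Array"
  end
  program, *args = argv.map(&:to_s)
  out, status = Open3.capture2e(secret_env, [program, program], *args)
  [out.strip, status.success?]
end

if __FILE__ == $PROGRAM_NAME
  # Shell form: the metacharacter splits the input into two commands.
  p perform_shell("echo #{HOSTILE}")
  # Argv form: the same input arrives as one literal argument.
  p perform_argv(["echo", HOSTILE])
  # The secret is read from the environment; argv holds only the variable name.
  p perform_argv(["printenv", "DEMO_PASSWORD"],
                 { "DEMO_PASSWORD" => "constructed-secret" })
end
```

On Linux the environment of a process is readable only by its owner and root, while its command line is visible to every local user by default. A configuration file with restrictive permissions is the other common way to keep a password out of the argument list.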

Advisory: http://www.vapid.dhs.org/advisories/lynx-0.2.0.html