Title: Vulnerability Report for Ruby Gem VladTheEnterprising-0.2

Author: Larry W. Cashdollar, @_larry0<br><br>Date: 06/01/2014

Download: http://rubygems.org/gems/VladTheEnterprising

Gem Author:  mlwelles@gmail.com

From: ./VladTheEnterprising-0.2/lib/vlad/dba/mysql.rb

The mysql root password can be read out of /tmp/my.cnf.#{target_host} if a local user waits to read that after it is written and before it is removed in line 394.

It is also possible to clobber files owned by the  VladTheEnterprising user process via symlink attack because the my.cnf.#{target_host} doesn't have a randomly created filename.

If this Gem is used in the context of a rails application and the user is allowed to specify the target host command injection can occur at line 394 if special shell meta characters are injected like ; and &.

0384-      cnf << "host     = localhost\n"
385-      cnf << "user     = root\n"
386-      cnf << "password = #{mysql_root_password}\n"
387:      File.open("/tmp/my.cnf.#{target_host}", "w") do |file|
388-        file.write(cnf)
389-      end
390:      scp "/tmp/my.cnf.#{target_host}", ".my.cnf"
391-    end
392-
393-    remote_task :remove_dot_my_cnf, :roles => :new_slave do
394:      `rm /tmp/my.cnf.#{target_host}; exit 0`
395-      run "rm -f .my.cnf; exit 0"
396-    end
397-
--
599-           :mysql_err => "/var/log/mysql.err",
600-           :my_cnf => lambda { "/etc/mysql/conf.d/#{shortname}.cnf" },
601-           :my_src_cnf => lambda { "files/mysql/configs/#{shortname}.cnf" },
602:           :my_tmp_cnf => lambda { "/tmp/my.cnf-#{version}"},
603-           :my_dest_cnf => lambda { my_cnf },
604-           :mysql_config_nfs_copy => lambda { true },
605-           :mysql_config_copy => lambda {