Title: echor 0.1.6 Ruby Gem exposes login credentials
Date: 1/14/2014
Author: Larry W. Cashdollar, @_larry0
Download: http://rubygems.org/gems/echor
Description: Echo ruby wrapper

Vulnerability: In file echor-0.1.6/lib/echor/backplane.rb (lines 45-47), the function perform_request passes sensitive data (the backplane username and password) together with unsanitized user input to the shell. If this gem is used in a Rails application, a user could get remote command injection simply by putting a semi-colon in their username or password.

    def perform_request(data)
      # credentials, request body and channel URL are interpolated straight
      # into a shell command line and run via backticks
      JSON.parse(`curl -u #{Echo.backplane_user}:#{Echo.backplane_password} --data-binary '#{data}' #{@channel}`)
    end

Vendor: Not notified, I don't think this Gem is maintained anymore.
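A hardened replacement for the request above, added here as an example and not code from the echor gem: the request is built in-process with Net::HTTP, so no shell parses the credentials or body, and the username and password travel in an Authorization header rather than on a command line where `ps` could read them. The channel URL, user, password and sample data are constructed values.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Hardened equivalent of echor's perform_request (assumed names, not the gem's API).
# No shell is involved: ';' or backticks in the user, password or data are just bytes
# in a header or body, and the credentials never appear in the process list.
module SafeBackplane
  module_function

  # Build the POST that `curl -u user:pass --data-binary data channel` would send.
  def build_request(channel, user, password, data)
    uri = URI.parse(channel)
    raise ArgumentError, 'channel must be an http(s) URL' unless uri.is_a?(URI::HTTP)
    req = Net::HTTP::Post.new(uri)
    req.basic_auth(user, password)   # Authorization header, not argv
    req['Content-Type'] = 'application/json'
    req.body = data                  # sent verbatim, never interpreted by a shell
    [uri, req]
  end

  # Send the request and parse the JSON reply, mirroring the original return value.
  def perform_request(channel, user, password, data)
    uri, req = build_request(channel, user, password, data)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.request(req)
    end
    JSON.parse(res.body)
  end
end

# Constructed sample input carrying the shell metacharacters the advisory describes.
SAMPLE_CHANNEL = 'https://backplane.example/channel'
SAMPLE_USER    = 'alice; echo injected'
SAMPLE_PASS    = 'p4ss`echo injected`'
SAMPLE_DATA    = '{"msg":"hi"}'
```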