Title: flukso4r 0.3.8 ruby gem remote command injection

Date: 1/1/2013

Author: Larry W. Cashdollar, @_larry0

Download: http://rubygems.org/gems/flukso4r

Description:
This gem provides a library for the Flukso API. See http://flukso.net for more information.

The following lines of code pass unsanitized input to the command line via %x.

+--------------------[./flukso4r-0.3.8/lib/flukso/R.rb]-------------------+
    puts "executing commands:\n#{cmdSet}" if $verbose
    commandline="#{R_CMD} #{cmdfile.path}"
    puts "using commandline: #{commandline}" if $verbose
    stdout = %x[#{commandline}]
    puts "R (Exitcode: #{$?}) said: #{stdout}" if $verbose
  end
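
The interpolated %x pattern from R.rb next to an argument-vector form that bypasses the shell, as an added example that is not code from the gem or from the advisory author. Assumptions: `echo` stands in for `R_CMD` so the block runs without R installed, the method names are hypothetical, and the sample path is a constructed value carrying a harmless marker.

```ruby
require "open3"

# Stand-in for the gem's R_CMD constant (assumption): `echo`, which simply
# prints the arguments it receives, so no R installation is needed.
DEMO_CMD = "echo"

# Constructed sample value containing a shell metacharacter and a harmless marker.
SAMPLE_PATH = "cmds.R; echo MARKER"

# Pattern from R.rb: one interpolated string handed to %x. Ruby passes the
# string to /bin/sh when it contains shell metacharacters, so the shell
# decides where one command ends and the next begins.
def run_interpolated(cmd, path)
  commandline = "#{cmd} #{path}"
  stdout = %x[#{commandline}]
  [stdout, $?.exitstatus]
end

# Hardened form: program and argument are separate argv entries. No shell
# parses them, so the path reaches the program as one literal argument.
def run_argv(cmd, path)
  stdout, status = Open3.capture2(cmd, path)
  [stdout, status.exitstatus]
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated %x : #{run_interpolated(DEMO_CMD, SAMPLE_PATH).inspect}"
  puts "argv (no shell) : #{run_argv(DEMO_CMD, SAMPLE_PATH).inspect}"
end
```

Where a single shell string cannot be avoided, `Shellwords.escape` from Ruby's standard library quotes each interpolated value, but the argument-vector form removes the shell from the path entirely.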