Title: Vulnerability Report for Ruby Gem lawn-login-0.0.7
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
Download: http://rubygems.org/gems/lawn-login
Gem Author: mike.skalnik@gmail.com
From: ./lawn-login-0.0.7/lib/lawn.rb
Line 24 exposes the password to the process table via the #{password} variable. If this Gem is used in the context of a rails application it maybe possible to inject commands remotely into the shell as these variables are not sanitized.
021- end
22-
23- def login(username, password)
24: `curl -s -f -F username=\#{username}\ -F password=\#{password}\ -F iss=\false\ -F output=\binary\ https://auth.lawn.gatech.edu/index.php`
25- end
26-end