Title: Vulnerability Report for Ruby Gem backup-agoddard-3.0.28

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108578

CVE: Please Assign

Download: http://rubygems.org/gems/backup-agoddard

Gem Author: anthony[at]anthonygoddard.com

Author Contacted: 6/25/2014

From: ./backup-agoddard-3.0.28/lib/backup/cli/utility.rb

Lines 178 and 180 expose the password to the process table; they are also remote command injection points if this gem is used in the context of a Rails application, as the user input isn't properly sanitized before being interpolated into the shell command.

175-          base64   = options[:base64] ? '-base64' : ''
176-          password = options[:password_file].empty? ? '' : "-pass file:#{options[:password_file]}"
177-          salt     = options[:salt] ? '-salt' : ''
178:          %x[openssl aes-256-cbc -d #{base64} #{password} #{salt} -in #{options[:in]} -out #{options[:out]}]
179-        when 'gpg'
180:          %x[gpg -o #{options[:out]} -d #{options[:in]}]
181-        else
182-          puts "Unknown encryptor: #{options[:encryptor]}"
183-          puts "Use either openssl or gpg."
--
224-          puts "Please wait..\n\n"
226-        end
227-
228-        if options[:installed]
230-        end
231-      end
232-
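The interpolation pattern from lines 175-178 placed beside an argv-based replacement that never hands the values to a shell. This is an added Ruby example, not the gem's own code; the option names follow the excerpt, while SAMPLE_OPTIONS and the helper names are constructed for illustration.

```ruby
require 'open3'
require 'shellwords'

# Vulnerable shape from the advisory: every option is interpolated into one
# string that %x[] passes to /bin/sh, so a shell metacharacter inside a value
# is parsed as part of the command rather than treated as data.
def unsafe_decrypt_command(options)
  base64   = options[:base64] ? '-base64' : ''
  password = options[:password_file].to_s.empty? ? '' : "-pass file:#{options[:password_file]}"
  salt     = options[:salt] ? '-salt' : ''
  "openssl aes-256-cbc -d #{base64} #{password} #{salt} -in #{options[:in]} -out #{options[:out]}"
end

# Hardened shape: build an argv array so each option value reaches openssl as
# exactly one argument, whatever characters it contains. Returns the array.
def safe_decrypt_argv(options)
  argv = %w[openssl aes-256-cbc -d]
  argv << '-base64' if options[:base64]
  argv.push('-pass', "file:#{options[:password_file]}") unless options[:password_file].to_s.empty?
  argv << '-salt' if options[:salt]
  argv.push('-in', options[:in].to_s, '-out', options[:out].to_s)
end

# Executes the argv form. Passing several arguments to Open3.capture2e
# runs the program directly, with no shell in between.
def run_decrypt(options)
  output, status = Open3.capture2e(*safe_decrypt_argv(options))
  [status.success?, output]
end

# Constructed sample input: an input filename containing a space and a ';'.
SAMPLE_OPTIONS = {
  base64: true, salt: true, password_file: '/tmp/secret.key',
  in: 'backup file;.enc', out: 'backup.tar'
}.freeze

# How many words a POSIX shell would split the interpolated string into;
# compare with safe_decrypt_argv(...).size to see the argument boundary move.
def shell_word_count(command)
  Shellwords.split(command).size
end
```

With SAMPLE_OPTIONS the interpolated string splits into 12 shell words while the argv form carries 11 arguments, the filename staying intact as one of them.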

Advisory: http://www.vapid.dhs.org/advisories/backup-agoddard-3.0.28.html