Title: echor 0.1.6 Ruby Gem exposes login credentials

Date: 1/14/2014

Author: Larry W. Cashdollar, @_larry0

Download: http://rubygems.org/gems/echor

Description: Echo ruby wrapper

Vulnerability
in file echor-0.1.6/lib/echor/backplane.rb:

The method perform_request builds a curl command line as a single string and hands it to the shell via backticks. Three values are interpolated into that string with no escaping at all: the backplane username and password, the request body (data, wrapped only in single quotes), and the channel URL. Any of them that contains shell metacharacters (a single quote followed by a semicolon, backticks, $(...)) breaks out of the command and runs arbitrary commands as the application user. If this gem is used in a Rails application where any of those values is derived from user input, an attacker gets remote command execution simply by putting a semicolon in their username or password. At a minimum, because the credentials are placed on the curl command line with -u, any local user can steal them just by watching the process table (ps, or /proc/<pid>/cmdline) while a request is in flight.

    # One shell string: the credentials, data and @channel are interpolated unescaped
    def perform_request(data)
      JSON.parse(`curl -u {Echo.backplane_user}:{Echo.backplane_password}     --data-binary '#{data}' #{@channel}`)
    end
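The injection described above and a hardened replacement, as an added example; this is not echor's code. The EchorFix module, its method names and its keyword arguments are assumptions made here. The vulnerable method reproduces the gem's backtick-and-single-quote construction with printf standing in for curl so it runs offline; the hardened perform_request spawns curl with a fixed argv and feeds the credentials, body and URL to it through curl's config-file reader on stdin (-K -), so nothing attacker-influenced ever reaches a shell and the password never appears in the process table.

```ruby
require "json"
require "open3"

# Added example, not echor's code. EchorFix and its method names are
# hypothetical; the curl config-file format read via "--config -" is real
# curl behaviour.
module EchorFix
  # The gem's construction: one string handed to /bin/sh, with the caller's
  # data spliced between single quotes. printf stands in for curl so this runs
  # offline; the quoting problem is identical. A data value such as
  #   x'; echo INJECTED; echo '
  # closes the quote, runs "echo INJECTED", and reopens a quote so sh is happy.
  def self.vulnerable(data)
    `printf '%s' '#{data}'`
  end

  # No shell: Open3 passes each array element as one argv entry, so quotes and
  # semicolons in data reach printf as literal bytes and nothing is executed.
  def self.hardened(data)
    out, _status = Open3.capture2("printf", "%s", data)
    out
  end

  # Escapes understood inside a double-quoted value in a curl config file.
  CURL_ESCAPES = {
    "\\" => "\\\\", "\"" => "\\\"", "\n" => "\\n", "\r" => "\\r", "\t" => "\\t"
  }.freeze

  def self.curl_quote(value)
    "\"" + value.to_s.gsub(/[\\"\n\r\t]/, CURL_ESCAPES) + "\""
  end

  # Everything the gem interpolated into the command line goes into a config
  # file that curl reads from stdin. The URL goes here too, so a channel value
  # beginning with "-" cannot smuggle in extra curl options. (A colon in the
  # username would be misread by curl's user:password split; reject it upstream.)
  def self.curl_config(user:, password:, data:, channel:)
    [
      "silent",
      "show-error",
      "fail",
      "user = #{curl_quote("#{user}:#{password}")}", # never on argv, never in ps
      "data-binary = #{curl_quote(data)}",
      "url = #{curl_quote(channel)}"
    ].join("\n") + "\n"
  end

  # Fixed argv: nothing attacker-influenced, nothing secret.
  CURL_ARGV = %w[curl --config -].freeze

  # Drop-in replacement for Backplane#perform_request.
  def self.perform_request(user:, password:, data:, channel:)
    config = curl_config(user: user, password: password, data: data, channel: channel)
    body, status = Open3.capture2(*CURL_ARGV, stdin_data: config)
    raise "curl failed (exit #{status.exitstatus})" unless status.success?
    JSON.parse(body)
  end
end
```

The vulnerable/hardened pair needs only /bin/sh and printf; perform_request needs curl and a reachable channel. Keeping the secret on stdin defeats ps and /proc/<pid>/cmdline, though a local user who can ptrace the application process can of course still read its memory.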

Vendor: Not notified; I don't think this gem is maintained anymore.