Command injection in Ruby Gem Webbynode

Date: 11/11/2014
Author: Larry W. Cashdollar, @_larry0


Vulnerability Description:

The following code located in: ./webbynode- doesn't fully sanitize user supplied input before passing it to the shell via %x.

Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters.

def self.message(message)
  if self.installed? and !$testing
    message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
    %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")

The message.gsub regex strips ANSI encoded characters from the #{message} variable, it doesn't strip characters like ;&| etc. If the attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject shell commands and execute them as the client user.

Vendor: Notified 11/11/2013

I also submitted a pull request