
Remote Flash Tool 0.6.0 Remote Code Execution

DarckSol

User, registered 17.03.2008, 894 messages, 182 reactions
Ruby Gem Flash Tool version 0.6.0 suffers from a remote code execution vulnerability.

Flash Tool 0.6.0 Remote code execution vulnerability

3/1/2013

http://rubygems.org/gems/flash_tool

https://github.com/milboj/flash_tool

If downloaded files contain shell metacharacters, it is possible to execute
code as the client user.

i.e.: flash_file;id>/tmp/o;.swf

./flash_tool-0.6.0/lib/flash_tool.rb

Lines:

26: command = "swfstrings #{file}"
27: output = `#{command} 2>&1`
88: command = "#{command} #{option} #{file}"
89: output = `#{command} 2>&1`

./flash_tool-0.6.0/lib/flash_tool/flash.rb
75: command = "#{command} #{args.join(" ")}"
76: output = `#{command} 2>&1`


@_larry0
Larry W. Cashdollar
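The advisory above shows the vulnerable pattern but not the fix. The following is an added example, not code from the flash_tool gem or from the advisory's author: it reproduces the backtick-interpolation bug side by side with a hardened version that passes the file name as a separate argv element (Open3.capture2e) or escapes it with Shellwords. Because swfstrings is not assumed to be installed, "echo" stands in for the external tool, and the malicious file name is constructed here in the shape the advisory gives, with "echo INJECTED" in place of "id>/tmp/o".

```ruby
require 'open3'
require 'shellwords'

# Vulnerable pattern (same shape as flash_tool 0.6.0 lib/flash_tool.rb lines 26-27):
# the file name is interpolated into one command string and run through the
# shell via backticks, so ";", "|", "$(...)" or backticks in the name become
# additional commands executed as the calling user.
def vulnerable_run(tool, file)
  command = "#{tool} #{file}"
  `#{command} 2>&1`
end

# Hardened form: program and arguments are given as separate argv elements.
# With more than one argument, Open3.capture2e execs the tool directly and
# never invokes a shell, so the file name arrives as a single literal argument.
def safe_run(tool, file)
  output, _status = Open3.capture2e(tool, file)
  output
end

# Hypothetical helper for the case where a command *string* is still needed
# (e.g. to log it): Shellwords.escape quotes the argument so the shell treats
# the whole file name as one word.
def safe_command_string(tool, file)
  "#{tool} #{Shellwords.escape(file)}"
end

if __FILE__ == $0
  # Constructed malicious file name; "echo INJECTED" replaces the advisory's
  # "id>/tmp/o" and "echo" replaces swfstrings so this runs without the gem.
  evil = "flash_file;echo INJECTED;.swf"
  puts "vulnerable: #{vulnerable_run('echo', evil).inspect}"
  puts "safe:       #{safe_run('echo', evil).inspect}"
  puts "escaped:    #{safe_command_string('echo', evil)}"
end
```

In the vulnerable call the shell splits the name into three commands and "INJECTED" appears on its own line of output (followed by a "not found" error for ".swf"); in the hardened calls the output is the unmodified file name, because the tool receives it as data rather than as shell syntax.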
 

