karo Metacharacter Handling Remote Command Execution
The karo gem through 2.5.2 for Ruby allows remote command injection via the host field. A flaw in db.rb is triggered when handling shell metacharacters, which may allow a remote attacker to execute arbitrary commands. In particular, lines 76 and 95 (as of 2014-06-01) pass unsanitized user-supplied input to the command line. The relevant excerpt from db.rb (grep -n output; the `#` interpolation markers and the backticks on line 76 were lost in extraction and are restored here):

    73-    host = "#{@configuration["user"]}@#{@configuration["host"]}"
    74-    cmd = "ssh #{host} cat #{server_db_config_file}"
    75-
    76:    server_db_config_output = `#{cmd}`

Line 76 hands the assembled string to a shell via backticks, so any metacharacters in the user or host configuration values are interpreted by that shell rather than being passed to ssh as plain argument text.
79- – …
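The following is an added example, not karo's own code: it places the string-building pattern from db.rb beside a hardened variant that validates the configuration values and invokes ssh through an argv array (Open3.capture3 with separate arguments, which does not go through a shell). The configuration hashes, regexes and function names are constructed for the example.

```ruby
require "open3"

# Constructed configurations. The "host" in UNSAFE_CONFIG carries shell
# metacharacters purely as a test value to show how the two builders differ.
UNSAFE_CONFIG = { "user" => "deploy", "host" => "db.example.org; echo injected" }
SAFE_CONFIG   = { "user" => "deploy", "host" => "db.example.org" }

# Mirrors the db.rb pattern: one string, later executed by a shell via
# backticks, so metacharacters in user/host become part of the command line.
def build_cmd_string(config, remote_file)
  host = "#{config["user"]}@#{config["host"]}"
  "ssh #{host} cat #{remote_file}"
end

# Allow-lists (assumed, not karo's): hostnames/usernames as a restricted
# character set, paths as a simple absolute/relative form without spaces.
HOST_RE = /\A[A-Za-z0-9._-]+\z/
USER_RE = /\A[A-Za-z0-9._-]+\z/
PATH_RE = /\A[A-Za-z0-9._\/-]+\z/

def safe_host?(value) = !!(value =~ HOST_RE)
def safe_user?(value) = !!(value =~ USER_RE)
def safe_path?(value) = !!(value =~ PATH_RE)

# Hardened builder: validate each piece, then return an argv array. Passing an
# array to Open3.capture3 execs ssh directly, so no local shell parses it.
# Note that ssh still hands "cat <file>" to the remote login shell, which is
# why remote_file is validated as well.
def build_ssh_argv(config, remote_file)
  user, host = config.values_at("user", "host")
  raise ArgumentError, "invalid user: #{user.inspect}" unless safe_user?(user)
  raise ArgumentError, "invalid host: #{host.inspect}" unless safe_host?(host)
  raise ArgumentError, "invalid path: #{remote_file.inspect}" unless safe_path?(remote_file)
  ["ssh", "#{user}@#{host}", "cat", remote_file]
end

# Replacement for the backtick call on line 76 of db.rb (requires a reachable
# ssh host, so it is not exercised in the test).
def fetch_remote_file(config, remote_file)
  out, err, status = Open3.capture3(*build_ssh_argv(config, remote_file))
  raise "ssh failed: #{err.strip}" unless status.success?
  out
end
```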