RubyGems Navigation menu

rubygems-pwn 0.1.1

A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems. This ties into the larger design mistake, of storing installed gemspecs as Ruby code; since evaling Ruby code was faster than loading YAML gemspecs. When handling data, it is safer to store it in a static format (YAML, XML, CSV), instead of executable code.

Versions:

  1. 0.1.1 - August 26, 2011 (5.5 KB)
  2. 0.1.0 - August 25, 2011 (5 KB)

Authors:

  • Postmodern

Owners:

66f5d5b64b951b3eeb8b6c34fcb69237

Sha 256 checksum:

ebc836ce53873404a7460986747023febb88f50fc46896990b0a8cebb48e45ef

Total downloads 2,360

For this version 1,233

Required Ruby Version: None

Licenses:

N/A

Gemfile:
= Copy to clipboard Copied!

install:
= Copy to clipboard Copied!

Links: