In association with heise online

27 January 2011, 09:56

Ruby Mail gem can execute arbitrary shell commands

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The sendmail mechanism of the Ruby mail gem has been found to be vulnerable to crafted email addresses which can inject arbitrary commands to the underlying system. Any application that implements sendmail-based delivery, and which uses the Ruby mail gem 2.2.14 or earlier, is vulnerable.The issue will also affect Ruby on Rails 3.0.x applications which use the sendmail delivery mechanism.

Version 2.2.15 of the mail gem has been released in order to fix the problem. For users who cannot upgrade to the new version, one option is to change the delivery method used by the mail gem to SMTP or File (Details on how to change are available). A patch is also available for those who want to fix the problem in the code; it shows that the issue concerned email addresses that were subject to no shell escaping. The patch adds processing to the from address when mailing, calling a new shellescape() function to prevent exploitation.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit