Here's an example of why you want to run your web apps as an unprivileged user.
Running your app as a user with write perms to the app itself is just asking to get p0wned.

- Mike

---------- Forwarded message ----------
From: Michael Koziarski <mich...@koziarski.com>
Date: Wed, Jan 26, 2011 at 4:10 PM
Subject: Vulnerability in the Mail gem affecting Rails 3.0.x applications
To: rubyonrails-secur...@googlegroups.com

Mikel Lindsaar has released a new version of the mail gem which addresses a potential vulnerability affecting the sendmail delivery method. As this affects rails users I'm cross posting the announcement here.

For more information see the original announcement:

http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1

The original report follows:

There is a vulnerability in the sendmail delivery agent of the Mail gem that could allow an attacker to pass arbitrary commands to the system.

Versions Affected: Versions 2.2.14 or earlier
Not affected: Any application not using sendmail delivery
Fixed Versions: 2.2.15 or later

Impact
------------------------------------------------------------------

An attacker could craft an email address used to send out an email and inject code that would be executed by the system shell.

All users who are using sendmail to deliver their system email and running a 2.2.14 or earlier release of Mail should upgrade immediately.

Releases
------------------------------------------------------------------

Mail version 2.2.15 has been released which fixes this problem and is available on RubyGems.org.

Steps to Protect your application
------------------------------------------------------------------

Update your Gemfile and include:

  gem "mail", "~> 2.2.15"

and run

  $ bundle install

Or for non bundler systems, install the mail gem 2.2.15 with:

  gem install mail

Workarounds
------------------------------------------------------------------

Changing your delivery method to use SMTP or File instead of Sendmail will also protect you from the potential exploit.

In Mail, instructions on how to use the SMTP or File delivery methods can be found at:

http://rdoc.info/github/mikel/mail/master/Mail/SMTP
http://rdoc.info/github/mikel/mail/master/Mail/FileDelivery

For Ruby on Rails users, delivery method settings can be found at:

http://guides.rubyonrails.org/action_mailer_basics.html

Patch
------------------------------------------------------------------

A patch can be found at the following URL for the Mail Sendmail class for those who are running an earlier version of Mail and can not update to the latest version.

https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch

Credits
------------------------------------------------------------------

Thanks to Andy Lindeman for initially reporting the vulnerability and providing a patch fix and to Steven Lorek for also reporting the issue.

--
Cheers

Koz

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Security" group.
To post to this group, send email to rubyonrails-secur...@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-security+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-security?hl=en.

--
You received this message because you are subscribed to the Google Groups "Ruby or Rails Oceania" group.
To post to this group, send email to rails-oceania@googlegroups.com.
To unsubscribe from this group, send email to rails-oceania+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rails-oceania?hl=en.
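The advisory above describes the bug class (a recipient address ending up on a shell command line for the sendmail binary) but not the gem's code, so the following is an added example and not the Mail gem's own delivery code or its 2.2.15 patch. It assumes a delivery agent that builds one command string from the MTA path, its flags and the recipient list, and it substitutes /bin/echo for sendmail so it can be run without an MTA installed; the flags, the address regex and all sample addresses are constructed for the demo.

```ruby
require "shellwords"

# Stand-in for the sendmail binary so the demo runs without an MTA. It just
# prints its argv, which is enough to see what the command actually received.
# (Constructed for this example; a real agent would point at /usr/sbin/sendmail.)
ECHO_MTA = "/bin/echo"
MTA_ARGS = ["-i", "-t"].freeze # typical sendmail flags; assumed for the example

# VULNERABLE PATTERN: recipient addresses are interpolated into a single
# string that /bin/sh parses. Anything the shell treats specially in the
# address (; | & $( ) ` and so on) becomes part of the command line.
def deliver_via_shell_string(recipients)
  cmd = "#{ECHO_MTA} #{MTA_ARGS.join(' ')} #{recipients.join(' ')}"
  IO.popen(cmd, &:read) # string form with metacharacters => /bin/sh -c cmd
end

# STEP 1 OF THE FIX: pass argv as an array. Ruby then execve()s the MTA
# directly, no shell is involved, and each address is exactly one argument
# whatever characters it contains.
def deliver_via_argv(recipients)
  IO.popen([ECHO_MTA, *MTA_ARGS, *recipients], &:read)
end

# STEP 2: validate the address anyway. The array form keeps the shell out,
# but an address beginning with '-' would still be parsed by the MTA as an
# option. This regex is deliberately conservative (example policy, not a
# full RFC 5322 parser): no whitespace, no shell metacharacters, no leading
# dash, exactly one '@', and a plain hostname on the right.
ADDRESS_RE = /\A[^\s@<>"'`;|&$()\\-][^\s@<>"'`;|&$()\\]*@[A-Za-z0-9.-]+\z/

def validate_recipient!(addr)
  raise ArgumentError, "unsafe recipient: #{addr.inspect}" unless addr.match?(ADDRESS_RE)
  addr
end

def deliver_safely(recipients)
  deliver_via_argv(recipients.map { |r| validate_recipient!(r) })
end

# Helper for checking whether the injected command actually ran.
def injected?(output)
  output.lines.map(&:strip).include?("INJECTED")
end

if $PROGRAM_NAME == __FILE__
  evil = "a@example.com; echo INJECTED" # constructed attacker-controlled address
  puts "shell string:  #{deliver_via_shell_string([evil]).inspect}"
  puts "argv only:     #{deliver_via_argv([evil]).inspect}"
  begin
    deliver_safely([evil])
  rescue ArgumentError => e
    puts "validated:     #{e.message}"
  end
  begin
    deliver_safely(["-C/tmp/evil.cf"]) # looks like an MTA option, not an address
  rescue ArgumentError => e
    puts "validated:     #{e.message}"
  end
end
```

Run it once and compare the three lines: the shell-string version prints INJECTED on its own line because the shell ran a second command, the argv version hands the whole string to the MTA as one harmless argument, and the validated version refuses it before anything is spawned. The same check is worth applying to the list of addresses a Rails app passes to ActionMailer before upgrading, since the workaround in the advisory (switching to SMTP or File delivery) only helps if no code path still uses the sendmail method.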