RubySec

Providing security resources for the Ruby community

OSVDB-110796 (flavour_saver): FlavourSaver handlebars helper remote code execution.

ADVISORIES

  • OSVDB-110796

GEM

flavour_saver

PATCHED VERSIONS

  • >= 0.3.3

DESCRIPTION

FlavourSaver contains a flaw in helper method dispatch where it uses Kernel::send to call helpers without checking that they are defined within the template context first. This allows expressions such as {{system "ls"}} or {{eval "puts 1 + 1"}} to be executed.
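The following is an added example, not FlavourSaver's own code, illustrating the class of bug the advisory describes and the usual fix: a template engine that forwards a helper name straight to send reaches every method the context object can see, whereas a dispatcher that looks the name up in an explicit registry of template helpers can only invoke what was registered. The HelperRegistry class, the unsafe_dispatch function, the tiny {{name "arg"}} expression parser and the registered helpers (upcase, greet) are all constructed for this example.

```ruby
# Added example (not FlavourSaver's code). Contrasts dispatching a helper
# name with send against dispatching through an explicit helper registry.

class UnknownHelperError < StandardError; end

# Registry of helpers that are defined for the template context. Template
# expressions can reach nothing except what was registered here.
class HelperRegistry
  def initialize
    @helpers = {}
  end

  # Explicit registration; returns self so registrations can be chained.
  def register(name, &block)
    @helpers[name.to_s] = block
    self
  end

  def helper?(name)
    @helpers.key?(name.to_s)
  end

  # Safe dispatch: look the name up in the registry instead of sending it
  # to an object. An unregistered name is an error, not a method call.
  def call(name, *args)
    helper = @helpers.fetch(name.to_s) do
      raise UnknownHelperError, "helper not defined in template context: #{name}"
    end
    helper.call(*args)
  end
end

# The pattern the advisory describes: the helper name from the template is
# handed to send without first checking that it is a defined helper, so any
# method reachable from the context object (including Kernel methods) can
# be invoked. Shown here only to contrast with the registry above.
def unsafe_dispatch(context, name, *args)
  context.send(name, *args)
end

# Minimal parser for a single {{name "arg" "arg"}} expression, constructed
# for this example; it understands one helper name followed by optional
# double-quoted string arguments.
EXPR = /\A\{\{\s*(\w+)((?:\s+"[^"]*")*)\s*\}\}\z/

def render_expression(registry, expr)
  m = EXPR.match(expr.strip)
  raise ArgumentError, "not a helper expression: #{expr}" unless m
  name = m[1]
  args = m[2].scan(/"([^"]*)"/).flatten
  registry.call(name, *args)
end

# Helpers a template author is allowed to use in this hypothetical context.
def build_registry
  HelperRegistry.new
    .register(:upcase) { |s| s.upcase }
    .register(:greet) { |who| "Hello, #{who}!" }
end

if __FILE__ == $PROGRAM_NAME
  reg = build_registry
  puts render_expression(reg, '{{greet "world"}}')
  begin
    render_expression(reg, '{{system "ls"}}')
  rescue UnknownHelperError => e
    puts "rejected: #{e.message}"
  end
end
```

The check that matters is the fetch in HelperRegistry#call: a name that was never registered raises before anything is invoked, so the template language can only name helpers, never arbitrary Ruby methods. When auditing a template engine, grep for send, public_send or method(...).call applied to a name taken from template text and confirm the name is validated against a fixed helper set first.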