Untrusted Code Execution Bug in Sicuro (Round 2)
This has been fixed as of Sicuro v0.6.0.
This is a required update. There should be no loss in functionality.
Scott Olson found a major security hole in Sicuro, 8 months (almost to the day) after the one Jens Nockert found.
Scott demonstrated that you could use the $stdin variable to get a reference to the IO class. This provided undeterred access to the filesystem and shell.
The following is the code Scott used:
io=$stdin.class;f=io.new(io.sysopen("hack", "w")); f.puts "you dun goofed"; f.close
The problem was simply that since $stdin wasn't worth using, I had forgotten to change it to a StringIO instance. However, when looking into it, I found that STDIN were vulnerable to the same issue. This led to a rather verbose change that fixed it by placing any references to IO out of scope of the untrusted code.
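As an added illustration (not Sicuro's code and not the actual fix), the following Ruby audit lists which global variables and top-level constants still hand out the IO class or an IO instance, before and after swapping the standard streams for StringIO. The function names are hypothetical, and the check covers only globals and top-level constants, not every path to IO.

```ruby
require 'stringio'

# True if value is the IO class, a subclass (e.g. File), or an instance of one.
def io_handle?(value)
  value.is_a?(IO) || (value.is_a?(Class) && value <= IO)
end

# Global variables (such as :$stdin) whose current value exposes IO.
def io_leaking_globals
  global_variables.select do |name|
    begin
      io_handle?(eval(name.to_s))
    rescue StandardError, ScriptError
      false
    end
  end
end

# Top-level constants (such as :STDIN) that expose IO.
def io_leaking_constants
  Object.constants.select do |name|
    next false if Object.autoload?(name) # do not trigger autoloads
    begin
      io_handle?(Object.const_get(name))
    rescue StandardError, ScriptError
      false
    end
  end
end

# Re-run the globals audit with the standard streams swapped for StringIO,
# then restore the real streams.
def globals_after_stringio_swap
  saved = [$stdin, $stdout, $stderr]
  $stdin, $stdout, $stderr = StringIO.new, StringIO.new, StringIO.new
  io_leaking_globals
ensure
  $stdin, $stdout, $stderr = saved
end

if __FILE__ == $PROGRAM_NAME
  puts "globals exposing IO:      #{io_leaking_globals.inspect}"
  puts "after StringIO swap:      #{globals_after_stringio_swap.inspect}"
  puts "constants still exposing: #{io_leaking_constants.inspect}"
end
```

Swapping the globals for StringIO clears them from the first list, but the constants list still reports STDIN and IO itself, which is why replacing $stdin alone does not close the hole.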
I highly recommend that everyone upgrade immediately. This is a major security hole, and allows access to all of the IO class.