###########################

# Paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials

###########################

Title: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials

Author: Larry W. Cashdollar, @_larry0

Date: 12/26/2013

CVE: Please assign.

Download: http://rubygems.org/gems/paratrooper-pingdom

Description: "Send deploy notifications to Pingdom service when deploying with Paratrooper"
Vulnerable Code:

From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb

24 def setup(options = {})
25 %x[curl
https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=tru e" -H "App-Key: {app_key}" -u
"
{username}:#{password}"]
26 end
27
28 def teardown(options = {})
29 %x[curl
https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=fal se" -H "App-Key: {app_key}" -u
"
{username}:#{password}"]
30 end

A malicious user could monitor the process tree to steal the API key, username and password for the API login.

http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2014-01-11]

###########################