###########################

# Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

###########################

Title: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Author: Larry W. Cashdollar, @_larry0

CVE: Please assign one.

Download: http://rubygems.org/gems/paratrooper-newrelic

Description: "Send deploy notifications to Newrelic service when deploying with Paratrooper."

Vulnerable Code:

From paratrooper-newrelic-1.0.1/lib/paratrooper-newrelic.rb:

Lines 25 and 29 expose the API key: it is interpolated into the command line of a spawned curl process, so a malicious local user can monitor the process tree and steal the API key.

24 def setup(options = {})
25   %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/disable -X POST -H "X-Api-Key: #{api_key} "]
26 end
27
28 def teardown(options = {})
29   %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/enable -X POST -H "X-Api-Key: #{api_key}" ]
30 end
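The same ping-target toggle rebuilt without a shell, as an added example that is not the gem's own code: Net::HTTP sends the X-Api-Key header from inside the process, so the key never appears in any argv. The host and path are those shown above; the module name, the ids and the key are constructed placeholders, and secret_visible_in_argv? only reads /proc/<pid>/cmdline of a child it spawns itself to show what the original curl call leaves visible.

```ruby
require "net/http"
require "uri"
require "rbconfig"

# Added example (not paratrooper-newrelic's code): the New Relic ping-target
# toggle from the advisory rebuilt with Net::HTTP so the API key travels only
# inside the TLS request and never becomes a command-line argument. Host and
# path come from the advisory; ids and keys used here are constructed.
module PingTargetToggle
  BASE = "https://heroku.newrelic.com".freeze

  # Build the POST request. Delivery is a separate step so the request can be
  # inspected (and tested) without network access.
  def self.build_request(account_id, application_id, action, api_key)
    unless %i[enable disable].include?(action)
      raise ArgumentError, "action must be :enable or :disable"
    end
    uri = URI("#{BASE}/accounts/#{account_id}/applications/#{application_id}/ping_targets/#{action}")
    req = Net::HTTP::Post.new(uri)
    req["X-Api-Key"] = api_key # held in process memory, not in argv
    req
  end

  # Send the request over TLS (not exercised offline).
  def self.deliver(req)
    uri = URI("#{BASE}#{req.path}")
    Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  end

  # Why the original %x[curl ... -H "X-Api-Key: ..."] pattern leaks: spawn a
  # harmless child that carries the secret in argv and read its command line
  # the way any local user can. Returns true when the secret is visible,
  # nil when /proc is unavailable (non-Linux hosts).
  def self.secret_visible_in_argv?(secret)
    pid = Process.spawn(RbConfig.ruby, "-e", "sleep 5", "X-Api-Key: #{secret}")
    sleep 0.3 # give the child time to finish exec
    path = "/proc/#{pid}/cmdline"
    return nil unless File.exist?(path)
    File.binread(path).tr("\0", " ").include?(secret)
  ensure
    if pid
      Process.kill("TERM", pid) rescue nil
      Process.wait(pid) rescue nil
    end
  end
end
```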

Advisory: http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html



###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2014-01-11]

###########################