Ruby gems can execute code as root while they're being installed

29 May 2016 18:07 | ruby | security

Another hilarious and trivial rubygems exploit.  The file ext/<ext>/extconf.rb
gets executed as root during installation.  A malicious gem could put code in
there that installs a backdoor.

Demonstration PoC: https://github.com/m4rkw/rubygems-poc2
[read more...]

Abusing rubygems for fun and profit

29 May 2016 12:18 | ruby | security

RubyGems is a nice system, very easy to use and also easy to abuse.  Anyone can push
a gem straight into the global namespace, even if the gem has the same name as a core
library.

This can be trivially abused to break into systems of anyone who isn't very careful
what gems they use (and let's be honest, that's probably a lot of developers :).
[read more...]

Gangsta Lean ruby web framework

18 Aug 2015 22:22 | ruby | development

When I started building my new website, I didn't want to be boring and just use
rails so I decided to write my work super-lightweight ruby web framework.

It's powering this website but is quite basic and rough so probably shouldn't
be used by anyone.
[read more...]

TVFeed and TransmissionNG

18 Aug 2015 22:17 | ruby | development

I've written a couple of ruby gems that people might find useful..

tvfeed - https://github.com/m4rkw/tvfeed

A gem designed to provide a feed of new TV episodes as magnet links from
torrent sites. This is offered purely for research purposes and should suit
[read more...]