VYPR
Moderate severity · NVD Advisory · Published Dec 26, 2019 · Updated Aug 6, 2024

CVE-2013-4318


Description

CVE-2013-4318: File injection vulnerability in Ruby gem Features 0.3.0 allows local attackers to inject malicious HTML into /tmp/out.html via symlink or race condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Description

CVE-2013-4318 is a file injection vulnerability in the Ruby gem Features version 0.3.0, a plain-text user stories parser for Rails and other frameworks. The gem writes its HTML report to the fixed, world-writable path /tmp/out.html without checking what already exists at that path, so an attacker with local access can pre-create the file, or plant a symlink there, and have arbitrary content end up in the report [2].

Exploitation

An attacker with local access can create a malicious /tmp/out.html file (or a symlink pointing to an attacker-controlled location) before the gem writes its output. By repeatedly writing to the file, the attacker can inject arbitrary HTML/JavaScript. The gem then opens this file in a browser, leading to potential cross-site scripting (XSS) attacks [2][1].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript, which could be executed in the context of the user opening the file, leading to information disclosure, session hijacking, or other client-side attacks. The vulnerability does not require authentication if the attacker already has local access to create files in /tmp [2][3].

Mitigation

As of the advisory, version 0.3.0 is vulnerable and no official patch has been released. The repository appears unmaintained. Users should avoid using the Features gem or implement proper file handling, such as using a secure temporary directory with random names and avoiding the use of fixed paths like /tmp/out.html [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: features (RubyGems)
Affected versions: <= 0.3.0
Patched versions: none

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.