Posted by Javantea on Mar 25
Remote Code Execution in realms-wiki install.sh
by Javantea
Mar 15, 2015
Product: Realms Wiki
Website: http://realms.io/
GitHub: https://github.com/scragg0x/realms-wiki
CVSS Score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
On line 20 of realms-wiki install.sh, a GPG key that is requested via HTTP is added to the apt keyring. A remote
attacker that has a man-in-the-middle (via ARP spoof, DNS spoof, or HTTP man-in-the-middle) against the person…
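An audit check for the pattern described above, an apt signing key fetched over plain HTTP and added to the keyring. This is an added example, not code from the advisory or from the realms-wiki project. The function names `audit_apt_key_fetch` and `sample_installer`, the `example.invalid` URLs and the sample installer lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example: flag apt signing keys that an installer fetches over plain HTTP.
# Reads a script on stdin (or from file arguments), prints "LINE: text" for each
# finding, and returns 1 if anything was flagged.
audit_apt_key_fetch() {
    awk '
    function report(n, text) { printf "%d: %s\n", n, text; found = 1 }
    /^[ \t]*#/ { next }                                  # ignore comment lines
    {
        http    = ($0 ~ /http:\/\//)                     # cleartext URL on this line
        imports = ($0 ~ /apt-key[ \t]+(add|adv)/)        # key goes into the keyring
        # Case 1: fetched and imported in one command (pipe or --fetch-keys).
        if (http && imports) { report(NR, $0); next }
        # Case 2a: cleartext download saved to a file; remember the file name.
        if (http && ($0 ~ /(wget|curl)/)) {
            for (i = 1; i < NF; i++)
                if ($i == "-O" || $i == "-o" || $i == "--output") {
                    saved[$(i + 1)] = NR; text_of[NR] = $0
                }
            next
        }
        # Case 2b: a later apt-key call imports a file remembered above.
        if (imports)
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f in saved) { report(saved[f], text_of[saved[f]]); report(NR, $0) }
            }
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample installer (hypothetical; not the contents of install.sh).
sample_installer() {
    cat <<'EOF'
# constructed sample
wget -qO- http://example.invalid/key.asc | sudo apt-key add -
curl -fsSL https://example.invalid/key.asc | sudo apt-key add -
wget http://example.invalid/repo.key -O /tmp/repo.key
sudo apt-key add /tmp/repo.key
# wget -qO- http://example.invalid/old.asc | apt-key add -
apt-key adv --fetch-keys http://example.invalid/other.asc
EOF
}

sample_installer | audit_apt_key_fetch || echo "plain-HTTP key import found"
```

A clean result only means no cleartext fetch was matched; HTTPS transport alone does not confirm that the imported key has the expected fingerprint.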