Skip to content

Instantly share code, notes, and snippets.

@idyll
Forked from markpundsack/heroku-CVE-2013-0156.rb
Last active December 10, 2015 23:59
Show Gist options
  • Save idyll/4513393 to your computer and use it in GitHub Desktop.
Save idyll/4513393 to your computer and use it in GitHub Desktop.
## The quick-and-nasty CVE-2013-0156 Heroku inspector!
## Originally brought to you by @elliottkember with changes by @markpundsack @ Heroku
## Download and run using:
## ruby heroku-CVE-2013-0156.rb
`heroku list`.split("\n").each do |app|
app = app.strip
# Some "heroku apps" lines have === formatting for grouping. They're not apps.
next if app[0..2] == "==="
# Some are appended by owner emails
app = app.split(" ")[0].to_s.strip
# Blank lines can be ommitted.
next if app == ""
multi_xml_path = `heroku run bundle show multi_xml --app #{app}`.split("\n")[-1]
multi_xml_version_number = multi_xml_path.split("multi_xml-")[1]
multi_xml_version_number = multi_xml_version_number.strip unless multi_xml_version_number.nil?
rails_path = `heroku run bundle show rails --app #{app}`.split("\n")[-1]
rails_version_number = rails_path.split("rails-")[1]
rails_version_number = rails_version_number.strip unless rails_version_number.nil?
unless ["3.2.11", "3.1.10", "3.0.19", "2.3.15"].include?(rails_version_number) or rails_version_number.nil?
puts "VULNERABLE:: #{app} has #{rails_version_number}."
else
puts "SAFE:: #{app} has #{rails_version_number}."
end
unless multi_xml_version_number == "0.5.2" || multi_xml_version_number.nil?
puts "VULNERABLE:: #{app} has #{multi_xml_version_number}."
else
puts "SAFE:: #{app} has #{multi_xml_version_number}."
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment