CVE-2013-2105 in Show In Browser

Summary

by MITRE

The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.


Analysis

by VulDB Data Team • 05/11/2026

The CVE-2013-2105 vulnerability affects the show_in_browser gem version 0.0.3 for Ruby applications and presents a significant security risk through improper file handling. It stems from a lack of input validation and sanitization in the gem's implementation, specifically when user-provided data is written to a temporary file. The flaw manifests when the gem creates /tmp/browser.html without safeguards against symbolic link attacks, an exploitable condition that local attackers can leverage to execute malicious code.

The technical exploitation relies on a classic symlink attack vector: an attacker creates a symbolic link pointing to a sensitive file or directory, then triggers the gem to write content through that link. When the show_in_browser gem processes user input and writes to /tmp/browser.html, it does not verify whether the target path is a regular file or a symbolic link that points elsewhere. This oversight lets attackers redirect the gem's output to arbitrary locations, potentially overwriting critical system files or injecting scripts that execute with the privileges of the user running the application.

The operational impact of this vulnerability extends beyond simple code injection, as it enables attackers to perform privilege escalation and persistent system compromise. Local users with minimal privileges can exploit this weakness to gain unauthorized access to system resources, potentially leading to complete system takeover depending on the application's execution context. The vulnerability is particularly concerning because it operates at the file system level and can be exploited without requiring network connectivity or specialized tools beyond basic file manipulation capabilities. This makes it highly attractive to attackers seeking to establish persistent backdoors or escalate privileges within compromised systems.

Security practitioners should implement immediate mitigations including updating to a patched version of the show_in_browser gem, implementing proper file system permissions for temporary directories, and conducting thorough code reviews to identify similar vulnerabilities in other components. The vulnerability aligns with CWE-59, which describes improper handling of symbolic links, and represents a clear violation of the principle of least privilege. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques and can be leveraged to establish persistence through file system manipulation. Organizations should also consider implementing mandatory access controls and monitoring for unusual file system activities in temporary directories, particularly those involving symbolic link creation or modification.
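The following Ruby is an added example, not code from the show_in_browser gem: it shows the fixed-path write pattern the analysis describes next to two safer alternatives (an exclusive, non-following open and an unpredictably named Tempfile). The file paths, names and HTML content are constructed for illustration.

```ruby
require "tempfile"
require "tmpdir"

# Unsafe pattern (the CWE-59 shape described above): a fixed, predictable path
# in a shared directory is opened with default flags, so an existing symlink
# planted there is followed and the write lands wherever it points.
def write_report_unsafe(path, html)
  File.write(path, html)
  path
end

# Safer pattern 1: keep a fixed name but never follow or replace anything that
# is already there. CREAT|EXCL fails if the path exists (a symlink counts),
# NOFOLLOW refuses to traverse a link, and mode 0600 keeps the file private.
# Returns true on success and false when something pre-exists at the path.
def write_report_exclusive(path, html)
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  File.open(path, flags, 0600) { |f| f.write(html) }
  true
rescue Errno::EEXIST, Errno::ELOOP
  # A regular file or a planted symlink already occupies the path: refuse.
  false
end

# Safer pattern 2: let Tempfile pick an unpredictable name (created with EXCL
# internally) instead of a fixed one. Returns the path of the written file.
def write_report_tempfile(html, dir = Dir.tmpdir)
  f = Tempfile.create(["browser", ".html"], dir)
  f.write(html)
  f.close
  f.path
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    planted = File.join(dir, "browser.html")          # constructed symlink
    File.symlink(File.join(dir, "elsewhere.txt"), planted)
    puts "exclusive write over symlink: #{write_report_exclusive(planted, '<p>hi</p>')}"
    puts "tempfile written to: #{write_report_tempfile('<p>hi</p>', dir)}"
  end
end
```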

Reservation

02/19/2013

Disclosure

04/22/2014

Moderation

accepted

Entry

VDB-69430

CPE

ready

EPSS

0.00117

KEV

no

Activities

very low
