| 1 |
On Thursday, 23 August 2018 09:06:12 BST Mick wrote: |
| 2 |
> I noticed this enotice in imagemagick: |
| 3 |
> |
| 4 |
> * For security reasons, a policy.xml file was installed in |
| 5 |
> /etc/ImageMagick-7 * which will prevent the usage of the following coders |
| 6 |
> by default: * |
| 7 |
> * - PS |
| 8 |
> * - EPS |
| 9 |
> * - PDF |
| 10 |
> * - XPS |
| 11 |
> |
| 12 |
> Excuse my ignorance, but I am not sure why the above PS related files are |
| 13 |
> disabled. What is the security threat exactly? JavaScript contents which |
| 14 |
> may be executed by ImageMagick? |
| 15 |
|
| 16 |
My google-fu is rusty this morn - I found this explanation[1]: |
| 17 |
|
| 18 |
"ImageMagick allows to process files with external libraries. This feature is |
| 19 |
called 'delegate'. It is implemented as a system() with command string |
| 20 |
('command') from the config file delegates.xml with actual value for different |
| 21 |
params (input/output filenames etc). Due to insufficient %M param filtering it |
| 22 |
is possible to conduct shell command injection." |
| 23 |
|
| 24 |
So, remote code execution is one such vulnerability. |
| 25 |
|
| 26 |
[1] https://imagetragick.com/ |
| 27 |
|
| 28 |
-- |
| 29 |
Regards, |
| 30 |
Mick |
Archives