1 |
On Thursday, 23 August 2018 09:06:12 BST Mick wrote: |
2 |
> I noticed this enotice in imagemagick: |
3 |
> |
4 |
> * For security reasons, a policy.xml file was installed in |
5 |
> /etc/ImageMagick-7 * which will prevent the usage of the following coders |
6 |
> by default: * |
7 |
> * - PS |
8 |
> * - EPS |
9 |
> * - PDF |
10 |
> * - XPS |
11 |
> |
12 |
> Excuse my ignorance, but I am not sure why the above PS related files are |
13 |
> disabled. What is the security threat exactly? JavaScript contents which |
14 |
> may be executed by ImageMagick? |
15 |
|
16 |
My google-fu is rusty this morn - I found this explanation[1]: |
17 |
|
18 |
"ImageMagick allows to process files with external libraries. This feature is |
19 |
called 'delegate'. It is implemented as a system() with command string |
20 |
('command') from the config file delegates.xml with actual value for different |
21 |
params (input/output filenames etc). Due to insufficient %M param filtering it |
22 |
is possible to conduct shell command injection." |
23 |
|
24 |
So, remote code execution is one such vulnerability. |
25 |
|
26 |
[1] https://imagetragick.com/ |
27 |
|
28 |
-- |
29 |
Regards, |
30 |
Mick |