On Thursday, 23 August 2018 09:06:12 BST Mick wrote: > I noticed this enotice in imagemagick: > > * For security reasons, a policy.xml file was installed in > /etc/ImageMagick-7 * which will prevent the usage of the following coders > by default: * > * - PS > * - EPS > * - PDF > * - XPS > > Excuse my ignorance, but I am not sure why the above PS related files are > disabled. What is the security threat exactly? JavaScript contents which > may be executed by ImageMagick?
My google-fu is rusty this morn - I found this explanation[1]:
"ImageMagick allows to process files with external libraries. This feature is
called 'delegate'. It is implemented as a system() with command string
('command') from the config file delegates.xml with actual value for different
params (input/output filenames etc). Due to insufficient %M param filtering it
is possible to conduct shell command injection."
So, remote code execution is one such vulnerability.
[1] https://imagetragick.com/
--
Regards,
Mick
signature.asc
Description: This is a digitally signed message part.
