
[Full-disclosure] MiniMagic ruby gem remote code execution



<html><body><div><h2>MiniMagic ruby gem remote code execution
</h2>
<p>3/12/2013
</p><hr>

<p><a href="https://github.com/hcatlin/mini_magick">https://github.com/hcatlin/mini_magick</a>
</p>
<p>A Ruby wrapper for the ImageMagick or GraphicsMagick command line.
</p>
<p>Tested on both Ruby 1.9.2 and Ruby 1.8.7.
</p>
<p>If the URL comes from an untrusted source, shell commands can be injected
into it with the ; character, giving remote code execution.
</p>
<pre>image = MiniMagick::Image.open(remoteurl)
image.resize "5x5"
image.format "gif"
image.write "localcopy.gif"
</pre>
<p>./hcatlin-mini_magick-1.3.1/lib/mini_magick.rb
</p>
<p>Lines:
</p>
<pre>172       command = "#{MiniMagick.processor} #{command} #{args.join(' ')}".strip
173
174       if ::MiniMagick.use_subexec
175         sub = Subexec.run(command, :timeout =&gt; MiniMagick.timeout)
176         exit_status = sub.exitstatus
177         output = sub.output
178       else
179         output = `#{command} 2&gt;&amp;1`
180         exit_status = $?.exitstatus
181       end
</pre>
<p>The .strip only removes whitespace from the beginning and end of the
command string; it does not escape shell metacharacters, so the interpolated
URL reaches the shell unchanged.
</p>
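<p>As an added example (not code from this advisory or from the mini_magick project), the Ruby below reproduces the vulnerable shape of the fallback path above and contrasts it with two shell-safe alternatives: passing argv as separate strings so no shell is involved, and, where a shell is unavoidable, quoting each argument with Shellwords. The <code>echo</code> binary is a stand-in for the ImageMagick processor and the tainted argument is constructed, so the script runs offline.
</p>

```ruby
require 'open3'
require 'shellwords'

# Vulnerable shape, mirroring the backtick branch in mini_magick 1.3.1:
# every argument is interpolated into a single string that `...` hands to
# /bin/sh, so shell metacharacters inside an argument (here, a user-supplied
# URL) are parsed as shell syntax instead of reaching the processor intact.
def run_via_shell(processor, args)
  command = "#{processor} #{args.join(' ')}".strip
  output = `#{command} 2>&1`
  [output, $?.exitstatus]
end

# Fix 1: pass argv as separate strings. Ruby's spawn() then exec()s the
# processor directly with no shell, so each argument arrives byte-for-byte.
def run_without_shell(processor, args)
  output, status = Open3.capture2e(processor, *args)
  [output, status.exitstatus]
end

# Fix 2: if a shell is unavoidable (e.g. to keep the 2>&1 redirection),
# quote every argument with Shellwords so the shell treats it as one literal
# word. Array#shelljoin is provided by the shellwords standard library.
def run_via_shell_escaped(processor, args)
  command = ([processor] + args).shelljoin
  output = `#{command} 2>&1`
  [output, $?.exitstatus]
end

# Constructed stand-in input: a "remote URL" carrying a harmless trailing
# command. `echo` stands in for the ImageMagick processor.
TAINTED_ARG = 'http://example.invalid/image.png; echo INJECTED'

if __FILE__ == $0
  puts run_via_shell('echo', [TAINTED_ARG])[0]          # prints a second line: INJECTED
  puts run_without_shell('echo', [TAINTED_ARG])[0]      # prints the argument literally
  puts run_via_shell_escaped('echo', [TAINTED_ARG])[0]  # prints the argument literally
end
```

<p>The first call shows the defect the advisory describes: the shell splits the interpolated string at the semicolon and runs a second command. Both fixed variants deliver the whole string to the processor as one argument; the argv form is preferable because it removes the shell from the picture entirely, and it is also how Subexec-style wrappers should be invoked.
</p>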
<p>Larry W. Cashdollar<br>
@_larry0<br>
<a href="http://vapid.dhs.org">http://vapid.dhs.org</a></p></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/