
[Full-disclosure] Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem



TITLE: Remote Command Injection in fog-dragonfly-0.8.2 Ruby Gem

Credit: Larry W. Cashdollar, @_larry0

Date: 8/16/2013

CVE: 2013-5671

Download: https://rubygems.org/gems/fog-dragonfly

Description:

"Dragonfly is an on-the-fly Rack-based image handling framework. It is
suitable for use with Rails, Sinatra and other web frameworks. Although it's
mainly used for images, it can handle any content type."

Unescaped user-supplied input is passed to the command line for shell
execution:

from fog-dragonfly-0.8.2/lib/dragonfly/image_magick_utils.rb:

    def convert(temp_object, args='', format=nil)
      tempfile = new_tempfile(format)
      run "#{convert_command} #{args} #{temp_object.path} #{tempfile.path}"
      tempfile
    end
...
    def run(command)
      log.debug("Running command: #{command}") if ImageMagickUtils.log_commands
      begin
        result = `#{command}`

Vendor Notified: 8/16/2013
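As an added example (not code from the advisory or from the dragonfly project), the string-building pattern quoted above sits beside an argv-based rewrite; `/bin/echo` stands in for ImageMagick's convert so the demo runs without ImageMagick, and `hardened_argv`/`run_argv` are assumed replacement helpers, not dragonfly's own API.

```ruby
require 'open3'

# Vulnerable shape from the advisory: every piece, including caller-supplied
# `args`, is glued into one string that the backtick operator hands to /bin/sh.
def vulnerable_command(convert_command, args, in_path, out_path)
  "#{convert_command} #{args} #{in_path} #{out_path}"
end

def run_via_shell(command)
  out, _status = Open3.capture2(command) # single string => /bin/sh parses it
  out
end

# Hardened shape (assumed rewrite, not dragonfly's own code): options arrive as
# an Array of discrete tokens and are executed as an argv vector, so no shell
# is involved and metacharacters inside a token stay literal.
def hardened_argv(convert_command, args, in_path, out_path)
  raise ArgumentError, 'args must be an Array of option strings' unless args.is_a?(Array)
  [convert_command, *args.map(&:to_s), in_path, out_path]
end

def run_argv(argv)
  out, _status = Open3.capture2(*argv) # array => execve directly, no shell
  out
end

# Constructed demo input: the tail of the "option" is a second command.
DEMO_ARGS = '-resize 10x10; echo injected'.freeze

# echo prints exactly the argv it received, so the output shows whether the
# shell split the input into two commands or one program got it verbatim.
def demo_vulnerable
  run_via_shell(vulnerable_command('echo', DEMO_ARGS, 'in.png', 'out.png'))
end

def demo_hardened
  run_argv(hardened_argv('echo', DEMO_ARGS.split(' ', 2), 'in.png', 'out.png'))
end

if __FILE__ == $PROGRAM_NAME
  puts "shell string: #{demo_vulnerable.inspect}" # two commands ran
  puts "argv vector:  #{demo_hardened.inspect}"   # one command, literal ';'
end
```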
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/