Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Argument injection vulnerability in image handling library affects content management systems

Security researchers have traced an argument injection vulnerability in content management systems (CMS) to flaws in Ruby Gem Dragonfly, an image handling library.

New Zealand security consultancy ZX Security uncovered the problem after encountering issues in configurations of Refinery CMS while carrying out security assessments for a client.

The researchers subsequently discovered that other content management systems that rely on the same vulnerable Dragonfly library – including Locomotive CMS and Alchemy CMS – were also at risk.

The flaw allowed exploits including arbitrary file read, arbitrary file write, and (given favourable conditions) remote code execution.

technical write up by ZX Security explains the issue in more detail.

The Daily Swig submitted a number of follow-up questions to ZX Security. We’ll update this story as and when more information comes to hand.

The Dragonfly library handles functions such as generating image thumbnails and text images, or just managing attachments in general. Argument injection vulnerabilities are a class of attack that means untrusted inputs can be passed as arguments while executing a specific command.

The security weakness sets the scenes for running OS commend injection and similar attacks.

Updating the Dragonfly Ruby Gem to 1.4.0 or above would mitigate this issue. Alternatively, ensuring that the default Dragonfly verify_urls option is enabled offers an effective mitigation, according to ZX Security.

Source: https://portswigger.net/daily-swig/argument-injection-vulnerability-in-image-handling-library-affects-content-management-systems

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO