Security researchers have traced an argument injection vulnerability in content management systems (CMS) to flaws in Ruby Gem Dragonfly, an image handling library.
New Zealand security consultancy ZX Security uncovered the problem after encountering issues in configurations of Refinery CMS while carrying out security assessments for a client.
The researchers subsequently discovered that other content management systems that rely on the same vulnerable Dragonfly library – including Locomotive CMS and Alchemy CMS – were also at risk.
The flaw allowed exploits including arbitrary file read, arbitrary file write, and (given favourable conditions) remote code execution.
A technical write up by ZX Security explains the issue in more detail.
The Daily Swig submitted a number of follow-up questions to ZX Security. We’ll update this story as and when more information comes to hand.
The Dragonfly library handles functions such as generating image thumbnails and text images, or just managing attachments in general. Argument injection vulnerabilities are a class of attack that means untrusted inputs can be passed as arguments while executing a specific command.
The security weakness sets the scenes for running OS commend injection and similar attacks.
Updating the Dragonfly Ruby Gem to 1.4.0 or above would mitigate this issue. Alternatively, ensuring that the default Dragonfly verify_urls option is enabled offers an effective mitigation, according to ZX Security.