RubySec

Providing security resources for the Ruby community

OSVDB-110439 (dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution

GEM

dragonfly

PATCHED VERSIONS

  • >= 1.0.7

DESCRIPTION

Dragonfly Gem for Ruby contains a flaw in its image uploading and processing functionality that is due to the gem failing to restrict the arbitrary commands passed to ImageMagick's convert. This may allow a remote attacker to gain read/write access to the filesystem and execute arbitrary commands.
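As an added, defender-side example (not RubySec's or the dragonfly project's own code): a small Ruby check that reads a Gemfile.lock and reports whether the pinned dragonfly version falls outside the patched range given above. The lockfile text is constructed for the example.

```ruby
require "rubygems"

# Patched versions from this advisory (OSVDB-110439).
PATCHED_VERSIONS = [">= 1.0.7"].freeze

# Constructed sample Gemfile.lock: an unpatched dragonfly alongside other gems.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.3.8)
      dragonfly (1.0.5)
        addressable (~> 2.3)
        multi_json (~> 1.0)
        rack (>= 1.3)
      multi_json (1.11.2)
      rack (1.6.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    dragonfly
LOCK

# Map gem name => Gem::Version for the top-level spec lines of a Gemfile.lock.
# Only lines indented exactly four spaces carry a resolved version; the
# deeper-indented lines beneath them are dependency requirements and are skipped.
def lockfile_versions(text)
  text.each_line.with_object({}) do |line, versions|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
end

# True when the version satisfies at least one patched requirement.
def patched?(version, patched = PATCHED_VERSIONS)
  patched.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns the affected dragonfly version string, or nil if absent or patched.
def vulnerable_dragonfly(lockfile_text)
  version = lockfile_versions(lockfile_text)["dragonfly"]
  return nil if version.nil? || patched?(version)
  version.to_s
end
```

Calling vulnerable_dragonfly(File.read("Gemfile.lock")) on a real project returns the affected version string when an upgrade to 1.0.7 or later is needed, and nil otherwise.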