RubySec

Providing security resources for the Ruby community

OSVDB-110439 (fog-dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution

ADVISORIES

  • OSVDB-110439

GEM

fog-dragonfly

PATCHED VERSIONS

  • >= 0.8.4

DESCRIPTION

Dragonfly Gem for Ruby contains a flaw in its image uploading and processing that is due to the gem failing to restrict the arguments passed to ImageMagick's `convert` command. This may allow a remote attacker to gain read/write access to the filesystem and execute arbitrary commands.

This gem has been renamed. Please use "dragonfly" from now on.
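The practical question a maintainer has on reading this advisory is whether a given application still locks the affected gem below the patched range. The following Ruby script is an added example, not part of the RubySec advisory or the Dragonfly project: it parses the `specs:` section of a Bundler `Gemfile.lock` (the standard four-space `name (version)` layout is assumed) and reports whether `fog-dragonfly` is pinned to a version outside the `>= 0.8.4` range stated above. The embedded lockfile text and the `0.8.2` version in it are constructed sample input. The renamed `dragonfly` gem is not flagged, since the advisory makes no statement about it beyond recommending the rename.

```ruby
require "rubygems"

# Patched range as given in OSVDB-110439 for fog-dragonfly.
AFFECTED_GEM = "fog-dragonfly"
PATCHED      = Gem::Requirement.new(">= 0.8.4")

# Constructed sample Gemfile.lock (not from any real project); the 0.8.2
# pin is deliberately below the patched range.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fog-dragonfly (0.8.2)
        fog (>= 1.0)
      fog (1.20.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    fog-dragonfly
LOCK

# Return {gem_name => Gem::Version} for every resolved gem in the lockfile.
# Resolved specs sit at exactly four spaces of indentation; their
# dependency lines (six spaces) and the DEPENDENCIES section (two spaces)
# are skipped because they carry requirements, not resolved versions.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}([A-Za-z0-9_.\-]+) \(([^)\s]+)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# True when fog-dragonfly is locked to a version the advisory marks as
# unpatched; false when it is absent or already at a patched version.
def vulnerable_to_osvdb_110439?(lockfile_text)
  version = locked_versions(lockfile_text)[AFFECTED_GEM]
  return false if version.nil?
  !PATCHED.satisfied_by?(version)
end

# Human-readable summary for a lockfile, usable from a CI step.
def advisory_report(lockfile_text)
  version = locked_versions(lockfile_text)[AFFECTED_GEM]
  if version.nil?
    "#{AFFECTED_GEM}: not present in lockfile"
  elsif vulnerable_to_osvdb_110439?(lockfile_text)
    "#{AFFECTED_GEM} #{version}: VULNERABLE (OSVDB-110439), upgrade to #{PATCHED} or migrate to the 'dragonfly' gem"
  else
    "#{AFFECTED_GEM} #{version}: patched"
  end
end

if $PROGRAM_NAME == __FILE__
  # Pass a path to scan a real lockfile; otherwise use the constructed sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts advisory_report(text)
end
```

Running the script with no arguments scans the constructed sample and reports the 0.8.2 pin as vulnerable; passing a path to a real `Gemfile.lock` scans that file instead. The check is deliberately limited to the one range the advisory states, so an unexpected lockfile layout produces "not present" rather than a false sense of safety; pair it with a full audit tool for anything broader.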