Threat posed by Ruby Gem Dragonfly flaws is unarguable
Security researchers have traced an argument injection vulnerability in content management systems (CMS) to flaws in Ruby Gem Dragonfly, an image handling library.
New Zealand security consultancy ZX Security uncovered the issue after encountering problems in configurations of Refinery CMS while carrying out security assessments for a client.
The researchers subsequently found that other content management systems that rely on the same vulnerable Dragonfly library, including Locomotive CMS and Alchemy CMS, were also at risk.
The flaw allowed exploits including arbitrary file read, arbitrary file write, and (given favourable conditions) remote code execution.
A technical write-up by ZX Security explains the issue in more detail.
The Daily Swig submitted a number of follow-up questions to ZX Security. We'll update this story as and when more information comes to hand.
The Dragonfly library handles functions such as generating image thumbnails and text images, or simply managing attachments in general. Argument injection vulnerabilities are a class of attack in which untrusted inputs are passed as arguments while executing a particular command, so that the input is interpreted as an option or an extra argument rather than as plain data.
The security weakness sets the scene for OS command injection and related attacks.
Updating the Dragonfly Ruby Gem to 1.4.0 or above mitigates this issue. Alternatively, ensuring that the default Dragonfly verify_urls option is enabled provides an effective mitigation, according to ZX Security.
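To illustrate the argument injection class the article describes, here is an added Ruby example (not code from Dragonfly, the affected CMSs, or ZX Security's write-up). It contrasts the unsafe pattern of interpolating an untrusted value into a shell command string with an allowlist check plus argv-array construction, the two controls a defender would apply to any image-processing wrapper. The tool name `convert`, the `-resize` flag, the geometry format and the `in.jpg`/`out.jpg` paths are constructed placeholders for a hypothetical resize operation, and nothing here reflects Dragonfly's actual internals.

```ruby
require "shellwords"

# Allowlist for the only shape a resize geometry should ever take, e.g. "300x200".
# Anything with a leading dash, whitespace or extra tokens fails this check.
GEOMETRY_RE = /\A\d{1,5}x\d{1,5}\z/

# True only when the untrusted value matches the expected shape exactly, so it can
# never be mistaken for a command-line option or split into a second argument.
def safe_geometry?(value)
  value.is_a?(String) && value.match?(GEOMETRY_RE)
end

# UNSAFE pattern (constructed for illustration): interpolating untrusted input into
# a shell string. A value such as "300x200 -extra option" becomes additional
# arguments once the shell tokenises the string.
def unsafe_command_string(geometry)
  "convert in.jpg -resize #{geometry} out.jpg"
end

# Number of argv tokens a POSIX shell would derive from the command string.
# An injected value inflates this count; that is the observable symptom.
def shell_token_count(command)
  Shellwords.split(command).length
end

# SAFE pattern: validate against the allowlist first, then build argv as an array
# so that no shell parses it and each element is passed to the program verbatim.
# Raises ArgumentError instead of silently passing a suspicious value through.
def build_resize_argv(tool, input_path, geometry, output_path)
  unless safe_geometry?(geometry)
    raise ArgumentError, "rejected geometry #{geometry.inspect}"
  end
  [tool, input_path, "-resize", geometry, output_path]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate, one carrying injected tokens.
  %w[300x200 300x200\ -extra\ option].each do |value|
    cmd = unsafe_command_string(value)
    puts "#{value.inspect}: #{shell_token_count(cmd)} shell tokens, allowlisted=#{safe_geometry?(value)}"
  end
end
```

The argv array form (what Ruby's `Process.spawn` or `Open3.capture2` accept when given multiple arguments) prevents the shell from splitting the value, but on its own it does not stop a value that begins with a dash from being read as an option by the invoked program; that is why the allowlist check runs first. Dragonfly's `verify_urls` option, which the article names as a mitigation, is a separate control at the URL layer and is not modelled here.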