Remote command injection if the filename or geometry values supplied by the user contain any shell metacharacters. In the following code snippet, user-supplied data is interpolated directly into the command line, which is then handed to a shell via backticks.

./attachment_on_the_fly-0.1.2/lib/attachment_on_the_fly.rb (lines 94-105)

    if kind == "height"
      # resize_image infilename, outfilename, 0, height
      command = "#{convert_command_path}convert -colorspace RGB -geometry x#{height} -quality 100 -sharpen 1 #{original} #{newfilename} 2>&1 > /dev/null"
    elsif kind == "width"
      # resize_image infilename, outfilename, width
      command = "#{convert_command_path}convert -colorspace RGB -geometry #{width} -quality 100 -sharpen 1 #{original} #{newfilename} 2>&1 > /dev/null"
    elsif kind == "both"
      # resize_image infilename, outfilename, height, width
      command = "#{convert_command_path}convert -colorspace RGB -geometry #{width}x#{height} -quality 100 -sharpen 1 #{original} #{newfilename} 2>&1 > /dev/null"
    end

    `#{command}`

If a filename contains a shell metacharacter such as ';', for example, code can be injected into the command line.

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org
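The following is an added example, not the gem's own code, showing how the same convert invocation can be built as an argument vector so that no shell ever parses the user-controlled filename or geometry. The integer-only geometry pattern, the base_dir confinement and the helper names are assumptions for illustration.

```ruby
require "open3"

# Geometry parts must be plain positive integers; anything else (including a
# value carrying ';' or other metacharacters) is rejected before use.
GEOMETRY_RE = /\A\d{1,5}\z/

def int!(v)
  raise ArgumentError, "bad geometry value #{v.inspect}" unless v.to_s.match?(GEOMETRY_RE)
  v.to_s
end

# Same three cases as the gem, but each value is validated on the way in.
def geometry_for(kind, width, height)
  case kind
  when "height" then "x#{int!(height)}"
  when "width"  then int!(width)
  when "both"   then "#{int!(width)}x#{int!(height)}"
  else raise ArgumentError, "unknown resize kind #{kind.inspect}"
  end
end

# Resolve a user-supplied name under base_dir and refuse anything that escapes it.
# The result is always an absolute path, so convert cannot mistake it for an option.
def safe_path(name, base_dir)
  full = File.expand_path(name, base_dir)
  unless full.start_with?(File.join(base_dir, ""))
    raise ArgumentError, "path escapes #{base_dir}: #{name.inspect}"
  end
  full
end

def build_convert_argv(kind, original, newfilename, width: nil, height: nil,
                       base_dir:, convert_command_path: "")
  ["#{convert_command_path}convert", "-colorspace", "RGB",
   "-geometry", geometry_for(kind, width, height),
   "-quality", "100", "-sharpen", "1",
   safe_path(original, base_dir), safe_path(newfilename, base_dir)]
end

# Passing an argv to Open3.capture2e (rather than one command string) runs
# convert directly; there is no shell to interpret metacharacters.
def run_convert(argv)
  out, status = Open3.capture2e(*argv)
  raise "convert failed (#{status.exitstatus}): #{out}" unless status.success?
  out
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: well-formed values produce a plain argv for convert.
  p build_convert_argv("both", "in.jpg", "out.jpg", width: "100", height: "80",
                       base_dir: "/tmp/uploads")
end
```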