TITLE: Remote Command Injection in Ruby Gem lipsiadmin 5.1.9
DATE: 6/3/2013
AUTHOR: Larry W. Cashdollar (@_larry0)
DOWNLOAD: http://rubygems.org/gems/lipsiadmin, https://github.com/Lipsiasoft/lipsiadmin
DESCRIPTION: "Lipsiadmin is a new revolutionary admin for your projects. Lipsiadmin is based on Ext Js 3+. framework (with prototype adapter) and is ready for Rails 2.+"
VENDOR: Notified on 6/5/2013
FIX: N/A
CVE: TBD
DETAILS: The method Attachment.run() is used to convert images (i.e. resize, create thumbnails, etc.) by passing the user-supplied filename as an argument to various command line utilities supplied by ImageMagick. The command line is built by string interpolation and executed with backticks, so the shell parses it. Shell metacharacters in the filename aren't sanitized, allowing a remote user to inject commands into the shell via ';'.
From lipsiadmin-5.1.9/lib/data_base/attachment/attach.rb:

  def run(cmd, params = "", expected_outcodes = 0)
    # params (which carries the filename) is interpolated into a single string
    command = %Q<#{%Q[#{path_for_command(cmd)} #{params}].gsub(/\s+/, " ")}>
    command = "#{command} 2>#{bit_bucket}" if Attachment.options[:swallow_stderr]
    # backticks hand the whole string to /bin/sh, which interprets ';' and friends
    output = `#{command}`
    unless [expected_outcodes].flatten.include?($?.exitstatus)
      raise AttachmentCommandLineError, "Error while running #{cmd}"
    end
    output
  end

From ./lib/data_base/attachment/geometry.rb:

  # Uses ImageMagick to determine the dimensions of a file, passed in as either a
  # File or path.
  def self.from_file(file)
    file = file.path if file.respond_to? "path"
    geometry = begin
      # the filename is quoted but not escaped, so a '"' or ';' in it breaks out
      Attachment.run("identify", %Q[-format "%wx%h" "#{file}"[0]])
    rescue AttachmentCommandLineError
      ""
    end

From ./lib/data_base/attachment/thumbnail.rb:

    # src.path / dst.path come from the uploaded file's name and reach the shell
    # through the same run() method
    command = <<-end_command
      "#{ File.expand_path(src.path) }[0]"
      #{ transformation_command }
      "#{ File.expand_path(dst.path) }"
    end_command

    begin
      success = Attachment.run("convert", command.gsub(/\s+/, " "))
    rescue AttachmentCommandLineError
      raise AttachmentError, "There was an error processing the thumbnail for #{@basename}" if @whiny
    end
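The following is an added example, not lipsiadmin's code, showing why the interpolated command line above is unsafe and how the same ImageMagick call can be made without a shell. The names unsafe_command_line, safe_run, identify_args, shell_metachars? and CommandLineError are assumptions for this example; the hostile filename is constructed.

```ruby
require 'open3'

# Mirrors the vulnerable construction from geometry.rb: one string that is
# later handed to /bin/sh by backticks. Anything in `file` is shell syntax.
def unsafe_command_line(cmd, file)
  %Q[#{cmd} -format "%wx%h" "#{file}"[0]]
end

# Defense-in-depth check usable at upload time: reject names carrying shell
# metacharacters. The hardened runner below does not depend on it.
SHELL_METACHARS = /[;&|`$<>()\\"'\n]/
def shell_metachars?(name)
  !(name =~ SHELL_METACHARS).nil?
end

class CommandLineError < StandardError; end

# Hardened runner: an argv array given to Open3.capture2 is exec'd directly,
# so no shell ever parses the filename. Exit-code handling mirrors run().
def safe_run(cmd, *args, expected_outcodes: [0])
  output, status = Open3.capture2(cmd, *args)
  unless expected_outcodes.include?(status.exitstatus)
    raise CommandLineError, "Error while running #{cmd}"
  end
  output
end

# Argument vector for the geometry lookup: "file[0]" is a single argument,
# exactly what ImageMagick expects, whatever characters the name contains.
def identify_args(file)
  ["-format", "%wx%h", "#{file}[0]"]
end

if __FILE__ == $0
  file = "photo.jpg; echo injected"            # constructed hostile filename
  puts unsafe_command_line("identify", file)  # ';' would end the identify command
  puts safe_run("echo", *identify_args(file)) # ';' is inert: echo is exec'd, not sh
end
```

Running the script with ImageMagick installed, replace "echo" with "identify" and the hostile name is passed through as one literal argument.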