My colleagues and I in the Drupal Security Team recently became aware of a Zero Day RCE vulnerability in Ghostscript. This was later assigned CVE-2021-3781.

At least one viable Proof of Concept (PoC) was made public not long after the Zero Day which illustrated Scalable Vector Graphics (SVG) handling in Imagemagick being used as an attack vector.

Drupal core doesn't use Ghostscript directly, but it's fairly common for Drupal sites to use Imagemagick in some form.

As such, we began to look at how an attacker might try to exploit the Ghostscript vulnerability via SVG and Imagemagick on a Drupal site.

Our goal in such an investigation is to determine whether it would be sufficiently easy, with a common Drupal configuration, that we ought to issue a Public Security Announcement (PSA) warning Drupal users and providing any mitigation steps they might be able to take until an upstream fix was available.

Here's a quick write-up of some of the investigation I did.

We'd determined that SVG is not in the default list of permitted image extensions in Drupal. However, the PoC write-up showed Imagemagick being tricked into parsing an SVG with a fake jpg extension.

I verified that in Drupal 9 the built-in file type detection prevented a malicious SVG from being smuggled into an upload with a permitted file extension.

Drupal 7 core by itself doesn't have this protection, although modules are available that add e.g.

How might an attacker try to take advantage of this?

Drupal core has built-in support for "image styles" which can perform preset transformations on uploaded images. For example, a thumbnail image is often prepared to show in previews of articles.

So a Drupal site which uses Imagemagick to handle image processing (GD is the default in core but alternative "image toolkits" are available) might be exploited if an attacker could upload a malicious SVG and have the site try to perform an image manipulation on this, such as resizing it to prepare a thumbnail.

This sort of functionality is quite common - for example - when a newly registered user uploads a profile picture. That would make a good target for an attacker.
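As an added illustration (not code from this post, from Drupal core or from any contributed module), here is the kind of content-versus-extension check that the Drupal 9 file type detection described above performs and that a Drupal 7 site would otherwise need from a module: it sniffs the leading bytes of an upload and rejects a file whose content is SVG/XML markup while its filename claims a permitted raster extension, so Imagemagick is never asked to process it. The module name `mysite_upload`, the helper function names and the 64-byte sniff window are assumptions; `hook_file_validate()` is the real Drupal 7 validation hook.

```php
<?php
// Added example, not part of the original post or of Drupal core.
// Leading bytes ("magic") for the raster extensions Drupal permits by default.
function mysite_upload_expected_signatures($extension) {
  $signatures = [
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'gif'  => ["GIF87a", "GIF89a"],
  ];
  return $signatures[strtolower($extension)] ?? [];
}

// TRUE when the leading bytes look like XML or SVG text, i.e. something
// Imagemagick would hand to its SVG delegate regardless of the extension.
function mysite_upload_looks_like_svg($head) {
  // Skip a UTF-8 BOM and leading whitespace before looking at the markup.
  $text = ltrim(preg_replace('/^\xEF\xBB\xBF/', '', $head));
  return (bool) preg_match('/^<(\?xml|!DOCTYPE\s+svg|svg)\b/i', $text);
}

// Compare the file content with the extension the filename claims.
// Returns an array of error strings; an empty array means "acceptable".
function mysite_upload_check_content($path, $filename) {
  $extension = pathinfo($filename, PATHINFO_EXTENSION);
  // Only the first 64 bytes are needed for every check below (assumption).
  $head = (string) file_get_contents($path, FALSE, NULL, 0, 64);
  if (mysite_upload_looks_like_svg($head)) {
    // SVG markup is rejected whatever the extension says.
    return ["$filename contains SVG/XML markup but claims to be a .$extension image."];
  }
  $expected = mysite_upload_expected_signatures($extension);
  if (!$expected) {
    // Not a raster extension we know; leave it to the other validators.
    return [];
  }
  foreach ($expected as $magic) {
    if (strncmp($head, $magic, strlen($magic)) === 0) {
      return [];
    }
  }
  return ["The content of $filename does not match its .$extension extension."];
}

/**
 * Implements hook_file_validate() (Drupal 7 API).
 */
function mysite_upload_file_validate($file) {
  return mysite_upload_check_content($file->uri, $file->filename);
}
```

Because the check runs in the validation phase, a rejected upload is never saved, so no image style (thumbnail, profile picture) is ever generated from it.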