[dokuwiki] [SECURITY ALERT] problems in fetch.php

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx <dokuwiki@xxxxxxxxxxxxx>
  • Date: Tue, 26 Sep 2006 22:45:05 +0200

Hi all!

Another two vulnerabilities have been discovered in DokuWiki. Both are
mostly harmful for users of ImageMagick's convert utility only, but
should be quickly fixed by everyone.


The first one is a possible denial of service vulnerability caused by
allowing images to be resized without limit. When libGD is used (default)
the needed RAM is calculated beforehand and the function aborts if not
enough RAM for the PHP process is available (typically 8 to 32MB).
However if ImageMagick ($conf['imconvert']) is used, no such limit
exists, allowing an attacker to potentially consume a lot of system
resources.

More info and how to fix this is available at
http://bugs.splitbrain.org/?do=details&id=924


While examining this problem I discovered another, more serious one.
The input parameters for width and height are not sanitized properly,
which can be used by an attacker to introduce arbitrary shell commands
into the ImageMagick command line. I was not able to exploit this with the
default libGD option but all users should apply the fix as soon as
possible anyway.

More info and how to fix this is available at
http://bugs.splitbrain.org/?do=details&id=926



Both problems are fixed in the new hotfixed tarball available at
http://www.splitbrain.org/go/dokuwiki

Andi

-- 
http://www.splitbrain.org
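
Added example, not part of the original message and not DokuWiki's actual fix: one way to guard against both problems described above, by accepting width and height only as bounded integers before they reach the convert command line. The function names, the limits and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not DokuWiki code. Names and limits are assumptions.
const MAX_DIMENSION = 4000;      // assumed per-side cap, in pixels
const MAX_PIXELS    = 4000000;   // assumed cap on width*height (bounds memory)

/**
 * Return the dimension as an int, or null unless the raw request value is
 * a plain decimal integer in the range 1..MAX_DIMENSION.
 */
function clean_dimension($raw): ?int
{
    // Digits only: anything carrying shell metacharacters, spaces,
    // signs or option text is rejected instead of being "cleaned up".
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_DIMENSION]]);
    return $n === false ? null : $n;
}

/**
 * Build the resize command from validated values only.
 * Returns null when the request has to be refused.
 */
function build_resize_command(string $convert, string $src, string $dst, $w, $h): ?string
{
    $w = clean_dimension($w);
    $h = clean_dimension($h);
    if ($w === null || $h === null || $w * $h > MAX_PIXELS) {
        return null;             // malformed or oversized request
    }
    // $w and $h are ints here and are formatted with %d;
    // the paths are quoted for the shell as well.
    return sprintf('%s -resize %dx%d %s %s',
        escapeshellarg($convert), $w, $h,
        escapeshellarg($src), escapeshellarg($dst));
}

// Constructed request values, as they would arrive in a query string.
$samples = [['320', '240'], ['4000', '1000'], ['4000', '4000'],
            ['99999', '10'], ['100; echo x', '100'], ['-1', '100']];
foreach ($samples as [$w, $h]) {
    $cmd = build_resize_command('/usr/bin/convert', 'in.png', 'out.png', $w, $h);
    printf("%-12s x %-5s => %s\n", $w, $h, $cmd ?? 'REFUSED');
}
```

Only the first two sample requests produce a command; the rest are refused before any shell is involved.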
