Reply to post: Re: That's the unix way of doing things..

Server-jacking exploits for ImageMagick are so trivial, you'll scream

Frumious Bandersnatch

Re: That's the unix way of doing things..

I'll tell you a true story. Back in Uni, we had a practical programming exam (in Basic) on the mainframe. The lecturer had set up a restricted environment where commands that could be used to cheat (those relating to sending messages to other users and accessing shared folders) were disabled by using aliases. I noticed that I could undo these aliases from within the Basic interpreter. I hacked the system by asking the lecturer if we could use the Basic interpreter during the exam, because it was more convenient for testing things quickly. They didn't see the problem and whitelisted the interpreter. So after finishing my assignment, I had a bit of fun messaging my mates to show that I'd broken out of the jail.

The moral of the story is not that there's anything wrong with interpreters (like your diatribe against shells) but the context that they're allowed to be used from. ImageMagick evolved from being a command-line tool and now it's being used in an unsafe context. That is all.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2021