exploitDog
GHSA-mxjr-xmcg-fg7w

Published: Jun 27, 2019
Source: github
GitHub: Reviewed
CVSS3: 6.5

Description

Arbitrary Code Injection in mobile-icon-resizer

mobile-icon-resizer resizes large images for use as icons for iOS and Android.

mobile-icon-resizer has a code execution vulnerability in versions before 0.4.3.

mobile-icon-resizer takes an options object as an argument that points at the configuration file defining the resulting icons, as follows:

    var options = { config: './config.js' };
    resize(options, function (err) {});

config.js must be a file on the filesystem and looks something like this:

    var config = {
      iOS: {
        "images": [
          /* iOS image definitions are not vulnerable */
        ]
      },
      android: {
        "images": [
          {
            "baseRatio": "console.log('Executing script as baseRatio property')",
            "folder": "drawable-ldpi"
          },
          {
            "ratio": "console.log('Executing script as ratio property')",
            "folder": "drawable-mdpi"
          },
          /* other android image definitions ... */
        ]
      }
    };
    exports = module.exports = config;

The android image parameters ratio and baseRatio are passed directly to eval(), so any JavaScript placed in those string values is executed in the process that runs the resizer (CWE-94, code injection).

Recommendation

Update to version 0.4.3 or later.

Packages

Name: mobile-icon-resizer (npm)
Affected versions: >= 0.2.0, < 0.4.3
Fixed version: 0.4.3

CVSS3: 6.5 Medium

Weaknesses: CWE-94