ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access
The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams:
```xml
<policy domain="path" rights="none" pattern="-"/>
```
However, ImageMagick also supports `fd:<n>` pseudo-filenames (e.g., `fd:0`, `fd:1`). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”.
To resolve this, users can add the following change to their security policy.
```xml
<policy domain="path" rights="none" pattern="fd:*"/>
```
This rule will also be included in ImageMagick's more secure policies by default.
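The following audit check is an added example, not ImageMagick code: it reads the path rules from a policy file and reports which standard-stream filenames no `rights="none"` rule covers. The two sample policies are constructed from the rules quoted above; Python's `fnmatch` stands in for ImageMagick's own glob matcher, and rule ordering and additional policy files are ignored (both are assumptions of this sketch).

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: only the stdin/stdout rule quoted in the advisory.
SHIPPED = """<policymap>
  <policy domain="path" rights="none" pattern="-"/>
</policymap>"""

# Constructed sample: the same policy with the recommended rule added.
FIXED = """<policymap>
  <policy domain="path" rights="none" pattern="-"/>
  <policy domain="path" rights="none" pattern="fd:*"/>
</policymap>"""

# Filename forms that reach the standard streams: "-" and fd:<n> for n = 0..2.
STREAM_NAMES = ["-", "fd:0", "fd:1", "fd:2"]


def denied_path_patterns(policy_xml):
    """Return the patterns of all path-domain rules that grant no rights."""
    root = ET.fromstring(policy_xml)
    patterns = []
    for rule in root.iter("policy"):
        if rule.get("domain", "").lower() != "path":
            continue
        if rule.get("rights", "").lower() == "none":
            patterns.append(rule.get("pattern", ""))
    return patterns


def uncovered_stream_names(policy_xml, names=STREAM_NAMES):
    """List the stream filenames that no deny rule matches."""
    patterns = denied_path_patterns(policy_xml)
    return [
        name for name in names
        # Assumption: fnmatch approximates ImageMagick's glob semantics.
        if not any(fnmatch.fnmatchcase(name, p) for p in patterns)
    ]


if __name__ == "__main__":
    for label, policy in (("shipped", SHIPPED), ("fixed", FIXED)):
        gaps = uncovered_stream_names(policy)
        print(f"{label}: {'uncovered ' + ', '.join(gaps) if gaps else 'all stream names denied'}")
```

Run against a deployed `policy.xml`, a non-empty result means the denylist still has the gap described here.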
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
| # | CWE ID | Name | Description |
|---|--------|------|-------------|
| 1 | 937 | OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013. |
| 2 | 1035 | OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017. |
| 3 | 184 | Incomplete List of Disallowed Inputs | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. |