ImageMagick vulnerable to Code injection via PostScript header in ps coders

Vulnerability

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain two injection vulnerabilities in its output handling. The ps coders, which generate PostScript files, do not sanitize input before writing it into the PostScript header, allowing arbitrary PostScript code injection [1][3]. Similarly, the HTML encoder fails to escape strings, enabling injection of arbitrary HTML into generated HTML documents [3].

Exploitation

An attacker can craft a malicious image file that, when processed by ImageMagick (e.g., via convert to PostScript or HTML format), embeds injected code into the output. For PostScript output, the injected code is executed when the file is opened by a printer or a viewer like Ghostscript. For HTML output, the injected code is interpreted when the HTML file is viewed in a browser, potentially leading to cross-site scripting (XSS) [2].

Impact

Successful exploitation allows an attacker to execute arbitrary PostScript or HTML code in the context of the user or service processing the output. This can lead to remote code execution (for PostScript) or XSS (for HTML). Attackers require no authentication if the service processes untrusted images [2][3].

Mitigation

The vulnerabilities are fixed in ImageMagick versions 7.1.2-15 and 6.9.13-40. The commit introducing sanitization functions (FilenameToTitle) ensures only printable ASCII and balanced parentheses are included in PostScript headers [2]. Users should update to the latest versions and consider restricting use of the ps and html coders until patched.