CodeIgniter Command Injection Vulnerability in ImageMagick Handler

Vulnerability

A command injection vulnerability has been identified in CodeIgniter versions prior to 4.6.2. This issue affects applications using the ImageMagick handler for image processing, specifically with the 'imagick' library. The vulnerability arises when an application accepts file uploads with user-controlled filenames and passes them to the 'resize()' method, or when the 'text()' method is called with user-controlled text or options. An attacker could exploit this by uploading a file whose filename contains shell metacharacters, which are then executed during image processing, or by supplying text content or options that are executed when text is added to an image.

Impact

Exploitation of this vulnerability allows for command injection, where an attacker can execute arbitrary commands on the server with the application's privileges. This could lead to unauthorized access to files, modification of data, or disruption of service by crashing or restarting the application.

Reproduction

To reproduce this vulnerability, upload a file through a feature that allows user-controlled filenames, ensuring the filename includes shell metacharacters. Alternatively, use the 'text()' method with injected text that includes metacharacters. After processing the image, check for the execution of the injected commands, such as the creation of a file that should not have been generated.

Remediation

Users are advised to upgrade to CodeIgniter version 4.6.2 or later. If an immediate upgrade is not possible, switch to the GD image handler, which is not vulnerable to this issue. For applications that handle file uploads, use random filenames to avoid the injection vector, and for text operations, sanitize input to allow only safe characters.
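The two code-level mitigations above (random server-side filenames and an allow-list for text passed to 'text()') as they might look in a CodeIgniter 4 controller. This is an added illustrative example, not code from the advisory or from the CodeIgniter project; the controller name, the 'avatar' and 'caption' form fields and the upload directory under WRITEPATH are assumptions.

```php
<?php
// Added defensive example (not from the advisory or the CodeIgniter project).
// UploadController, the 'avatar'/'caption' field names and the WRITEPATH
// target directory are assumptions for illustration.

namespace App\Controllers;

use CodeIgniter\Controller;
use Config\Services;

class UploadController extends Controller
{
    public function upload()
    {
        $file = $this->request->getFile('avatar');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('invalid upload');
        }

        // Mitigation 1: never reuse the client-supplied name. getRandomName()
        // builds a timestamp-plus-random-hex name and keeps only the extension,
        // so shell metacharacters from the original filename never reach the
        // ImageMagick command line. The extension is still derived from the
        // upload, so keep your usual MIME/extension validation rules as well.
        $safeName = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $safeName);
        $path = WRITEPATH . 'uploads/' . $safeName;

        // Mitigation 2: allow-list the caption before it is passed to text().
        $caption = self::sanitizeCaption((string) $this->request->getPost('caption'));

        Services::image('imagick')
            ->withFile($path)
            ->resize(256, 256, true)
            ->text($caption, ['vAlign' => 'bottom', 'hAlign' => 'center'])
            ->save($path);

        return $this->response->setBody('ok');
    }

    /**
     * Keep only characters that cannot alter a shell command: letters, digits,
     * spaces and a small set of punctuation. Everything else is dropped and the
     * result is length-limited so it cannot be abused as an oversized argument.
     */
    public static function sanitizeCaption(string $text): string
    {
        $clean = preg_replace('/[^A-Za-z0-9 .,!?-]/', '', $text) ?? '';

        return mb_substr(trim($clean), 0, 64);
    }
}
```

The allow-list is deliberately narrow; widen it only with characters you have confirmed are harmless in the handler's command construction, and prefer rejecting the request over silently stripping when the caption is security-relevant. Note that the text options array (alignment, colour, font path and so on) must likewise come from fixed server-side values, never from the request.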

Added: Jul 28, 2025, 3:17 PM
Updated: Jul 28, 2025, 3:17 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread            5.2
impact           10.0
exploitability    9.3
remediation       8.3
relevance         0.3
threat            4.9
urgency           2.9
incentive        10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.