ImageMagick
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*
- < 7.1.2-15
- < 6.9.13-40
A local file disclosure (path traversal) vulnerability has been identified in ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. The path security policy is matched against the filename exactly as supplied, before the filesystem resolves it. A filename containing traversal components (the `../` sequences the mitigation rule below targets) is therefore compared in its unnormalized form against patterns such as those in policy-secure.xml that restrict access to the /etc/ directory, and does not match them. The policy permits the read, the operating system then resolves the traversal, and the restricted file is opened. The bypass works even when the policy-secure.xml policy is in use.
Successful exploitation results in unauthorized reading of files that the path policy was meant to block, i.e. local file disclosure.
Users should update to ImageMagick 7.1.2-15 or 6.9.13-40, where this vulnerability has been patched. As a defense-in-depth measure, and to block traversal sequences on unpatched builds, the following rule should be added to policy.xml: '<policy domain="path" rights="none" pattern="*../*"/>'. Because it grants no rights at all, the rule denies both reads and writes of any path containing a traversal sequence; ImageMagick's more secure bundled policies will include it by default.
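The following is an added example, not ImageMagick's own code, that models the flaw described above and the two ways of closing it: normalizing the path before the policy check (the behaviour of the patched versions, modelled here), and the extra '*../*' deny rule as a policy-level mitigation. The policy fragment is constructed for the demo in policy.xml syntax; fnmatch stands in for ImageMagick's glob matcher and posixpath.normpath (relative to an assumed working directory of /tmp) stands in for filesystem resolution. Both substitutions are assumptions of this example.

```python
"""Model of a policy-before-resolution path check (added example, not
ImageMagick's code). fnmatch approximates ImageMagick's glob matcher and
posixpath.normpath approximates filesystem resolution; both are assumptions."""
import fnmatch
import posixpath
import xml.etree.ElementTree as ET

# Constructed policy fragment. The first rule models the /etc/ restriction
# found in policy-secure.xml; the second is the mitigation rule the advisory
# recommends adding.
POLICY_XML = """<policymap>
  <policy domain="path" rights="none" pattern="/etc/*"/>
  <policy domain="path" rights="none" pattern="*../*"/>
</policymap>"""

DEFAULT_RIGHTS = "read|write"  # what a path gets when no rule matches
TRAVERSAL_RULE = "*../*"


def load_path_policies(xml_text, include_traversal_rule=True):
    """Return (pattern, rights) tuples for the domain="path" rules."""
    root = ET.fromstring(xml_text)
    rules = []
    for policy in root.findall("policy"):
        if policy.get("domain") != "path":
            continue
        pattern = policy.get("pattern", "")
        if not include_traversal_rule and pattern == TRAVERSAL_RULE:
            continue
        rules.append((pattern, policy.get("rights", "")))
    return rules


def rights_for(path, rules):
    """Rights of the first matching rule, else the permissive default."""
    for pattern, rights in rules:
        if fnmatch.fnmatchcase(path, pattern):
            return rights
    return DEFAULT_RIGHTS


def resolve(path, cwd="/tmp"):
    """Lexical stand-in for what the OS does with the name: anchor a
    relative path at the working directory and collapse '.'/'..'."""
    return posixpath.normpath(posixpath.join(cwd, path))


def read_allowed_vulnerable(path, rules):
    """Pre-fix behaviour: the policy sees the filename exactly as supplied."""
    return "read" in rights_for(path, rules)


def read_allowed_fixed(path, rules):
    """Patched behaviour (modelled): resolve first, then apply the policy."""
    return "read" in rights_for(resolve(path), rules)


if __name__ == "__main__":
    old_rules = load_path_policies(POLICY_XML, include_traversal_rule=False)
    new_rules = load_path_policies(POLICY_XML)
    for name in ("/etc/passwd", "/tmp/../etc/passwd", "../etc/passwd"):
        print(f"{name:22} vulnerable+old policy: "
              f"{read_allowed_vulnerable(name, old_rules)}  "
              f"fixed+old policy: {read_allowed_fixed(name, old_rules)}  "
              f"vulnerable+mitigation: {read_allowed_vulnerable(name, new_rules)}")
```

Running the block shows the three cases side by side: the direct name /etc/passwd is blocked everywhere, while the traversal forms slip past the unpatched matcher under the stock secure policy and are caught either by resolving before matching or by the added '*../*' rule. Note that posixpath.normpath is purely lexical; real filesystem resolution also follows symlinks, which is one reason to keep the deny rule as a belt-and-braces layer even on patched builds.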