Image Magick Vulnerability

 
Post new topic   Reply to topic    Aprelium Forum Index -> PHP
View previous topic :: View next topic  
Author Message
Lawrence
-


Joined: 16 Jan 2003
Posts: 203
Location: Brisbane, AU

PostPosted: Wed May 04, 2016 9:52 am    Post subject: Image Magick Vulnerability Reply with quote

While not specifically PHP related, there is a newly announced serious vulnerability with Image Magick, as detailed on Ars:

http://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/

The fix, or at least workaround, is simple:

https://gist.github.com/rawdigits/d73312d21c8584590783a5e07e124723

^ Simply add those five lines to your Image Magick policy.xml file, and it'll prevent the problem in filetypes you're probably not using anyway (ie: it doesn't affect JPG, PNG or GIF).

But it's a -serious- vulnerability. I couldn't find anything that specifically indicates that it's a Linux-only issue, but I assume it's a problem for Windows users as well.

A fixed version of IM should be released ASAP, with luck Aprelium will be bundling it with their new PHP release. ^_^
_________________
[ Please stop confusing your opinion with fact. ]
Back to top View user's profile Send private message Visit poster's website ICQ Number
admin
Site Admin


Joined: 03 Mar 2002
Posts: 772

PostPosted: Wed May 04, 2016 11:47 am    Post subject: Re: Image Magick Vulnerability Reply with quote

Lawrence,

As far as we understood, policy.xml is meant for ImageMagick command line tools and not the library (as used in PHP.)

In PHP, limits and restrictions are partly imposed by the programming language core (PHP) and by the Imagick::setResourceLimit() API call.

References:
* http://stackoverflow.com/questions/2121137/limit-number-of-threads-in-imagick-php
* http://php.net/manual/en/imagick.setresourcelimit.php
_________________
Forum Administrator
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message
Lawrence
-


Joined: 16 Jan 2003
Posts: 203
Location: Brisbane, AU

PostPosted: Wed May 04, 2016 12:49 pm    Post subject: Reply with quote

OK, so if I understand you correctly, it's only for users with command-line access to the server? Phew!

Though... Not sure why it would be such a widespread vulnerability in that case.
_________________
[ Please stop confusing your opinion with fact. ]
Back to top View user's profile Send private message Visit poster's website ICQ Number
Lawrence
-


Joined: 16 Jan 2003
Posts: 203
Location: Brisbane, AU

PostPosted: Wed May 04, 2016 1:10 pm    Post subject: Reply with quote

Reading up on it further, this does seem to be a more critical issue. From the Ars article:

Quote:
ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.


Websites that allow users to upload images are at risk.

Basically, specially crafted images cause code execution. It doesn't seem to be limited to the command line, as I interpret the news.
_________________
[ Please stop confusing your opinion with fact. ]
Back to top View user's profile Send private message Visit poster's website ICQ Number
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> PHP All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group