There’s been a major vulnerability discovered in ImageMagick – known officially as CVE-2016-3714, or unofficially as ImageTragick. You can read more about this vulnerability in the Ars Technica article “Huge number of sites imperilled by critical image-processing vulnerability”, on the website ImageTragick, or on the Openwall mailing list.
ImageMagick is a common piece of software used to edit, resize, and manipulate images. Many applications, including WordPress, use ImageMagick to upload and edit images, and many web servers have ImageMagick installed as a convenient way to provide image manipulation to their users.
Unfortunately, this vulnerability is very easy to exploit – any image uploader that uses ImageMagick to edit its files can be affected. An attacker uploads a file that has the name of an image (i.e. “file.jpg”) but contains information that can access files on your server or cause even more damage. You can read about what attackers can do in The Register’s article “Server-jacking exploits for ImageMagick are so trivial, you’ll scream”.
While ImageMagick has not yet been fully patched yet (and we will update this article once there has been a patched version released), there is a convenient way for system administrators to temporarily protect against these exploits. You can read more about it on the ImageMagick forums.
To do this, open the policy.xml file in your ImageMagick directory, and add these five lines between <policymap> and </policymap>:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
Once you’ve added these lines, you can verify it by running this command:
convert -list policy
Which will show you the rights for the files in question.
We have adjusted policy.xml on our servers. This means that all shared hosting customers and resellers are protected.
If you have ImageMagick on your self-managed VPS or Dedicated Server, we heavily recommend you apply these changes or disable ImageMagick altogether.
We will update this post as changes are made. If you have further questions, please raise a ticket with our Customer Services team.
The post Vulnerability discovered in ImageMagick appeared first on Heart Internet Blog - Focusing on all aspects of the web.