Vulnerability discovered in ImageMagick | Heart Internet Blog – Focusing on all aspects of the web

There’s been a major vulnerability discovered in ImageMagick – known officially as CVE-2016-3714, or unofficially as ImageTragick. You can read more about this vulnerability in the Ars Technica article “Huge number of sites imperilled by critical image-processing vulnerability”, on the website ImageTragick, or on the Openwall mailing list.

ImageMagick is a common piece of software used to edit, resize, and manipulate images. Many applications, including WordPress, use ImageMagick to upload and edit images, and many web servers have ImageMagick installed as a convenient way to provide image manipulation to their users.

Unfortunately, this vulnerability is very easy to exploit – any image uploader that uses ImageMagick to edit its files can be affected. An attacker uploads a file that has the name of an image (e.g. “file.jpg”) but contains information that can access files on your server or cause even more damage. You can read about what attackers can do in The Register’s article “Server-jacking exploits for ImageMagick are so trivial, you’ll scream”.

While ImageMagick has not yet been fully patched, there is a convenient way for system administrators to temporarily protect against these exploits. You can read more about it on the ImageMagick forums.

To do this, open the policy.xml file in your ImageMagick directory, and add these five lines between <policymap> and </policymap>:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />

Once you’ve added these lines, you can verify the change by running this command:

convert -list policy

This will show you the rights for the coders in question.
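
To check the file itself as well, the following added example (not part of the original post) reports which of the five coders are not denied in a given policy.xml, ignoring entries that are commented out. The function names and the sample file are constructed for illustration; it assumes one <policy> element per line and does not interpret wildcard patterns.

```shell
#!/bin/sh
# Added example: list which coders from the mitigation are not denied
# in a given ImageMagick policy.xml. Assumes one <policy .../> per line.

REQUIRED_CODERS="EPHEMERAL HTTPS MVG MSL TEXT"

# Print (space-separated) the required coders that have no active
# <policy domain="coder" rights="none" pattern="..."/> entry in file $1.
missing_coders() {
    # Strip XML comments first: a commented-out policy is not in effect.
    active=$(sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1")
    missing=""
    for coder in $REQUIRED_CODERS; do
        if ! printf '%s\n' "$active" | grep '<policy' \
            | grep 'domain="coder"' | grep 'rights="none"' \
            | grep -q "pattern=\"$coder\""; then
            missing="$missing $coder"
        fi
    done
    # Trim the leading space; output is empty when all five are denied.
    printf '%s\n' "${missing# }"
}

# Constructed sample policy.xml: MVG is commented out, MSL is not denied.
write_sample_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="read" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
</policymap>
EOF
}

sample=$(mktemp)
write_sample_policy "$sample"
result=$(missing_coders "$sample")
if [ -n "$result" ]; then
    echo "policy.xml does not deny: $result"
else
    echo "all five coders are denied"
fi
rm -f "$sample"
```

Call missing_coders with the path to your own policy.xml; empty output means all five entries are active.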

We have adjusted policy.xml on our servers. This means that all shared hosting customers and resellers are protected.

If you have ImageMagick on your self-managed VPS or Dedicated Server, we strongly recommend you apply these changes or disable ImageMagick altogether.

If you have further questions, please raise a ticket with our Customer Services team.
