Image Magick Vulnerability

Lawrence

While not specifically PHP related, there is a newly announced serious vulnerability with Image Magick, as detailed on Ars:
http://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/
The fix, or at least workaround, is simple:
https://gist.github.com/rawdigits/d73312d21c8584590783a5e07e124723
^ Simply add those five lines to your Image Magick policy.xml file, and it'll prevent the problem in filetypes you're probably not using anyway (ie: it doesn't affect JPG, PNG or GIF).
But it's a -serious- vulnerability. I couldn't find anything that specifically indicates that it's a Linux-only issue, but I assume it's a problem for Windows users as well.
A fixed version of IM should be released ASAP, with luck Aprelium will be bundling it with their new PHP release. ^_^

admin

Lawrence,
As far as we understood, policy.xml is meant for ImageMagick command line tools and not the library (as used in PHP.)
In PHP, limits and restrictions are partly imposed by the programming language core (PHP) and by the Imagick::setResourceLimit() API call.
References:
* http://stackoverflow.com/questions/2121137/limit-number-of-threads-in-imagick-php
* http://php.net/manual/en/imagick.setresourcelimit.php

Lawrence

OK, so if I understand you correctly, it's only for users with command-line access to the server? Phew!
Though... Not sure why it would be such a widespread vulnerability in that case.

Lawrence

Reading up on it further, this does seem to be a more critical issue. From the Ars article:

ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.

Websites that allow users to upload images are at risk.
Basically, specially crafted images cause code execution. It doesn't seem to be limited to the command line, as I interpret the news.