Attn: Websites That Work with Graphics – Critical Exploit Found in ImageMagick


The Issue

It has become known that websites relying on ImageMagick, a popular image processing library, are vulnerable to multiple exploits, including remote code execution (RCE). Other potential dangers include the ability to make HTTP GET and FTP requests from the server, and the ability to move or even delete files.

The vulnerability is classified as a zero-day, and the biggest danger lies in the fact that ImageMagick supports the .svg and .mvg file formats (among others), which can reference external files.

The ImageMagick team officially acknowledged the security issue several hours ago and has also posted a possible solution on their forum.

What Is ImageMagick?

ImageMagick is a library used by a wide range of web services for image processing purposes. Some well-known image processing plugins depend on this package, too. Among them are PHP’s imagick, Ruby’s rmagick and paperclip, Node.js’s imagemagick, and others.

What Are The Websites Affected?

The full scope of websites that may be vulnerable to the discovered exploits is hard to grasp. The issue could potentially affect many social media sites, blogs and networking platforms, as well as eCommerce sites that use ImageMagick to process or resize images uploaded by customers.

So, if your Magento store has anything to do with user-added images, graphics or other visual and multimedia materials, it’s best to check with your admin regarding ImageMagick and to secure your web property, if necessary.

Possible Fixes

A group of people have set up the humorously named ImageTragick.com website, where possible solutions to the issue are listed.

Overall, it is recommended to take one (or preferably both) of the following two steps:

1. Disable the vulnerable coders in ImageMagick’s policy.xml file.

As per ImageMagick, “by default any coder, delegate, filter, or file path is permitted. Use a policy to deny access to, for example, the MPEG video delegate, or permit reading images from a file system but deny writing to that same file system. Or use the resource policy to set resource limits.”

Just add the following to the policy config:

<policymap>
  <!-- rights="none" denies the named coder entirely -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

The file is normally located in /etc/ImageMagick (the exact directory can vary by distribution and ImageMagick version, so confirm the path on your server).

2. Verify that a file’s “magic bytes” correspond to the file types you support.

For example, the first few bytes of a typical .png file are “89 50 4E”. There is a list of the magic bytes for the most common file types on Wikipedia.
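The following is an added example, not code from the original post or from the ImageMagick project. It turns the two steps above into checks an administrator can run: a simplified parser that reads a policy.xml and reports which of the five coders listed above are still permitted, and a magic-bytes allowlist that rejects an upload whose content does not match a supported raster format or its own file extension. The function names, the allowlist, and all sample inputs (policy files, file headers) are constructed for this example; the policy parser handles literal pattern names and "*" only, not ImageMagick's full glob syntax.

```python
"""Added example (not from the original post): two defender-side checks that
correspond to the two recommended steps, policy.xml hardening and magic-byte
verification. All sample inputs are constructed for this example."""
import xml.etree.ElementTree as ET

# The five coders the policy snippet above denies.
CODERS_TO_DENY = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")


def policy_gaps(policy_xml: str, required=CODERS_TO_DENY):
    """Return the coders in `required` that the given policy does NOT deny.

    A coder counts as denied when a <policy domain="coder" rights="none">
    element names it in `pattern`. Simplification (assumption): only literal
    names and the "*" wildcard are understood, not ImageMagick's glob syntax.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").lower() != "none":
            continue
        pattern = pol.get("pattern", "").upper()
        if pattern == "*":
            return []  # every coder is denied
        denied.add(pattern)
    return [c for c in required if c.upper() not in denied]


# Leading bytes ("magic bytes") of the raster formats this hypothetical site
# accepts. The full 8-byte PNG signature begins with the 89 50 4E quoted above.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data: bytes):
    """Return the allowlisted format whose signature starts `data`, else None."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def upload_is_allowed(filename: str, data: bytes) -> bool:
    """Accept only when the magic bytes match an allowlisted format AND that
    format agrees with the extension, so a text file renamed to .png is refused
    before it ever reaches ImageMagick."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpg": "jpeg"}.get(ext, ext)
    kind = sniff_image_type(data)
    return kind is not None and kind == ext


# Constructed samples: a policy with no coder restrictions, the hardened one,
# a PNG header, a JPEG header, and an SVG document saved under a .png name.
SAMPLE_POLICY_WEAK = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

SAMPLE_POLICY_FIXED = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_SVG_AS_PNG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'

if __name__ == "__main__":
    print("weak policy still permits:", policy_gaps(SAMPLE_POLICY_WEAK))
    print("fixed policy still permits:", policy_gaps(SAMPLE_POLICY_FIXED))
    for name, data in [("photo.png", SAMPLE_PNG),
                       ("photo.jpg", SAMPLE_JPEG),
                       ("logo.png", SAMPLE_SVG_AS_PNG),
                       ("logo.png", SAMPLE_JPEG)]:
        print(name, "->", "allowed" if upload_is_allowed(name, data) else "rejected")
```

On a real server, feed `policy_gaps` the contents of the policy.xml path you confirmed in step 1, and call `upload_is_allowed` on the uploaded bytes before handing the file to any ImageMagick binding.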

Aitoc Team
Aitoc is a young team of passionate professionals delivering robust Magento extensions. Founded in 2001, Aitoc has produced over 100 modules for clients worldwide. The company continuously evolves, now offering a full range of custom ecommerce development services.
