Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Security Update:
Imagemagick - Multiple Vulnerabilities
May 05, 2016 @ 11:07:35

Imagemagick, a well-used alternative by PHP developers for graphics manipulation (an alternative to GD) has had several new vulnerabilities announced. These vulnerabilities allow for everything from remote code execution to initiating network requests. The Imagetragick site has more information:

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and nodejs’s imagemagick. If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities.

There's two mitigations listed to help with a more immediate fix: using a policy.xml file and verifying that image data starts with the right "magic bytes". The site also shares more information about the different vulnerabilities and what kind of attacks they could allow. It is highly recommended that you add the mitigations they show and update your installation to use the latest release (7.0.1-1) with fixes for these issues.

tagged: imagemagick vulnerabilities multiple upgrade mitigation

Link: https://imagetragick.com