Sunday, 8 May 2016

On 02:14 by admin   No comments
In recent days, the ImageMagick program is called a burst ImageTragick security vulnerabilities , causing many users attention. All servers installed ImageMagick are affected by this vulnerability. Therefore, please immediately contact the server administrator as soon as possible to fix this security hole.
The outset, our host WordPress WordPress Chinese professional network (http://wpchina.org) provided already at the first time to fix this loophole, the use of the user need not worry about this problem.

What is ImageMagick?

ImageMagick is a widely used web services image processing program. Many image processing plug-ins are based on ImageMagick library work, for example, PHP's imagick extension, Ruby's rmagick and paperclip plug, Nodejs of imagemagick like.
The use ImageMagick image processing library applications are affected ImageTragick problem.

What is ImageTragick loophole?

ImageTragic this vulnerability is discovered multiple vulnerabilities in ImageMagick nickname. These vulnerabilities are:
  1. CVE-2016-3714 ,Insufficient shell characters filtering leads to (potentially remote) code execution,即不完善的Shell字符过滤导致(有可能远程)代码执行。
  2. -2016-3718 CVE , SSRF, the full name of Server-Side Request Forgery, or "server-side request forgery" loophole.
  3. -2016-3715 CVE , File Deletion, file deletion.
  4. -2016-3716 CVE , Moving File, the file position.
  5. -2016-3717 CVE , the Local File the Read, read local files.

WordPress affected by what?

If the user uploaded data contains malicious code in WordPress, it could cause ImageMagick library to perform one or more of the above malicious acts. Any WordPress user with permission to upload files, mainly WordPress administrator, editor, author of the three users could exploit this vulnerability to compromise the website security.
If there is no time to repair the vulnerability would allow remote code execution (RCE).

WordPress core team, why not fix this vulnerability?

For WordPress users, the root of this problem lies Imagick PHP extensions on the server, not WordPress itself. Yesterday released version WordPress 4.5.2 security update version of the time, WordPress team has done a legend. The best approach is a service provider in the host level to deal with this vulnerability.

How to check if your site is vulnerable?

If you are using a standalone server, or VPS, it usually requires you to deal with this problem. If the virtual hosting service you use, please immediately contact your hosting service provider space, let them deal with "ImageTragic Vulnerability (numbered CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016 -3716 and CVE-2016-3717) ".
If your server site where PHP Imagick extension installed, then your website is easy to be attacked. You can check the following two ways:
  1. Check phpinfo () output to see if contains Imagick.
  2. Run php -m | grep imagick command.

How to fix this vulnerability?

Currently, ImageMagick development team has fixed this vulnerability, has released a version of ImageMagick 6.9.3-10 (on May 3, 2016 update log ). If a standalone server or VPS you manage, install the latest version of ImageMagick as soon as possible. If you are using virtual hosting space, please contact your hosting service provider to fix this problem.
Our WordPress Chinese network to provide professional WordPress hosts, have already installed the latest version of the patch for this vulnerability.

ImageTragick vulnerability timeline

  • April 21, 2016, Mail.Ru security team found a service from http://hackerone.com/stewie of My.com site file read vulnerability to ImageMagick team made a report.
  • April 21, 2016, My.com development team fixes the vulnerability to read files.
  • April 28, 2016, Mail.Ru security team Nikolay Ermishkin first thing I read in the study blog post, found ImageMagick code execution vulnerability exists.
  • April 30, 2016, report to the code execution vulnerability ImageMagick development team.
  • April 30, 2016, ImageMagick development team fixes the code execution vulnerability (not fully repaired).
  • April 30, 2016, released ImageMagick 6.9.3-9 version (not fully repaired).
  • May 1, 2016, ImageMagic announced the restoration.
  • May 2, 2016, to "distros" mailing list team made a small range of vulnerability note;
  • May 3, 2016, released ImageMagick 6.9.3-10 version (fully restored);
  • May 3, 2016, publicly released a detailed description of the vulnerability.


0 comments:

Post a comment