#25174 Image Magick vulnerability

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by appnweb on Tuesday, 17 May 2016 09:01 CDT

appnweb
Hi,

It seems there is a serious vulnerability in ImageMagick: https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html

We are actually contacting hosting companies for our customers in order to know if they have done what's necessary about it.

Actually, does Admin Tools protect us in such a case, or is there absolutely nothing to do about it except waiting for hosting companies to react on their side?

Thanks in advance for your help.

nicholas
Akeeba Staff
Manager
I am already aware of the "ImageTragick" series of attacks. However, Admin Tools cannot protect you against this kind of attack. The only possible protection is having an up-to-date version of ImageMagick installed on your server and the ImageMagick PHP module compiled against it, and blacklisting protocols in your server's ImageMagick configuration per the ImageMagick developers' suggestions. This is server configuration that has to be undertaken by the hosting company.

The best protection is, of course, to disable uploading of SVG files in your Joomla! Global Configuration. While we could pretend to offer a similar feature in our .htaccess Maker, it wouldn't be thorough: it would only prevent .svg/.mvg files from being uploaded to the server based on their filename. It is still possible to exploit ImageMagick vulnerabilities in case an upload script which uses ImageMagick assumes that the uploaded file is not .svg data without checking the file type or extension. Having half-arsed protection is worse than having no protection at all.

Therefore I'd like to warn you that system-level issues cannot be fully protected against by a web application firewall. The proper thing to do is to update the server's configuration per the ImageMagick developers' suggestions.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
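The two checks the reply above points at, as an added example that is not Admin Tools, Joomla! or ImageMagick code: classifying an upload by its bytes rather than its filename (so a vector/script document renamed to .jpg is still caught), and auditing an ImageMagick policy.xml for the coder denials the ImageMagick developers recommended during the ImageTragick disclosure. The coder list, the content-sniffing heuristics and the sample files are assumptions constructed for this example.

```python
# Added example: content-based upload classification plus a policy.xml audit.
import re
import xml.etree.ElementTree as ET

# Coders named in the ImageTragick mitigation advice (assumed list for this example).
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                "TEXT", "SHOW", "WIN", "PLT", "LABEL"}
# Magic bytes of the raster formats a photo upload form actually expects.
RASTER_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Optional XML prolog / comments / DOCTYPE, then an <svg> root element.
SVG_RE = re.compile(rb"(?is)^(<\?xml[^>]*>\s*)?(<!--.*?-->\s*)*(<!DOCTYPE[^>]*>\s*)?<svg\b")

def classify_upload(data: bytes) -> str:
    """Return 'raster', 'svg', 'mvg' or 'unknown' from file content only (heuristic)."""
    head = data[:1024]
    if head.startswith(RASTER_MAGIC):
        return "raster"
    text = head.lstrip()
    if text.startswith((b"push graphic-context", b"viewbox")):
        return "mvg"          # MVG is a text format of drawing primitives
    if SVG_RE.match(text):
        return "svg"
    return "unknown"

def rejected_uploads(files: dict) -> dict:
    """Every upload that is not a raster image, keyed by name, with the detected kind."""
    return {name: kind for name, data in files.items()
            if (kind := classify_upload(data)) != "raster"}

def missing_coder_denials(policy_xml: str) -> set:
    """Coders from RISKY_CODERS that policy.xml does not deny with rights="none"."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            # Accept a single name or a brace-grouped list such as "{MVG,MSL}".
            for name in pol.get("pattern", "").strip("{}").split(","):
                denied.add(name.strip().upper())
    return RISKY_CODERS - denied

# Constructed sample uploads: the last two carry vector/script text under a
# raster extension, which is exactly what a filename-based rule would miss.
SAMPLE_UPLOADS = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "disguised.jpg": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",
    "icon.gif": b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>',
}
# Constructed policy.xml fragments: a default-like one and a hardened one.
WEAK_POLICY = '<policymap><policy domain="resource" name="memory" value="256MiB"/></policymap>'
HARDENED_POLICY = "<policymap>" + "".join(
    f'<policy domain="coder" rights="none" pattern="{c}"/>' for c in sorted(RISKY_CODERS)
) + "</policymap>"
```

`rejected_uploads(SAMPLE_UPLOADS)` flags the two disguised files, and `missing_coder_denials(WEAK_POLICY)` lists all ten coders while the hardened policy leaves none missing.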

appnweb
Thanks for your answer Nicholas.

Then we hope hosting companies will have a positive attitude and do their job correctly :-)
