Ars Technica: Huge number of sites imperiled by critical image-processing vulnerability [Updated]



The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.

It doesn't look like there's a fix for this problem yet, but the compromise would be on the server side. There is a working proof-of-concept exploit. Tennis Warehouse uploads avatars - I don't know whether or not they use ImageMagick. My son's workplace does use it in their web application and he's going to contact his manager about the issue.
