“If you’re using ImageMagick on your website to identify, crop, resize or tweak pictures provided by your users, you must make sure you’ve applied these mitigations, and tweaked your code to only accept valid image files. Sandboxing ImageMagick is also a good idea.”
See Server-jacking exploits for ImageMagick are so trivial, you’ll scream
Yep. This is one of those widely used FLOSS tools that has big holes in security. It’s again one of those vulnerabilities where images are treated as code with no checking/sanitizing.
ImageMagick is a tool I use widely. Fortunately, it’s not exposed to users on this blog and at home TLW mostly uses it with images that she produces, so exposure is limited. OTOH, it could take a week to do a major rewrite and distribution of the package. To be safer, I could switch to another image-processor locally or use these tweaks. This is very embarrassing as ImageMagick has been around for many years. Somehow, the authors learned nothing from hundreds of similar exploits of That Other OS.
On a lighter note, I’ve been helping TLW learn to use ImageMagick through Coppermine Photo Gallery on Beast and setting up a nice database of images mostly of plants and fruits and vegetables. It will be very useful when discussing horticulture at our next big party.