• Resolved jephperro

    (@jephperro)


    Hi,

    There was an ImageMagick vulnerability discovered on May 3, 2016 called ImageTragick:
    https://imagetragick.com

    I looked into my WordPress installations, and I see that the ImageMagick library is installed and it appears that WordPress uses it in the class: class-wp-image-editor-imagick.php

    So, out of caution, I have followed the instructions suggested by ImageMagick below, and updated the policy file they suggest will prevent the exploit:

    https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

    But I haven’t seen any concern about this in the WordPress community yet. Is it just too new, or is it not a problem for self-hosted WordPress instances?

    Thanks,

    Jeff

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Generally speaking, as the problem is in a library on the server, the server host will probably need to patch it or update the server.

    While WordPress can use the ImageMagick library if it is available, it’s not generally available on most lower-end hosting systems, and WordPress falls back to the GD library, which is available nearly everywhere.

    So yes, if you have the ImageMagick library on your server, then you should update your server or make the policy adjustments as above. Or your host should be making those changes for you (many are). WordPress might include something to address the problem, or it might not. Depends on how it all shakes out, I expect. But as the issue is kind of at a lower level than WordPress, it’s probably something to be addressed differently.

    Additionally, WordPress does have image processing, but only for user accounts with the ability to upload images to the site. This is not something that the general public can usually do.
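
One way to check the policy adjustment discussed in this thread, as an added example that is not part of any post and is not WordPress or ImageMagick code: it reads a policy.xml and reports whether each of the five coders named on imagetragick.com is denied. The sample file is constructed, and the case-sensitive matching and the "conflict" state are conservative assumptions, not ImageMagick's exact evaluation rules.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders the imagetragick.com advisory says to disable in policy.xml.
ADVISORY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample; the MSL rule is inside an XML comment, so it is inert.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="{URL,HTTPS}"/>
  <policy domain="coder" rights="none" pattern="mvg"/>
  <!-- <policy domain="coder" rights="none" pattern="MSL"/> -->
  <policy domain="coder" rights="read|write" pattern="HTTPS"/>
</policymap>"""


def expand_braces(pattern):
    """Expand one {A,B} list, which Python's fnmatch does not understand."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [head + alt.strip() + tail for alt in m.group(1).split(",")]


def audit_policy(xml_text, coders=ADVISORY_CODERS):
    """Return {coder: 'blocked' | 'conflict' | 'allowed'}."""
    rules = []  # (glob, True if the rule grants no rights)
    for p in ET.fromstring(xml_text).iter("policy"):
        if p.get("domain") == "coder":
            denies = p.get("rights") == "none"
            for glob in expand_braces(p.get("pattern", "")):
                rules.append((glob, denies))
    report = {}
    for coder in coders:
        # Assumption: case-sensitive match, so "mvg" does not cover MVG.
        hits = [d for g, d in rules if fnmatch.fnmatchcase(coder, g)]
        if hits and all(hits):
            report[coder] = "blocked"
        elif any(hits):
            # Assumption: rule precedence is not modelled; review by hand.
            report[coder] = "conflict"
        else:
            report[coder] = "allowed"
    return report


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

Anything other than "blocked" for a coder means the file needs another look, including rules that exist only inside an XML comment.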

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    More information about this issue has been posted on the Core blog.

    ImageMagick Vulnerability Information


The topic ‘ImageTragick Vulnerability ; ImageMagick’ is closed to new replies.