The hugely popular ImageMagick tool used by thousands of websites and servers around the world, has a known zero day vulnerability. ImageMagick is an open source image library for modifying (resizing, cropping, scaling, watermarking ...) images via command line and many programming languages. It's supported by languages such as C++, Perl, Python, PHP and more. It's simple to use (I use it for bulk downsizing customers images) - and therefore used by thousands, if not millions, of websites around the world. The zero day was disclosed by Ryan Huber: (CVE-2016–3714). It allows an attacker to execute code on a server by uploading a maliciously crafted image.

So yes, if your server is running ImageMagick it is not vulnerable, but if your web application allows users to upload an image, which is processed by ImageMagick (for example, watermarked or resized), then your server is vulnerable.

If your Drupal, Wordpress or similar web application leverages ImageMagick's simple processing tools, your server may be insecure... This may allow an attacker to gain access to credentials, customer information, or anything else on your server. The exploit for this vulnerability has been named ImageTragick. A dedicated website has been setup. Branding a flaw: could look like a laugh, but perhaps the best way to spread the word? The flaw is ridiculously simple, and script kiddie could be using it in the wild: Examples (from

1. File Deletion


push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'ephemeral:/tmp/delete.txt'
$ cat "goodbye, file" >  /tmp/delete.txt
$ convert delete.mvg out.png # deletes /tmp/delete.txt

2. Create a GET or FTP request


push graphic-context
viewbox 0 0 640 480
fill 'url('
pop graphic-context

Http request to

$ convert get.mvg out.png

ImageMagick have responded with a fix

If your site is vulnerable, I suggest reading more about the flaw at, or simply add the following to your policy.xml file:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />

Saturday, May 7, 2016

« Back