ImageMagick is one of the most popular image processing libraries for resizing, cropping and editing uploaded images. Websites with profile pictures and avatars commonly use ImageMagick to resize these uploads.
In basic terms, hackers upload an image with malicious code embedded in it, and that code is triggered when ImageMagick begins processing the image. This can cause the code to run on your server with elevated user permissions. At that point, the hacker can take total control of the server, and what’s worse, this exploit is relatively easy to use.
Here’s how to protect yourself. First, find out if you’re vulnerable, and then fix the ImageMagick exploit. If your website accepts user image uploads of any kind, this should be a high priority.
Check for the vulnerability
If your site processes images and uses PHP, Ruby, or Node.js, there’s a good chance you use ImageMagick or a plugin based on it.
Here’s how to test if your site is at risk:
Create a new text file and save it with the name test.mvg. Add the following lines of text into it:
    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg" | ls "-la)'
    pop graphic-context
Upload it to the server and, from the command line (ssh), run:
    convert test.mvg out.png
If this shows the content of your directory as though you just ran ls -la, you’re affected. For more information on testing, see the Red Hat page on CVE-2016-3714; the ImageTragick team also has additional tests.
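The same check wrapped in a script, as an added example that is not part of the original article. The helper name check_imagetragick and the pattern used to recognise an ls -la listing are assumptions of this example; it writes the article's test.mvg into an empty scratch directory, runs the converter there, and reports the result.

```shell
#!/bin/sh
# Added example (not from the original article): automates the test.mvg check.
# check_imagetragick is a hypothetical helper name. It prints one of:
#   vulnerable | not-vulnerable | not-installed
check_imagetragick() {
    conv=${1:-convert}   # converter to test; give an absolute path if not on PATH

    command -v "$conv" >/dev/null 2>&1 || { echo "not-installed"; return 0; }

    # Work in an empty scratch directory so any listing is harmless and small.
    work=$(mktemp -d) || return 1

    # The test file from the article, one MVG directive per line.
    cat > "$work/test.mvg" <<'EOF'
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg" | ls "-la)'
pop graphic-context
EOF

    # Capture stdout and stderr; a patched build fails with an error, which is fine.
    out=$(cd "$work" && "$conv" test.mvg out.png 2>&1) || true
    rm -rf "$work"

    # Assumption: ls -la output is recognised by a permission column such as
    # "drwx------" or "-rw-r--r--" at the start of a line.
    if printf '%s\n' "$out" | grep -Eq '^[-dl][-rwxsStT]{9}'; then
        echo "vulnerable"
    else
        echo "not-vulnerable"
    fi
}
```

Source the file and call check_imagetragick on the server that processes uploads. A not-vulnerable result covers only this one test file, so the additional ImageTragick tests still apply.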
Fix the vulnerability
Red Hat Enterprise Linux and CentOS 6 and 7 already have patches available to fix this issue. Update your system with yum update imagemagick to fix this vulnerability. There are more details on the RHEL site.
For RHEL and CentOS 5, you will need to make some changes to mitigate the problem:
So far, the number of attacks using this vulnerability is limited, but if left unmitigated, it represents a serious risk to websites using the ImageMagick package. We advise all site owners and developers to take care and ensure that they’ve taken steps to cut off this avenue of attack.