Fix ImageMagick vulnerability

ImageMagick, an open-source image processing software suite, has released versions 7.0.1-1 and 6.9.3-10 to address a vulnerability in previous software versions. Exploitation of this vulnerability may allow an attacker to take control of an affected system.

Evidence:

http://arstechnica.com/security/2016/05/exploits-gone-wild-hackers-target-critical-image-processing-bug/
https://www.us-cert.gov/ncas/current-activity/2016/05/04/ImageMagick-Vulnerability

You can fix it by editing the policy.xml file.

Add the following lines to the policy.xml file:

<policy domain="coder" rights="none" pattern="EPHEMERAL"></policy>
<policy domain="coder" rights="none" pattern="URL"></policy>
<policy domain="coder" rights="none" pattern="HTTPS"></policy>
<policy domain="coder" rights="none" pattern="MVG"></policy>
<policy domain="coder" rights="none" pattern="MSL"></policy>
<policy domain="coder" rights="none" pattern="TEXT"></policy>
<policy domain="coder" rights="none" pattern="SHOW"></policy>
<policy domain="coder" rights="none" pattern="WIN"></policy>
<policy domain="coder" rights="none" pattern="PLT"></policy>

Default file paths:

Ubuntu/Debian 7/CentOS/RHEL/Arch Linux: /etc/ImageMagick/policy.xml
Debian 8/Fedora: /etc/ImageMagick-6/policy.xml
FreeBSD: /usr/local/etc/ImageMagick-6/policy.xml
CentOS with cPanel/WHM: /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
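
To confirm the edit is actually present in a policy file, the following added example (not from the original post or the ImageMagick project) parses policy.xml and lists which of the nine coder patterns above still lack a rights="none" entry. It assumes the attribute values are written exactly as shown above and does not expand glob patterns; the sample policy text is constructed.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Coder patterns the page says to disable.
REQUIRED = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# Default policy.xml locations listed on the page.
DEFAULT_PATHS = (
    "/etc/ImageMagick/policy.xml",
    "/etc/ImageMagick-6/policy.xml",
    "/usr/local/etc/ImageMagick-6/policy.xml",
    "/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml",
)

def missing_coder_blocks(policy_xml):
    """Return the required coders that have no rights="none" coder entry.

    Assumption: exact match on attribute values as written on the page;
    glob patterns are not expanded. Raises ValueError when the XML is not
    well-formed (for example, attributes pasted with typographic quotes).
    """
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        raise ValueError(f"policy.xml is not well-formed XML: {exc}") from exc
    denied = {
        p.get("pattern")
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return [name for name in REQUIRED if name not in denied]

# Constructed sample: a policy file that blocks only part of the list.
SAMPLE_PARTIAL = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"></policy>
  <policy domain="coder" rights="none" pattern="MSL"></policy>
  <policy domain="coder" rights="read" pattern="URL"></policy>
</policymap>"""

if __name__ == "__main__":
    print("sample missing:", missing_coder_blocks(SAMPLE_PARTIAL))
    # Check files given on the command line, else any default path that exists.
    for path in sys.argv[1:] or [p for p in DEFAULT_PATHS if os.path.exists(p)]:
        with open(path, "rb") as fh:
            print(path, "missing:", missing_coder_blocks(fh.read()))
```

An empty list means every pattern from the page has a matching deny entry in that file.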