Secure ImageMagick to Prevent Vulnerabilities

Posted on December 17, 2018 at 11:07 am

You can “harden” ImageMagick's security policy to block the coders and delegates behind the ImageTragick (CVE-2016-3714) family of bugs: command execution through crafted MVG/MSL input, plus the file read, file delete and server-side request forgery (SSRF) vectors that came with it. This is a mitigation layer, not a replacement for keeping ImageMagick patched.

Add this inside the <policymap> element of /etc/ImageMagick-6/policy.xml (ImageMagick 7 reads /etc/ImageMagick-7/policy.xml instead; running convert -list policy prints the path of the policy file actually loaded and what it currently allows):

  <!-- Mitigate ImageMagick (ImageTragick, CVE-2016-3714) vulnerabilities -->
  <!-- https://imagetragick.com/#FAQ -->
  <!-- Remote-fetch coders: a crafted image can otherwise make the server request arbitrary URLs -->
  <!-- HTTP is listed as well because an http:// input selects the HTTP coder, which the URL pattern does not cover -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <!-- Script and file-access coders: these interpret drawing/scripting commands or read and delete arbitrary files -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <!-- Coders that hand off to an external viewer or plotter process -->
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />

You can also deny the delegate entries that fetch remote content (the url, http and https decode delegates in delegates.xml, which run an external downloader such as curl). Disabling the coders already blocks these inputs, so this is a second layer in case a coder is re-enabled later. Add them above the coder block:

  <policy domain="delegate" rights="none" pattern="URL" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="delegate" rights="none" pattern="HTTP" />

Example of the complete block (everything goes inside <policymap>):

  <!-- Deny the delegates that fetch remote content -->
  <policy domain="delegate" rights="none" pattern="URL" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="delegate" rights="none" pattern="HTTP" />
  <!-- Mitigate ImageMagick (ImageTragick, CVE-2016-3714) vulnerabilities -->
  <!-- https://imagetragick.com/#FAQ -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <!-- Deny the @file indirection (e.g. label:@/etc/passwd), which renders a local file's contents into an image -->
  <policy domain="path" rights="none" pattern="@*"/>
  <!-- Only used by the distributed pixel cache; replace "passphrase" with a real secret. stealth="true" keeps it out of -list policy output -->
  <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
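To confirm that the policy file really contains all of these denies, here is a small checker. It is an added example, not code from this post or from ImageMagick. It parses the <policymap>, applies the same case-insensitive glob matching ImageMagick uses for the pattern attribute, and reports each risky coder, fetch delegate and the @file path indirection that is still permitted. The two sample policies are constructed inline; check_policy, check_policy_file, RISKY_CODERS and RISKY_DELEGATES are names chosen for this example. It expects an HTTP coder entry alongside URL and HTTPS, because an http:// input selects the HTTP coder and the URL pattern does not cover it.

```python
"""Lint an ImageMagick policy.xml for the ImageTragick mitigations.

Added example, not part of the original post or of ImageMagick itself.
It parses the <policymap> and reports every risky coder, fetch delegate
and the "@file" path indirection that is still permitted. The two sample
policies are constructed inline so this runs offline; on a real host call
check_policy_file("/etc/ImageMagick-6/policy.xml") (or the ImageMagick-7 path).
"""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders the policy should deny. HTTP is listed alongside URL/HTTPS because
# an http:// input selects the HTTP coder, which a "URL" pattern does not cover.
RISKY_CODERS = ["EPHEMERAL", "URL", "HTTPS", "HTTP", "MVG", "MSL",
                "TEXT", "SHOW", "WIN", "PLT"]
# Delegates that fetch remote content on ImageMagick's behalf.
RISKY_DELEGATES = ["URL", "HTTPS", "HTTP"]


def _denied(policies, domain, name):
    """True if a rights="none" policy in `domain` matches `name`.

    ImageMagick matches the pattern attribute as a case-insensitive glob;
    only rights="none" entries (the form used in the post) count as a deny.
    """
    for p in policies:
        if p.get("domain") != domain:
            continue
        if p.get("rights", "").strip().lower() != "none":
            continue
        if fnmatchcase(name.lower(), p.get("pattern", "").lower()):
            return True
    return False


def check_policy(xml_text):
    """Return a list of findings (an empty list means every mitigation is present)."""
    root = ET.fromstring(xml_text)
    if root.tag != "policymap":
        raise ValueError("expected a <policymap> root element")
    policies = root.findall("policy")
    findings = []
    for coder in RISKY_CODERS:
        if not _denied(policies, "coder", coder):
            findings.append(f"coder {coder} still allowed")
    for delegate in RISKY_DELEGATES:
        if not _denied(policies, "delegate", delegate):
            findings.append(f"delegate {delegate} still allowed")
    # "label:@/etc/passwd" is the classic probe for the @file indirection.
    if not _denied(policies, "path", "@/etc/passwd"):
        findings.append("path @* indirection still allowed")
    return findings


def check_policy_file(path):
    """Run check_policy over a policy.xml on disk."""
    with open(path, "rb") as fh:
        return check_policy(fh.read())


# Constructed sample 1: the coder list alone (no HTTP coder, delegate or path entries).
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
"""

# Constructed sample 2: the full mitigation set, using a glob where one pattern covers both HTTP and HTTPS.
HARDENED_POLICY = """<policymap>
  <policy domain="delegate" rights="none" pattern="URL" />
  <policy domain="delegate" rights="none" pattern="HTTP*" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTP*" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
  <policy domain="cache" name="shared-secret" value="passphrase" stealth="true" />
</policymap>
"""

if __name__ == "__main__":
    for name, text in (("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_policy(text) or "OK")
```

On a live host, run convert -list policy first: it prints the path of the policy file ImageMagick actually loaded, which is the file to point check_policy_file at. A clean result from the checker only says the denies are present; it does not say anything about the ImageMagick version or its own bugs.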

Then make sure to always VERIFY image file content. The policy is a mitigation, not a substitute for patching: the ImageTragick proof-of-concept is an MVG script renamed to .png, and ImageMagick picks its coder from the file's content rather than its extension, so an upload check that only looks at the filename or the Content-Type header proves nothing.

Check file signature in PHP

Verify that every uploaded file begins with the expected “magic bytes” of one of the image formats you support, and that the detected format agrees with the extension you were given, before sending it to ImageMagick for processing. Reject anything that fails either check instead of trying to convert it, and when you do call ImageMagick, pass the format you detected explicitly (for example png:upload.tmp) so the coder is pinned rather than sniffed.
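The check described above, as an added example written in Python rather than the PHP the post mentions (this is not code from the original page). The accepted formats, the upload handler and every sample input are constructed here for illustration; sniff_image_format, validate_upload and imagemagick_input are names chosen for this example. It goes slightly beyond the text by also checking that the content agrees with the extension, so a real GIF uploaded as .jpg is rejected too.

```python
"""Verify upload content by magic bytes before handing it to ImageMagick.

Added example, written in Python rather than the PHP the post mentions;
it is not code from the original page. The upload handler, its accepted
formats and all sample inputs are constructed here for illustration.
"""
import os

# (format, [(offset, magic bytes), ...]) for the formats this hypothetical
# endpoint accepts. Every listed chunk must match. WebP is a RIFF container,
# so it needs "RIFF" at 0 and "WEBP" at 8; GIF has two valid headers.
SIGNATURES = [
    ("png",  [(0, b"\x89PNG\r\n\x1a\n")]),
    ("jpeg", [(0, b"\xff\xd8\xff")]),
    ("gif",  [(0, b"GIF87a")]),
    ("gif",  [(0, b"GIF89a")]),
    ("webp", [(0, b"RIFF"), (8, b"WEBP")]),
]

# Map the extension the client supplied to the format it claims to be.
EXT_TO_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg",
                 "gif": "gif", "webp": "webp"}


def sniff_image_format(data):
    """Return the format whose signature `data` starts with, or None."""
    for fmt, chunks in SIGNATURES:
        if all(data[off:off + len(magic)] == magic for off, magic in chunks):
            return fmt
    return None


def validate_upload(filename, data, allowed=frozenset(EXT_TO_FORMAT.values())):
    """Decide whether an upload may be passed to ImageMagick.

    Returns (format, None) on success, or (None, reason) on rejection. Both
    the extension and the content are checked, and they must agree: an MVG
    or SVG script renamed to .png (the ImageTragick trick) fails the
    signature check, and a GIF uploaded as .jpg fails the agreement check.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    claimed = EXT_TO_FORMAT.get(ext)
    if claimed is None or claimed not in allowed:
        return None, f"extension .{ext} not accepted"
    detected = sniff_image_format(data)
    if detected is None:
        return None, "no recognised image signature"
    if detected != claimed:
        return None, f"content is {detected} but extension says {claimed}"
    return detected, None


def imagemagick_input(fmt, path):
    """Build the input argument for convert/magick with the coder pinned.

    The "png:" style prefix makes ImageMagick use that coder regardless of
    what the file content looks like, so content sniffing cannot reroute it.
    """
    return f"{fmt}:{path}"


# Constructed sample inputs (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8
WEBP_SAMPLE = b"RIFF" + b"\x1a\x00\x00\x00" + b"WEBPVP8 " + b"\x00" * 10
# An MVG script carrying a .png name: the shape of the ImageTragick PoC
# (kept benign here; it only references a URL).
MVG_SAMPLE = (b"push graphic-context\n"
              b"viewbox 0 0 640 480\n"
              b"fill 'url(https://example.com/image.jpg)'\n"
              b"pop graphic-context\n")

if __name__ == "__main__":
    for name, blob in (("photo.png", PNG_SAMPLE), ("exploit.png", MVG_SAMPLE),
                       ("pic.jpg", GIF_SAMPLE), ("banner.webp", WEBP_SAMPLE)):
        fmt, reason = validate_upload(name, blob)
        if fmt:
            print(name, "->", imagemagick_input(fmt, "/tmp/upload"))
        else:
            print(name, "rejected:", reason)
```

A matching signature only tells you the file is the format you think it is, not that it is harmless; a malformed PNG still reaches the PNG coder. Keep the policy in place and ImageMagick patched, and treat this check as the gate that stops the wrong coder from ever being chosen.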

More information and suggestions here:

https://imagetragick.com/
https://github.com/ImageTragick/PoCs
https://en.wikipedia.org/wiki/List_of_file_signatures
https://www.garykessler.net/library/file_sigs.html
https://imagemagick.org/script/security-policy.php
https://www.exploit-db.com/exploits/39767
