Security researchers have discovered that a large number of websites are vulnerable to relatively "trivial" exploits that allow hackers to run malicious code on a targeted website using uploaded images. The vulnerabilities lie in ImageMagick, a popular open source image-processing library used to create, edit and convert images in a variety of formats, with bindings for PHP, Ruby, Python and other languages.
The bug was discovered by "Stewie" and security researcher Nikolay Ermishkin from the Russian internet services company Mail.Ru Group. A website dubbed ImageTragick, with detailed information about the multiple vulnerabilities, has been created for website admins and developers. It also includes mitigation advice until a patch is rolled out by the company.
Among the vulnerabilities, one of the most pressing ones found is CVE-2016-3714, a code-execution vulnerability that was reportedly first seen in recent bug bounty submissions.
According to website security firm Sucuri, which published an independent analysis of the vulnerability, recent versions of ImageMagick do not filter the file names of uploaded images properly before passing them on to the server processes.
To carry out the exploit, a hacker can potentially embed malicious code into a seemingly harmless image, upload it and sneak it past ImageMagick's file check simply by renaming the file extension to a traditional image file format such as .jpg or .png. If ImageMagick handles the image, it could potentially compromise the security of both the site and anyone who visits it.
Many social media sites, blogs and content management systems rely on ImageMagick-based processing, either directly or indirectly, to resize images uploaded by users.
"The vulnerability is very simple to exploit," Sucuri founder and CTO Daniel Cid wrote. "An attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue."
The flaw is already being actively exploited in the wild, according to the researchers. Dan Tentler, another security expert and founder of Phobos Group, quickly built his own exploit and tweeted the proof on Twitter.
The company acknowledged the vulnerability on 3 May and responded by developing patches for versions 7.0.1-1 and 6.9.3-10, and suggested that website administrators add several lines to configuration files to block the possible exploits. The Mail.Ru researchers, however, called these measures "incomplete."
The ImageTragick website also recommends that developers verify the integrity of all uploaded image files and temporarily suspend image uploads in cases where mitigations cannot be immediately implemented.
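The integrity check recommended above is needed because ImageMagick selects a decoder from the file's content, not its extension, so a renamed file is still handed to the decoder its content matches. The following is an added example (not code from the article or from ImageMagick) of a magic-byte validation step an upload handler can run before anything reaches ImageMagick; the signature table and sample inputs are constructed for the example.

```python
# Magic-byte signatures for the formats the uploader accepts (constructed table;
# extend with any other format the application genuinely needs).
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def declared_extension(filename: str) -> str:
    """Lower-cased extension the client claims, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def sniff_format(data: bytes):
    """Return the accepted format whose magic bytes open the data, else None."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def is_safe_upload(filename: str, data: bytes) -> bool:
    """Accept only when the declared extension is on the allow-list AND the
    content's magic bytes belong to that same format. A text-based format such
    as MVG renamed to .png fails here and is never passed to ImageMagick."""
    ext = declared_extension(filename)
    if ext not in SIGNATURES:
        return False
    actual = sniff_format(data)
    if actual is None:
        return False
    # jpg/jpeg share a signature list, so compare signatures rather than names
    return SIGNATURES[actual] == SIGNATURES[ext]


# Constructed samples: a minimal PNG header and a harmless MVG text header.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    for name, blob in (("cat.png", PNG_SAMPLE), ("cat.png", MVG_SAMPLE)):
        print(name, "->", "accepted" if is_safe_upload(name, blob) else "rejected")
```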