Forums

ImageMagick Vulnerability Issue

Permalink
I really don't know if this is the correct place to post this or if it is something that would affect all Concrete5 sites, but just in case...
I received an error message on one of my Concrete5 sites, saying that I was missing a file, magickwand.so in the lib/php/extensions directory. I contacted my hosting company to learn they had removed the ImageMagick extensions because of a security issue called "ImageTrick" and were in the process of uploading the patch.
Here is a link to describe the issue.
https://www.us-cert.gov/ncas/current-activity/2016/05/04/ImageMagick...

Anyone one else encounter this? Is this something Concrete5 websites need to be concerned about?

Thanks in advance for the feedback.
 
labdesignstudio replied on at Permalink Reply
This is just to finish this post up in case someone else runs into the problem or something similar.

The web hosting company removed the php extension Imagick but failed to comment out the call in php.ini to load that extension causing an error. Well, causing several errors. He has finally made a copy of the php.ini file, commented out the two lines of code for imagick and magicwand.so and placed it in my site's root directory. Fixed.
jero replied on at Permalink Reply
jero
Disabling the entire thing seems a bit harsh. There's a documented workaround for the exploits:

http://www.imagemagick.org/discourse-server/viewtopic.php?t=29588...
labdesignstudio replied on at Permalink Reply
Yes, harsh and uninformed. But he could have avoided any issues if he had disabled the extension and then commented it out in the php.ini. I would have never known about the problem. I am surprised, though, that I was the only one having a problem with him.