WordPress blog WP_Image_Editor_Imagick vulnerability

Source: Internet
Author: User
Tags: imagemagick, wordpress, blog, aliyun

As a webmaster, I had in fact already seen the relevant news a few days ago: ImageMagick has a high-risk vulnerability (CVE-2016-3714) through which an attacker can execute arbitrary commands, ultimately stealing important information and gaining control of the server. For a server the potential damage is considerable.

Then this afternoon this blogger received a security alert from the Aliyun server: a WordPress site on the Aliyun host has the WP_Image_Editor_Imagick vulnerability and needs to have a patch applied via the management console.

Of course, the Knight Professional Edition that offers the online-fix function is a paid Aliyun service and is certainly not free, but the fee is not high; for a webmaster without the technical skills who wants the official security service to protect the site, paying is still the best choice. This blogger, naturally, will not subscribe to a paid service just because of this WP_Image_Editor_Imagick vulnerability, because the vulnerability does not come from the WP program itself; it comes from the ImageMagick installed in the server environment not having been patched.

The "tech geek" solution to the WordPress blog WP_Image_Editor_Imagick vulnerability

After careful inspection, the ImageMagick component turned out not to be installed on the cloud host at all. Still, for safety's sake, since Aliyun flagged the vulnerability it should be dealt with promptly even though ImageMagick is absent.

A temporary fix for the WP side of the vulnerability is simply to modify one line of code.

1. Find wp-includes/media.php, line 2898;

2. Change the first line below into the second:

$implementations = apply_filters( 'wp_image_editors', array( 'WP_Image_Editor_Imagick', 'WP_Image_Editor_GD' ) );

$implementations = apply_filters( 'wp_image_editors', array( 'WP_Image_Editor_GD', 'WP_Image_Editor_Imagick' ) );

That is, the priority of the two libraries is swapped so that WordPress tries GD first.

Alternatively, comment out the following require statement in /wp-includes/media.php:

require_once ABSPATH . WPINC . '/class-wp-image-editor-imagick.php';

Even if ImageMagick is installed on the machine, WordPress will then never call it, so the ImageMagick problem can be set aside for the time being.
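The two edits above are lost whenever WordPress core is updated. As an added example (not code from the original post or from WordPress), the same result can be obtained through WordPress's public wp_image_editors filter in a must-use plugin; the file name, the PREFER_GD_DROP_IMAGICK constant and the priority 99 are this example's own choices.

```php
<?php
/**
 * Plugin Name: Prefer GD over Imagick (added example, not WordPress core code)
 *
 * Save as wp-content/mu-plugins/prefer-gd.php so it survives core updates.
 * It reproduces the media.php edit above through the 'wp_image_editors'
 * filter instead of modifying core files.
 */

// true  = drop the Imagick editor entirely (same effect as commenting out
//         the class include); false = only move GD to the front of the list.
define( 'PREFER_GD_DROP_IMAGICK', false ); // hypothetical constant name

add_filter( 'wp_image_editors', function ( array $editors ) {
    $gd      = 'WP_Image_Editor_GD';
    $imagick = 'WP_Image_Editor_Imagick';

    if ( PREFER_GD_DROP_IMAGICK ) {
        // Without Imagick in the list WordPress can never hand an upload
        // to ImageMagick, whether or not the library is installed.
        $editors = array_diff( $editors, array( $imagick ) );
    }

    // WordPress uses the first editor whose test() passes, so placing GD
    // first means Imagick is only chosen when GD is unavailable.
    $editors = array_diff( $editors, array( $gd ) );
    array_unshift( $editors, $gd );

    return array_values( $editors );
}, 99 );
```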

This fix is only a temporary measure. The more reliable and most direct way is to upgrade WordPress to the latest version, and if ImageMagick is installed on the server it also needs to be upgraded to a new version.

Finally, here is the interim workaround published by the ImageMagick project:

To temporarily disable the affected ImageMagick coders through a policy file, add the following to the "/etc/imagemagick/policy.xml" file:

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
Related links:

ImageMagick (http://www.imagemagick.org/)

WordPress (https://cn.wordpress.org/)

Supplementary content:

Since many webmasters seem to be following this issue, it needs to be made clear that the real cause of this flaw has nothing to do with WordPress; it is an ImageMagick vulnerability. Reordering the libraries so that GD comes first only gets the site past Aliyun's vulnerability scan. If ImageMagick is installed on the system, fix its own vulnerability first. If the server or cloud host does not have the ImageMagick component installed at all (check whether an /etc/imagemagick folder exists), the problem is minor, because WordPress, Discuz! and similar programs generally use the GD library for image processing, so a false positive from Aliyun is nothing strange.

Second, wherever ImageMagick is installed there is a convert program. To check, run convert -version to display the version. If the shell returns bash: convert: command not found, the system has no convert program, which means ImageMagick is not installed and there is nothing to worry about.

If ImageMagick is installed, this vulnerability affects all versions of ImageMagick before 6.9.3-9, including the ImageMagick shipped in the Ubuntu repositories. In version 6.9.3-9 the maintainers did not fully fix the vulnerability, so it cannot be eliminated simply by updating the ImageMagick version.

There are two ways to temporarily work around the vulnerability:

First, before processing an image, inspect its "magic bytes", that is, the file header; if the header is not the format you expect, do not pass the file to ImageMagick. PHP users can use the getimagesize() function to check the image format. Users of web applications such as WordPress can temporarily uninstall ImageMagick and let PHP process images with the GD library.

Second, use a policy file to defend against this vulnerability; by default it is located at /etc/imagemagick/policy.xml. Modify it as shown in the code given earlier.
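The magic-bytes check described above, as an added example for WordPress that is not code from the original post or from WordPress itself: a must-use plugin that verifies the real header of every upload with an image extension before WordPress hands it to an image editor. The function name, the file name and the JPEG/PNG/GIF allow-list are this example's own choices.

```php
<?php
/**
 * Plugin Name: Verify upload magic bytes (added example, not WordPress core code)
 *
 * Save as wp-content/mu-plugins/verify-upload-magic.php. Any file whose
 * extension maps to an image type but whose actual header is not a real
 * JPEG, PNG or GIF is rejected before it reaches an image editor.
 */

/**
 * Return true if the file at $path begins with the header of an allowed
 * raster format. getimagesize() reads the real bytes, so a text payload
 * (for instance an MVG or MSL script) saved under a .jpg name returns
 * false and is therefore rejected. Hypothetical helper name.
 */
function example_is_real_raster_image( $path ) {
    $allowed = array( IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF );
    $info    = @getimagesize( $path ); // false for anything that is not a recognised image
    return is_array( $info ) && in_array( $info[2], $allowed, true );
}

add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    // Decide from the file extension (not the client-declared MIME type,
    // which the uploader controls) whether this upload claims to be an image.
    $filetype = wp_check_filetype( $file['name'] );
    $claims_image = ! empty( $filetype['type'] )
        && strpos( $filetype['type'], 'image/' ) === 0;

    if ( $claims_image && ! example_is_real_raster_image( $file['tmp_name'] ) ) {
        // A string in 'error' makes WordPress abort the upload and show the message.
        $file['error'] = 'Upload rejected: the file header does not match an allowed image format.';
    }
    return $file;
} );
```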

So although the ImageMagick vulnerability reported in the news is very harmful, that applies mainly to large web sites and the many virtual hosts; the typical personal web site on a cloud host does not have the ImageMagick component installed (at least the LNMP one-click installation package does not install it). In that case, clearing the Aliyun vulnerability-scan report is all that is needed.
