By Keith Petkus on Tuesday, 10 May 2016
Category: Cloud Hosting

ImageTragick, what you need to know

In the last few days, we have seen questions regarding the recently released ImageTragick vunerabilites. We began working to patch and protect the CloudAccess.net platform shortly after the vunerability was announced. Here are a few commonly asked questions that we have seen.

What is ImageTragick / CVE-2016–3714?

ImageTragick is the internet nickname that was given to CVE-2016–3714 to help spread the word of this vulnerability to end users and the media. It features a website and a logo and is a pun based on "ImageMagick".

What is this "ImageMagick" that you speak of?

ImageMagick is a steadfast workhorse that has been around since the 1990's. Being free and open source software, it is one the thousands of open source libraries that is installed on millions of Linux servers around the world. It also features a nifty logo of a wizard with a pointed starry cap.

This collection of software facilitates advanced, automated, image processing. It can be used to do many different things to an image, such as adding transparency, rotate or flipping a sideways image, or conversion of an image to a format with better compression.

Here at CloudAccess.net we have both the command-line and the library version installed on our shared hosting platform. This is to ensure compatibility with community third party extensions and plugins.

ImageMagick is most commonly used in third party extensions or plugins to resize a picture into a thumbnail on-the-fly.

Hold up, what is CVE?

CVE is an acronym for "Common Vulnerabilities and Exposures". It is a dictionary of publicly known information security vulnerabilities and exposures. These are known problems with software that can allow for a remote attacker to take over an affected system, or in this case, a website.

How does this affect my Joomla or WordPress site?

Here are a couple of examples of at-risk websites:

On a vulnerable, unpatched, at-risk website, an attacker could use the ImageTragick vulnerability to attack, deface, or otherwise or compromise a website.

What are some possible solutions or workarounds?

The current known workaround is something that needs to be handled at the hosting provider level. Your website hosting provider should be able to adjust ImageMagick's global policy.xml to patch this problem and provide a solution.

Has my website hosting provider patched this?

If you already host your website with us, please understand that we patched this problem several days ago. You should not expect to see your website hosted with us to become compromised because of this vulnerability.

If you host with another provider, we highly recommend contacting your system administrator to find out if proper mitigation has been applied, especially if you operate a complex website with a lot of third party extensions or plugins.