Basically, disable image uploading (if you can) on the site until you can deploy a fix for this (not sure if it's even available yet). Links are OK, but image uploads could compromise the whole thing.
Edit: This thread (https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=29594) thinks a fix will be out today, but that's upstream, so who knows how long until you can just "take a fix" for it. Supposedly there's a way to deny the TYPE of image that's vulnerable with a policy XML file that you probably already have, but you'll have to investigate how to do that if that's what you're going to do.
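For anyone who wants to go the policy route mentioned above, this is an added example (not from the thread or from ImageMagick's own shipped policy.xml) of the coder-disabling policy that was circulated as the stopgap for this bug; it assumes the file lives at a distribution-specific path such as /etc/ImageMagick/policy.xml or /etc/ImageMagick-6/policy.xml, so check your install's actual location first:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)*>
  <!ELEMENT policy (#PCDATA)>
  <!ATTLIST policy domain (coder|delegate|path|resource|system) #IMPLIED>
  <!ATTLIST policy rights CDATA #IMPLIED>
  <!ATTLIST policy pattern CDATA #IMPLIED>
]>
<!-- Stopgap policy: deny the coders that the ImageTragick advisory singled out.
     rights="none" means ImageMagick will refuse to read or write that format
     regardless of the file extension, since ImageMagick sniffs content, not names. -->
<policymap>
  <!-- EPHEMERAL, URL, HTTPS and MSL are the script/fetch-style coders;
       MVG is the text-based vector format that the advisory centred on. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
```

After saving it, `convert -list policy` prints the policies ImageMagick actually loaded, which is the quickest way to confirm the file is at the path your build reads rather than one it ignores.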
#2
PatrThom
Been hearing about this a lot the last few days. Right now, the recommended fix (until an actual patch can be rolled out) is to make sure the file header data actually matches the purported file type.
I don't know enough about the forum back end to know if we use ImageMagick or not.
Also disabling the ability for people with < (nonTrivialNumbr) posts to upload images would be another stopgap.
--Patrick
#3
GasBandit
We don't use ImageMagick. We have the option to, but we don't.

GasBanditry.com, however, DOES. And it might explain a thing'r two... Grumble grumble.
I figured it was worth the warning here since I wouldn't have been surprised to see XenForo using it, not to mention the number of people here who run other websites that should also check.
#5
GasBandit
Yeah, this might be the final straw that retires the ol' Image Hoard. These days, between google, giphy, imgur and gfycat, it doesn't see as much use anyway.
It's only a problem on upload, right? So if you're the only one with the power to upload, is it much of a concern (assuming you are manually screening your images prior to upload, that is)?
Well, I didn't authorize ANY uploaders (I would usually just FTP new pictures), but I still got suspicious new folders being created that looked like they were part of somebody's attempt to fraudulently impersonate a USAA website.