How images on your site could compromise security
Submitted by Richard Dickenson on
Images on your website aren't normally regarded as a security hazard, but researchers have shown that the software used to process them has put many sites at risk. The problem lies in a free, open source image processing package called ImageMagick. It has been in use for over 25 years, so you may know of it, or at least recognise its logo of a little wizard.
Unlike image editing software such as Adobe Photoshop, which lets you alter images in a graphical window using design tools, ImageMagick is a set of command-line programs, with bindings for PHP, Python, Ruby and other languages, that makes it easier to process many images in a repeatable way for your website. ImageMagick can be used to generate standardised thumbnails for images uploaded to your website, for example, or to convert an entire batch of images to the same dimensions and the same file format. You may have used ImageMagick without realising it, because a number of image processing libraries and plugins rely on it under the hood, such as PHP's imagick extension, Ruby's rmagick and paperclip, and Node.js's imagemagick package.
While the software is a great free resource, a major bug was disclosed in May by security researchers from the Russian internet services company Mail.Ru Group. A huge number of websites were left open to exploits that let an attacker run arbitrary commands on the web server simply by uploading an image. If users can upload images to your website and ImageMagick processes them, the site may be vulnerable to remote code execution (RCE). The attack does not even need a genuine image: the attacker writes a small text file in one of ImageMagick's own script formats (such as MVG or SVG) that contains a shell command, and gives it a harmless-looking extension such as .jpg. Checking the extension does not help, because ImageMagick chooses how to decode a file from its contents rather than its name, so the file is processed as a script and the embedded command is executed.
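One practical check that follows from this, shown here as an added example that is not part of the original post or of ImageMagick itself: confirm that an upload really is one of the raster formats you accept by inspecting its leading bytes, and then tell ImageMagick which decoder to use rather than letting it guess. The function names, the set of accepted formats and the sample uploads below are assumptions constructed for this illustration.

```python
# Added example (not from the original post or from ImageMagick): validate an upload
# before it is handed to ImageMagick. Function names and accepted formats are assumptions.

# Leading bytes ("magic bytes") of the raster formats this hypothetical endpoint accepts.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Which of those formats each permitted filename extension is supposed to contain.
EXTENSION_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_image_type(data: bytes):
    """Return the format whose signature the data starts with, or None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_upload(filename: str, data: bytes):
    """Decide whether an upload may be passed to ImageMagick.

    Returns (accepted, detail). The extension alone proves nothing, because
    ImageMagick picks its decoder from the file contents, so the contents must
    carry the signature that the extension claims.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSION_FORMAT.get(ext)
    if declared is None:
        return False, f"extension '.{ext}' is not permitted"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "contents do not start with a supported image signature"
    if actual != declared:
        return False, f"extension claims {declared} but contents look like {actual}"
    return True, actual


def build_convert_argv(fmt: str, src: str, dst: str):
    """Argument list for ImageMagick's convert with the input decoder fixed.

    The 'fmt:' prefix names the coder explicitly, so a file validated as JPEG is
    decoded as JPEG instead of whatever ImageMagick would sniff from its bytes.
    Pass this list to subprocess.run without shell=True.
    """
    return ["convert", f"{fmt}:{src}", "-resize", "200x200", f"png:{dst}"]


# Constructed sample uploads (not real files): a JPEG header, a PNG header wearing a
# .jpg extension, and a harmless MVG script (no delegate call) renamed to .jpg.
SAMPLE_UPLOADS = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "logo.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "avatar.jpg": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",
}


def triage_samples(uploads=SAMPLE_UPLOADS):
    """Map each sample filename to its check result; only photo.jpg should pass."""
    return {name: check_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (accepted, detail) in triage_samples().items():
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'} ({detail})")
```

Only the first sample is accepted; the PNG-in-.jpg mismatch and the renamed MVG script are both refused before ImageMagick ever sees them. Checking the first few bytes is a cheap filter, not a full parser, so it belongs alongside the policy fix rather than instead of it.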
There is actually a family of vulnerabilities here, all of which have been catalogued on a website called ImageTragick. Make sure your website admin is aware of that site, as it includes advice on preventing attacks. ImageMagick has also published a configuration change, a policy.xml file that disables the affected coders, which blocks the known attacks; the ImageTragick site reproduces it. However, the researchers from Mail.Ru said that ImageMagick's patches in response to the issue were "incomplete." Many website admins are still unaware that the security risk even exists, so it is important to spread the word. If you do not allow users to upload images to your website there is less risk, but if you do, you should consider disabling this feature until it no longer poses a security threat.
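The policy file in question, shown here as an added illustration rather than as text from the original post: the coder names are the ones the ImageTragick advisory lists, and the file location is an assumption (Debian and Ubuntu keep it at /etc/ImageMagick-6/policy.xml; other systems differ, and `convert -list policy` prints the path that is actually in use).

```xml
<!-- policy.xml, assumed path /etc/ImageMagick-6/policy.xml.
     Weak setting: installs from before the fix shipped no "coder" policies at all,
     so every coder was enabled, including the MVG and MSL script formats and the
     URL/HTTPS delegates that an uploaded file can use to reach a shell command.
     Corrected setting: deny those coders outright. -->
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

After editing the file, restart any application processes that have ImageMagick loaded and run `convert -list policy` to confirm the entries are active. An installation whose policy listing shows none of these coder rules is still exposed, whatever version number it reports, because the policy is read from the file, not from the upgrade.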
This unexpected hazard from a trusted open source component demonstrates the importance of vigilance when it comes to website plugins and the libraries behind them. Website admins should remove all unused plugins and make sure that those in use are kept up to date, so that the website is not left exposed to a known attack. We also recommend automating patching, to improve security and give you peace of mind.
The staff at Landmark Technologies are happy to advise you on website security issues such as those discussed here. We offer managed IT services and security solutions that protect against all kinds of cyber-attacks. Email us on firstname.lastname@example.org or call +44(0) 207 977 7707
About the author
Richard gained a BSc in Business Management from UEA and has since worked in the serviced office industry for over 10 years. He enjoys the diversity of products and solutions at Landmark Technologies' disposal in an ever-evolving industry.
Richard is currently captain of the Chelmsford 3rd XI hockey team (who are challenging for promotion), and in the summer he plays cricket for Great Totham as an all-rounder. For his sins he is also an Everton fan.