ImageTragick, the nickname given to a series of recently disclosed critical vulnerabilities in the ImageMagick library, has already received attention in the press. ImageMagick is a widely used image-processing library. If it is installed on the ownCloud server, ownCloud uses it to generate previews for certain graphical file types, including SVG, TIFF, PDF, AI, PSD, EPS and TTF. Read on to find out whether you need to take action to protect your privacy and security.
Are ownCloud users at risk?
When the ownCloud server uses ImageMagick to render previews, ImageMagick becomes part of the server's attack surface: an uploaded file is handed to it for preview generation, so a crafted file reaches the vulnerable code. At least one of the vulnerabilities is known to allow remote code execution, letting an adversary run code of their choice on the server. That is among the most dangerous classes of security vulnerability and reason for serious concern.
In a newly set up ownCloud instance the vulnerable preview providers are disabled by default. Older instances may carry different values, so we recommend checking whether additional providers are configured in the enabledPreviewProviders array in your config.php. If that entry is absent, ownCloud uses its sane defaults.
While ownCloud itself is not vulnerable, ownCloud servers are in danger if all the following conditions are met:
- The PHP Imagick module is installed
- The PHP fileinfo module is not installed (ownCloud uses it to determine a file's type from its content rather than from its extension)
- Previews are enabled and a preview provider for one of the file types mentioned above is enabled
- Malicious users can upload files (including over publicly shared links!)
Even though the typical ownCloud server is thus unlikely to be vulnerable, given the criticality of this issue we recommend performing one of the following steps as soon as possible:
- Disable the PHP Imagick module (recommended)
- Remove the enabledPreviewProviders array from your config.php, so that ownCloud falls back to its sane defaults (recommended)
- Configure an ImageMagick policy file (policy.xml) as described at this page
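The following POSIX shell script is an added example, not part of the original post and not ownCloud's own code. It checks the software-side conditions listed above against a config.php and the local PHP installation, and writes the coder restrictions that imagetragick.com published as a standalone policy fragment. The OC\Preview\* provider class names and the enable_previews key are taken from ownCloud's config.sample.php of the time and should be treated as assumptions; the module names come from `php -m`; the two config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not ownCloud's own code): check an ownCloud config.php and the
# PHP install for the ImageTragick preconditions, and write a policy fragment.

# Preview provider classes that render through ImageMagick. The OC\Preview\*
# names follow ownCloud's config.sample.php of the time; treat the list as an
# assumption and compare it with the sample config of your own version.
IMAGICK_PROVIDERS="SVG TIFF PDF Illustrator Photoshop Postscript Font"

# Print the ImageMagick-backed providers enabled in a config.php, one per line.
# Backslashes are stripped before matching so that 'OC\Preview\SVG' and
# 'OC\\Preview\\SVG' both count; lines commented out with // are ignored.
imagick_providers_enabled() {
    cfg="$1"
    [ -f "$cfg" ] || return 0
    # No array at all means ownCloud uses its defaults, which exclude these
    # providers on a fresh install.
    grep -q 'enabledPreviewProviders' "$cfg" || return 0
    for p in $IMAGICK_PROVIDERS; do
        if grep -v '^[[:space:]]*//' "$cfg" | tr -d '\\' | grep -Fq "OCPreview$p"; then
            printf '%s\n' "OC\\Preview\\$p"
        fi
    done
}

# 'enable_previews' is taken to default to true when the key is absent (assumed).
previews_enabled() {
    ! grep -Eq "'enable_previews'[[:space:]]*=>[[:space:]]*false" "$1" 2>/dev/null
}

# Is a PHP extension loaded? Uses the CLI's module list; the web SAPI may differ.
php_module_loaded() {
    php -m 2>/dev/null | grep -qix "$1"
}

# Exit 0 when every software-side condition from the post holds: imagick loaded,
# fileinfo missing, previews on, and an ImageMagick-backed provider enabled.
# Whether untrusted users can upload is a deployment question the script cannot
# answer, so check that separately. Arguments: config path, imagick yes|no,
# fileinfo yes|no.
at_risk() {
    cfg="$1"; have_imagick="$2"; have_fileinfo="$3"
    [ "$have_imagick" = yes ] || return 1
    [ "$have_fileinfo" = no ] || return 1
    previews_enabled "$cfg" || return 1
    [ -n "$(imagick_providers_enabled "$cfg")" ]
}

# Write the coder restrictions imagetragick.com published to the given path as a
# standalone policymap. Merge the <policy> lines into the existing policy.xml
# (for example /etc/ImageMagick-6/policy.xml on Debian-based systems; the
# location varies by distribution) rather than replacing that file.
write_imagick_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
EOF
}

# Constructed sample: an older instance that copied the full provider list.
SAMPLE_CFG="${TMPDIR:-/tmp}/imagetragick-sample-config.php"
cat > "$SAMPLE_CFG" <<'EOF'
<?php
$CONFIG = array (
  'enable_previews' => true,
  'enabledPreviewProviders' => array(
    'OC\Preview\PNG',
    'OC\Preview\JPEG',
    'OC\\Preview\\SVG',
    // 'OC\Preview\PDF',
    'OC\Preview\TIFF',
  ),
);
EOF

# Constructed sample: the same instance with the array removed (the recommended
# fix), so the defaults apply.
SAFE_CFG="${TMPDIR:-/tmp}/imagetragick-safe-config.php"
printf '%s\n' '<?php' '$CONFIG = array (' "  'enable_previews' => true," ');' > "$SAFE_CFG"

# Stand-alone run: evaluate a config against the live PHP install.
report() {
    cfg="$1"
    if php_module_loaded imagick; then im=yes; else im=no; fi
    if php_module_loaded fileinfo; then fi_=yes; else fi_=no; fi
    printf 'imagick: %s  fileinfo: %s  providers: %s\n' "$im" "$fi_" \
        "$(imagick_providers_enabled "$cfg" | tr '\n' ' ')"
    if at_risk "$cfg" "$im" "$fi_"; then
        echo "RISK: every software-side condition is met for $cfg"
    else
        echo "OK: at least one condition is not met for $cfg"
    fi
}
report "$SAMPLE_CFG"
```

Run it as the web server user, or point `report` at your real config.php, since the CLI `php -m` may list different modules than the PHP running under the web server. On Debian-based systems the first recommendation above corresponds to `phpdismod imagick` followed by a web server restart; on other distributions remove or comment out the extension line in php.ini.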
For enhanced security of your ownCloud server, we recommend taking a look at our hardening recommendations. On our side, we are working on mitigating security problems in the preview providers through sandboxing in the future.
For more technical information see the imagetragick.com website.