Blog

Archive for the ‘Security’ Category

phpBB not vulnerable to ImageMagick exploit

Posted by Marc Alexander in Development, Security, Support on May 5th, 2016

As some of you might have noticed, a security issue has recently been uncovered in ImageMagick, a widely used software suite for displaying and modifying images. You can read about the full details of the exploit on news outlets like Ars Technica (article on ImageMagick exploit) and the ImageMagick community forum.

It has come to our attention that admins are unsure whether this affects their phpBB installation and/or what they might have to do to secure their installation.
First and foremost let me make it clear that, based on the currently available information, phpBB is not vulnerable to the exploits.
phpBB already verifies the supplied image types and therefore already contains one of the described mitigations for the ImageMagick vulnerabilities.

phpBB supports using ImageMagick for creating thumbnails only. Other parts of phpBB, such as image or general attachment uploads, are not using ImageMagick at all. The described exploits rely on directly passing uploads to ImageMagick and/or passing “clear text” image formats such as SVG or MVG to it. phpBB itself does not support these image types for creating thumbnails and therefore will not pass them onto ImageMagick. Additionally, supported image types are checked for integrity before passing it onto ImageMagick for thumbnail creation. Passing malicious files as described and disguising them as other image types is therefore not possible.

We hope this will help with clearing up any confusion or uncertainty on this subject.