
ImageTragick: Dangerous for ownCloud Users?


ImageTragick, the fancy nickname for a series of recent critical security vulnerabilities in the ImageMagick library, has gotten some attention in the press already. ImageMagick is a widely used library for image processing. If it is installed on the ownCloud server, ownCloud will use ImageMagick for the generation of previews for certain graphical files including SVG, TIFF, PDF, AI, PSD, EPS, and TTF. Read on to find out if you need to take action to protect your privacy and security.

Are ownCloud users at risk?

When the ownCloud server uses ImageMagick, the library can give an attacker a way in. At least one of the vulnerabilities is known to allow arbitrary remote code execution, letting adversaries execute code of their choice. That is one of the most dangerous types of security vulnerability and a reason for serious concern.

In a newly set up ownCloud instance, the vulnerable preview providers are disabled by default. Older instances may have different values, so we recommend checking whether additional preview providers are configured in the enabledPreviewProviders array in your config.php. If you can't find this entry, ownCloud will use the sane defaults.

While ownCloud itself is not vulnerable, ownCloud servers are in danger if all the following conditions are met:

  • The PHP Imagick module is installed.
  • The PHP fileinfo module is not installed.
  • Previews are enabled and a preview provider for one of the previously mentioned file types is enabled.
  • Malicious users can upload files (including over publicly shared links!).

A typical ownCloud server is therefore not very likely to be vulnerable. Even so, due to the criticality of this issue, we recommend performing one of the following steps as soon as possible:

  • Disable the PHP Imagick module (recommended)
  • Remove the enabledPreviewProviders array from your config.php so that ownCloud uses the sane defaults (recommended)
  • Configure a policy file as described at this page
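
To check a server against the conditions listed above, the following script is an added example and not ownCloud's own code. It assumes provider class names are written as in ownCloud's config.sample.php (for example 'OC\Preview\SVG'), that previews are switched off with the enable_previews key, and that the path to config.php is passed as the first argument.

```sh
#!/bin/sh
# Added example (not ownCloud's code): checks the server-side conditions from
# the list above. Assumption: preview provider class names are written as in
# ownCloud's config.sample.php, e.g. 'OC\Preview\SVG'.
RISKY='SVG|TIFF|PDF|Illustrator|Photoshop|Postscript|Font'

# module_loaded NAME MODULE_LIST: succeeds if NAME is a line of `php -m` output.
module_loaded() { printf '%s\n' "$2" | grep -qix -- "$1"; }

# risky_providers CONFIG_TEXT: print risky provider classes that appear outside
# comment lines (heuristic text match; config.php is not evaluated).
risky_providers() {
  printf '%s\n' "$1" | sed -E '/^[[:space:]]*(\/\/|#|\/?\*)/d' |
    grep -owE "OC\\\\+Preview\\\\+($RISKY)" | sort -u
}

# previews_enabled CONFIG_TEXT: previews are on unless enable_previews is false.
previews_enabled() {
  ! printf '%s\n' "$1" |
    grep -qiE "['\"]enable_previews['\"][[:space:]]*=>[[:space:]]*false"
}

# assess MODULE_LIST CONFIG_TEXT: print a verdict; return 1 when every
# server-side condition holds. Who may upload files is not visible here.
assess() {
  module_loaded imagick "$1" || { echo "ok: imagick module not loaded"; return 0; }
  module_loaded fileinfo "$1" && { echo "ok: fileinfo module loaded"; return 0; }
  previews_enabled "$2" || { echo "ok: previews disabled"; return 0; }
  found=$(risky_providers "$2")
  [ -n "$found" ] || { echo "ok: no risky preview provider enabled"; return 0; }
  printf 'AT RISK: imagick without fileinfo; enabled: %s\n' \
    "$(printf '%s' "$found" | tr '\n' ' ')"
  return 1
}

# Usage: sh check.sh /path/to/owncloud/config/config.php
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  assess "$(php -m)" "$(cat "$1")"
fi
```

`php -m` lists the modules of the command-line PHP, which can differ from the PHP that serves ownCloud, so confirm the module state for the web server's PHP as well.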

For enhanced security of your ownCloud server, we recommend taking a look at some of our hardening recommendations. From our side we’re working on mitigating security problems in the preview providers through sandboxing in the future.

For more technical information see the imagetragick.com website.

ownCloud

May 4, 2016
