[Discuss] phpBB not vulnerable to ImageMagick exploit

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
Post Reply
User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5441
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

[Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Marc »

Use this topic to discuss the phpBB not vulnerable to ImageMagick exploit blog post.

User avatar
Elias
Registered User
Posts: 4628
Joined: Sat Feb 25, 2006 4:31 pm
Location: In the Water!
Name: Elias

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Elias »

Thanks for the info!
"Mystery creates wonder, and wonder is the basis of man's desire to understand." - Neil Armstrong
|Installing Extensions|Writing Extensions|Extension Validation Policy|

User avatar
3Di
Former Team Member
Posts: 14720
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by 3Di »

Interesting, many thanks. :)
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
:studio_microphone: Premium extensions @ The Studio

User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by canonknipser »

Thanks - i thing that bug was the reason for this topic
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
Lumpy Burgertushie
Registered User
Posts: 67049
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lumpy Burgertushie »

canonknipser wrote:Thanks - i thing that bug was the reason for this topic
you are probably correct. however, it would have helped if that poster would have mentioned that as the reason for thier problem/question.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.3 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by canonknipser »

The mentioned blog-posting is true for phpbb core functions.
But what about extensions or 3.0-Mods?
I remember that the very popular NV-Gallery-Mod had its own image-upload and -resize functions and did not use the phpbb-core functions for attachments.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
3Di
Former Team Member
Posts: 14720
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by 3Di »

ImageMagik has been promptly sanitized in versions 7.0.1-1 and 6.9.3-10.

It's up to the users/hosts to update/upgrade and follow the instructions here:
https://www.imagemagick.org/discourse-s ... 88#p132726

Releases: http://imagemagick.org/script/binary-releases.php
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
:studio_microphone: Premium extensions @ The Studio

User avatar
AmigoJack
Registered User
Posts: 5680
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by AmigoJack »

It's 2016 and the blog lists only URIs (text) instead of links (clickable)?
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5441
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Marc »

It's still 2016 and the links are now clickable. This was supposed to be done before posting the blog post but was unfortunately overlooked. There are nicer ways of saying this, too.
canonknipser wrote:The mentioned blog-posting is true for phpbb core functions.
But what about extensions or 3.0-Mods?
I remember that the very popular NV-Gallery-Mod had its own image-upload and -resize functions and did not use the phpbb-core functions for attachments.
While we can't guarantee this for all MODS, Extensions, etc., Mods like nickvergessen's Gallery Mod seem to use phpBB's upload classes and therefore also don't seem to be vulnerable as the image checking is done during the upload.

Lars68
Registered User
Posts: 3
Joined: Thu May 12, 2016 4:12 pm
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lars68 »

I hear about the exploit but don't know that phpBB use ImageMagick to create thumbnail.
Thanks for the info, I will have to look to the other parts of my website to find leaks :?

User avatar
AmigoJack
Registered User
Posts: 5680
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by AmigoJack »

Lars68 wrote:don't know that phpBB use ImageMagick
It's mentioned on the requirements and you also see it being found during the installation.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Lars68
Registered User
Posts: 3
Joined: Thu May 12, 2016 4:12 pm
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lars68 »

AmigoJack wrote:
Lars68 wrote:don't know that phpBB use ImageMagick
It's mentioned on the requirements and you also see it being found during the installation.
Well, maybe i instal phpBB to fast and don't look to the requirements, sorry.

TheNiceBigFella
Registered User
Posts: 38
Joined: Fri May 18, 2007 6:40 pm

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by TheNiceBigFella »

Cool.

Post Reply

Return to “phpBB Discussion”