[Discuss] phpBB not vulnerable to ImageMagick exploit

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Get Involved
User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5705
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

[Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Marc »

Use this topic to discuss the phpBB not vulnerable to ImageMagick exploit blog post.
User avatar
Elias
Registered User
Posts: 5152
Joined: Sat Feb 25, 2006 4:31 pm
Name: Elias

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Elias »

Thanks for the info!
"Mystery creates wonder, and wonder is the basis of man's desire to understand." - Neil Armstrong
|Installing Extensions|Writing Extensions|Extension Validation Policy|
User avatar
3Di
I've Been Banned!
Posts: 17538
Joined: Mon Apr 04, 2005 11:09 pm
Location: I'm with Ukraine 🇺🇦
Name: Marco

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by 3Di »

Interesting, many thanks. :)
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Buy me a coffee -> Image
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by canonknipser »

Thanks - i thing that bug was the reason for this topic
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
User avatar
Lumpy Burgertushie
Registered User
Posts: 69228
Joined: Mon May 02, 2005 3:11 am

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lumpy Burgertushie »

canonknipser wrote:Thanks - i thing that bug was the reason for this topic
you are probably correct. however, it would have helped if that poster would have mentioned that as the reason for thier problem/question.


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
User avatar
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by canonknipser »

The mentioned blog-posting is true for phpbb core functions.
But what about extensions or 3.0-Mods?
I remember that the very popular NV-Gallery-Mod had its own image-upload and -resize functions and did not use the phpbb-core functions for attachments.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB
User avatar
3Di
I've Been Banned!
Posts: 17538
Joined: Mon Apr 04, 2005 11:09 pm
Location: I'm with Ukraine 🇺🇦
Name: Marco

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by 3Di »

ImageMagik has been promptly sanitized in versions 7.0.1-1 and 6.9.3-10.

It's up to the users/hosts to update/upgrade and follow the instructions here:
https://www.imagemagick.org/discourse-s ... 88#p132726

Releases: http://imagemagick.org/script/binary-releases.php
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Buy me a coffee -> Image
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
User avatar
AmigoJack
Registered User
Posts: 6120
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by AmigoJack »

It's 2016 and the blog lists only URIs (text) instead of links (clickable)?
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5705
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Marc »

It's still 2016 and the links are now clickable. This was supposed to be done before posting the blog post but was unfortunately overlooked. There are nicer ways of saying this, too.
canonknipser wrote:The mentioned blog-posting is true for phpbb core functions.
But what about extensions or 3.0-Mods?
I remember that the very popular NV-Gallery-Mod had its own image-upload and -resize functions and did not use the phpbb-core functions for attachments.
While we can't guarantee this for all MODS, Extensions, etc., Mods like nickvergessen's Gallery Mod seem to use phpBB's upload classes and therefore also don't seem to be vulnerable as the image checking is done during the upload.
Lars68
Registered User
Posts: 3
Joined: Thu May 12, 2016 4:12 pm

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lars68 »

I hear about the exploit but don't know that phpBB use ImageMagick to create thumbnail.
Thanks for the info, I will have to look to the other parts of my website to find leaks :?
User avatar
AmigoJack
Registered User
Posts: 6120
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by AmigoJack »

Lars68 wrote:don't know that phpBB use ImageMagick
It's mentioned on the requirements and you also see it being found during the installation.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
Lars68
Registered User
Posts: 3
Joined: Thu May 12, 2016 4:12 pm

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lars68 »

AmigoJack wrote:
Lars68 wrote:don't know that phpBB use ImageMagick
It's mentioned on the requirements and you also see it being found during the installation.
Well, maybe i instal phpBB to fast and don't look to the requirements, sorry.
TheNiceBigFella
Registered User
Posts: 38
Joined: Fri May 18, 2007 6:40 pm

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by TheNiceBigFella »

Cool.

Return to “phpBB Discussion”