[Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Marc » Thu May 05, 2016 5:29 pm

Use this topic to discuss the phpBB not vulnerable to ImageMagick exploit blog post.

Post by Elias » Thu May 05, 2016 6:55 pm

Thanks for the info!

Post by 3Di » Thu May 05, 2016 8:38 pm

Interesting, many thanks. :)

Post by canonknipser » Thu May 05, 2016 8:42 pm

Thanks - I think that bug was the reason for this topic
Greetings, Frank

Post by Lumpy Burgertushie » Thu May 05, 2016 8:45 pm

canonknipser wrote: Thanks - I think that bug was the reason for this topic
You are probably correct. However, it would have helped if that poster would have mentioned that as the reason for their problem/question.


robert

Post by canonknipser » Thu May 05, 2016 8:58 pm

The mentioned blog-posting is true for phpbb core functions.
But what about extensions or 3.0-Mods?
I remember that the very popular NV-Gallery-Mod had its own image-upload and -resize functions and did not use the phpbb-core functions for attachments.
Greetings, Frank

Post by 3Di » Thu May 05, 2016 9:04 pm

ImageMagick has been promptly sanitized in versions 7.0.1-1 and 6.9.3-10.

It's up to the users/hosts to update/upgrade and follow the instructions here:
https://www.imagemagick.org/discourse-s ... 88#p132726

Releases: http://imagemagick.org/script/binary-releases.php
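The fixed-release numbers quoted in the post above, turned into a host check (an added example, not part of the original thread and not phpBB or ImageMagick code): it parses the banner printed by `convert -version` and compares it numerically with 6.9.3-10 and 7.0.1-1. The sample banners are constructed, the function names are illustrative, and calling the binary `convert` is an assumption about the host.

```python
import re
import subprocess

# First fixed release per major branch, as quoted in the post above.
FIXED = {6: (6, 9, 3, 10), 7: (7, 0, 1, 1)}
VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")

def parse_version(banner):
    """Return (major, minor, micro, patch) from `convert -version` output."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no ImageMagick version string in banner")
    return tuple(int(part) for part in match.groups())

def classify(banner):
    """Compare the reported version with the fixed release of its branch."""
    version = parse_version(banner)
    major = version[0]
    if major < min(FIXED):
        return version, "below-fixed"
    if major > max(FIXED):
        return version, "at-or-above-fixed"
    # Tuple comparison is numeric, so 6.9.10-x sorts after 6.9.3-10.
    status = "at-or-above-fixed" if version >= FIXED[major] else "below-fixed"
    return version, status

# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "Version: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org",
    "Version: ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org",
    "Version: ImageMagick 7.0.1-0 Q16 x86_64 2016-05-01 http://www.imagemagick.org",
]

def installed_banner():
    """Banner of the local `convert` binary, or None if it is not installed."""
    try:
        result = subprocess.run(["convert", "-version"],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout

if __name__ == "__main__":
    local = installed_banner()
    for banner in SAMPLES + ([local] if local else []):
        try:
            print(*classify(banner))
        except ValueError as err:
            print("unparsed banner:", err)
```

Distribution packages may carry backported fixes under an older upstream version number, so a `below-fixed` result is a prompt to check the vendor's advisory and package changelog rather than a final verdict.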


Post by AmigoJack » Fri May 06, 2016 6:25 am

It's 2016 and the blog lists only URIs (text) instead of links (clickable)?

Post by Marc » Fri May 06, 2016 7:18 pm

It's still 2016 and the links are now clickable. This was supposed to be done before posting the blog post but was unfortunately overlooked. There are nicer ways of saying this, too.
canonknipser wrote:The mentioned blog-posting is true for phpbb core functions.
But what about extensions or 3.0-Mods?
I remember that the very popular NV-Gallery-Mod had its own image-upload and -resize functions and did not use the phpbb-core functions for attachments.
While we can't guarantee this for all MODS, Extensions, etc., Mods like nickvergessen's Gallery Mod seem to use phpBB's upload classes and therefore also don't seem to be vulnerable as the image checking is done during the upload.


Post by Lars68 » Thu May 12, 2016 4:29 pm

I heard about the exploit but didn't know that phpBB uses ImageMagick to create thumbnails.
Thanks for the info, I will have to look at the other parts of my website to find leaks :?


Post by AmigoJack » Sat May 14, 2016 6:48 am

Lars68 wrote: didn't know that phpBB uses ImageMagick
It's mentioned on the requirements and you also see it being found during the installation.

Post by Lars68 » Sat May 14, 2016 7:23 pm

AmigoJack wrote:
Lars68 wrote: didn't know that phpBB uses ImageMagick
It's mentioned on the requirements and you also see it being found during the installation.
Well, maybe I installed phpBB too fast and didn't look at the requirements, sorry.


Post by TheNiceBigFella » Mon May 16, 2016 3:53 am

Cool.
