[Discuss] phpBB not vulnerable to ImageMagick exploit

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
Post Reply
User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5402
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

[Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Marc » Thu May 05, 2016 5:29 pm

Use this topic to discuss the phpBB not vulnerable to ImageMagick exploit blog post.

User avatar
Elias
Registered User
Posts: 4625
Joined: Sat Feb 25, 2006 4:31 pm
Location: In the Water!
Name: Elias

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Elias » Thu May 05, 2016 6:55 pm

Thanks for the info!
"Mystery creates wonder, and wonder is the basis of man's desire to understand." - Neil Armstrong
|Installing Extensions|Writing Extensions|Extension Validation Policy|

User avatar
3Di
Former Team Member
Posts: 14047
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by 3Di » Thu May 05, 2016 8:38 pm

Interesting, many thanks. :)
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity ΒΊ PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
πŸ‘¨β€πŸ« | Take a tour to | The Studio | πŸ‘¨β€πŸ«

User avatar
canonknipser
Registered User
Posts: 2063
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by canonknipser » Thu May 05, 2016 8:42 pm

Thanks - i thing that bug was the reason for this topic
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
Lumpy Burgertushie
Registered User
Posts: 66559
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lumpy Burgertushie » Thu May 05, 2016 8:45 pm

canonknipser wrote:Thanks - i thing that bug was the reason for this topic
you are probably correct. however, it would have helped if that poster would have mentioned that as the reason for thier problem/question.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

User avatar
canonknipser
Registered User
Posts: 2063
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by canonknipser » Thu May 05, 2016 8:58 pm

The mentioned blog-posting is true for phpbb core functions.
But what about extensions or 3.0-Mods?
I remember that the very popular NV-Gallery-Mod had its own image-upload and -resize functions and did not use the phpbb-core functions for attachments.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
3Di
Former Team Member
Posts: 14047
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by 3Di » Thu May 05, 2016 9:04 pm

ImageMagik has been promptly sanitized in versions 7.0.1-1 and 6.9.3-10.

It's up to the users/hosts to update/upgrade and follow the instructions here:
https://www.imagemagick.org/discourse-s ... 88#p132726

Releases: http://imagemagick.org/script/binary-releases.php
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity ΒΊ PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
πŸ‘¨β€πŸ« | Take a tour to | The Studio | πŸ‘¨β€πŸ«

User avatar
AmigoJack
Registered User
Posts: 5604
Joined: Tue Jun 15, 2010 11:33 am
Location: γ‚°γƒͺーン ヒル ゾーン
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by AmigoJack » Fri May 06, 2016 6:25 am

It's 2016 and the blog lists only URIs (text) instead of links (clickable)?
The worst thing about censorship is β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ
Affin wrote: ↑
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5402
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Marc » Fri May 06, 2016 7:18 pm

It's still 2016 and the links are now clickable. This was supposed to be done before posting the blog post but was unfortunately overlooked. There are nicer ways of saying this, too.
canonknipser wrote:The mentioned blog-posting is true for phpbb core functions.
But what about extensions or 3.0-Mods?
I remember that the very popular NV-Gallery-Mod had its own image-upload and -resize functions and did not use the phpbb-core functions for attachments.
While we can't guarantee this for all MODS, Extensions, etc., Mods like nickvergessen's Gallery Mod seem to use phpBB's upload classes and therefore also don't seem to be vulnerable as the image checking is done during the upload.

Lars68
Registered User
Posts: 3
Joined: Thu May 12, 2016 4:12 pm
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lars68 » Thu May 12, 2016 4:29 pm

I hear about the exploit but don't know that phpBB use ImageMagick to create thumbnail.
Thanks for the info, I will have to look to the other parts of my website to find leaks :?

User avatar
AmigoJack
Registered User
Posts: 5604
Joined: Tue Jun 15, 2010 11:33 am
Location: γ‚°γƒͺーン ヒル ゾーン
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by AmigoJack » Sat May 14, 2016 6:48 am

Lars68 wrote:don't know that phpBB use ImageMagick
It's mentioned on the requirements and you also see it being found during the installation.
The worst thing about censorship is β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ
Affin wrote: ↑
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Lars68
Registered User
Posts: 3
Joined: Thu May 12, 2016 4:12 pm
Contact:

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by Lars68 » Sat May 14, 2016 7:23 pm

AmigoJack wrote:
Lars68 wrote:don't know that phpBB use ImageMagick
It's mentioned on the requirements and you also see it being found during the installation.
Well, maybe i instal phpBB to fast and don't look to the requirements, sorry.

TheNiceBigFella
Registered User
Posts: 38
Joined: Fri May 18, 2007 6:40 pm

Re: [Discuss] phpBB not vulnerable to ImageMagick exploit

Post by TheNiceBigFella » Mon May 16, 2016 3:53 am

Cool.

Post Reply

Return to β€œphpBB Discussion”