A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.
The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.
According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.
"The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post published Tuesday. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."
Update, May 4, 2016, 3:55: Almost 24 hours after this post went live, researchers from website security firm Sucuri published an independent analysis that concurs with Huber's assessment. It also sheds new light on how the exploit works. They said that recent versions of ImageMagick don't properly filter uploaded file names before passing them to server-side processes such as the one that handles HTTPS. The omission allows attackers to execute commands of their choosing, giving them full remote command capability.
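The analysis above comes down to one failure mode: content an end user controls (the file name and the bytes of the upload) reaches ImageMagick unfiltered, and ImageMagick decides from that content which coder or helper process to run. The following is an added example, not code from this article, from ImageMagick or from Sucuri, showing the checks a defender would put in front of the resizer: verify the upload's leading bytes against the declared extension, refuse file names outside a strict character set, store the file under a server-chosen name, and build the `convert` command with an explicit coder prefix (`png:`, `jpeg:`, `gif:`) so ImageMagick is told the format rather than sniffing it. The accepted-format list, the sample uploads and the assumption that the site shells out to `convert` are all constructed for this example.

```python
import re
import secrets

# Added example (not the article's, ImageMagick's or Sucuri's code): validate an
# upload by its leading bytes and by a strict file-name rule before any
# ImageMagick command line is built for it.

# Leading-byte signatures for the raster formats an upload form would accept.
# Text-based formats that ImageMagick also understands never match these.
RASTER_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87": b"GIF87a",
    "gif89": b"GIF89a",
}

# Constructed sample uploads (not real files from any site).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
TEXT_SAMPLE = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>\n'

# Letters, digits, dot, underscore, hyphen; no leading dot, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def detect_raster_format(data: bytes):
    """Return 'png', 'jpeg' or 'gif' when the bytes start with that signature, else None."""
    for name, sig in RASTER_SIGNATURES.items():
        if data.startswith(sig):
            return "gif" if name.startswith("gif") else name
    return None


def extension_matches(data: bytes, declared_name: str) -> bool:
    """True only when the declared extension agrees with the detected format."""
    ext = declared_name.rsplit(".", 1)[-1].lower() if "." in declared_name else ""
    ext = {"jpg": "jpeg"}.get(ext, ext)
    fmt = detect_raster_format(data)
    return fmt is not None and fmt == ext


def is_safe_filename(name: str) -> bool:
    """Reject names containing path separators, shell metacharacters or other oddities."""
    return SAFE_NAME.fullmatch(name) is not None


def storage_name(fmt: str) -> str:
    """Server-chosen file name: a random token plus the verified format's extension."""
    ext = {"png": "png", "jpeg": "jpg", "gif": "gif"}[fmt]
    return f"{secrets.token_hex(16)}.{ext}"


def build_resize_command(fmt: str, in_path: str, out_path: str, size: str = "256x256"):
    """argv for ImageMagick's convert with the coder fixed by an explicit prefix,
    so ImageMagick does not choose a coder from the file's own content."""
    return ["convert", f"{fmt}:{in_path}", "-resize", size, f"{fmt}:{out_path}"]


def accept_upload(data: bytes, declared_name: str):
    """Return (stored_name, argv) for a valid upload, or None when it is rejected."""
    if not is_safe_filename(declared_name):
        return None
    if not extension_matches(data, declared_name):
        return None
    fmt = detect_raster_format(data)
    stored = storage_name(fmt)
    return stored, build_resize_command(fmt, stored, "thumb_" + stored)


if __name__ == "__main__":
    cases = [
        ("cat.png", PNG_SAMPLE),    # accepted
        ("cat.jpg", JPEG_SAMPLE),   # accepted
        ("cat.png", TEXT_SAMPLE),   # rejected: bytes are not a PNG
        ("a;b.png", PNG_SAMPLE),    # rejected: unsafe file name
    ]
    for name, data in cases:
        print(name, "->", accept_upload(data, name))
```

The returned argv list is meant to be handed to `subprocess.run` as a list, never joined into a shell string, and the user-supplied name is used only for the extension check; the file is stored and resized under the random name.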
"The vulnerability is very simple to exploit," Sucuri's founder and CTO wrote in Wednesday's post. "An attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue."
As Huber predicted, it didn't take long for people to develop proof-of-concept exploits. At least one of them is publicly available.