Security heads-up: Image processing exploit in wide circulation!

https://xenforo.com/community/threads/imagemagick-remote-code-execution-rce-vulnerability.115665/

From XF Dev:
None of the example "images" in those PoCs actually can be uploaded because they are not actually image files and therefore not accepted as such. This confirms our theory that XF is protected due to the "magic byte" detection, which is essentially what the getimagesize() function does.

That said, regardless -- please update ImageMagick anyway!

----

With that being said, make sure to upgrade IM especially if you have other extensions or plugins that use it.
 
Thanks for the heads up. I'd caught the "imagetragick" thread when it first was announced and did a quick set of tests to make sure B3D was OK, but haven't spent further time on it since then. While I think we're fine, I do plan to spend more time on it tonight.
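The "magic byte" detection mentioned in the XF developer's statement above can be sketched as follows. This is an added example, not XenForo's code and not the PHP getimagesize() implementation: a Python illustration of deciding a file's type and dimensions from its content alone. The function names, the 10000-pixel limit and the sample inputs are assumptions made for the illustration.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# JPEG start-of-frame markers carry the dimensions (0xC4, 0xC8, 0xCC are not SOF).
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def image_size(data: bytes):
    """Return (type, width, height) from file content alone, or None.
    The file name and client-supplied MIME type are never consulted."""
    if data[:8] == PNG_SIG and data[12:16] == b"IHDR" and len(data) >= 24:
        w, h = struct.unpack(">II", data[16:24])
        return ("png", w, h)
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        w, h = struct.unpack("<HH", data[6:10])
        return ("gif", w, h)
    if data[:3] == b"\xff\xd8\xff":
        return _jpeg_size(data)
    return None

def _jpeg_size(data: bytes):
    i = 2  # skip the SOI marker, then walk segment by segment
    while i + 9 <= len(data):
        if data[i] != 0xFF:
            return None  # not a marker: malformed, reject
        marker = data[i + 1]
        (seg_len,) = struct.unpack(">H", data[i + 2:i + 4])
        if marker in SOF:
            h, w = struct.unpack(">HH", data[i + 5:i + 9])
            return ("jpeg", w, h)
        i += 2 + seg_len
    return None

def accept_upload(name: str, data: bytes) -> bool:
    """Accept only content that parses as PNG, GIF or JPEG; 'name' is ignored
    on purpose. The 10000-pixel bound is an assumed limit for this example."""
    info = image_size(data)
    return info is not None and 0 < info[1] <= 10000 and 0 < info[2] <= 10000

# Constructed sample inputs (headers only, enough for the size check).
PNG = PNG_SIG + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 640, 480)
GIF = b"GIF89a" + struct.pack("<HH", 32, 16)
JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
        + b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, 100, 200, 1) + b"\x01\x11\x00")
FAKE = b"plain text renamed to look like an image\n"  # wrong content, image name

if __name__ == "__main__":
    for name, blob in [("a.png", PNG), ("b.gif", GIF), ("c.jpg", JPEG), ("d.jpg", FAKE)]:
        print(name, image_size(blob), accept_upload(name, blob))
```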