File: root - text - article - 2016 - 05 - quickhost-urgent-network-security.txt
Tags: Security, Security | English | Home | Category: Computer Science | 599 reads, 29310 searches | 453 words
| Browse | Blog Archive
Dear Zhihua Lai (Ranplan),
New Vulnerabilities (CVE-2016-3714) in ImageMagick, used by most Linux server OSes.
You can read the article on the redhat online security blog: http://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/
About the vulnerability:
The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.
Background Information:
According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.
"The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post published Tuesday. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."
ImageMagick maintainers have also acknowledged the possibility of critical vulnerabilities allowing remote code execution. They haven't issued any patches, but they did suggest website administrators add several lines of code to configuration files to block at least some of the possible exploits. Huber has made the same recommendation and put the lines in this downloadable file. He went a step further by advising sites that use ImageMagick to also verify that all uploaded image files begin with the expected “magic bytes” corresponding to the image file types before allowing the files to be processed. Admins should consider temporarily suspending image uploading in cases where these mitigations can't immediately be put in place.
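The "magic bytes" check recommended above, as an added example that is not part of the email or the Ars Technica article: the allow-list of accepted types and the sample uploads are constructed here, and the check runs before a file is ever handed to ImageMagick. It rejects both a file whose content does not match its claimed extension and any type outside the allow-list.

```python
import os

# Allow-list of upload types: claimed extension -> acceptable leading bytes.
# (Assumed allow-list for this example; extend it to match what your form accepts.)
MAGIC_BYTES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def magic_bytes_match(data: bytes, extension: str) -> bool:
    """True only if the content starts with a signature matching the claimed extension."""
    signatures = MAGIC_BYTES.get(extension.lower())
    if not signatures:
        return False  # unknown or unsupported type: reject rather than guess
    return any(data.startswith(sig) for sig in signatures)


def validate_upload(filename: str, data: bytes) -> bool:
    """Gate an upload before it reaches ImageMagick.

    ImageMagick picks a coder from the file *content*, not the file name, so a
    non-image file renamed to .png would still be parsed as whatever it really
    is; checking the leading bytes against the claimed type closes that gap.
    """
    _, ext = os.path.splitext(filename)
    return magic_bytes_match(data, ext.lstrip("."))


# Constructed sample uploads (not real files); padding stands in for image data.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "anim.gif": b"GIF89a" + b"\x00" * 16,
    "renamed.png": b"plain text, not an image\n",  # content does not match .png
    "vector.svg": b"<svg/>",                        # type not on the allow-list
}


def run_checks() -> dict:
    """Return {filename: accepted?} for every constructed sample."""
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```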
If you are not a QuickHostUK Managed Hosting customer, please ensure you have also taken the appropriate actions to secure your own servers. Alternatively, we can handle this for you under our ad hoc management scheme, which for this occurrence would be £50 inc VAT per server.
Please contact us if you wish to utilise this service or if you have any questions.
Kind Regards,
QuickHostUK Limited
Email: [email protected]
Web: www.quickhostuk.com
Phone: 0845 576 0523
Copyright © 2016 QuickHostUK Limited - All Rights Reserved.
Registered in England and Wales. No. 08582667 | VAT Reg No: GB 131 1695 38
Follow us on Twitter for news & live updates - https://twitter.com/QuickHostUK
Tell us what you think - https://www.facebook.com/QuickHostUK?sk=reviews