12

Our server was exploited by a ransomware. We allow admins to upload PDF, docx, excel etc. But also images and SVG.

And we use dragonfly to generate thumbnails on those files that are supported.

Let's say I upload a infected image to the server.

When resizing images with imagemagick, are the files being executed or just read? Can a resize jeopardize the security of a server?

Philip
  • 223
  • 1
  • 5
  • Are you asking if image resize CAN be a vector, or if it WAS the vector of your ransomware episode? – Mindwin Apr 13 '16 at 19:18
  • 4
    An image isn't an executable file type. What does it even mean to "execute" an image file? – Ajedi32 Apr 13 '16 at 19:29
  • 5
    @Ajedi32 Evidently you've never heard of [piet](http://www.dangermouse.net/esoteric/piet.html). In all seriousness though, [image files can hide executable code in their metadata.](http://stackoverflow.com/questions/9675941/how-can-a-virus-exist-in-an-image). – Pharap Apr 13 '16 at 19:33
  • 2
    Do you verify if said files are, really, what they seem to be? If administrators can upload php files, or upload php disguised as something else, then rename it to php, and then retrieve the file from the web, the server may execute the php code. This attack vector seems way more likely to me than a malicious image. – Guntram Blohm Apr 14 '16 at 07:07

1 Answers1

25

Unless you have a bug in your image handling tools code the image gets only read and no code executed which might reside somewhere in the image. But note that in the past there were bugs in image handling code which lead to code execution, for example this bug in libjpeg. Thus to be on the safer side you should do your image manipulation within a restricted environment like some kind of sandbox.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 7
    The production servers should only hold production code / verified and safe files/databases. Send/process everything else into another machine (uploads, user-generated files, third-party databases). – Mindwin Apr 13 '16 at 19:21