Question on security of images run through imagemagick

[archwaytech]

I am a web developer, and I have a question.

I am building a page for a customer where visitors can upload images to the customer's server. Once an image has been uploaded, I will then have imagemagick resize the image and rename it. My development hosting is on godaddy, and my customer's site is on powweb. I am taking the necessary precautions (using captcha, checking mime type, etc.) to try to avoid malicious code from being uploaded. However, a very clever hacker could get around these precautions.

Here is my question. If a visitor uploaded malicious code disguised as an image, would imagemagick recognize that the file is malicious (and not execute the file), or would it cause the code's execution by trying to open and resize the infected file?

I guess what it boils down to is whether or not imagemagick will increase, decrease, or cause no change to the inherent security issues involved in allowing visitors to upload files to the web server.

As a side note: The customer will be downloading the user-uploaded images and scanning them all with AVG before using them on his own computer.

[Bonzo]

I have just run a test on a file with php code but with a .jpg extension:

Code: Select all

<?php 
$array=array(); 
echo "<pre>";
exec("convert input.jpg -resize 500x500 output.jpg 2>&1", $array);  
echo "<br>".print_r($array)."<br>"; 
echo "</pre>";  
?> 

This is the output:
Array
(
[0] => convert.exe: Not a JPEG file: starts with 0x3c 0x3f `delete.jpg' @ error/jpeg.c/JPEGErrorHandler/316.
[1] => convert.exe: missing an image filename `output.jpg' @ error/convert.c/ConvertImageCommand/3017.
)
1

It looks like Imagemagick found it was a "bad" file on loading. If you look up the file specifications nearly all the different file types start with certain codes.

NOTES on JPEG file headers: It appears that one can safely say that all JPEG files start with the three hex digits 0xFF-D8-FF

There are some other php error methods on my site.

[archwaytech]

Thank you, Bonzo. That is very helpful to know.

[fmw42]

I believe that IM uses a "magick" parameter for a given format to check the header for its type. If there is no magick parameter, for a few image formats, then I believe it reverts to the extension or a prefix.

see
http://www.imagemagick.org/RMagick/doc/ ... ml#formats

%m at http://www.imagemagick.org/script/escape.php

However, only the IM developers can really tell you how secure this all is.

I suppose some malicious person could put the header of a real image format at the top of some code. But I could not say how IM would then determine if it was legitimate or not.\

P.S. Perhaps you might repost this to the Developer's forum, which may catch the eye of the IM developers better than in the User's forum

[NicolasRobidoux]

viewtopic.php?f=4&t=20286#p80576

[NicolasRobidoux]

viewtopic.php?f=4&t=20629

[anthony]

Note IM does check of valid images. But many valid images have a specific 'length' or 'end of image' marker that is built in to the image file format. As such IM often will stop at that point. especially on some image file formats that are designed for 'streaming' multiple images.

What may follow that image however will generally be ignored and not even read by ImageMagick.

For Example: I know for example you can append a RAR file to a PNG image, and "unrar" can find and unpack the rar file, even though the file looks and acts like a PNG image otherwise.

See my cryptography notes (though this has nothing to do with ImageMagick or Image processing otherwise.
http://www.ict.griffith.edu.au/anthony/info/crypto/
and specifically File Hiding.
http://www.ict.griffith.edu.au/anthony/ ... ding.hints