VULNERABILITIES.md
### Mitigated: 2018-10-25 (GMT)

The sample PHP upload handler before v9.25.1 did not validate file signatures before invoking ImageMagick (via Imagick). Verifying those magic bytes mitigates potential vulnerabilities when handling input files other than GIF/JPEG/PNG.

Please also configure ImageMagick to only enable the coders required for GIF/JPEG/PNG processing, e.g. with the sample ImageMagick config.
Further information:
### Fixed: 2018-10-23 (GMT)

The sample PHP upload handler before v9.24.1 allowed uploading all file types by default.

This opens up a remote code execution vulnerability, unless the server is configured to not execute (PHP) files in the upload directory (server/php/files).

The provided .htaccess file includes instructions for Apache to disable script execution; however, .htaccess support is disabled by default since Apache v2.3.9 via the AllowOverride directive.
You are affected if you:

- use the sample PHP upload handler before v9.24.1 on a Webserver that executes files with .php as part of the file extension (e.g. "example.php.png"), e.g. Apache with mod_php enabled and the following directive (not a recommended configuration):
  ```
  AddHandler php5-script .php
  ```
- use the sample PHP upload handler before v9.22.1 on a Webserver that executes files with the file extension .php, e.g. Apache with mod_php enabled and the following directive:
  ```
  <FilesMatch \.php$>
  SetHandler application/x-httpd-php
  </FilesMatch>
  ```
- use Apache v2.3.9+ with the default AllowOverride directive set to None, or another Webserver with no .htaccess support, so the script-execution rules in the provided .htaccess file (server/php/files) are not applied.

How to fix it:
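The two defenses described in this file, the GIF/JPEG/PNG whitelist introduced with v9.24.1 and the magic-byte check introduced with v9.25.1, combined in one validator. This is an added example written for this page, not the project's own upload handler; the function names and the sample inputs are constructed, and the Imagick call itself is left out.

```php
<?php
// Added example for this page, not the project's upload handler: it combines the
// GIF/JPEG/PNG whitelist with a magic-byte check so only real images of those
// formats reach ImageMagick. Function names and sample inputs are constructed.

// Leading bytes ("magic bytes") of the three formats, mapped to their type.
const IMAGE_SIGNATURES = [
    "GIF87a" => 'gif', "GIF89a" => 'gif',
    "\xFF\xD8\xFF" => 'jpeg',
    "\x89PNG\r\n\x1A\n" => 'png',
];

// Returns 'gif', 'jpeg' or 'png' when $data starts with a known signature, else null.
function detect_image_type(string $data): ?string
{
    foreach (IMAGE_SIGNATURES as $sig => $type) {
        if (strncmp($data, $sig, strlen($sig)) === 0) {
            return $type;
        }
    }
    return null;
}
// Returns the reasons for rejecting an upload; an empty array means it may be processed.
function validate_upload(string $name, string $data): array
{
    $errors = [];
    // 1. Extension whitelist: names that are not GIF/JPEG/PNG are refused outright.
    if (!preg_match('/\.(gif|jpe?g|png)$/i', $name)) {
        $errors[] = 'extension is not gif, jpg, jpeg or png';
    }
    // 2. A .php segment anywhere in the name (e.g. "example.php.png") is refused, since
    //    "AddHandler php5-script .php" would execute it regardless of the last extension.
    if (preg_match('/\.php/i', $name)) {
        $errors[] = 'file name contains a .php segment';
    }
    // 3. The content must carry an allowed signature that agrees with the extension,
    //    checked here before ImageMagick ever parses the file.
    $type = detect_image_type($data);
    if ($type === null) {
        $errors[] = 'content does not start with a GIF, JPEG or PNG signature';
    } elseif (!preg_match('/\.' . ($type === 'jpeg' ? 'jpe?g' : $type) . '$/i', $name)) {
        $errors[] = "content is $type but the extension does not match";
    }
    return $errors;
}
$png = "\x89PNG\r\n\x1A\n" . str_repeat("\0", 16);        // constructed sample: a PNG header
print_r(validate_upload('photo.png', $png));               // plain image name
print_r(validate_upload('example.php.png', $png));         // the double extension from the text
print_r(validate_upload('avatar.png', "<?php echo 1;"));   // PHP source under an image name
```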
Further information:
### Fixed: 2015-06-12 (GMT)

The sample Google App Engine upload handlers before v9.10.1 accepted any URL as redirect target, making it possible to use the Webserver's domain for phishing attacks.
Further information:
### Fixed: 2012-08-09 (GMT)

The redirect page for the Iframe Transport before commit 4175032 (fixed in all tagged releases) allowed executing arbitrary JavaScript in the context of the Webserver.
Further information: