Upgrades and vulnerabilities

WordPress released a recent upgrade to address a security issue[1], and also warned operators of servers using ImageMagick of security issues possible when processing insecure images[2].

What we did about it

GenWeb.io has upgraded to the current stable version (we always do, usually within minutes of the release.) We have also addressed the so-called “ImageTragick”[3] vulnerability in the ways currently suggested by the ImageMagick developers. But, just for your own peace of mind (and ours!), please ensure that your regional site does not allow users, forum posters, or commentors to upload photos. Also, please do not ‘upload’ images using urls as this is another vector for this exploit to be used. If you are using the PressThis tool to republish articles from the internet, this is another way to infect your site.

What the vulnerability was

The issue addressed by WordPress potentially allowed someone to run a script in a visitor’s browser when displaying/streaming certain kinds of media. Obviously could not directly affect your website, but it could get your site blacklisted as a source of malicious scripts even though it wasn’t really your site doing the harm to the visitor. This is completely fixed by the security update.

The issue with ImageMagick potentially allowed remote code execution (RCE) on the server. When images are used in WordPress they are processed in various ways using ImageMagick – to create thumbnails, or change a photo’s dimensions, or in other ways – and during that processing ImageMagick could be convinced to execute instructions on the server. This could in theory do almost anything the webserver has the ability to do, including severely harming your site or the webserver itself. This is not completely fixed by the security update from ImageMagick, and so the vulnerable portions of ImageMagick have been disabled. Most likely this will not affect your site, but be aware of possible issues if you use .svg or .mvg graphics. There are known attempts to use this exploit in the wild, but GenWeb.io sites should no longer be vulnerable.

What this means for you

Nothing, as far as we are aware. When a more-complete fix for ImageMagick is available we will re-enable the possibly vulnerable portions again. In the meantime, if you have any issues with any media on your site (especially media which do not resize correctly) please use the secure contact form to get in touch with us immediately.

[1] WordPress 4.5.2 Security Release
[2] ImagMagick Vulnerability Information
[3] ImageTragick