ImageMagicK Vulnerability Mitigation (CVE-2016-3714)

General discussion on Zend Server for IBM System i
thomasmatthes
Posts: 20
Joined: Thu May 26, 2011 12:29 pm

ImageMagicK Vulnerability Mitigation (CVE-2016-3714)

Post by thomasmatthes » Fri Jun 03, 2016 10:20 am

We are running Zendserver 7.
First of all I created a Virtual Host named Magick, listening to port 10089.
Then I deployed the exploit.zpk as it was described in the documentation.
Running Zendserver GUI -> Applications -> Apps I see the application "Image Tragic" with message "Deployed".
Running Zendserver GUI -> Applications -> Virtual Hosts I see the created Virtual Host "Magick". The status, however, is ERROR and the message is "Enable deployment configuration has not been applied on this virtual host".
The Zendserver was started several times...
Any ideas what's going wrong here?

Is it correct that the image.php must be in the document root of the Virtual Host?

zvika
Zend Global Support
Posts: 997
Joined: Sun Dec 14, 2008 9:48 am

Re: ImageMagicK Vulnerability Mitigation (CVE-2016-3714)

Post by zvika » Sun Jun 05, 2016 8:07 am

Hello
You can indeed deploy image.php yourself in any vhost, default or new one, and browse to it to check the exploit.
If you need assistance or have questions regarding enabling deployment on vhosts, you can open a support ticket to work with us with more details on the installation and problem / errors.
Zvika Dror
Zend Support Team

thomasmatthes
Posts: 20
Joined: Thu May 26, 2011 12:29 pm

Re: ImageMagicK Vulnerability Mitigation (CVE-2016-3714)

Post by thomasmatthes » Mon Jun 06, 2016 7:36 am

Hello,

Now the Virtual Host seems to run.
When I execute the script image.php I get the message
"Test summary: If you get an 'ImagickException' with message 'not authorized' - your server is OK!
Your server appears to be vulnerable..."

I downloaded config.diff.gz, but when the statement "gunzip /PATH/TO/config.diff.gz" was executed, I got an error. Probably the reason is that there is no program for unzipping the config.diff.gz.
I unzipped the file manually and I got the file as follows:

diff -u -r config/policy.xml config.new/policy.xml
--- config/policy.xml 2016-05-15 15:50:00.243315104 +0300
+++ config.new/policy.xml 2016-05-15 15:49:43.947315701 +0300
@@ -48,4 +48,13 @@
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="8"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
+ <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+ <policy domain="coder" rights="none" pattern="URL" />
+ <policy domain="coder" rights="none" pattern="HTTPS" />
+ <policy domain="coder" rights="none" pattern="MVG" />
+ <policy domain="coder" rights="none" pattern="MSL" />
+ <policy domain="coder" rights="none" pattern="TEXT" />
+ <policy domain="coder" rights="none" pattern="SHOW" />
+ <policy domain="coder" rights="none" pattern="WIN" />
+ <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
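
Review bot: the hunk places its nine coder entries by context at line 48 of an existing config/policy.xml, directly before the closing </policymap>, so it has nothing to apply to on an installation whose config directory holds no policy.xml, and nothing in the patch says which directory it is meant to be run from. With header paths of config/policy.xml and config.new/policy.xml, patch -p1 strips the leading directory and looks for policy.xml in the current directory. Suggest stating the expected location alongside the patch, and noting that the added <policy domain="coder" rights="none" ... /> lines only make sense inside a <policymap> element, so the diff text itself is not a usable policy file.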

When I executed the next statement "cat /PATH/TO/config.diff |patch -p1" I got an error that the file was not found.
Indeed, the folder config contains no file policy.xml.

Can I create a new file policy.xml in the config folder with the statements from config.diff?
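
An added example, not part of the original post and not Zend's own tooling: a small Python check that reports which of the nine coder entries from the config.diff above are not in force in a given policy.xml. The function names and the two sample documents are constructed for illustration, and the path of the policy file is an assumption passed on the command line.

```python
import sys
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coder patterns that the config.diff quoted in this thread sets to rights="none".
REQUIRED = ["EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"]

def missing_coder_blocks(root):
    """Return the REQUIRED coders that the parsed <policymap> does not deny."""
    if root.tag != "policymap":
        raise ValueError("root element is <%s>, expected <policymap>" % root.tag)
    missing = []
    for name in REQUIRED:
        # XML comments are dropped by the parser, so a commented-out <policy>
        # never counts. Attribute values are compared exactly (strict on purpose).
        rights = [p.get("rights") for p in root.iter("policy")
                  if p.get("domain") == "coder"
                  and fnmatchcase(name, p.get("pattern", ""))]
        # Denied only if at least one entry matches and none grants any rights.
        if not rights or any(r != "none" for r in rights):
            missing.append(name)
    return missing

def check_text(policy_xml):
    return missing_coder_blocks(ET.fromstring(policy_xml))

# Constructed sample: a policymap carrying all nine entries from the diff.
SAMPLE_PATCHED = (
    "<policymap>\n"
    '  <!-- <policy domain="resource" name="time" value="3600"/> -->\n'
    + "".join('  <policy domain="coder" rights="none" pattern="%s" />\n' % n
              for n in REQUIRED)
    + "</policymap>\n")

# Constructed sample: MVG commented out, TEXT still readable, four entries absent.
SAMPLE_PARTIAL = """<policymap>
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="read" pattern="TEXT" />
</policymap>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check the policy file given as the first argument
        result = missing_coder_blocks(ET.parse(sys.argv[1]).getroot())
        print("missing coder blocks:", result or "none")
        sys.exit(1 if result else 0)
    print("patched sample:", check_text(SAMPLE_PATCHED))
    print("partial sample:", check_text(SAMPLE_PARTIAL))
```

An empty result only shows that the file contains the entries; the image.php test mentioned in the thread remains the check that the running server actually enforces them.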

thomasmatthes
Posts: 20
Joined: Thu May 26, 2011 12:29 pm

Re: ImageMagicK Vulnerability Mitigation (CVE-2016-3714)

Post by thomasmatthes » Tue Jun 14, 2016 2:56 pm

No ideas?

joe6181
Posts: 2
Joined: Tue Jun 30, 2015 9:22 pm

Re: ImageMagicK Vulnerability Mitigation (CVE-2016-3714)

Post by joe6181 » Wed Jun 22, 2016 6:28 am

Hi - I was curious if you ever heard back on this? It seems as though I have come across the same issue.
