{"id":2934,"date":"2016-05-06T14:57:43","date_gmt":"2016-05-06T14:57:43","guid":{"rendered":"http:\/\/musilda.cz\/?p=2934"},"modified":"2016-05-06T14:57:43","modified_gmt":"2016-05-06T14:57:43","slug":"zranitelnost-v-knihovne-imagemagick","status":"publish","type":"post","link":"https:\/\/affinite.io\/cs\/zranitelnost-v-knihovne-imagemagick\/","title":{"rendered":"Zranitelnost v knihovn\u011b ImageMagick"},"content":{"rendered":"

Probl\u00e9m nen\u00ed aktu\u00e1ln\u011b ve WordPressu, ale jedn\u00e1 se o pom\u011brn\u011b z\u00e1va\u017en\u00fd probl\u00e9m, kter\u00fd m\u016f\u017ee ovlivnit i weby, na WordPressu b\u011b\u017e\u00edc\u00ed.<\/p>\n

P\u0159ed n\u011bkolika dny, byla zve\u0159ejn\u011bna zranitelnost knihovny ImageMagick, kter\u00e9 m\u016f\u017ee ovlivnit v\u0161echny WordPress weby, kter\u00e9 hostuj\u00ed na serverech s nainstalovanou knihovnou. Pokud m\u00e1te mo\u017enost ovlivnit nastaven\u00ed serveru, m\u011bli by jste u\u010dinit pot\u0159ebn\u00e9 kroky.<\/p>\n

Celkov\u00fd dopad tohoto probl\u00e9mu nen\u00ed zn\u00e1m, ale\u00a0existuje n\u011bkolik krok\u016f , kter\u00e9 m\u016f\u017eete u\u010dinit.<\/p>\n

Jak budou ovlivn\u011bny WordPress weby?<\/h2>\n

V\u0161echny medi\u00e1ln\u00ed soubory, obsahuj\u00edc\u00ed \u0161kodliv\u00e1 data, nahr\u00e1na do administrace, mohou vytv\u00e1\u0159et exploity, pr\u00e1v\u011b pomoc\u00ed knihovny ImageMagick. Co\u017e se t\u00fdk\u00e1 v\u0161ech u\u017eivatel\u016f s opr\u00e1vn\u011bn\u00edm upload_files. V z\u00e1kladu to jsou auto\u0159i, edito\u0159i a administr\u00e1to\u0159i.<\/p>\n

Probl\u00e9m se v\u0161ak nevyskytuje ve WordPressu, ale v knihovn\u011b a proto by jste m\u011bli komunikovat p\u0159edev\u0161\u00edm s poskytovatelem va\u0161eho hostingu. Poskytovatel by se m\u011bl zam\u011b\u0159it p\u0159edev\u0161\u00edm na\u00a0ImageTragick (CVE-2016-3714, CVE-2016-3718 a CVE-2016-3715)<\/a>\u00a0exploit.<\/p>\n

Jak pozn\u00e1m, \u017ee je m\u016fj web zraniteln\u00fd?<\/h2>\n

Probl\u00e9m maj\u00ed pouze weby, jejich\u017e PHP obsahuje roz\u0161\u00ed\u0159en\u00ed PHP Imagick. Jak zjist\u00edte, \u017ee m\u00e1te knihovnu nainstalov\u00e1nu?<\/p>\n

    \n
  1. Zavolejte v k\u00f3du n\u011bjak\u00e9 str\u00e1nky funkci\u00a0phpinfo()<\/code>\u00a0a hledejte \u201cImagick\u201d.<\/li>\n
  2. Spus\u0165te p\u0159\u00edkaz\u00a0<\/span>php -m | grep imagick<\/code>\u00a0v p\u0159\u00edkazov\u00e9 \u0159\u00e1dce.<\/li>\n
  3. Nainstalujte PHP Info WordPress plugin, a hledejte \u201cImagick\u201d.<\/li>\n<\/ol>\n

    Jak mohu odstranit tento probl\u00e9m?<\/h2>\n

    Aktu\u00e1ln\u011b nejlep\u0161\u00ed zn\u00e1m\u00e9 \u0159e\u0161en\u00ed, je \u00a0p\u0159idat soubor policy.xml do va\u0161\u00ed ImageMagick instalace, k omezen\u00ed toho, kdo m\u016f\u017ee knihovnu pou\u017e\u00edvat. Pot\u0159ebn\u00e9 informace najdete na\u00a0https:\/\/imagetragick.com\/<\/a><\/p>\n

    ImageMagick 6.9.3-10<\/h2>\n

    Image Magick vydal 3.5. 2016 update s opravou, ale nen\u00ed zat\u00edm zn\u00e1mo, za oprava byla schopna pokr\u00fdt cel\u00fd rozsah probl\u00e9mu, nakolik tento rozsah nen\u00ed zn\u00e1t. M\u011bli by jste p\u0159edpokl\u00e1dat, \u017ee tomu tak nen\u00ed a pou\u017e\u00edt \u0159e\u0161en\u00ed ve form\u011b privacy.xml souboru.<\/p>\n

    Dal\u0161\u00ed informace<\/h2>\n

    V\u00edce informac\u00ed najdete na imagetragick.com<\/a>, kde budou zve\u0159ej\u0148ov\u00e1ny v\u0161echny d\u016fle\u017eit\u00e9 aktuality.<\/p>\n

    Dokumentaci k pou\u017eit\u00ed souboru policy.xml najdete na\u00a0https:\/\/www.imagemagick.org\/script\/resources.php<\/a><\/p>\n

    \u010cl\u00e1nek byl voln\u011b p\u0159elo\u017een z\u00a0https:\/\/make.wordpress.org\/core\/2016\/05\/06\/imagemagick-vulnerability-information\/<\/a><\/p>\n

     <\/p>\n","protected":false},"excerpt":{"rendered":"

    Probl\u00e9m nen\u00ed aktu\u00e1ln\u011b ve WordPressu, ale jedn\u00e1 se o pom\u011brn\u011b z\u00e1va\u017en\u00fd probl\u00e9m, kter\u00fd m\u016f\u017ee ovlivnit i weby, na WordPressu b\u011b\u017e\u00edc\u00ed. P\u0159ed n\u011bkolika dny, byla zve\u0159ejn\u011bna zranitelnost knihovny ImageMagick, kter\u00e9 m\u016f\u017ee ovlivnit v\u0161echny WordPress weby, kter\u00e9 hostuj\u00ed na serverech s nainstalovanou knihovnou. Pokud m\u00e1te mo\u017enost ovlivnit nastaven\u00ed serveru, m\u011bli by jste u\u010dinit pot\u0159ebn\u00e9 kroky. Celkov\u00fd dopad<\/p>\n","protected":false},"author":1,"featured_media":2935,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,30],"tags":[195,563],"class_list":["post-2934","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost-wordpressu","category-wordpress","tag-imagemagick","tag-zranitelnost"],"_links":{"self":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts\/2934"}],"collection":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/comments?post=2934"}],"version-history":[{"count":0,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/posts\/2934\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/media\/2935"}],"wp:attachment":[{"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/media?parent=2934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/categories?post=2934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/affinite.io\/cs\/wp-json\/wp\/v2\/tags?post=2934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}