
CVE-2016-3718 SSRF

Posted: 2016-05-09T07:51:15-07:00
by eriksson
Are there any workarounds available for preventing ImageMagick from fetching http/https resources embedded into svg images?


<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg" x="0" y="0" height="640px" width="480px"/>
</svg>

Changing the policy.xml does not seem to prevent this behaviour.

Re: CVE-2016-3718 SSRF

Posted: 2016-05-09T11:35:33-07:00
by magick
ImageMagick has an internal SVG renderer which is blocked per https://www.imagemagick.org/discourse-s ... =4&t=29588. Specifically the MVG coder. It also has other renderers depending on your environment. It might utilize RSVG or inkscape. These delegate libraries or programs likely are fetching your https URIs. You may need to contact the developers for these projects for additional help. You can of course configure policy.xml to deny the right to use SVG.

Re: CVE-2016-3718 SSRF

Posted: 2016-05-09T11:54:40-07:00
by eriksson
Thanks, I am running ImageMagick in a Windows environment so I guess it is using rsvg by default.

I'll investigate this further.
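
One workaround when the delegate renderer itself cannot be reconfigured, given here as an added example that is not from either poster or from ImageMagick: reject SVG input that references anything outside the document before it reaches the converter. The function names, the `data:`-only allow-list and the sample input are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
ALLOWED_SCHEMES = {"data"}  # inline images only; "#id" references stay in the document

# Constructed sample: the SVG from the question in this thread.
SAMPLE_REMOTE = (
    b'<?xml version="1.0" standalone="no"?>\n'
    b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
    b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\n'
    b'<svg width="640px" height="480px" version="1.1" '
    b'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">\n'
    b'<image xlink:href="https://example.com/image.jpg" x="0" y="0" '
    b'height="640px" width="480px"/>\n</svg>'
)

def _leaves_document(ref):
    """True for anything that is neither a same-document "#id" nor an allowed scheme."""
    ref = ref.strip()
    return not ref.startswith("#") and urlsplit(ref).scheme.lower() not in ALLOWED_SCHEMES

def external_refs(svg_bytes):
    """Return (element, reference) pairs for every reference a renderer could fetch."""
    if b"<!ENTITY" in svg_bytes:  # coarse byte-level guard: no entity declarations
        raise ValueError("entity declarations are not accepted")
    found = []
    for elem in ET.fromstring(svg_bytes).iter():  # expat does not fetch the external DTD
        tag = elem.tag.rsplit("}", 1)[-1]
        refs = [elem.get(XLINK_HREF), elem.get("href")]
        # CSS url(...) inside attributes (style, fill, filter, ...) and <style> text
        for text in list(elem.attrib.values()) + [elem.text or ""]:
            refs.extend(CSS_URL.findall(text))
        found.extend((tag, r) for r in refs if r is not None and _leaves_document(r))
    return found

def is_safe_to_render(svg_bytes):
    """True only if the SVG parses and every reference stays inside the document."""
    try:
        return not external_refs(svg_bytes)
    except (ET.ParseError, ValueError):  # malformed XML or unparsable reference: reject
        return False
```

The check does not cover CSS `@import` rules or `<?xml-stylesheet?>` processing instructions, so it complements denying the SVG coder in policy.xml and does not replace it.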