Add info on mitigations of image processing vulnerabilities.

blueimp · blueimp · commit 26bcba1f5e54 · 2018-10-26T01:21:31.000+02:00
diff --git a/README.md b/README.md
@@ -1,33 +1,31 @@
 # jQuery File Upload Plugin
 
+## Description
+File Upload widget with multiple file selection, drag&amp;drop support, progress bars, validation and preview images, audio and video for jQuery.  
+Supports cross-domain, chunked and resumable file uploads and client-side image resizing. Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads.
+
+## Demo
+[Demo File Upload](https://blueimp.github.io/jQuery-File-Upload/)
+
 ## ⚠️ Security Notice
 Security related releases:
 
+* [v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1) Mitigates some [Potential vulnerabilities with PHP+ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php+imagemagick).
 * [v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1) Fixes a [Remote code execution vulnerability in the PHP component](VULNERABILITIES.md#remote-code-execution-vulnerability-in-the-php-component).
 * v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1) Fixes an [Open redirect vulnerability in the GAE components](VULNERABILITIES.md#open-redirect-vulnerability-in-the-gae-components).
 * Commit [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a) (*fixed in all tagged releases*) Fixes a [Cross-site scripting vulnerability in the Iframe Transport](VULNERABILITIES.md#cross-site-scripting-vulnerability-in-the-iframe-transport).
 
 Please read the [SECURITY](SECURITY.md) document for instructions on how to securely configure your Webserver for file uploads.
 
-## Demo
-[Demo File Upload](https://blueimp.github.io/jQuery-File-Upload/)
-
-## Description
-File Upload widget with multiple file selection, drag&amp;drop support, progress bars, validation and preview images, audio and video for jQuery.  
-Supports cross-domain, chunked and resumable file uploads and client-side image resizing. Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads.
-
 ## Setup
-⚠️ **Notice:**  
-Please read the [Security recommendations](SECURITY.md) before setting up the project.
-
 * [How to setup the plugin on your website](https://github.com/blueimp/jQuery-File-Upload/wiki/Setup)
 * [How to use only the basic plugin (minimal setup guide).](https://github.com/blueimp/jQuery-File-Upload/wiki/Basic-plugin)
 
 ## Features
 * **Multiple file upload:**  
   Allows to select multiple files at once and upload them simultaneously.
 * **Drag & Drop support:**  
-  Allows to upload files by dragging them from your desktop or filemanager and dropping them on your browser window.
+  Allows to upload files by dragging them from your desktop or file manager and dropping them on your browser window.
 * **Upload progress bar:**  
   Shows a progress bar indicating the upload progress for individual files and for all uploads combined.
 * **Cancelable uploads:**  
diff --git a/SECURITY.md b/SECURITY.md
@@ -3,6 +3,8 @@ For an in-depth understanding of the potential security risks of providing file
 
 To securely setup the project to serve uploaded files, please refer to the sample [Secure file upload serving configurations](#secure-file-upload-serving-configurations).
 
+To mitigate potential vulnerabilities in image processing libraries, please refer to the [Secure image processing configurations](#secure-image-processing-configurations).
+
 By default, all sample upload handlers allow only upload of image files, which mitigates some attack vectors, but should not be relied on as the only protection.
 
 Please also have a look at the [list of fixed vulnerabilities](VULNERABILITIES.md) in jQuery File Upload, which relates mostly to the sample server-side upload handlers and how they have been configured.
@@ -109,3 +111,23 @@ location ^~ /path/to/project/server/php/files {
     }
 }
 ```
+
+## Secure image processing configurations
+The following configuration mitigates [potential image processing vulnerabilities with ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php+imagemagick) by limiting the attack vectors to a small subset of image types (`GIF/JPEG/PNG`).
+
+Please also consider using alternative, safer image processing libraries like [libvips](https://github.com/libvips/libvips) or [imageflow](https://github.com/imazen/imageflow).
+
+## ImageMagick config
+It is recommended to disable all non-required ImageMagick coders via [policy.xml](https://wiki.debian.org/imagemagick/security).  
+To do so, locate the ImageMagick `policy.xml` configuration file and add the following policies:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- ... -->
+<policymap>
+  <!-- ... -->
+  <policy domain="delegate" rights="none" pattern="*" />
+  <policy domain="coder" rights="none" pattern="*" />
+  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG}" />
+</policymap>
+```
diff --git a/VULNERABILITIES.md b/VULNERABILITIES.md
@@ -1,7 +1,21 @@
 # ⚠️ List of fixed vulnerabilities
 
+## Potential vulnerabilities with PHP+ImageMagick
+> Mitigated: 2018-10-25 (GMT)
+
+The sample [PHP upload handler](server/php/UploadHandler.php) before [v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1) did not validate file signatures before invoking [ImageMagick](https://www.imagemagick.org/) (via [Imagick](http://php.net/manual/en/book.imagick.php)).  
+Verifying those [magic bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) mitigates potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`.
+
+Please also configure ImageMagick to only enable the coders required for `GIF/JPEG/PNG` processing, e.g. with the sample [ImageMagick config](SECURITY.md#imagemagick-config).
+
+**Further information:**
+* Commit containing the mitigation: [fe44d34](https://github.com/blueimp/jQuery-File-Upload/commit/fe44d34be43be32c6b8d507932f318dababb25dd)
+* [ImageTragick](https://imagetragick.com/)
+* [CERT Vulnerability Note VU#332928](https://www.kb.cert.org/vuls/id/332928)
+* [ImageMagick CVE entries](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick)
+
 ## Remote code execution vulnerability in the PHP component
-> Fixed: 2018-10-23
+> Fixed: 2018-10-23 (GMT)
 
 The sample [PHP upload handler](server/php/UploadHandler.php) before [v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1) allowed to upload all file types by default.  
 This opens up a remote code execution vulnerability, unless the server is configured to not execute (PHP) files in the upload directory (`server/php/files`).  
@@ -33,7 +47,7 @@ The provided [.htaccess](server/php/files/.htaccess) file includes instructions
 * [OWASP - Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload)
 
 ## Open redirect vulnerability in the GAE components
-> Fixed: 2015-06-12
+> Fixed: 2015-06-12 (GMT)
 
 The sample Google App Engine upload handlers before v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1) accepted any URL as redirect target, making it possible to use the Webserver's domain for phishing attacks.
 
@@ -42,7 +56,7 @@ The sample Google App Engine upload handlers before v[9.10.1](https://github.com
 * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
 
 ## Cross-site scripting vulnerability in the Iframe Transport
-> Fixed: 2012-08-09
+> Fixed: 2012-08-09 (GMT)
 
 The [redirect page](cors/result.html) for the [Iframe Transport](js/jquery.iframe-transport.js) before commit [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a) (*fixed in all tagged releases*) allowed executing arbitrary JavaScript in the context of the Webserver.
 
