ARender vs ImageTragick
You may have heard about the recent problem of Imagemagick allowing third parties to execute code, delete files, rendering remote machines useless by overloading them etc…
This issue actually concerns ARender because we use ImageMagick as dependency. We are on the lookout for the disclosure of this vulnerability since its release.
One of the points of resolution of the problem is to verify that the files sent are as announced pictures (not executable commands in plain text renammed to look like pictures). ARender is based on a detection library that exactly does this task.
So we tried to upload some image files on ARender causing security concerns and not surprisingly, ARender detects them as “plain text” files and thus will simply convert text to image and display it in ARender.
Here is the example of rendition in ARender (we scrambled the text causing security breaches), imagemagick was never called for these files:
For more information about this vulnerability, visit the following CVE: https://www.cvedetails.com/cve/CVE-2016-3714/
From our side, even if ARender resist this attack, we already changed the Imagemagick version bundled in ARender for Windows to provide the best possible security for our users and we changed the prerequisites to reflect this change.