Pixel Flood / lottapixel DoS vulnerability #1680

Closed
groe opened this Issue Jun 16, 2015 · 5 comments

groe commented Jun 16, 2015

I could not find any discussion regarding that topic, so I am opening this issue (sorry if there is already one I missed).

There is a wiki page authored by @sethherr about the Pixel flood attack vector already. I was wondering if the default for all carrierwave apps is to be vulnerable to this? If so, I don't think we can expect everyone to go to the wiki, search for this specific page and apply this fix.

The exploit is actively being used already and is very simple. Anyone can upload a 5kb JPG file and take down any vulnerable server within seconds. I had this happen to one of my servers today and was very surprised by how easy the attack is. If it is not already, being safe from it should be the default.

groe commented Jun 17, 2015

Also, the solution suggested by the imagemagick team would be to define a policy.xml file. See here.

That way we would not have to check the dimensions ourselves.

bensie commented Jun 30, 2015

Member

It's up to the application to handle this or it would need to be fixed at the ImageMagick level. So yes, I suppose all CarrierWave apps are potentially vulnerable, but not all apps process images nor do all apps process images with ImageMagick.

@bensie bensie closed this Jun 30, 2015

sethherr commented Jul 1, 2015

Contributor

I second this not being addressed in CarrierWave itself.

The reason I didn't set a policy.xml file is so this fix can be applied only to the uploaders it should be applied to. The default for CarrierWave is to be vulnerable to people uploading malicious files - you have to determine what restrictions CarrierWave should have.

groe commented Jul 1, 2015

I agree with you that not all apps use Imagemagick with Carrierwave. However, one common principle for many gems and rails itself has always been "secure by default". If you just add carrierwave with imagemagick to your rails project and don't read all the pages in the wiki nor have any experience with this issue, your app will be vulnerable. And this is the 80% use case for apps where users can upload images.

I am not saying that it is the responsibility of carrierwave to prevent these kinds of attacks. However, we should at least inform users about this more clearly IMO (something in the README like WARNING: If you are processing images without image dimension validation you are vulnerable to DoS attacks. Read more here…).

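A pre-decode dimension check of the kind the policy.xml comment and the "image dimension validation" comment above both call for, as an added example that is not CarrierWave's or ImageMagick's own code: it reads the declared width and height from a PNG IHDR or JPEG SOF header without decoding any pixels and rejects the file when the declared pixel count exceeds a cap. MAX_PIXELS, the function names and the two sample headers are constructed assumptions; in a CarrierWave app this would run in the uploader before any ImageMagick processing, which is the per-uploader placement sethherr describes, whereas policy.xml applies the limit server-wide.

```ruby
# Added example, not CarrierWave's code: refuse oversized images by reading
# only the header, so a tiny "lottapixel" file never reaches the decoder.

MAX_PIXELS = 25_000_000 # assumption: ~5000x5000; tune per application
PNG_SIG = "\x89PNG\r\n\x1a\n".b

# Returns [width, height] as declared by the header, or nil if unrecognised.
def image_dimensions(bytes)
  data = bytes.b
  if data.start_with?(PNG_SIG) && data.bytesize >= 24 && data[12, 4] == "IHDR"
    return data[16, 8].unpack("NN") # IHDR: width then height, big-endian
  end
  return nil unless data[0, 2] == "\xFF\xD8".b # JPEG SOI marker
  pos = 2
  while pos + 4 <= data.bytesize
    return nil unless data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    if marker == 0xFF # fill bytes between segments
      pos += 1
      next
    end
    length = data[pos + 2, 2].unpack1("n")
    # SOF0..SOF15 carry the frame size; 0xC4, 0xC8, 0xCC are not SOF markers
    if (0xC0..0xCF).include?(marker) && ![0xC4, 0xC8, 0xCC].include?(marker)
      height, width = data[pos + 5, 4].unpack("nn") # after 1 precision byte
      return [width, height]
    end
    pos += 2 + length
  end
  nil
end

# Decision before any decoding: unknown header or too many pixels -> reject.
def dimension_check(bytes, max_pixels: MAX_PIXELS)
  dims = image_dimensions(bytes)
  return [:reject, "unrecognised image header"] unless dims
  w, h = dims
  return [:reject, "#{w}x#{h} exceeds #{max_pixels} pixels"] if w * h > max_pixels
  [:accept, "#{w}x#{h}"]
end

# Constructed samples (not real uploads): a PNG header claiming 64000x64000
# pixels in under 30 bytes, and a JPEG header claiming 640x480.
SAMPLE_PNG = PNG_SIG + [13].pack("N") + "IHDR".b +
             [64_000, 64_000].pack("NN") + "\x08\x02\x00\x00\x00".b
SAMPLE_JPEG = "\xFF\xD8\xFF\xE0".b + [16].pack("n") +
              "JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00".b +
              "\xFF\xC0".b + [17].pack("n") + "\x08".b + [480, 640].pack("nn") + "\x03".b
```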
jayantsharma commented Aug 9, 2016

This attack just took down my server yesterday. The least that should be done is for this to be put up in the README for users, so that they're at least aware of the vulnerability.
