[Security-news] SA-2009-051 - ImageCache - Multiple vulnerabilities

security-news at drupal.org
Wed Aug 19 21:18:32 UTC 2009


 * Advisory ID: DRUPAL-SA-CONTRIB-2009-051
 * Project: ImageCache (third-party modules)
 * Version: 5.x, 6.x
 * Date: 2009-August-19
 * Security risk: Less critical
 * Exploitable from: Remote
 * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

ImageCache allows one to set up presets for image processing to create
derivatives. ImageCache will dynamically generate a derivative on access if
it doesn't exist.

.... Cross site scripting

Users with the "administer imagecache" permission are able to execute cross
site scripting [1] attacks because the ImageCache module doesn't properly
escape a number of user-supplied preset variables before output.

.... Access bypass

ImageCache doesn't properly check access to originals when generating
derivative images. When the private filesystem is enabled, and access to
images is restricted, unprivileged users may still access an image if they
know the image's filename.
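
The access bypass above, as an added example that is not ImageCache's own code: a derivative request is mapped back to its original, and the hardened handler refuses unless the requester could download that original. The `imagecache/<preset>/<original>` layout, the `$FILES` table and all function names are assumptions made for illustration; on a Drupal site the access decision belongs to the modules implementing hook_file_download().

```php
<?php
// Constructed sample data: private originals and the roles allowed to view them.
$FILES = array(
    'photos/public-banner.jpg' => array('anonymous', 'member'),
    'photos/members-only.jpg'  => array('member'),
);

// Map a derivative request "imagecache/<preset>/<original>" (assumed layout)
// to the original path. Returns null for malformed input or path traversal.
function original_for_derivative($request) {
    if (!preg_match('#^imagecache/([A-Za-z0-9_-]+)/(.+)$#', $request, $m)) {
        return null;
    }
    foreach (explode('/', $m[2]) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    return $m[2];
}

// Hypothetical stand-in for the site's access check on the original file.
function may_view_original($original, $role, $files) {
    return isset($files[$original]) && in_array($role, $files[$original], true);
}

// Unsafe shape: the derivative is built for anyone who knows the filename;
// the requester's role is never consulted.
function serve_unchecked($request, $role, $files) {
    $original = original_for_derivative($request);
    return ($original === null || !isset($files[$original])) ? 404 : 200;
}

// Hardened shape: deny unless the requester could download the original itself.
function serve_checked($request, $role, $files) {
    $original = original_for_derivative($request);
    if ($original === null || !isset($files[$original])) {
        return 404;
    }
    return may_view_original($original, $role, $files) ? 200 : 403;
}

$req = 'imagecache/thumbnail/photos/members-only.jpg';
printf("unchecked, anonymous: %d\n", serve_unchecked($req, 'anonymous', $FILES));
printf("checked, anonymous:   %d\n", serve_checked($req, 'anonymous', $FILES));
printf("checked, member:      %d\n", serve_checked($req, 'member', $FILES));
```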

-------- VERSIONS AFFECTED ---------------------------------------------------

 * ImageCache versions for Drupal 5.x prior to 5.x-2.5
 * ImageCache versions for Drupal 6.x prior to 6.x-2.0-beta10

Drupal core is not affected. If you do not use the contributed ImageCache
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
 * If you use ImageCache on Drupal 5.x, upgrade to 5.x-2.5 [2]
 * If you use ImageCache on Drupal 6.x, upgrade to 6.x-2.0-beta10 [3]

Beta software is not recommended for use on production sites. Such releases
are not supported by the security team. Nevertheless, the maintainer elected
to release 6.x-2.0-beta10 fixing the issues described in this announcement.
See also the ImageCache project page [4].

-------- REPORTED BY ---------------------------------------------------------

 * The cross site scripting was reported by Justin Klein Keane [5].
 * The access bypass was reported by Karl Scheirer [6].

-------- FIXED BY ------------------------------------------------------------

Andrew Morton [7] (the module maintainer).

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/554086
[3] http://drupal.org/node/554090
[4] http://drupal.org/project/imagecache
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/128191
[7] http://drupal.org/user/34869

