[Security-news] ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056
security-news at drupal.org
Wed Jul 17 16:35:31 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-056
Project: ImageCache Actions [1]
Date: 2019-July-17
Security risk: *Critical* 17/25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Multiple Vulnerabilities
Description:
The ImageCache Actions module defines a number of additional image effects
that can be used to create image styles. The "Image styles admin" sub module
provides additional functionality to duplicate, export and import image
styles. The module uses unserialize() to import image styles exported from
another site. unserialize() is known to be unsafe on input an attacker may
control: it instantiates whatever classes the input names and runs their
magic methods, so a crafted export can lead to PHP object injection.
This vulnerability is mitigated by the fact that the "Image styles admin" sub
module must be enabled and an attacker must have a role with the permission
"administer image styles".
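The following PHP is an added illustration, not the module's code and not part of the advisory. It shows why unserialize() on an imported image style is dangerous and one way to harden that import path: refuse to instantiate any class, then validate the shape of the result. The ImportLogger class, the function names and the sample export are hypothetical; the class stands in for any class on the autoload path whose __wakeup() or __destruct() has side effects.

```php
<?php
// Hypothetical gadget class (an assumption for this example): any class that
// acts on its properties in __wakeup() or __destruct() becomes an attack
// primitive once unserialize() may instantiate it from attacker-controlled text.
class ImportLogger {
  public $path;
  public $data;

  public function __wakeup() {
    // Runs inside unserialize(), before the importer ever sees the result.
    file_put_contents($this->path, $this->data);
  }
}

// Vulnerable import: whatever class name appears in the text is instantiated.
function image_style_import_unsafe($text) {
  return unserialize($text);
}

// Hardened import: forbid class instantiation (allowed_classes needs PHP >= 7.0),
// then check that what came back is the plain array shape an export has.
function image_style_import_safe($text) {
  $value = @unserialize($text, array('allowed_classes' => FALSE));
  if (!is_array($value) || !isset($value['name']) || !is_string($value['name'])
      || !isset($value['effects']) || !is_array($value['effects'])) {
    return FALSE;
  }
  foreach ($value['effects'] as $effect) {
    // Any object in the payload is now a __PHP_Incomplete_Class; reject it along
    // with anything that does not look like an effect definition.
    if (!is_array($effect) || !isset($effect['name']) || !is_string($effect['name'])
        || (isset($effect['data']) && !is_array($effect['data']))) {
      return FALSE;
    }
  }
  return $value;
}

// Constructed sample of what a legitimate export looks like.
$legit = serialize(array(
  'name' => 'thumbnail_150',
  'effects' => array(
    array(
      'name' => 'image_scale',
      'data' => array('width' => 150, 'height' => 150, 'upscale' => 0),
    ),
  ),
));

// Constructed attacker payload: pasted into the same import textarea, but the
// text describes an object rather than an array. Built with serialize() here
// only to get the byte counts right; an attacker would hand-write the string.
$gadget = new ImportLogger();
$gadget->path = sys_get_temp_dir() . '/imagecache-actions-demo.txt';
$gadget->data = "written by __wakeup()\n";
$payload = serialize($gadget);

$ok = image_style_import_safe($legit);       // the array, ready to import
$rejected = image_style_import_safe($payload); // FALSE; __wakeup() never runs
$hit = image_style_import_unsafe($payload);   // ImportLogger object; file written
```

The hardened path rejects the payload without ever constructing ImportLogger, while the unsafe path writes the file as a side effect of parsing. On PHP older than 7.0 the allowed_classes option does not exist; the conservative alternative is to move the export format to JSON, which cannot express objects. Note that this only closes the object-injection hole: because the sub module intentionally lets an imported style carry PHP code in its effects, the import function remains privileged and the access restriction below is still required.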
Furthermore, the import functionality accepts PHP code included in image
effects as part of an image style, which runs on image derivative generation
if the PHP module is enabled. This is intended behaviour of the "Image styles
admin" sub module, but the access restrictions did not reflect the risk: any
role allowed to administer image styles could import arbitrary PHP.
The new security release of this module introduces a new "import image
styles" permission, which is marked as restricted (Drupal flags it on the
permissions page as one to give to trusted roles only). In order to use the
image style import functionality, users will need a role which has this new
permission in addition to "administer image styles" (which is not marked as
restricted).
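To make "marked as restricted" and "in addition to" concrete in Drupal 7 terms, here is an added example (hypothetical module name mymodule, not the module's own code) of a hook_permission() entry flagged with 'restrict access' and a menu access callback that requires both permissions rather than either one.

```php
<?php
/**
 * Implements hook_permission().
 *
 * 'restrict access' => TRUE makes the permissions page show the
 * "Give to trusted roles only" warning next to this permission.
 */
function mymodule_permission() {
  return array(
    'import image styles' => array(
      'title' => t('Import image styles'),
      'description' => t('Import image styles from exported text. Imported styles may contain PHP code that runs when derivatives are generated.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 *
 * 'access arguments' => array('administer image styles') would check only one
 * permission; an access callback is needed to require both.
 */
function mymodule_menu() {
  $items = array();
  $items['admin/config/media/image-styles/import'] = array(
    'title' => 'Import image styles',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_import_form'),
    'access callback' => 'mymodule_import_access',
    'type' => MENU_LOCAL_ACTION,
  );
  return $items;
}

/**
 * Access callback: both permissions must be present on the account.
 */
function mymodule_import_access($account = NULL) {
  return user_access('administer image styles', $account)
    && user_access('import image styles', $account);
}

/**
 * Form builder for the import page (hypothetical).
 */
function mymodule_import_form($form, &$form_state) {
  $form['styles'] = array(
    '#type' => 'textarea',
    '#title' => t('Exported image styles'),
    '#required' => TRUE,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Import'),
  );
  return $form;
}

/**
 * Validation handler: re-check access on submission, not only at routing
 * time, so a cached or forged form request cannot bypass the menu check.
 */
function mymodule_import_form_validate($form, &$form_state) {
  if (!mymodule_import_access()) {
    form_set_error('styles', t('You are not allowed to import image styles.'));
  }
}
```

Granting "administer image styles" alone now reaches the duplicate and export features but not the import page; only a role that also carries the restricted permission can submit text that becomes an image style.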
Solution:
* If you use the Imagecache Actions module for Drupal 7.x, upgrade to
Imagecache Actions 7.x-1.10 [3].
* Image Effects [4], the Drupal 8 successor, is *not* affected by this issue.
Reported By:
* Ruben Hofman [5]
Fixed By:
* Erwin Derksen [6]
* Greg Knaddison [7] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
* Ivo Van Geertruyen [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team
[1] https://www.drupal.org/project/imagecache_actions
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/imagecache_actions/releases/7.x-1.10
[4] https://www.drupal.org/project/image_effects
[5] https://www.drupal.org/user/3302721
[6] https://www.drupal.org/user/750928
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/383424
[10] https://www.drupal.org/user/255969