[Security-news] ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056

security-news at drupal.org security-news at drupal.org
Wed Jul 17 16:35:31 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-056

Project: ImageCache Actions [1]
Date: 2019-July-17
Security risk: *Critical* 17∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Multiple Vulnerabilities

Description: 
The imagecache actions module defines a number of additional image effects
that can be used to create image styles. The "Image styles admin" sub module
provides additional functionality to duplicate, export and import image
styles. The module uses unserialize() to import image styles into another
site where unserialize() is known to have security issues when processing
potentially unsafe input.

This vulnerability is mitigated by the fact that the "Image styles admin" sub
module must be enabled and an attacker must have a role with the permission
"administer image styles".

Furthermore, the import functionality supports PHP code included in image
effects as part of an image style, which would run on image derivative
generation subject to the PHP module being enabled. This is intended
behaviour for the "Image styles admin" sub module, but the user access
restrictions should reflect the potential risks involved.

The new security release of this module introduces a new "import image
styles" permission which is marked as restricted. In order to use the image
style import functionality, users will need to have a role which has this new
permission in addition to "administer image styles" (which is not marked as
restricted).
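As an added illustration (not the module's own source), the sketch below shows the two defensive measures the advisory describes in Drupal 7 terms: a separate permission flagged as restricted, an access callback that requires it on top of "administer image styles", and an import decoder that never instantiates objects from pasted input. The module name `mymodule_styles` and the PHP >= 7.0 requirement for `allowed_classes` are assumptions.

```php
<?php
// Illustrative Drupal 7 module code (hypothetical module "mymodule_styles").
// Not the ImageCache Actions module's own source. Assumes PHP >= 7.0 for the
// allowed_classes option of unserialize().

/**
 * Implements hook_permission().
 *
 * A separate, restricted permission for importing styles, mirroring the
 * approach the advisory describes for the fixed release.
 */
function mymodule_styles_permission() {
  return array(
    'import image styles' => array(
      'title' => t('Import image styles'),
      'description' => t('Imported styles may contain executable effects.'),
      // Marks the permission as security-sensitive on the permissions page.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Access callback for the import page (wired in via the 'access callback'
 * key of the hook_menu() item). Both permissions are required, not one.
 */
function mymodule_styles_import_access() {
  return user_access('administer image styles') && user_access('import image styles');
}

/**
 * Decodes a pasted export. Objects are never instantiated from the input,
 * which removes the object injection surface of a bare unserialize().
 * Returns FALSE when the payload is not a well-formed style array.
 */
function mymodule_styles_decode_import($raw) {
  $style = @unserialize($raw, array('allowed_classes' => FALSE));
  if (!is_array($style) || empty($style['name']) || !is_array($style['effects'])) {
    return FALSE;
  }
  return $style;
}
```

Where the export format can be changed, emitting JSON and decoding with `json_decode($raw, TRUE)` avoids `unserialize()` altogether.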


Solution: 
   * If you use the Imagecache Actions module for Drupal 7.x, upgrade to
     Imagecache Actions 7.x-1.10 [3].
   * Image Effects [4], the D8 successor, is *not* vulnerable to this exploit.

Reported By: 
   * Ruben Hofman [5]

Fixed By: 
   * Erwin Derksen [6]
   * Greg Knaddison [7] of the Drupal Security Team

Coordinated By: 
   * Greg Knaddison [8] of the Drupal Security Team
   * Ivo Van Geertruyen [9] of the Drupal Security Team
   * Drew Webber [10] of the Drupal Security Team


[1] https://www.drupal.org/project/imagecache_actions
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/imagecache_actions/releases/7.x-1.10
[4] https://www.drupal.org/project/image_effects
[5] https://www.drupal.org/user/3302721
[6] https://www.drupal.org/user/750928
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/383424
[10] https://www.drupal.org/user/255969
