• Advisory ID: DRUPAL-SA-CONTRIB-2009-051
  • Project: ImageCache (third-party modules)
  • Version: 5.x, 6.x
  • Date: 2009-August-19
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities


ImageCache allows one to setup presets for image processing to create derivatives. ImageCache will dynamically generate a derivative on access if it doesn't exist.

Cross site scripting

Users with the "administer imagecache" permission are able to execute cross site scripting attacks because the ImageCache module doesn't properly escape a number of user-supplied preset variables before output.

Access bypass

ImageCache doesn't properly check access to originals when generating derivative images. When the private filesystem is enabled, and access to images is restricted, unprivileged users may still access an image if they know the image's filename.

Versions affected

  • ImageCache versions for Drupal 5.x prior to 5.x-2.5
  • ImageCache versions for Drupal 6.x prior to 6.x-2.0-beta10

Drupal core is not affected. If you do not use the contributed ImageCache module, there is nothing you need to do.


Install the latest version:

  • If you use ImageCache on Drupal 5.x upgrade to 5.x-2.5
  • If you use ImageCache on Drupal 6.x upgrade to 6.x-2.0-beta10

Beta software is not recommended for use on production sites. Such releases are not supported by the security team. Nevertheless, the maintainer elected to release 6.x-2.0-beta10 fixing the issues described in this announcement.

See also the ImageCache project page.

Reported by

Fixed by

Andrew Morton (the module maintainer).


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.