Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-CONTRIB-2009-051
- Project: ImageCache (third-party modules)
- Version: 5.x, 6.x
- Date: 2009-August-19
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
ImageCache allows one to setup presets for image processing to create derivatives. ImageCache will dynamically generate a derivative on access if it doesn't exist.
Cross site scripting
Users with the "administer imagecache" permission are able to execute cross site scripting attacks because the ImageCache module doesn't properly escape a number of user-supplied preset variables before output.
ImageCache doesn't properly check access to originals when generating derivative images. When the private filesystem is enabled, and access to images is restricted, unprivileged users may still access an image if they know the image's filename.
- ImageCache versions for Drupal 5.x prior to 5.x-2.5
- ImageCache versions for Drupal 6.x prior to 6.x-2.0-beta10
Drupal core is not affected. If you do not use the contributed ImageCache module, there is nothing you need to do.
Install the latest version:
- If you use ImageCache on Drupal 5.x upgrade to 5.x-2.5
- If you use ImageCache on Drupal 6.x upgrade to 6.x-2.0-beta10
Beta software is not recommended for use on production sites. Such releases are not supported by the security team. Nevertheless, the maintainer elected to release 6.x-2.0-beta10 fixing the issues described in this announcement.
See also the ImageCache project page.
- The cross site scripting was reported by Justin Klein Keane.
- The access bypass was reported by Karl Scheirer.
Andrew Morton (the module maintainer).
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.