The imagecache actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize() to import image styles into another site where unserialize() is known to have security issues when processing potentially unsafe input.
This vulnerability is mitigated by the fact that the "Image styles admin" sub module must be enabled and an attacker must have a role with the permission "'administer image styles'".
Furthermore, the import functionality supports PHP code included in image effects as part of an image style, which would run on image derivative generation subject to the PHP module being enabled. This is intended behaviour for the "Image styles admin" sub module, but the user access restrictions should reflect the potential risks involved.
The new security release of this module introduces a new "import image styles" permission which is marked as restricted. In order to use the image style import functionality, users will need to have a role which has this new permission in addition to "administer image styles" (which is not marked as restricted).
- If you use the Imagecache Actions module for Drupal 7.x, upgrade to Imagecache Actions 7.x-1.10.
- Image Effects, the D8 successor is *not* vulnerable to this exploit.
- Erwin Derksen
- Greg Knaddison of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
- Drew Webber of the Drupal Security Team