Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-July-17
Vulnerability:
Multiple Vulnerabilities
Description:
The imagecache actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize() to import image styles into another site where unserialize() is known to have security issues when processing potentially unsafe input.
This vulnerability is mitigated by the fact that the "Image styles admin" sub module must be enabled and an attacker must have a role with the permission "'administer image styles'".
Furthermore, the import functionality supports PHP code included in image effects as part of an image style, which would run on image derivative generation subject to the PHP module being enabled. This is intended behaviour for the "Image styles admin" sub module, but the user access restrictions should reflect the potential risks involved.
The new security release of this module introduces a new "import image styles" permission which is marked as restricted. In order to use the image style import functionality, users will need to have a role which has this new permission in addition to "administer image styles" (which is not marked as restricted).
Solution:
- If you use the Imagecache Actions module for Drupal 7.x, upgrade to Imagecache Actions 7.x-1.10.
- Image Effects, the D8 successor is *not* vulnerable to this exploit.
Reported By:
Fixed By:
- Erwin Derksen
- Greg Knaddison of the Drupal Security Team
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
- Drew Webber of the Drupal Security Team
