it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056
- Date: Wed, 17 Jul 2019 16:35:31 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-056
Project: ImageCache Actions [1]
Date: 2019-July-17
Security risk: *Critical* 17∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Multiple Vulnerabilities
Description:
The imagecache actions module defines a number of additional image effects
that can be used to create image styles. The "Image styles admin" sub module
provides additional functionality to duplicate, export and import image
styles. The module uses unserialize() to import image styles into another
site, and unserialize() is known to have security issues when processing
potentially unsafe input.

This vulnerability is mitigated by the fact that the "Image styles admin" sub
module must be enabled and an attacker must have a role with the permission
"administer image styles".

Furthermore, the import functionality supports PHP code included in image
effects as part of an image style, which would run on image derivative
generation subject to the PHP module being enabled. This is intended
behaviour for the "Image styles admin" sub module, but the user access
restrictions should reflect the potential risks involved.

The new security release of this module introduces a new "import image
styles" permission which is marked as restricted. In order to use the image
style import functionality, users will need to have a role which has this new
permission in addition to "administer image styles" (which is not marked as
restricted).
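
As an added illustration (not code from the advisory or from the ImageCache Actions module), the following PHP 7.0+ script gates an import on both permissions named above and decodes the serialized style without instantiating any object. The function names, the $granted list and the sample styles are assumptions constructed for this example.

```php
<?php
// Added example. Function names and sample data are hypothetical, not the module's API.
// Returns TRUE if $value is, or contains, an object of any kind.
function example_contains_object($value) {
  // Before PHP 7.2, is_object() is FALSE for __PHP_Incomplete_Class.
  if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
    return TRUE;
  }
  if (is_array($value)) {
    foreach ($value as $item) {
      if (example_contains_object($item)) {
        return TRUE;
      }
    }
  }
  return FALSE;
}

// Decodes an exported image style; $granted lists the importing user's permissions.
function example_import_image_style($import, array $granted) {
  // Require both permissions named in the advisory.
  foreach (array('administer image styles', 'import image styles') as $perm) {
    if (!in_array($perm, $granted, TRUE)) {
      throw new RuntimeException("Missing permission: $perm");
    }
  }
  // allowed_classes => FALSE (PHP 7.0+): serialized objects are decoded as
  // __PHP_Incomplete_Class, so no application class is instantiated.
  $style = @unserialize($import, array('allowed_classes' => FALSE));
  if (!is_array($style) || !isset($style['name']) || !is_string($style['name'])) {
    throw new UnexpectedValueException('Not a serialized image style array');
  }
  if (example_contains_object($style)) {
    throw new UnexpectedValueException('Objects are not allowed in an import');
  }
  return $style;
}

// Constructed sample inputs: one plain style, one carrying an embedded object.
$granted = array('administer image styles', 'import image styles');
$effect = array('name' => 'image_scale', 'data' => array('width' => 100, 'height' => 100));
$ok = serialize(array('name' => 'thumb', 'effects' => array($effect)));
$bad = serialize(array('name' => 'thumb', 'effects' => array(new stdClass())));
echo example_import_image_style($ok, $granted)['name'], "\n";
try {
  example_import_image_style($bad, $granted);
} catch (UnexpectedValueException $e) {
  echo 'Rejected: ', $e->getMessage(), "\n";
}
```

On PHP versions older than 7.0 the second argument to unserialize() is not available, so this check cannot be used there as written.
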
Solution:
* If you use the Imagecache Actions module for Drupal 7.x, upgrade to
Imagecache Actions 7.x-1.10 [3].
* Image Effects [4], the D8 successor, is *not* vulnerable to this exploit.
Reported By:
* Ruben Hofman [5]
Fixed By:
* Erwin Derksen [6]
* Greg Knaddison [7] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
* Ivo Van Geertruyen [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team
[1] https://www.drupal.org/project/imagecache_actions
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/imagecache_actions/releases/7.x-1.10
[4] https://www.drupal.org/project/image_effects
[5] https://www.drupal.org/user/3302721
[6] https://www.drupal.org/user/750928
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/383424
[10] https://www.drupal.org/user/255969