
it-securitynotifies - [IT-SecNots] [Security-news] Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065
  • Date: Wed, 21 Aug 2019 16:18:25 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-065

Project: Imagecache External [1]
Date: 2019-August-21
Security risk: *Critical* 15∕25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Insecure session token management

Description: 
This module allows you to store external images on your server and apply
your own Image Styles.

The module exposes cookies to external sites when making external image
requests.

This vulnerability is mitigated by using the whitelisted host feature to
restrict external image requests to trusted sources.

Solution: 
Install the latest version:

* If you use the Imagecache External 8.x-1.0 version, upgrade to Imagecache
External 8.x-1.1 version [3]

Also see the Imagecache External [4] project page.

Reported By: 
* Jason Want [5]
* Heine Deelstra [6] of the Drupal Security Team

Fixed By: 
* Heine Deelstra [7] of the Drupal Security Team
* Baris Wanschers [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/imagecache_external
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/imagecache_external/releases/8.x-1.1
[4] https://www.drupal.org/project/imagecache_external
[5] https://www.drupal.org/user/589890
[6] https://www.drupal.org/user/17943
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/107229
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
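
Added example, not part of the advisory and not Imagecache External's code: a plain-PHP sketch of the two controls the description implies, a host allowlist checked before a server-side image fetch and removal of credential headers from the outbound request. The function names, the sample hosts, the subdomain-matching rule and the assumption that the exposed cookies travel as request headers are all hypothetical.

```php
<?php
// Added illustration; helper names and sample values are constructed.

/** True only for http(s) URLs whose host is allowlisted (exact or subdomain). */
function is_allowed_image_host(string $url, array $allowedHosts): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Refuse userinfo such as https://images.example.org@other.test/.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowedHosts as $allowed) {
        $suffix = '.' . strtolower($allowed);
        // Dot-bounded suffix match: "ximages.example.org" must not pass.
        if ($host === strtolower($allowed)
            || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

/** Drops headers that carry session or credential material. */
function strip_credential_headers(array $headers): array {
    $blocked = ['cookie', 'authorization', 'proxy-authorization'];
    return array_filter($headers, function ($name) use ($blocked) {
        return !in_array(strtolower((string) $name), $blocked, true);
    }, ARRAY_FILTER_USE_KEY);
}

// Constructed sample input.
$allowed = ['images.example.org'];
$visitor = ['Cookie' => 'SESSdemo=constructed', 'Accept' => 'image/*'];
$urls = [
    'https://images.example.org/a.png',            // fetch
    'https://cdn.images.example.org/a.png',        // fetch (subdomain)
    'https://images.example.org.other.test/a.png', // refuse
    'ftp://images.example.org/a.png',              // refuse (scheme)
];
foreach ($urls as $url) {
    $ok = is_allowed_image_host($url, $allowed);
    printf("%-46s %s\n", $url, $ok ? 'fetch' : 'refuse');
}
// Only non-credential headers remain for the outbound request.
print_r(strip_credential_headers($visitor));
```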

