• Advisory ID: DRUPAL-SA-2008-017
  • Project: Header image (third-party module)
  • Version: 5.x-1.0
  • Date: 2008-February-13
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The Header image module allows sites to display an image on selected pages based on the node id, path, taxonomy, node type, containing book or the result of PHP code. The module contains a vulnerability where access to the module's administration pages is granted to any user, including the anonymous user.

Versions affected

  • All versions prior to header image 5.x-1.1

Drupal core is not affected. If you do not use the contributed Header image module, there is nothing you need to do.

Solution

Install the latest version:

See also the Header image project page.

Reported by

Erik Stielstra, the Header image module maintainer.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.