favicon 7.x-2.1

Bug fixes
Unsupported

Changes since 7.x-2.0:

  • #2397833: Fixed cached data cannot be used if favicon_uri variable is used.
  • #2397755 by Dave Reid: Fixed wrong syntax for configure URL in favicon.info causing WSOD on admin/modules page.
  • Using redirect delivery should always cache no matter the file size.

favicon 7.x-2.0

Bug fixes
New features
Unsupported

Changes since 7.x-1.0-rc2:

favicon 7.x-1.0-rc2

Security update
Unsupported

Fixes access bypass XSS vulnerability

The 7.x version of the module does not adequately check that the favicon path provided by the theme is actually a favicon and should be readable by the site. This can allow an attacker to access arbitrary system files by specifying them as the sites's favicon file.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer theme".

Note that since this is a pre release version, no security advisory was issued by the Drupal security team.

favicon 6.x-1.1

Security update
Unsupported

Fixes HTTP header injection vulnerability

The 6.x versions prior to this release use a "Location: " header to redirect to the favicon path which is set in the admin settings for the theme. This uses the header() function from php rather than Drupal's header which is vulnerable to a header injection exploit.

These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "administer theme".

This is only a problem for web sites running PHP 5.1 and below which is unsupported so no security advisory has been published.

favicon 6.x-1.0

Insecure
Unsupported

First release for the Drupal 6 branch of the Favicon module.

favicon 5.x-1.0

Unsupported

First official release of the small Favicon module.

Subscribe with RSS Subscribe to Releases for Favicon