CVE-2022-25275: Image Access Vulnerability in Non-public File Systems

A security vulnerability has been identified in the Drupal Image module. This vulnerability, CVE-2022-25275, allows unauthorized access to files not stored in the standard public files directory when generating derivative images using Drupal's image styles system. In this article, we will discuss the vulnerability, its impact, and recommended actions to prevent its exploitation.

Vulnerability Details

The Image module does not correctly check access to non-public files when generating derivative images with the image styles system. Access is checked only for non-public files stored in Drupal's "private" file system. However, sites that use contributed modules providing additional file systems or schemes, such as S3 or other cloud storage, can be affected, because files on those schemes are not covered by that check.

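The vulnerability can be exploited only when insecure derivatives are enabled. In Drupal 7, that is the case when settings.php contains:

$conf['image_allow_insecure_derivatives'] = TRUE;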

The recommended and default setting is FALSE, and there is no administrative UI option in Drupal core to change this value.

Possible Exploitation

An attacker who knows the location of non-public images in non-standard file systems can generate derivative images using the Image Styles system even if they do not have the necessary permission to access those files.

Mitigation Strategies

To prevent exploitation of this vulnerability, ensure that the insecure-derivatives settings shown below are set to FALSE (the recommended and default setting).

For Drupal 9, the following code snippet in your settings.php file will ensure the correct configuration:

$config['image.settings']['allow_insecure_derivatives'] = FALSE;

For Drupal 7, add the following code to your settings.php file:

$conf['image_allow_insecure_derivatives'] = FALSE;
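
A later assignment in settings.php overrides an earlier one, so checking that the FALSE line is present is not enough. The following audit sketch is an added example, not code from Drupal or from the advisory; it reports the effective (last) value of both settings. The names audit_settings and SAMPLE are hypothetical, and the sample file is constructed.

```python
import re

# The two settings named in this article (Drupal 9 form, then Drupal 7 form).
# Anchoring at line start skips lines commented out with // or #.
_ASSIGN = re.compile(
    r"""^[ \t]*\$(?:
            (?P<d9>config\[['"]image\.settings['"]\]\[['"]allow_insecure_derivatives['"]\])
          | (?P<d7>conf\[['"]image_allow_insecure_derivatives['"]\])
        )\s*=\s*(?P<value>[^;]+);""",
    re.VERBOSE | re.MULTILINE,
)

# PHP literals that evaluate to false; any other value is treated as insecure
# so that unexpected expressions are surfaced for manual review.
_OFF = {"false", "null", "0", "''", '""', "'0'", '"0"'}


def audit_settings(php_source):
    """Return {setting: (line, raw_value, insecure)} for the last assignment of each."""
    # Blank out /* ... */ comments but keep their newlines so line numbers hold.
    # Assumption: the file has no "/*" inside a string literal.
    code = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                  php_source, flags=re.S)
    result = {}
    for m in _ASSIGN.finditer(code):
        name = "drupal9" if m.group("d9") else "drupal7"
        raw = m.group("value").strip()
        line = code.count("\n", 0, m.start()) + 1
        result[name] = (line, raw, raw.lower() not in _OFF)  # later lines win
    return result


# Constructed sample: the secure lines are present, but a later block re-enables
# insecure derivatives for Drupal 9.
SAMPLE = """<?php
/*
$config['image.settings']['allow_insecure_derivatives'] = TRUE;
*/
// $conf['image_allow_insecure_derivatives'] = TRUE;
$config['image.settings']['allow_insecure_derivatives'] = FALSE;
$conf['image_allow_insecure_derivatives'] = FALSE;
if (file_exists(__DIR__ . '/settings.local.php')) {
  $config['image.settings']['allow_insecure_derivatives'] = TRUE;
}
"""

if __name__ == "__main__":
    for setting, (line, raw, insecure) in audit_settings(SAMPLE).items():
        print(f"{setting}: line {line}: {raw} -> {'INSECURE' if insecure else 'ok'}")
```

The scan covers only the text it is given; files pulled in through include or require need to be checked the same way.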

References

1. Drupal Security Advisory: https://www.drupal.org/sa-core-2022-25275
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25275

Conclusion

By ensuring that your Drupal installation is properly configured, you can effectively safeguard your site against CVE-2022-25275. Adhering to the recommended and default configuration settings for the Image module in Drupal prevents unauthorized access to private files in non-public file systems when generating derivative images.

It is crucial to diligently follow security best practices and keep an eye on security advisories for systems like Drupal. Doing so will help you maintain a secure site and protect your site visitors and content.

Timeline

Published on: 04/26/2023 14:15:00 UTC
Last modified on: 05/09/2023 14:36:00 UTC