VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 16, 2009· Updated Apr 23, 2026

CVE-2009-3207

CVE-2009-3207

Description

The ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, when the private file system is used, does not properly perform access control for derivative images, which allows remote attackers to view arbitrary images via a request that specifies an image's filename.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageCache module for Drupal fails to verify file access permissions when generating derivative images with a private file system, allowing unauthorized viewing.

Vulnerability

The ImageCache module versions 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, for Drupal, do not properly enforce access controls for derivative images when the private file system is configured. When a derivative image is requested, the module checks only whether the user has permission to use the preset, but does not verify whether the user has access to the original image file. This allows an attacker to bypass hook_file_download() restrictions by directly requesting derivative URLs [1][2][3][4].

Exploitation

An attacker can view arbitrary images by crafting a request that includes the image's filename and a valid preset name, for example example.com/files/imagecache/extra_large/image.png. No authentication is required if the site allows anonymous access to presets; the attacker only needs to know the filename and an existing preset. The module's private file handler (imagecache_cache_private()) does not invoke module_invoke_all('file_download') for the original file, thus bypassing any custom download permissions [2][3].

Impact

Successful exploitation allows an unprivileged remote attacker to view any image file stored on the Drupal site that is accessible via the private file system, including those that should be restricted to specific roles or users. This can lead to unauthorized disclosure of confidential or sensitive information stored as images. The type of information exposed depends on the site's content [2][3].

Mitigation

Users should upgrade to the patched versions: 5.x-2.5 for Drupal 5.x and 6.x-2.0-beta10 for Drupal 6.x. The fix adds a call to hook_file_download() for the original file when generating derivatives, ensuring that access control is enforced. No workaround is available if upgrading is not possible. The advisory was published on 2009-August-19 [2][4]. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

References
  1. imagecache 6.x-2.0-beta10
  2. SA-CONTRIB-2009-051 - ImageCache - Multiple vulnerabilities
  3. Security hole with private file system?
  4. imagecache 5.x-2.5

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

32
  • Drewish/Imagecache32 versions
    cpe:2.3:a:drewish:imagecache:5.x-1.0:*:*:*:*:*:*:*+ 31 more
    • cpe:2.3:a:drewish:imagecache:5.x-1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-1.x:dev:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:alpha:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:5.x-2.x:dev:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-1.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-1.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta5:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta6:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta7:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta8:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.0:beta9:*:*:*:*:*:*
    • cpe:2.3:a:drewish:imagecache:6.x-2.x-dev:*:*:*:*:*:*:*
    • (no CPE)range: >=5.0 <5.x-2.5 || >=6.0 <6.x-2.0-beta10

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.