=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN050
_____________________________________________________________________

DATE                      : 15/02/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running the HEADER IMAGE module for DRUPAL.

======================================================================

- ------------SA-2008-017 - HEADER IMAGE - ACCESS BYPASS------------

   * Advisory ID: DRUPAL-SA-2008-017

   * Project: Header image (third-party module)

   * Version: 5.x-1.0

   * Date: 2008-February-13

   * Security risk: Not critical

   * Exploitable from: Remote

   * Vulnerability: Access bypass

- ------------DESCRIPTION------------

The Header image module allows sites to display an image on selected pages
based on the node id, path, taxonomy, node type, containing book or the
result of PHP code. The module contains a vulnerability where access to the
module's administration pages is granted to any user, including the
anonymous user.
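The following PHP is an added illustration for this advisory, not the Header image module's actual code: it shows, in Drupal 5.x menu terms, how an administration page can end up reachable by the anonymous user, and the hardened form in which the page is tied to a permission declared by the module. The function prefix, the settings path, the form and the permission string 'administer header image' are assumptions made for the example; the actual cause in the module is not stated in the advisory.

```php
<?php
// Added example (not the Header image module's own code). Drupal 5.x API.
// Names, paths and the permission string are assumptions for illustration.

/**
 * Implementation of hook_perm().
 * Declares a dedicated permission so that site administrators decide
 * explicitly which roles may reach the module's settings.
 */
function example_headerimage_perm() {
  return array('administer header image');
}

/**
 * WEAK PATTERN (assumed, for illustration only).
 * In Drupal 5 the 'access' key of a menu item is a boolean evaluated for
 * the current user when the menu is built. A constant TRUE grants the page
 * to every visitor, including the anonymous user: an access bypass of the
 * kind described in the advisory.
 */
function example_headerimage_menu_weak($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'admin/settings/headerimage',
      'title' => t('Header image'),
      'callback' => 'drupal_get_form',
      'callback arguments' => array('example_headerimage_settings_form'),
      'access' => TRUE,               // access check effectively disabled
      'type' => MENU_NORMAL_ITEM,
    );
  }
  return $items;
}

/**
 * HARDENED FORM: implementation of hook_menu() for Drupal 5.x.
 * The access decision is delegated to user_access(), so only roles that
 * have been granted 'administer header image' can load the page; the
 * anonymous role has no permissions unless an administrator adds them.
 */
function example_headerimage_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'admin/settings/headerimage',
      'title' => t('Header image'),
      'callback' => 'drupal_get_form',
      'callback arguments' => array('example_headerimage_settings_form'),
      'access' => user_access('administer header image'),
      'type' => MENU_NORMAL_ITEM,
    );
  }
  return $items;
}

/**
 * Minimal settings form so the menu items above have a real callback.
 * system_settings_form() adds the submit handling that stores variables.
 */
function example_headerimage_settings_form() {
  $form['example_headerimage_default'] = array(
    '#type' => 'textfield',
    '#title' => t('Default header image path'),
    '#default_value' => variable_get('example_headerimage_default', ''),
    '#description' => t('Path of the image shown when no other rule matches.'),
  );
  return system_settings_form($form);
}
```

Two points worth keeping in mind when reviewing a Drupal 5 module for this class of issue: the 'access' value must be computed with user_access() inside hook_menu() itself, since Drupal 5 evaluates it per user at menu build time, and every administrative path should be backed by a permission declared in hook_perm() rather than by a hard-coded boolean.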

- ------------VERSIONS AFFECTED------------

   * All versions prior to header image 5.x-1.1

Drupal core is not affected. If you do not use the contributed Header image
module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

   * Header image 5.x-1.1 [ http://drupal.org/node/203444 ].

See also the Header image project page [ http://drupal.org/project/headerimage ].

- ------------REPORTED BY------------

Erik Stielstra [ http://drupal.org/user/73854 ], the Header image module
maintainer.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
