* Advisory ID: DRUPAL-SA-CONTRIB-2010-089
* Project: Simplenews content selection (third-party module)
* Version: 6.x
* Date: 2010-August-18
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
-------- DESCRIPTION
---------------------------------------------------------
This module allows you to select content from your website and send a
newsletter with the selected content. The module does not sanitize some of
the user-supplied data before displaying it, leading to a Cross Site
Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining
full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Simplenews Content Selection module 6.x-1.5
Drupal core is not affected. If you do not use the contributed Simplenews
Content Selection [2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Simplenews Content Selection module for Drupal 6.x upgrade
to Simplenews Content Selection 6.x-1.6 [3]
See also the Simplenews Content Selection project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Henry Sudhof [5].
-------- FIXED BY
------------------------------------------------------------
* De Waele Dieter [6], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [7] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/simplenews_content_selection
[3] http://drupal.org/node/887110
[4] http://drupal.org/project/simplenews_content_selection
[5] http://drupal.org/user/730666
[6] http://drupal.org/user/253145
[7] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-088
* Project: Content Construction Kit (CCK) (third-party module)
* Version: 6.x
* Date: 2010-August-11
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
The Content Construction Kit (CCK) project is a set of modules that allows
you to add custom fields to nodes using a web browser. The CCK "Node
Reference" module provides a backend URL that is used for asynchronous
requests by the "autocomplete" widget to locate nodes the user can reference.
In some cases, this was not correctly checking that the user had field level
access to the source field, allowing direct queries to the backend URL to
return node titles and IDs which the user would otherwise be unable to
access. Note that as Drupal 5 CCK does not have any field access control
functionality, this issue only applies to the Drupal 6 version. This advisory
is a follow-up related to advisory SA-CONTRIB-2010-065 [1].
-------- VERSIONS AFFECTED
---------------------------------------------------
* Content Construction Kit (CCK) module for Drupal 6.x versions prior to
6.x-2.8
Drupal core is not affected. If you do not use the contributed Content
Construction Kit (CCK) [2] module together with a node or field access
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Content Construction Kit (CCK) module for Drupal 6.x
upgrade to Content Construction Kit (CCK) 6.x-2.8 [3]
See also the Content Construction Kit (CCK) project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Alexis Wilke [5]
-------- FIXED BY
------------------------------------------------------------
* Marc Ferran (markus_petrux) [6], module co-maintainer
* Peter Wolanin (pwolanin) [7], of the Drupal security team
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/829566
[2] http://drupal.org/project/cck
[3] http://drupal.org/node/880732
[4] http://drupal.org/project/cck
[5] http://drupal.org/user/356197
[6] http://drupal.org/user/39593
[7] http://drupal.org/user/49851
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-087
* Project: GovDelivery Integration (third-party module)
* Version: 6.x
* Date: 2010-Aug-11
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
-------- DESCRIPTION
---------------------------------------------------------
The GovDelivery module provides integration with the GovDelivery On-Demand
Mailer (ODM) service, a web service for GovDelivery customers that sends
messages directly based on configured account information. The module
replaces the backend of the SMTP library in your Drupal site with calls to
the GovDelivery service, so all mail sent from your site uses the ODM
service. The module (Drupal 6.x-1.0 only) does not sanitize some of the
user-supplied data before displaying it, leading to a Cross Site Scripting
(XSS) vulnerability that may lead to a malicious user gaining full
administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* GovDelivery module for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed GovDelivery
Integration [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the GovDelivery module for Drupal 6.x upgrade to GovDelivery
6.x-1.1 [2]
See also the GovDelivery Integration project page [3].
-------- REPORTED BY
---------------------------------------------------------
* ben.bunk [4], module co-maintainer
-------- FIXED BY
------------------------------------------------------------
* ben.bunk [5], module co-maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/govdelivery
[2] http://drupal.org/node/880684
[3] http://drupal.org/project/govdelivery
[4] http://drupal.org/user/764808
[5] http://drupal.org/user/764808
[6] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-086
* Project: Prepopulate (third-party module)
* Version: 5.x and 6.x
* Date: 2010-Aug-11
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
The Prepopulate module provides the ability for form fields to be
pre-populated via the request sent for the form. The module is vulnerable to
access bypass which would allow a malicious user to change the value of
fields they would not otherwise have access to alter.
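The CCK Node Reference issue (SA-CONTRIB-2010-088 above) and this Prepopulate issue share one root cause: the access decision was tied to where the widget is rendered rather than to where the request is handled, so a request that skips the widget skips the check. The block below is an added illustration in Python, not code from either module and not Drupal's PHP API, of enforcing field-level access at the point the request arrives: an autocomplete backend that refuses field names the caller may not view, and a prepopulate step that applies request values only to fields the caller may edit. The roles, field definitions and node list are constructed for the example.

```python
# Constructed site model: which roles may view or edit each field, and the
# nodes a node-reference field can point at. Not the CCK or Prepopulate code.
FIELDS = {
    "field_summary": {"view": {"authenticated", "staff"}, "edit": {"authenticated", "staff"}},
    "field_client_ref": {"view": {"staff"}, "edit": {"staff"}},
    "field_internal_flag": {"view": {"staff"}, "edit": {"staff"}},
}
NODES = [
    {"nid": 7, "title": "Acme Corp retainer"},
    {"nid": 8, "title": "Acme Holdings audit"},
    {"nid": 9, "title": "Public newsletter"},
]


def field_access(op, field_name, roles):
    """Field-level access: True if any of the caller's roles may perform op
    ('view' or 'edit') on the named field. Unknown fields are denied."""
    field = FIELDS.get(field_name)
    return field is not None and bool(field[op] & roles)


def autocomplete_backend(field_name, prefix, roles):
    """The URL the autocomplete widget calls. The widget is only rendered when
    the user can see the field, but anyone can request this URL directly with
    any field name, so the access check has to live here. Returns None for a
    403 response, otherwise the matching (nid, title) pairs."""
    if not field_access("view", field_name, roles):
        return None
    prefix = prefix.lower()
    return [(n["nid"], n["title"]) for n in NODES if n["title"].lower().startswith(prefix)]


def prepopulate_form(form_values, request_params, roles):
    """Apply request parameters (the ?edit[field]=value style Prepopulate
    understands) to a form, but only for fields that exist on the form and
    that this caller may edit. Everything else is ignored, not an error."""
    values = dict(form_values)
    for field_name, value in request_params.items():
        if field_name in values and field_access("edit", field_name, roles):
            values[field_name] = value
    return values
```

The point of the backend check is that it does not depend on what the form sent or on whether a widget was shown at all; the same `field_access` decision gates both the read path (titles and IDs leaking through the autocomplete URL) and the write path (request parameters setting a field the user cannot edit).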
-------- VERSIONS AFFECTED
---------------------------------------------------
* Prepopulate module for Drupal 6.x versions prior to 6.x-2.0 [1]
* Prepopulate module for Drupal 5.x versions prior to 5.x-1.5 [2]
Drupal core is not affected. If you do not use the contributed Prepopulate
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate
6.x-2.0 [4]
* If you use the Prepopulate module for Drupal 5.x upgrade to Prepopulate
5.x-1.5 [5]
See also the Prepopulate project page [6].
-------- REPORTED BY
---------------------------------------------------------
* Aren Cambre [7]
-------- FIXED BY
------------------------------------------------------------
* Joshua Brauer (jbrauer [8]), the module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [9] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/880652
[2] http://drupal.org/node/880656
[3] http://drupal.org/project/prepopulate
[4] http://drupal.org/node/880652
[5] http://drupal.org/node/880656
[6] http://drupal.org/project/prepopulate
[7] http://drupal.org/user/97356
[8] http://drupal.org/user/253145
[9] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-085
* Project: Pathauto (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Pathauto module automatically generates path aliases for various kinds of
content (nodes, categories, users) without requiring the user to manually
specify the path alias. It also provides additional tokens that can be used
in URL alias patterns and anywhere else that the Token API [1] is used. The
module does not sanitize the text in the [bookpathalias], [catalias], and
[termalias] tokens. Under rare circumstances those tokens could cause a Cross
Site Scripting (XSS [2]) vulnerability that may lead to a malicious user
gaining full administrative access. This vulnerability is mitigated by the
fact that a malicious user must have "create url aliases" permission and then
one of those tokens must be used to display output on an HTML page (for
instance, displaying a message to the user using an action from the
token_actions.module). The normal circumstance of using these tokens as part
of a Pathauto URL alias pattern is not vulnerable.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Pathauto module for Drupal 5.x versions prior to 5.x-2.4
* Pathauto module for Drupal 6.x versions prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Pathauto [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Pathauto module for Drupal 5.x upgrade to Pathauto 5.x-2.4
[4]
* If you use the Pathauto module for Drupal 6.x upgrade to Pathauto 6.x-1.4
[5]
See also the Pathauto project page [6].
-------- SAFE USE OF TOKENS
--------------------------------------------------
The existing [bookpathalias], [termalias], and [catalias] tokens are now
sanitized. New [bookpathalias-raw], [termalias-raw], and [catalias-raw]
companion tokens have been added for the un-sanitized version of each token
respectively. This is also a reminder to modules that use the Token API [7]
to display output on an HTML page (such as displaying a message to the user)
that no tokens with the -raw suffix should be used.
-------- REPORTED BY
---------------------------------------------------------
* Dave Reid [8] of the Drupal security team and module co-maintainer
-------- FIXED BY
------------------------------------------------------------
* Dave Reid [9] of the Drupal security team and module co-maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/token
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/pathauto
[4] http://drupal.org/node/880462
[5] http://drupal.org/node/880464
[6] http://drupal.org/project/pathauto
[7] http://drupal.org/project/token
[8] http://drupal.org/user/53892
[9] http://drupal.org/user/53892
[10] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-084
* Project: OpenID (third-party module)
* Version: 5.x
* Date: 2010-Aug-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Authentication bypass
-------- DESCRIPTION
---------------------------------------------------------
The OpenID module provides users the ability to log in to sites using an
OpenID account. The OpenID module doesn't implement all the required
verifications from the OpenID 2.0 protocol and is vulnerable to a number of
attacks. Specifically:
* OpenID should verify that an "openid.response_nonce" has not already been
used for an assertion by the OpenID provider
* OpenID should verify the value of openid.return_to as obtained from the
OpenID provider
* OpenID must verify that all fields that are required to be signed are
signed
These specification violations allow malicious sites to harvest positive
assertions from OpenID providers and use them on sites using the OpenID
module to obtain access to preexisting accounts bound to the harvested
OpenIDs. Intercepted assertions from OpenID providers can also be replayed
and used to obtain access to user accounts bound to the intercepted OpenIDs.
-------- VERSIONS AFFECTED
---------------------------------------------------
* OpenID module for Drupal 5.x versions prior to 5.x-1.4
This issue affects the OpenID module for Drupal 5.x only. A separate security
announcement [1] and release is published for the OpenID core module in
Drupal 6.x.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the OpenID module for Drupal 5.x upgrade to OpenID 5.x-1.4 [2]
See also the OpenID project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Johnny Bufu [4]
* Christian Schmidt [5]
* Heine Deelstra [6] of the Drupal security team
-------- FIXED BY
------------------------------------------------------------
* Christian Schmidt [7]
* Heine Deelstra [8] of the Drupal security team
* Damien Tournoud [9] of the Drupal security team
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/880476
[2] http://drupal.org/node/880496
[3] http://drupal.org/project/openid
[4] http://drupal.org/user/226462
[5] http://drupal.org/user/216078
[6] http://drupal.org/user/17943
[7] http://drupal.org/user/216078
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/22211
[10] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CORE-2010-002
* Project: Drupal core
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... OpenID authentication bypass
The OpenID module provides users the ability to log in to sites using an
OpenID account. The OpenID module doesn't implement all the required
verifications from the OpenID 2.0 protocol and is vulnerable to a number of
attacks. Specifically:
* OpenID should verify that an "openid.response_nonce" has not already been
used for an assertion by the OpenID provider
* OpenID should verify the value of openid.return_to as obtained from the
OpenID provider
* OpenID must verify that all fields that are required to be signed are
signed
These specification violations allow malicious sites to harvest positive
assertions from OpenID providers and use them on sites using the OpenID
module to obtain access to preexisting accounts bound to the harvested
OpenIDs. Intercepted assertions from OpenID providers can also be replayed
and used to obtain access to user accounts bound to the intercepted OpenIDs.
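The three missing checks named here and in SA-CONTRIB-2010-084 above are relying-party duties from OpenID Authentication 2.0 (nonce replay in section 11.3, return_to in 11.1, mandatory signed fields in 10.1). The block below is an added example in Python, not the Drupal OpenID module's code, of a relying-party routine that performs all three together with the specification's HMAC-SHA1 signature check over the key-value form of the signed fields. The association MAC key, provider endpoint, nonces and return URLs are constructed; looking up the association by assoc_handle is assumed to happen before the routine is called, and the same key is used to sign the attacker's harvested assertion purely so that its signature is valid and the return_to check is what rejects it. demo() reproduces the advisory's attacks: a replayed assertion, an assertion harvested by another site, and an assertion whose return_to was left unsigned and rewritten.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlsplit

# OpenID Authentication 2.0, section 10.1: always signed in a positive
# assertion; claimed_id and identity must be signed whenever present.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
SIGNED_IF_PRESENT = ("claimed_id", "identity")


def kv_signature(fields, signed, mac_key):
    """Sections 6.1/6.2: HMAC-SHA1 over 'name:value\\n' lines for the fields
    named in openid.signed, in that order, base64 encoded."""
    kv = "".join("%s:%s\n" % (name, fields["openid." + name]) for name in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha1).digest()).decode("ascii")


class NonceStore:
    """Section 11.3: remember (op_endpoint, response_nonce) so a captured
    assertion cannot be presented twice. The nonce starts with a UTC
    timestamp, so only nonces inside the skew window ever need storing."""

    def __init__(self, max_skew=300):
        self.max_skew, self.seen = max_skew, set()

    def accept(self, op_endpoint, nonce, now):
        try:
            issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False
        if abs(now - issued) > self.max_skew or (op_endpoint, nonce) in self.seen:
            return False
        self.seen.add((op_endpoint, nonce))
        return True


def return_to_matches(return_to, current_url):
    """Section 11.1: scheme, host and path of openid.return_to must equal the
    URL this response arrived at, and each query parameter in return_to must
    be present with the same value in that URL."""
    r, c = urlsplit(return_to), urlsplit(current_url)
    if (r.scheme, r.netloc, r.path) != (c.scheme, c.netloc, c.path):
        return False
    current_query = dict(parse_qsl(c.query))
    return all(current_query.get(k) == v for k, v in parse_qsl(r.query))


def verify_positive_assertion(fields, mac_key, current_url, nonces, now):
    """Return (ok, reason) for a parsed indirect response. mac_key belongs to
    the association named by openid.assoc_handle (lookup assumed done by the
    caller); current_url is the URL the response was received on."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = fields.get("openid.signed", "").split(",")
    for name in REQUIRED_SIGNED:
        if name not in signed:
            return False, "required field not signed: " + name
    for name in SIGNED_IF_PRESENT:
        if "openid." + name in fields and name not in signed:
            return False, "present field not signed: " + name
    if any("openid." + name not in fields for name in signed):
        return False, "signed list names a field that is missing"
    if not hmac.compare_digest(kv_signature(fields, signed, mac_key), fields.get("openid.sig", "")):
        return False, "bad signature"
    if not return_to_matches(fields["openid.return_to"], current_url):
        return False, "return_to does not match this relying party"
    if not nonces.accept(fields["openid.op_endpoint"], fields["openid.response_nonce"], now):
        return False, "response_nonce stale or already used"
    return True, "ok"


# Constructed values for the demonstration; nothing here is a real key or site.
MAC_KEY = b"demo-association-mac-key-not-real"
RP_RETURN = "https://rp.example/openid/return?sid=s1"
NOW = calendar.timegm((2010, 8, 11, 12, 0, 0))
ALL_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"


def make_assertion(return_to, nonce, signed=ALL_SIGNED):
    """Stands in for the OpenID provider producing a signed positive assertion."""
    fields = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.op_endpoint": "https://op.example/server", "openid.assoc_handle": "assoc-1",
              "openid.claimed_id": "https://op.example/alice", "openid.identity": "https://op.example/alice",
              "openid.return_to": return_to, "openid.response_nonce": nonce, "openid.signed": signed}
    fields["openid.sig"] = kv_signature(fields, signed.split(","), MAC_KEY)
    return fields


def demo():
    nonces, results = NonceStore(), {}
    good = make_assertion(RP_RETURN, "2010-08-11T12:00:00Zabc123")
    results["fresh"] = verify_positive_assertion(good, MAC_KEY, RP_RETURN, nonces, NOW)
    results["replay"] = verify_positive_assertion(good, MAC_KEY, RP_RETURN, nonces, NOW)
    # Harvested by a malicious site: genuinely signed, but for that site's return_to.
    harvested = make_assertion("https://attacker.example/cb", "2010-08-11T12:00:01Zdef456")
    results["harvested"] = verify_positive_assertion(harvested, MAC_KEY, RP_RETURN, nonces, NOW)
    # Provider left return_to unsigned, so the attacker rewrites it to point at us.
    weak = make_assertion("https://attacker.example/cb", "2010-08-11T12:00:02Zghi789",
                          signed="op_endpoint,claimed_id,identity,response_nonce,assoc_handle")
    weak["openid.return_to"] = RP_RETURN
    results["unsigned_return_to"] = verify_positive_assertion(weak, MAC_KEY, RP_RETURN, nonces, NOW)
    return results
```

The order of the checks matters for the attacks above: the signed-field list is validated before the signature is trusted, because a valid signature over the wrong set of fields proves nothing about return_to; and the nonce is recorded only after everything else passes, so a rejected assertion does not burn a nonce the legitimate user may still present.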
This issue affects Drupal 6.x only. A separate security announcement and
release [1] is published for the contributed OpenID module for Drupal 5.x.
.... File download access bypass
The upload module allows users to upload files and provides access checking
for file downloads. The module looks up files for download in the database
and serves them after access checking. However, it does not account for the
fact that certain database configurations do not consider case differences
in file names. If a malicious user uploads a file whose name differs only in
letter case from an earlier upload, access will be granted to the earlier
upload regardless of whether the user actually has access to that file. This
issue affects Drupal 5.x and 6.x.
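The file download bypass comes from trusting the database's notion of equality for a value that is later used as a filesystem path. The block below is an added example in Python with an in-memory SQLite database, not Drupal core's upload module, of that mismatch and of the one-line fix: after the (case-insensitive) lookup, only rows whose stored path matches the requested path byte for byte may decide access. SQLite's COLLATE NOCASE stands in for the case-insensitive collation the advisory describes; the files, nodes and access grants are constructed.

```python
import sqlite3


def setup_db():
    """Constructed schema: a files table whose filepath column compares
    case-insensitively (COLLATE NOCASE, standing in for a MySQL collation
    that behaves the same way) and a table of which user may view which node."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (fid INTEGER PRIMARY KEY, filepath TEXT COLLATE NOCASE, nid INTEGER)")
    db.execute("CREATE TABLE node_access (nid INTEGER, uid INTEGER)")
    db.executemany("INSERT INTO files VALUES (?, ?, ?)", [
        (1, "files/payroll.pdf", 10),   # victim's upload, attached to a restricted node
        (2, "files/Payroll.PDF", 11),   # attacker's upload, same name but for case, on their own node
    ])
    db.executemany("INSERT INTO node_access VALUES (?, ?)", [(10, 1), (11, 2)])
    return db


def user_can_view(db, nid, uid):
    return db.execute("SELECT 1 FROM node_access WHERE nid = ? AND uid = ?", (nid, uid)).fetchone() is not None


def download_vulnerable(db, requested_path, uid):
    """Serve requested_path if the user may view any node the database says
    the path is attached to. With a case-insensitive column the attacker's
    row matches the victim's path, so the attacker's own node grants access
    and the victim's file is what gets read from disk."""
    rows = db.execute("SELECT filepath, nid FROM files WHERE filepath = ?", (requested_path,)).fetchall()
    for filepath, nid in rows:
        if user_can_view(db, nid, uid):
            return requested_path
    return None


def download_fixed(db, requested_path, uid):
    """Same lookup, but a row may only decide access for the exact path that
    will be served: Python's == is case-sensitive regardless of collation."""
    rows = db.execute("SELECT filepath, nid FROM files WHERE filepath = ?", (requested_path,)).fetchall()
    for filepath, nid in rows:
        if filepath != requested_path:
            continue
        if user_can_view(db, nid, uid):
            return requested_path
    return None


def demo():
    db = setup_db()
    return {
        "attacker_vulnerable": download_vulnerable(db, "files/payroll.pdf", 2),
        "attacker_fixed": download_fixed(db, "files/payroll.pdf", 2),
        "owner_fixed": download_fixed(db, "files/payroll.pdf", 1),
        "attacker_own_file_fixed": download_fixed(db, "files/Payroll.PDF", 2),
    }
```

The same discipline applies to any lookup whose result is later used as a path, a username or a key: if the storage layer folds case (or trailing spaces, or Unicode forms), re-check equality in application code before acting on the match.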
.... Comment unpublishing bypass
The comment module allows users to leave comments on content on the site. The
module supports unpublishing comments by privileged users. Users with the
"post comments without approval" permission however could craft a URL which
allows them to republish previously unpublished comments. This issue affects
Drupal 5.x and 6.x.
.... Actions cross site scripting
The actions feature, combined with Drupal's trigger module, allows users to
configure certain actions to happen when users register, content is
submitted, and so on, through a web based interface. Users with the
"administer actions" permission can enter action descriptions and messages
which are not properly filtered on output. Users with content and taxonomy
tag submission permissions can create nodes and taxonomy terms which are not
properly sanitized for inclusion in action messages and inject arbitrary
HTML and script code into Drupal pages. Such a cross-site scripting attack
may lead to the malicious user gaining administrative access. Wikipedia has
more information about cross-site scripting [2] (XSS). This issue affects
Drupal 6.x only.
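This actions issue and the Pathauto token issue (SA-CONTRIB-2010-085, "SAFE USE OF TOKENS" above) are the same mistake seen twice: a node title or term name substituted into an HTML message without escaping. The block below is an added example in Python, not the Token API or the actions module, of the convention Pathauto adopted: every value is exposed as a sanitized [name] token and an unsanitized [name-raw] companion, and the routine that renders HTML refuses any pattern containing a -raw token. The attacker-controlled title and term alias are constructed.

```python
import html
import re

TOKEN_RE = re.compile(r"\[([a-z0-9-]+)\]")


def build_tokens(values):
    """Two views of every value: [name] is escaped for HTML, [name-raw] is the
    untouched value for non-HTML contexts such as URL alias patterns."""
    tokens = {}
    for name, value in values.items():
        tokens[name + "-raw"] = value
        tokens[name] = html.escape(value, quote=True)
    return tokens


def replace_tokens(text, tokens):
    """Plain substitution; unknown tokens are left as written."""
    return TOKEN_RE.sub(lambda m: tokens.get(m.group(1), m.group(0)), text)


def render_html_message(pattern, tokens):
    """Substitution for an HTML context. One -raw token re-opens the
    injection, so refuse the pattern instead of trusting the site builder."""
    raw = [name for name in TOKEN_RE.findall(pattern) if name.endswith("-raw")]
    if raw:
        raise ValueError("-raw tokens are not allowed in HTML output: " + ", ".join(raw))
    return replace_tokens(pattern, tokens)


def demo():
    # Constructed attacker-controlled values: a node title and a term alias.
    values = {
        "title": "<script>alert(document.cookie)</script>",
        "termalias": 'tags/news"><img src=x onerror=alert(1)>',
    }
    tokens = build_tokens(values)
    results = {"safe": render_html_message("Saved [title] under [termalias]", tokens)}
    try:
        render_html_message("Saved [title-raw]", tokens)
        results["refused"] = False
    except ValueError:
        results["refused"] = True
    # What the vulnerable code effectively did: the raw value straight into the page.
    results["unsafe"] = replace_tokens("Saved [title-raw]", tokens)
    # An alias pattern is not an HTML context, so the raw value is the right input there.
    results["alias"] = replace_tokens("[termalias-raw]/archive", tokens)
    return results
```

Escaping at the moment of substitution, rather than when the value is stored, is what keeps the alias case working: the same term name is both a safe HTML fragment and a usable path segment, depending only on which token the pattern asks for.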
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 6.x before version 6.18 or 6.19.
* Drupal 5.x before version 5.23.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 6.x then upgrade to Drupal 6.18 [3] or Drupal
6.19 [4].
* If you are running Drupal 5.x then upgrade to Drupal 5.23 [5].
Drupal 5 will no longer be maintained when Drupal 7 is released [6].
Upgrading to Drupal 6 [7] is recommended. The security team is starting a
new practice of releasing both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose either the security update alone for an immediate fix (which
might require less quality assurance and testing) or the security fixes
together with other fixes and improvements, by choosing between Drupal 6.18
and Drupal 6.19. Read the announcement [8] for more information.
-------- REPORTED BY
---------------------------------------------------------
The OpenID authentication bypass issues were reported by Johnny Bufu [9],
Christian Schmidt [10] and Heine Deelstra [11] (*). The file download access
bypass was reported by Dylan Tack [12] (*). The comment unpublish bypass
issue was reported by Heine Deelstra [13] (*). The actions module cross site
scripting was reported by Justin Klein Keane [14] and Heine Deelstra [15]
(*). (*) Member of the Drupal security team.
-------- FIXED BY
------------------------------------------------------------
The OpenID authentication issues were fixed by Christian Schmidt [16], Heine
Deelstra [17] (*) and Damien Tournoud [18] (*). The file download access
bypass was fixed by Dave Reid [19] (*) and Neil Drumm [20] (*). The comment
unpublish bypass issue was fixed by Heine Deelstra [21] (*). The actions
module cross site scripting was fixed by Justin Klein Keane [22] and Heine
Deelstra [23] (*). (*) Member of the Drupal security team.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/880480
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://ftp.drupal.org/files/projects/drupal-6.18.tar.gz
[4] http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz
[5] http://ftp.drupal.org/files/projects/drupal-5.23.tar.gz
[6] http://drupal.org/node/725382
[7] http://drupal.org/upgrade
[8] http://drupal.org/drupal-6.19
[9] http://drupal.org/user/226462
[10] http://drupal.org/user/216078
[11] http://drupal.org/user/17943
[12] http://drupal.org/user/96647
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/302225
[15] http://drupal.org/user/17943
[16] http://drupal.org/user/216078
[17] http://drupal.org/user/17943
[18] http://drupal.org/user/22211
[19] http://drupal.org/user/53892
[20] http://drupal.org/user/3064
[21] http://drupal.org/user/17943
[22] http://drupal.org/user/302225
[23] http://drupal.org/user/17943
* Advisory ID: DRUPAL-SA-CONTRIB-2010-083
* Project: UC2Checkout, UCPaypal, UC Cart Links (third-party modules in the
Ubercart Project)
* Version: 5.x, 6.x
* Date: 2010-Aug-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Ubercart module for Drupal provides e-commerce features. Several modules
within Ubercart were vulnerable to various security issues.
1) The 2Checkout gateway module did not properly verify the payment
notification information. A malicious user could use a specially crafted
HTTP request to simulate payment and order completion on arbitrary
orders. If the 2Checkout gateway module is not installed then your site
is not at risk to this vulnerability.
2) The Paypal module's WPS payment method did not properly verify the
payment notification information. A malicious user could alter HTML form
data to send payment to a different Paypal account and still check out on
the site. If you do not use the Paypal WPS payment method then your site
is not at risk to this vulnerability.
3) The Ubercart Cart Links module is vulnerable to both an Access Bypass and
Cross Site Request Forgery where a malicious user could both trick other
users into adding or removing items from their cart and add items to a
cart which are not published on the site. If you do not use Ubercart Cart
Links module your site is not at risk to this vulnerability.
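Issues 1 and 2 above are both failures to verify a payment notification before completing an order: a notification the gateway never sent (2Checkout), and a genuine notification for money that went to an account the attacker substituted into the checkout form (Paypal WPS). The block below is an added example in Python, not Ubercart's code, of the checks an order-completion handler needs regardless of gateway: confirm the notification with the provider, tie it to the merchant's own account, match amount and currency against the stored order, and reject replays. The gateway is a constructed stand-in whose confirms() plays the role of a provider verification call such as an IPN postback; the orders, accounts and transaction IDs are constructed too.

```python
from decimal import Decimal


class FakeGateway:
    """Constructed stand-in for the payment provider. issue() is the provider
    creating a genuine notification; confirms() is the provider answering a
    verification callback and it only says yes to notifications it issued,
    exactly as issued."""

    def __init__(self):
        self.issued = {}

    def issue(self, **fields):
        self.issued[fields["txn_id"]] = dict(fields)
        return dict(fields)

    def confirms(self, notification):
        return self.issued.get(notification.get("txn_id")) == notification


def verify_payment_notification(notification, orders, merchant_account, gateway, seen_txns):
    """Return (ok, reason). The order is marked complete only if every check
    passes; a rejected notification changes no state."""
    if not gateway.confirms(notification):
        return False, "gateway did not confirm notification"
    if notification["txn_id"] in seen_txns:
        return False, "transaction already processed"
    if notification.get("receiver") != merchant_account:
        return False, "payment went to a different account"
    order = orders.get(notification.get("order_id"))
    if order is None or order["status"] != "pending":
        return False, "no pending order for this notification"
    if notification.get("status") != "Completed":
        return False, "payment not completed"
    if Decimal(notification.get("amount", "0")) != order["total"] or notification.get("currency") != order["currency"]:
        return False, "amount or currency does not match order"
    seen_txns.add(notification["txn_id"])
    order["status"] = "completed"
    return True, "ok"


MERCHANT = "payments@store.example"   # constructed merchant account


def demo():
    gateway, seen = FakeGateway(), set()
    orders = {oid: {"total": Decimal("49.99"), "currency": "USD", "status": "pending"} for oid in (1001, 1002, 1003)}
    results = {}
    genuine = gateway.issue(txn_id="T1", order_id=1001, receiver=MERCHANT, amount="49.99", currency="USD", status="Completed")
    results["genuine"] = verify_payment_notification(genuine, orders, MERCHANT, gateway, seen)
    results["replay"] = verify_payment_notification(genuine, orders, MERCHANT, gateway, seen)
    # Issue 1 style: a crafted request that looks like a notification the gateway never sent.
    forged = {"txn_id": "T-FAKE", "order_id": 1002, "receiver": MERCHANT, "amount": "49.99",
              "currency": "USD", "status": "Completed"}
    results["forged"] = verify_payment_notification(forged, orders, MERCHANT, gateway, seen)
    # Issue 2 style: the checkout form was edited, so a real payment landed in the attacker's account.
    diverted = gateway.issue(txn_id="T2", order_id=1003, receiver="attacker@example.net", amount="49.99",
                             currency="USD", status="Completed")
    results["diverted"] = verify_payment_notification(diverted, orders, MERCHANT, gateway, seen)
    results["order_states"] = {oid: o["status"] for oid, o in orders.items()}
    return results
```

The receiver check is the one the Paypal WPS issue turns on: the gateway will happily confirm that a payment was made, because it was, just not to the site. Amount and currency are compared against the order the site stored, never against values echoed back in the notification alone.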
-------- VERSIONS AFFECTED
---------------------------------------------------
* Ubercart module for Drupal 5.x versions prior to 5.x-1.10
* Ubercart module for Drupal 6.x versions prior to 6.x-2.4
Drupal core is not affected. If you do not use the contributed Ubercart [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ubercart module for Drupal 5.x upgrade to Ubercart 5.x-1.10
[2]
* If you use the Ubercart module for Drupal 6.x upgrade to Ubercart 6.x-2.4
[3]
See also the Ubercart project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Greg Knaddison [5] of the Drupal Security Team
* Guy Paddock [6]
* Nathan Phillip Brink [7]
-------- FIXED BY
------------------------------------------------------------
* Lyle Mantooth [8], the module maintainer
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/ubercart
[2] http://drupal.org/node/880378
[3] http://drupal.org/node/880390
[4] http://drupal.org/project/ubercart
[5] http://drupal.org/user/UID
[6] http://drupal.org/user/156932
[7] http://drupal.org/user/829476
[8] http://drupal.org/user/86683
[9] http://drupal.org/user/UID
[10] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-082
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Local file read access
-------- DESCRIPTION
---------------------------------------------------------
The Printer, e-mail and PDF versions ("print") module provides
printer-friendly versions of content, including a PDF version that is
generated by one of three supported generation tools (dompdf, TCPDF and
wkhtmltopdf). When the wkhtmltopdf tool is used, it is able to access local
files in the Drupal server environment. Users with the ability to create
unfiltered HTML in node content could trick the tool into reading any file
accessible to the web server user and displaying its contents inside the
generated PDF. Sites should not grant the ability to post unfiltered HTML to
untrusted roles.
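The attack surface here is any reference in the submitted HTML that a server-side renderer will fetch: frames, images, objects and CSS url() values pointing at file: URLs or at bare filesystem paths. The block below is an added example in Python, not the print module's code, of a scanner that finds such references in a node body before it is handed to the PDF tool, so a site can log or refuse them. The sample markup is constructed; the scanner flags scheme-less references too, on the assumption that the HTML is fed to the renderer from a temporary file, which makes relative references resolve on the server's filesystem.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the renderer fetches while laying out the page.
URL_ATTRS = {"src", "href", "data", "poster", "background"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def is_local_ref(url):
    """file: URLs are local by definition. A reference with neither scheme nor
    host is resolved against the base document; when that document is a temp
    file on the server the reference is local as well, so flag it (assumption
    stated in the lead-in). Fragments and empty values are ignored."""
    url = url.strip()
    if not url or url.startswith("#"):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() == "file":
        return True
    return parts.scheme == "" and parts.netloc == ""


class LocalRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for each local reference, including
    url() inside style attributes and <style> blocks."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS and is_local_ref(value):
                self.hits.append((tag, name, value.strip()))
            elif name == "style":
                self.hits.extend((tag, "style", ref) for ref in CSS_URL_RE.findall(value) if is_local_ref(ref))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.hits.extend(("style", "css", ref) for ref in CSS_URL_RE.findall(data) if is_local_ref(ref))


def find_local_refs(markup):
    finder = LocalRefFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


# Constructed node body as a user with unfiltered HTML could submit it.
SAMPLE = """<h1>Quarterly report</h1>
<img src="http://cdn.example/logo.png">
<iframe src="file:///etc/passwd" width="600" height="400"></iframe>
<object data="/var/www/html/sites/default/settings.php"></object>
<div style="background: url(file:///etc/hosts)">summary</div>
<style>body { background-image: url('../../settings.php'); }</style>
<a href="#top">top</a>"""
```

The scanner is a detection aid on top of the advisory's own mitigations (upgrade, and keep unfiltered HTML away from untrusted roles); it does not replace restricting the renderer itself, for instance with the --disable-local-file-access switch that wkhtmltopdf builds provide, which stops the tool from reading local files whatever the markup says.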
-------- VERSIONS AFFECTED
---------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.11
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.10
Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
Printer, e-mail and PDF versions 6.x-1.11 [1]
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.10 [2]
If you use the wkhtmltopdf PDF generation tool and its version is older
than 0.9.6, please upgrade [3] to a more recent version, as the module now
supports only versions 0.9.6 or higher. See also the Printer, e-mail and PDF
versions project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Douglas Bagnall [5]
-------- FIXED BY
------------------------------------------------------------
* João Ventura [6], module maintainer
* James Gilliland [7], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/880280
[2] http://drupal.org/node/880276
[3] http://code.google.com/p/wkhtmltopdf
[4] http://drupal.org/project/print
[5] http://drupal.org/user/758786
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/48673
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-081
* Project: FileField Sources (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary Code Execution
-------- DESCRIPTION
---------------------------------------------------------
The FileField Sources module expands on the abilities of FileField, allowing
users to select new or existing files through additional means, including
reuse of existing files through an autocomplete textfield or IMCE, or
transferring files directly from remote servers. The module does not
sanitize the file extensions of files that have been transferred from remote
servers, allowing the transfer of files that match allowed extensions but
actually contain malicious code. This could potentially allow an attacker to
transfer scripts to the server and execute them. This vulnerability is
usually mitigated by Drupal core's built-in security mechanisms, which
prevent code execution of uploads within the Drupal files directory, so it
should not affect the majority of Drupal sites. Users would also need the
ability to use the FileField Sources module, which requires permission to
create or edit a node that has a FileField with FileField Sources configured
for it.
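A name such as shell.php.txt passes a final-extension allow list, yet a web server configured to honour multiple extensions may still hand the file to the PHP interpreter. The block below is an added example in Python, not FileField Sources' code and not Drupal's PHP API, of the treatment a file name obtained from a remote server needs before it is stored: reduce it to a base name, check the final extension against the allow list, and insert an underscore after every inner extension that is not on the list. The munging step is modelled on the approach Drupal core takes for local uploads; the file names and allow lists are constructed.

```python
import re

# A name part that looks like an extension: two to five letters, optional digit.
EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def munge_filename(filename, allowed_extensions):
    """Insert an underscore after every inner extension that is not allowed,
    so 'shell.php.txt' becomes 'shell.php_.txt' and a server that evaluates
    multiple extensions no longer sees a .php part. The final extension is
    left alone; it is checked separately."""
    allowed = {e.lower() for e in allowed_extensions}
    parts = filename.split(".")
    if len(parts) < 3:
        return filename
    new_name = parts[0]
    for part in parts[1:-1]:
        new_name += "." + part
        if part.lower() not in allowed and EXT_LIKE.match(part):
            new_name += "_"
    return new_name + "." + parts[-1]


def extension_allowed(filename, allowed_extensions):
    """Final extension must be on the allow list (compared case-insensitively)."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in {e.lower() for e in allowed_extensions}


def accept_remote_file(remote_name, allowed_extensions):
    """What the transfer step should do with a name taken from a remote URL or
    Content-Disposition header. Returns the name to store, or None to refuse."""
    base = remote_name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    if not base or not extension_allowed(base, allowed_extensions):
        return None
    return munge_filename(base, allowed_extensions)
```

The allow list applies to the final extension only; inner parts are munged rather than rejected so that legitimate names such as archive.tar.gz survive when both tar and gz are allowed. The "built-in security mechanisms" the advisory relies on are a second layer: the .htaccess Drupal places in the files directory to keep scripts there from executing even if a dangerous name does get through.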
-------- VERSIONS AFFECTED
---------------------------------------------------
* FileField Sources module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed FileField
Sources [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FileField Sources module for Drupal 6.x upgrade to
FileField Sources 6.x-1.2 [2]
See also the FileField Sources project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Apa Sajja
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [4], module maintainer
* Greg Knaddison [5] of the Drupal security team
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/node/880248
[3] http://drupal.org/project/filefield_sources
[4] http://drupal.org/user/35821
[5] http://drupal.org/user/36762
[6] http://drupal.org/security-team