* Advisory ID: DRUPAL-SA-CONTRIB-2010-081 * Project: FileField Sources (third-party module) * Version: 6.x * Date: 2010-May-19 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Arbitrary Code Execution
-------- DESCRIPTION ---------------------------------------------------------
The FileField Sources module expands on the abilities of FileField, allowing users to select new or existing files through additional means, including: Reuse of existing files through an autocomplete textfield or IMCE, or transfering files directly from remote servers. The module does not sanitize the file extemsions of files that have been transfered from remote servers, allowing for the transfering of files that match allowed extensions but actually contain malicious code. This could potentially allow an attacker to transfer scripts to the server and execute them. This vulerability is usually mitigated by Drupal core's built-in security mechanisms which prevent code execution of uploads that are within the Drupal files directory. This exploit should not affect the majority of Drupal sites. Users would also need the ability to use the FileField Sources module which requires permission to create or edit a node that has a FileField with FileField Sources configured for it. -------- VERSIONS AFFECTED ---------------------------------------------------
* FileField Sources module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed FileField Sources [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the FileField Sources module for Drupal 6.x upgrade to FileField Sources 6.x-1.2 [2]
See also the FileField Sources project page [3]. -------- REPORTED BY ---------------------------------------------------------
* Apa Sajja
-------- FIXED BY ------------------------------------------------------------
* Nathan Haug [4], module maintainer * Greg Knaddison [5] of the Drupal security team
-------- CONTACT -------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/filefield_sources [2] http://drupal.org/node/880248 [3] http://drupal.org/project/filefield_sources [4] http://drupal.org/user/35821 [5] http://drupal.org/user/36762 [6] http://drupal.org/security-team