* Advisory ID: DRUPAL-SA-CONTRIB-2010-082
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Local file read access
-------- DESCRIPTION ---------------------------------------------------------
The Printer, e-mail and PDF versions ("print") module provides printer-friendly versions of content, including a PDF version that is generated by one of three supported generation tools (dompdf, TCPDF and wkhtmltopdf). When the wkhtmltopdf PDF generation tool is used, that tool is able to access local files in the Drupal server environment. Users with the ability to create unfiltered HTML in node content could trick the tool into accessing any file readable by the Web server user and displaying its contents inside the generated PDF. Sites should not grant the ability to post unfiltered HTML to untrusted roles.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.11
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.10
Drupal core is not affected. If you do not use the contributed Printer, e-mail and PDF versions module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 6.x, upgrade to Printer, e-mail and PDF versions 6.x-1.11 [1]
* If you use Printer, e-mail and PDF versions for Drupal 5.x, upgrade to Printer, e-mail and PDF versions 5.x-4.10 [2]
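The fixed module releases refuse to work with wkhtmltopdf older than 0.9.6. The following is an added administrator-side check, not code from the advisory or the print module: it parses the output of `wkhtmltopdf --version` and reports whether the installed binary meets that minimum. The sample version strings in the tests are constructed, and the binary name and output format are assumptions.

```python
import re
import subprocess

# Minimum wkhtmltopdf release the fixed module versions accept (from the advisory).
MIN_VERSION = (0, 9, 6)

# Assumed output shape of `wkhtmltopdf --version`, e.g. "wkhtmltopdf 0.9.6" or
# "wkhtmltopdf 0.12.5 (with patched qt)". The patch level is optional.
_VERSION_RE = re.compile(r"wkhtmltopdf\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(output):
    """Return (major, minor, patch) from version output, or None if unparseable."""
    match = _VERSION_RE.search(output or "")
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def version_ok(output, minimum=MIN_VERSION):
    """True only when a version was found and it is >= the required minimum."""
    version = parse_version(output)
    if version is None:
        return False  # unknown version is treated as not acceptable
    return version >= minimum


def check_installed(binary="wkhtmltopdf"):
    """Run the installed binary (assumed name) and return (ok, raw_output)."""
    try:
        result = subprocess.run([binary, "--version"], capture_output=True,
                                text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, str(exc)
    output = (result.stdout or "") + (result.stderr or "")
    return version_ok(output), output.strip()


if __name__ == "__main__":
    ok, raw = check_installed()
    print("OK" if ok else "NOT OK", "-", raw or "no output")
```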
If you use the wkhtmltopdf PDF generation tool and its version is older than 0.9.6, please upgrade [3] to a more recent version, as the module now supports only versions 0.9.6 or higher. See also the Printer, e-mail and PDF versions project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Douglas Bagnall [5]
-------- FIXED BY ------------------------------------------------------------
* João Ventura [6], module maintainer
* James Gilliland [7], module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/880280
[2] http://drupal.org/node/880276
[3] http://code.google.com/p/wkhtmltopdf
[4] http://drupal.org/project/print
[5] http://drupal.org/user/758786
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/48673
[8] http://drupal.org/security-team