* Advisory ID: DRUPAL-SA-CONTRIB-2010-030
* Project: Mime Mail (third-party module)
* Version: 5.x
* Date: 2010-March-24
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION ---------------------------------------------------------
The Mime Mail module is a helper module that provides support for MIME mail, for use by other modules.

Due to improper use of the PCRE regular expression engine (PHP's preg_* functions), users with the ability to send HTML email through the Mime Mail module were able to execute arbitrary PHP code on the server.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Mime Mail for Drupal 5.x prior to 5.x-1.1
*Note that Mime Mail version 6.x-1.0-alpha1 and earlier versions for Drupal 6.x are also affected. However, the security team does not provide support for alpha releases.*

Drupal core is not affected. If you do not use the contributed Mime Mail module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:

* If you use Mime Mail for Drupal 5.x, upgrade to Mime Mail 5.x-1.1 [1]

See also the Mime Mail project page [2].

-------- REPORTED BY ---------------------------------------------------------
* Martin Barbella [3]
* Damien Tournoud [4] of the Drupal Security Team [5]
-------- FIXED BY ------------------------------------------------------------
* Peter Wolanin [6] of the Drupal Security Team [7].
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/752166
[2] http://drupal.org/project/mimemail
[3] http://drupal.org/user/633600
[4] http://drupal.org/user/22211
[5] http://drupal.org/security-team
[6] http://drupal.org/user/49851
[7] http://drupal.org/security-team
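The following is an added illustration of the bug class named in the DESCRIPTION above; it is not code from the Mime Mail module and not part of the advisory. It assumes the specific mechanism was PHP's preg_replace() /e modifier, which is how "improper use of the PCRE regular expression engine" becomes PHP code execution: with /e the replacement string is evaluated as PHP after the captured text is spliced into it. The function names (rewrite_images_vulnerable, rewrite_images_safe, attach_file, pwned) and the sample HTML body are constructed for the example.

```php
<?php
// Added illustration of the PCRE misuse class named in the advisory.
// NOT code from the Mime Mail module; the /e modifier is an ASSUMED
// mechanism, chosen because it is the way PHP's preg_replace() turns a
// replacement string into evaluated PHP code.

// Hypothetical stand-in for whatever a mailer does with a referenced image.
function attach_file($src) {
  return 'cid:' . md5($src);
}

// VULNERABLE (runs on PHP 5 only; the /e modifier was removed in PHP 7).
// With /e, the replacement argument is PHP source. PHP substitutes the
// captures into it (quotes escaped with addslashes) and then eval()s the
// result. Because $2 lands inside a double-quoted PHP string, anyone who
// controls the HTML can use PHP's "{${expr}}" interpolation syntax, which
// addslashes() leaves untouched, to run arbitrary code during the replace.
function rewrite_images_vulnerable($html) {
  return preg_replace('/(<img[^>]+src=")([^"]+)(")/e',
                      '"$1" . attach_file("$2") . "$3"',
                      $html);
}

// FIXED. preg_replace_callback() passes the captures to a PHP function as
// data; nothing taken from the message is ever evaluated as code. A named
// callback instead of a closure keeps it working on the PHP 5.2-era
// platforms Drupal 5 ran on.
function _rewrite_image_callback($m) {
  return $m[1] . attach_file($m[2]) . $m[3];
}
function rewrite_images_safe($html) {
  return preg_replace_callback('/(<img[^>]+src=")([^"]+)(")/',
                               '_rewrite_image_callback',
                               $html);
}

// Constructed sample input: an HTML mail body whose image src carries a
// payload. The function it calls only sets a flag here; in a real attack it
// would be anything the web server user may do.
function pwned() { $GLOBALS['pwned'] = true; return 'x'; }
$hostile = '<p>Hi</p><img src="{${pwned()}}">';

$GLOBALS['pwned'] = false;
echo rewrite_images_safe($hostile), "\n";
var_dump($GLOBALS['pwned']);   // the callback treated the src purely as data

if (PHP_MAJOR_VERSION < 7) {
  $GLOBALS['pwned'] = false;
  echo rewrite_images_vulnerable($hostile), "\n";
  var_dump($GLOBALS['pwned']); // did pwned() run while the regex was applied?
}
```

Run under PHP 5 the second var_dump reports that pwned() was executed by preg_replace() itself, before the "fixed" output of the first call differs only in that the src was rewritten as a cid: reference. The practitioner's check for this class, when auditing any PHP code base, is to grep for the /e flag on preg_replace() patterns and for preg_replace() whose pattern or replacement argument is built from request, message or database content; the remedy is always preg_replace_callback() with a function that treats the captures as data.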