* Advisory ID: DRUPAL-SA-CONTRIB-2012-003 * Project: Fill PDF [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-JANUARY-04 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Arbitrary code execution
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to populate fillable PDF templates with data from nodes and webforms.
.... Access bypass (7.x only)
Incorrectly-ordered arguments in a call to the function that handles the main functionality of the module makes it possible for an attacker to trigger /any/ PDF to be filled, regardless of whether they have access to the node/webform or not, by passing an appropriately-formed query string argument.
This vulnerability is mitigated by the fact that an attacker can only access configured PDF templates, that the attacker must know (or brute-force) the node or webform IDs, and that only information that is configured to be filled into the PDFs (and the filled PDF templates themselves) can be obtained through this exploit.
.... Arbitrary code execution (6.x and 7.x)
The template importing and exporting used serialized PHP which required the use of an unsafe PHP function to evaluate and import templates, which could lead to execution of unwanted and untrusted code. This vulnerability is mitigated by the fact that the attacker must have the 'administer PDFs' permission.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Fill PDF 6.x-1.x versions prior to 6.x-1.16. * Fill PDF 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Fill PDF [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Fill PDF module for Drupal 6.x, upgrade to Fill PDF 6.x-1.16 [4]. * If you use the Fill PDF module for Drupal 7.x, upgrade to Fill PDF 7.x-1.2 [5].
See also the Fill PDF [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Access bypass reported by Christian Johansson [7] * Arbitrary code execution reported by Liam Morland [8]
-------- FIXED BY ------------------------------------------------------------
* Kevin Kaland (wizonesolutions) [9], module maintainer * Arbitrary code execution fixed by Liam Morland [10]
-------- COORDINATED BY ------------------------------------------------------
* Dave Reid [11], Drupal Security team member
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/fillpdf [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/fillpdf [4] http://drupal.org/node/1394070 [5] http://drupal.org/node/1394066 [6] http://drupal.org/project/fillpdf [7] http://drupal.org/user/204187 [8] http://drupal.org/user/493050 [9] http://drupal.org/user/739994 [10] http://drupal.org/user/493050 [11] http://drupal.org/user/53892 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration