Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015 - Security-news

10 Mar 2016


      View online: https://www.drupal.org/node/2684601
* Advisory ID: DRUPAL-SA-CONTRIB-2016-015
   * Project: Scald File Provider [1]     (third-party module)
   * Version: 7.x
   * Date: 2016-March-09
   * Security risk: 18/25 ( Critical)
     AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All [2]
   * Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
When a PDF is uploaded in Scald File, various tools can be executed if
they're installed on the server, to try to generate a thumbnail out of that
PDF.
This is mitigated by the need to have the sufficient permissions to upload a
file in Scald, and also to have at least one of the thumbnail creation tools
installed on the server (pdfdraw, convert or mudraw).
It could also be partially mitigated by using the transliteration module for
uploaded files.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Scald File module 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Scald File
Provider [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Scald File module for Drupal 7.x, upgrade to Scald File
     7.x-1.3 [5]
Also see the Scald File Provider [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* DeFr [7]
-------- FIXED BY
------------------------------------------------------------
* DeFr [8]
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and  securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/scald_file
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/scald_file
[5] https://www.drupal.org/node/2678810
[6] https://www.drupal.org/project/scald_file
[7] https://www.drupal.org/u/defr
[8] https://www.drupal.org/u/defr
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity