* Advisory ID: DRUPAL-SA-CONTRIB-2010-014
* Project: Node Export (third-party module)
* Version: 5.x, 6.x
* Date: 2010-February-3
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution

-------- DESCRIPTION ---------------------------------------------------------
The Node export module allows users to export and import nodes. Node export does not warn administrators that users with the "access administration pages" permission together with the "import nodes" permission can execute arbitrary PHP statements during the import operation.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Node Export for Drupal 5.x prior to 5.x-2.3
* Node Export for Drupal 6.x prior to 6.x-2.19

Drupal core is not affected. If you do not use the Node Export module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:

* If you use Node Export for Drupal 5.x upgrade to Node Export 5.x-2.3 [1]
* If you use Node Export for Drupal 6.x upgrade to Node Export 6.x-2.19 [2]

Since the "import nodes" permission has been renamed, you will need to grant the permission to import nodes to authorized users again. See also the Node Export page [3].

-------- REPORTED BY ---------------------------------------------------------
* mr.baileys [4] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* danielb [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://drupal.org/node/703246
[2] http://drupal.org/node/703244
[3] http://drupal.org/project/node_export
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/134005
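
An audit based on the DESCRIPTION and VERSIONS AFFECTED sections above, as an added example that is not part of the original advisory or the module's code: it checks whether an installed Node Export release predates the fix and which roles hold both permissions the advisory names. It assumes role permissions are available as comma-separated strings, as Drupal 5/6 stores them; the sample rows and the function names are constructed for illustration.

```python
import re

# Fixed releases from the advisory, keyed by Drupal core branch.
FIXED = {"5.x": (2, 3), "6.x": (2, 19)}
# Permission pair the advisory names (names as used before the upgrade).
RISKY = {"access administration pages", "import nodes"}

# Constructed sample: (role name, perm string) pairs. Assumes the
# comma-separated permission list format of Drupal 5/6 role permissions.
SAMPLE_ROWS = [
    ("authenticated user", "access content, post comments"),
    ("site editor", "access administration pages, import nodes, export nodes"),
    ("content importer", "access content, import nodes"),
    ("helpdesk", "access administration pages, import nodes from feed"),
]

def is_affected(version):
    """True if a Node Export release string such as '6.x-2.18' predates the fix."""
    m = re.fullmatch(r"(\d+\.x)-(\d+)\.(\d+)", version)
    if not m or m.group(1) not in FIXED:
        # Dev snapshots and other branches cannot be compared; fail loudly.
        raise ValueError(f"cannot compare version {version!r}")
    return (int(m.group(2)), int(m.group(3))) < FIXED[m.group(1)]

def roles_with_both(rows):
    """Return role names whose permission list contains both risky permissions."""
    hits = []
    for name, perm in rows:
        # Compare whole permission names, not substrings, so that
        # 'import nodes from feed' does not count as 'import nodes'.
        held = {p.strip() for p in perm.split(",")}
        if RISKY <= held:
            hits.append(name)
    return hits

if __name__ == "__main__":
    for v in ("5.x-2.2", "6.x-2.18", "6.x-2.19"):
        print(v, "affected" if is_affected(v) else "fixed")
    print("roles to review:", roles_with_both(SAMPLE_ROWS))
```

The permission names checked are the ones the advisory gives for the affected versions; after the upgrade the import permission carries a new name and has to be granted again.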