[Security-news] SA-CONTRIB-2009-068 - Boost - Filesystem Directory Creation

security-news at drupal.org security-news at drupal.org
Wed Sep 30 20:50:27 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-068
  * Project: Boost (third-party module)
  * Version: 6.x-1.*
  * Date: 2009-09-30
  * Security risk: Low
  * Exploitable from: Remote
  * Vulnerability: Filesystem Directory Creation

-------- DESCRIPTION  
---------------------------------------------------------

The Boost module provides a static file-based cache of Drupal pages for
anonymous users. A vulnerability in the module allows an attacker to create
new directories inside the webroot that the web server can write to. Existing
directories cannot be changed using this vulnerability, but it can be used to
affect the system by creating enough directories to reach the 35,000 limit.

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Boost module before version 6.x-1.03

Drupal core is not affected. If you do not use the contributed Boost module,
there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use the Boost module for Drupal 6.x, upgrade to Boost module
    6.x-1.03 [1]

-------- REPORTED BY  
---------------------------------------------------------

Hans Rossel [2]

-------- FIXED BY  
------------------------------------------------------------

Mike Carper [3], the module maintainer.

-------- CONTACT  
-------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org [4]
or via the form at http://drupal.org/contact [5].

[1] http://drupal.org/node/592470
[2] http://drupal.org/user/39422
[3] http://drupal.org/user/282446
[4] http://drupal.org
[5] http://drupal.org/contact


