[Security-news] SA-CONTRIB-2010-082 - Print - Local file read access

security-news at drupal.org security-news at drupal.org
Wed Aug 11 20:06:29 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-082
  * Project: Printer, e-mail and PDF versions (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-August-11
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Local file read access

-------- DESCRIPTION ---------------------------------------------------------

The Printer, e-mail and PDF versions ("print") module provides
printer-friendly versions of content, including a PDF version that is
generated by one of three supported generation tools (dompdf, TCPDF and
wkhtmltopdf). When the wkhtmltopdf PDF generation tool is used, that tool is
able to access local files in the Drupal server environment. Users with the
ability to create unfiltered HTML in node content could trick the tool into
reading any file accessible to the Web server user and displaying its
contents inside the generated PDF. Sites should not grant the ability to post
unfiltered HTML to untrusted roles.
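
The mitigation pattern the advisory implies, as an added example rather than the print module's own code: gate on the 0.9.6 minimum and invoke wkhtmltopdf with local file reads turned off. It assumes the wkhtmltopdf `--disable-local-file-access` option (not named in the advisory) and that `wkhtmltopdf --version` prints a dotted version number.

```python
"""Hardened wkhtmltopdf wrapper: version gate plus local-file lockout.

Added example, not the print module's own code. Assumes the wkhtmltopdf
`--disable-local-file-access` option and a `--version` banner that
contains a dotted version number.
"""
import re
import subprocess
from typing import List, Optional, Tuple

MIN_VERSION = (0, 9, 6)  # minimum release the advisory says the module now supports


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first x.y.z version from `wkhtmltopdf --version` output."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def version_supported(text: str) -> bool:
    """True only for 0.9.6 or newer; unrecognised output is treated as unsupported."""
    version = parse_version(text)
    return version is not None and version >= MIN_VERSION


def build_command(binary: str, html_path: str, pdf_path: str) -> List[str]:
    """Argument vector that forbids the rendered HTML from pulling in local files.

    An argv list (no shell) also keeps user-influenced file names from being
    interpreted by a shell.
    """
    return [binary, "--disable-local-file-access", html_path, pdf_path]


def render_pdf(binary: str, html_path: str, pdf_path: str) -> None:
    """Refuse an old wkhtmltopdf, then convert with local file access disabled."""
    probe = subprocess.run([binary, "--version"], capture_output=True, text=True)
    banner = probe.stdout + probe.stderr
    if not version_supported(banner):
        raise RuntimeError(f"wkhtmltopdf older than 0.9.6 or unrecognised: {banner!r}")
    subprocess.run(build_command(binary, html_path, pdf_path), check=True)
```
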

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Printer, e-mail and PDF versions 6.x prior to 6.x-1.11
  * Printer, e-mail and PDF versions 5.x prior to 5.x-4.10

Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
    Printer, e-mail and PDF versions 6.x-1.11 [1]
  * If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
    Printer, e-mail and PDF versions 5.x-4.10 [2]

If you use the wkhtmltopdf PDF generation tool and its version is older
than 0.9.6, please upgrade [3] to a more recent version, as the module now
supports only versions 0.9.6 or higher. See also the Printer, e-mail and PDF
versions project page [4].

-------- REPORTED BY ---------------------------------------------------------

  * Douglas Bagnall [5]

-------- FIXED BY ------------------------------------------------------------

  * João Ventura [6], module maintainer
  * James Gilliland [7], module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/880280
[2] http://drupal.org/node/880276
[3] http://code.google.com/p/wkhtmltopdf
[4] http://drupal.org/project/print
[5] http://drupal.org/user/758786
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/48673
[8] http://drupal.org/security-team



More information about the Security-news mailing list