[Security-news] SA-CONTRIB-2010-014 - Node Export - Arbitrary code execution

security-news at drupal.org
Wed Feb 3 19:05:49 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-014
  * Project: Node Export (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-February-3
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Arbitrary code execution

-------- DESCRIPTION ---------------------------------------------------------

The Node export module allows users to export and import nodes. Node export
does not warn administrators that users with the "access administration
pages" permission together with the "import nodes" permission can execute
arbitrary PHP statements during the import operation.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Node Export for Drupal 5.x prior to 5.x-2.3
  * Node Export for Drupal 6.x prior to 6.x-2.19

Drupal core is not affected. If you do not use the Node Export module, there
is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Node Export for Drupal 5.x, upgrade to Node Export 5.x-2.3 [1]
  * If you use Node Export for Drupal 6.x, upgrade to Node Export 6.x-2.19 [2]

Since the "import nodes" permission has been renamed, you will need to grant
the permission to import nodes to authorized users again. See also the Node
Export page [3].
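
An audit sketch for the checks above, added here as an example (it is not
part of the advisory or of the Node Export module). It compares an installed
release string with the fixed releases listed above and flags roles that hold
both permissions named in the description. The row layout (role name plus a
comma-separated permission string, as Drupal 5/6 store it per role) is an
assumption, and the sample rows are constructed.

```python
import re

# Fixed releases per core branch, taken from the advisory text.
FIXED = {"5.x": (2, 3), "6.x": (2, 19)}
# Permission pair named in the advisory (names as used before the upgrade).
RISKY = {"access administration pages", "import nodes"}


def is_affected(version):
    """True/False for a stable release string such as '6.x-2.18'.

    Returns None for dev snapshots, pre-releases and branches the advisory
    does not list, so those get a manual review instead of a guess.
    """
    m = re.fullmatch(r"(\d+\.x)-(\d+)\.(\d+)", version.strip())
    if not m or m.group(1) not in FIXED:
        return None
    # Compare as integer tuples: as strings, "2.10" would sort before "2.3".
    return (int(m.group(2)), int(m.group(3))) < FIXED[m.group(1)]


def roles_with_both(permission_rows):
    """Return the sorted role names that hold every permission in RISKY.

    Permissions are split and matched exactly; a substring match would also
    hit unrelated permissions whose names merely contain 'import nodes'.
    """
    flagged = []
    for role, perm in permission_rows:
        held = {p.strip() for p in perm.split(",")}
        if RISKY <= held:
            flagged.append(role)
    return sorted(flagged)


# Constructed sample rows: (role name, comma-separated permissions).
SAMPLE_ROWS = [
    ("anonymous user", "access content"),
    ("editor", "access content, access administration pages"),
    ("site builder", "access administration pages, access content, import nodes"),
    ("importer", "import nodes, access content"),
    ("feeds user", "access administration pages, import nodes from feed"),
]

if __name__ == "__main__":
    print("6.x-2.18 affected:", is_affected("6.x-2.18"))
    print("roles to review:", roles_with_both(SAMPLE_ROWS))
```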

-------- REPORTED BY ---------------------------------------------------------

  * mr.baileys [4] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

  * danielb [5], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/703246
[2] http://drupal.org/node/703244
[3] http://drupal.org/project/node_export
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/134005


