[Security-news] SA-CONTRIB-2010-030: Mime Mail - Arbitrary code execution

security-news at drupal.org security-news at drupal.org
Wed Mar 24 22:03:24 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-030
  * Project: Mime Mail (third-party module)
  * Version: 5.x
  * Date: 2010-March-24
  * Security risk: Highly critical
  * Exploitable from: Remote
  * Vulnerability: Arbitrary code execution

-------- DESCRIPTION ---------------------------------------------------------

The Mime Mail module is a helper module providing support for MIME mails,
for use by other modules. Due to improper use of the PCRE regular expression
engine, users with the ability to send HTML email with the Mime Mail module
were able to execute arbitrary PHP code on the server.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Mime Mail for Drupal 5.x prior to 5.x-1.1

*Note that Mime Mail version 6.x-1.0-alpha1 and earlier versions for Drupal
6.x are also affected. However, the security team does not provide support
for alpha releases.* Drupal core is not affected. If you do not use the
contributed Mime Mail module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Mime Mail for Drupal 5.x upgrade to Mime Mail 5.x-1.1 [1]

See also the Mime Mail project page [2].

-------- REPORTED BY ---------------------------------------------------------

  * Martin Barbella [3]
  * Damien Tournoud [4] of the Drupal Security Team [5].

-------- FIXED BY ------------------------------------------------------------

  * Peter Wolanin [6] of the Drupal Security Team [7].

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/752166
[2] http://drupal.org/project/mimemail
[3] http://drupal.org/user/633600
[4] http://drupal.org/user/22211
[5] http://drupal.org/security-team
[6] http://drupal.org/user/49851
[7] http://drupal.org/security-team