[Security-news] SA-CONTRIB-2012-003 - Fill PDF - Multiple Vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Jan 4 23:07:08 UTC 2012


  * Advisory ID: DRUPAL-SA-CONTRIB-2012-003
  * Project: Fill PDF [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-JANUARY-04
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Arbitrary code execution

-------- DESCRIPTION ---------------------------------------------------------

This module enables you to populate fillable PDF templates with data from
nodes and webforms.

.... Access bypass (7.x only)

Incorrectly-ordered arguments in a call to the function that handles the main
functionality of the module make it possible for an attacker to trigger
/any/ PDF to be filled, regardless of whether they have access to the
node/webform or not, by passing an appropriately-formed query string
argument.

This vulnerability is mitigated by the fact that an attacker can only access
configured PDF templates, that the attacker must know (or brute-force) the
node or webform IDs, and that only information that is configured to be
filled into the PDFs (and the filled PDF templates themselves) can be
obtained through this exploit.

.... Arbitrary code execution (6.x and 7.x)

Template import and export used serialized PHP, which required the use of an
unsafe PHP function to evaluate and import templates. This could lead to
execution of unwanted and untrusted code. This vulnerability is mitigated by
the fact that the attacker must have the 'administer PDFs' permission.
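
The following is an added example, not code from the Fill PDF module or from
this advisory. The advisory does not name the unsafe function or the
replacement format, so the sketch assumes eval() on exported PHP source and a
JSON replacement; all function names and the template layout are hypothetical.

```php
<?php
// Added illustration; names and template layout are hypothetical.

// Unsafe pattern (assumed): the export is PHP source, so importing it
// executes whatever text was pasted into the import form.
function example_import_unsafe(string $exported): array {
  return eval('return ' . $exported . ';');
}

// Safer pattern: treat the export as data. JSON decoding never runs code,
// and the decoded structure is checked against an allow-list before use.
function example_import_safe(string $exported): array {
  $data = json_decode($exported, true, 8, JSON_THROW_ON_ERROR);
  if (!is_array($data) || array_diff(array_keys($data), ['title', 'fields'])) {
    throw new InvalidArgumentException('Unexpected top-level structure.');
  }
  if (!is_string($data['title'] ?? null) || !is_array($data['fields'] ?? null)) {
    throw new InvalidArgumentException('Missing or mistyped title/fields.');
  }
  $fields = [];
  foreach ($data['fields'] as $i => $field) {
    // Each mapping is a PDF field key plus a replacement value, both strings.
    if (!is_array($field)
        || !is_string($field['pdf_key'] ?? null)
        || !is_string($field['value'] ?? null)) {
      throw new InvalidArgumentException("Field mapping $i is malformed.");
    }
    // Copy only the known keys so extra attacker-supplied keys are dropped.
    $fields[] = ['pdf_key' => $field['pdf_key'], 'value' => $field['value']];
  }
  return ['title' => $data['title'], 'fields' => $fields];
}

// Constructed sample export.
$sample = '{"title":"Invoice","fields":[{"pdf_key":"name","value":"[node:title]"}]}';
var_dump(example_import_safe($sample));

// Input that is PHP source rather than JSON is rejected, never evaluated.
try {
  example_import_safe('array("title" => "x")');
} catch (JsonException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```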

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Fill PDF 6.x-1.x versions prior to 6.x-1.16.
  * Fill PDF 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Fill PDF [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Fill PDF module for Drupal 6.x, upgrade to Fill PDF
    6.x-1.16 [4].
  * If you use the Fill PDF module for Drupal 7.x, upgrade to Fill PDF 7.x-1.2
    [5].

See also the Fill PDF [6] project page.

-------- REPORTED BY ---------------------------------------------------------

  * Access bypass reported by Christian Johansson [7]
  * Arbitrary code execution reported by Liam Morland [8]

-------- FIXED BY ------------------------------------------------------------

  * Kevin Kaland (wizonesolutions) [9], module maintainer
  * Arbitrary code execution fixed by Liam Morland [10]

-------- COORDINATED BY ------------------------------------------------------

  * Dave Reid [11], Drupal Security team member

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/fillpdf
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fillpdf
[4] http://drupal.org/node/1394070
[5] http://drupal.org/node/1394066
[6] http://drupal.org/project/fillpdf
[7] http://drupal.org/user/204187
[8] http://drupal.org/user/493050
[9] http://drupal.org/user/739994
[10] http://drupal.org/user/493050
[11] http://drupal.org/user/53892
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration


