[Security-news] Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089

security-news at drupal.org security-news at drupal.org
Wed Dec 6 19:16:53 UTC 2017


View online: https://www.drupal.org/sa-contrib-2017-089

Project: Mailhandler [1]
Version: 7.x-2.10
Date: 2017-December-06
Security risk: *Critical* 17∕25
AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Remote Code Execution

Description: 
The Mailhandler module enables you to create nodes by email.

The Mailhandler module does not validate file attachments. By sending a
correctly crafted e-mail to a mailhandler mailbox an attacker can execute
arbitrary code.

The vulnerability applies to any active mailhandler mailbox, whether or not
attachments are mapped to a field.

*Mitigating factors:*

   * For 7.x versions prior to 7.x-2.5, the vulnerability is mitigated by the
     fact that the 'MailhandlerCommandsFiles' plugin must be enabled. For
     later versions, the option to disable commands was removed, so all
     commands are always enabled.
   * The vulnerability is mitigated by the fact that the attacker must pass
     the authentication step. By default, authentication requires that the
     crafted e-mail be sent from a registered e-mail address.
   * The vulnerability is mitigated by the fact that the attacker must know
     the mailhandler mailbox e-mail address. Whether that is the case depends
     on the use case, e.g. the Mailcomment module.
   * The vulnerability is mitigated by the fact that the webserver
     configuration must either permit the execution of some file extensions in
     the public filesystem or (on Apache) have '.htaccess' support enabled
     through the AllowOverride directive.
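
The last mitigating factor can be checked from the defender's side by auditing
the public files directory for content the webserver might execute. The script
below is an added example, not code from this advisory or from the Mailhandler
project. The function name, the extension list and the default path
(sites/default/files) are assumptions to adjust for your site.

```python
import os
import sys

# Assumption: extensions a web server may be configured to execute.
# Adjust to the handlers actually enabled on your server.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar", ".pl", ".py", ".cgi", ".sh"}


def audit_public_files(root):
    """Return sorted (reason, relative_path) findings under a public files dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lower = name.lower()
            if lower == ".htaccess":
                # Assumption: a top-level .htaccess is the site's own. One
                # deeper in the tree arrived with stored content and could
                # re-enable execution where AllowOverride permits it.
                if os.path.dirname(rel):
                    findings.append(("nested-htaccess", rel))
                continue
            # Check every dot-separated part, not only the last one: Apache can
            # pick a handler from any extension in names like "x.php.jpg".
            parts = lower.split(".")[1:]
            if any("." + p in EXECUTABLE_EXTS for p in parts):
                findings.append(("executable-extension", rel))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: Drupal 7's default public files path, relative to the docroot.
    target = sys.argv[1] if len(sys.argv) > 1 else "sites/default/files"
    results = audit_public_files(target)
    for reason, path in results:
        print(f"{reason}\t{path}")
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one finding, so the script can run from
cron or a deployment check.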

Solution: 
Install the latest version:

   * If you use the Mailhandler module for Drupal 7.x, upgrade to Mailhandler
     7.x-2.11 [3]

Also see the Mailhandler [4] project page.

Reported By: 
   * Marc Darcis [5]

Fixed By: 
   * Marc Darcis [6]
   * Nathaniel Catchpole [7]
   * Milos Bovan [8]

Coordinated By: 
   * Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/mailhandler
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mailhandler/releases/7.x-2.11
[4] https://www.drupal.org/project/mailhandler
[5] https://www.drupal.org/user/3552485
[6] https://www.drupal.org/user/3552485
[7] https://www.drupal.org/user/35733
[8] https://www.drupal.org/u/mbovan
[9] https://www.drupal.org/u/greggles


