[Security-news] File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065
security-news at drupal.org
security-news at drupal.org
Wed Dec 14 17:55:46 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-065
Project: File (Field) Paths [1]
Date: 2022-December-14
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The File (Field) Paths module extends the default functionality of Drupal's
core File module, by adding the ability to use entity-based tokens in
destination paths and file names.
The module's default configuration could temporarily expose private files to
anonymous visitors.
*Important note:* to fix the problem, database updates must be run in
addition to updating the module.
It's possible to make a configuration change to mitigate this problem in the
admin UI at /admin/config/media/file-system/filefield-paths - the temp file
location should use either the temporary:// or private:// stream wrapper if
uploaded files should not be exposed publicly.
This vulnerability is mitigated by the fact that an attacker must be able to
guess the temporary path used for file upload.
Solution:
Install the latest version:
* If you use the File (Field) Paths module for Drupal 7.x, upgrade to File
(Field) Paths 7.x-1.2 [3]
Reported By:
* Hayato Goto [4]
* Drew Webber [5] of the Drupal Security Team
* Steve Bink [6]
Fixed By:
* Hayato Goto [7]
* David Snopek [8] of the Drupal Security Team
* Vijay Mani [9] provisional member of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team
* Oleh Vehera [11]
* Damien McKenna [12] of the Drupal Security Team
Coordinated By:
* David Snopek [13] of the Drupal Security Team
* Drew Webber [14] of the Drupal Security Team
* Greg Knaddison [15] of the Drupal Security Team
[1] https://www.drupal.org/project/filefield_paths
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/filefield_paths/releases/7.x-1.2
[4] https://www.drupal.org/user/2844385
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/3427991
[7] https://www.drupal.org/user/2844385
[8] https://www.drupal.org/user/266527
[9] https://www.drupal.org/user/93488
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/3260314
[12] https://www.drupal.org/user/108450
[13] https://www.drupal.org/u/dsnopek
[14] https://www.drupal.org/u/mcdruid
[15] https://www.drupal.org/user/36762
More information about the Security-news
mailing list