===================================================================== CERT-Renater Note d'Information No. 2010/VULN153 _____________________________________________________________________ DATE : 06/05/2010 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running FileField for DRUPAL, ImageField for DRUPAL. ====================================================================== http://drupal.org/node/791050 http://drupal.org/node/791054 ______________________________________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2010-40 * Project: FileField (third-party module) * Version: 6.x * Date: 2010-May-5 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Access Bypass - -------- DESCRIPTION - --------------------------------------------------------- FileField provides a file upload field for CCK, allowing files to be attached to a node. FileField intends to set a default extension of "txt" for all new fields, but may actually save an empty string allowing all extensions if an administrator does not save the field configuration page after creating a new field. Execution of code in uploaded files is normally prevented by .htaccess rules, regardless of file extension. Any FileField that has been initially saved or edited with any extensions specified is not affected. This vulnerability is mitigated by the attacker needing permission to create or edit content with an unconfigured FileField. - -------- VERSIONS AFFECTED - --------------------------------------------------- * FileField for Drupal 6.x versions prior to 6.x-3.3 Drupal core is not affected. If you do not use the contributed FileField [1] module, there is nothing you need to do. - -------- SOLUTION - ------------------------------------------------------------ Install the latest version. * If you use FileField for Drupal 6.x upgrade to FileField 6.x-3.3 [2] - -------- REPORTED BY - --------------------------------------------------------- * David Rothstein [3] of the Drupal Security Team - -------- FIXED BY - ------------------------------------------------------------ * Nathan Haug [4] the module maintainer - -------- CONTACT - ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/filefield [2] http://drupal.org/node/791032 [3] http://drupal.org/user/124982 [4] http://drupal.org/user/35821 ___________________________________________________________________ _______________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2010-41 * Project: ImageField (third-party module) * Version: 6.x * Date: 2010-May-5 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access Bypass - -------- DESCRIPTION - --------------------------------------------------------- ImageField provides a file upload field for CCK, allowing files to be attached to a node. ImageField intends to set a default extension of "png jpg gif" for all new fields, but may actually save an empty string allowing all of the "png jpg gif" extensions if an administrator does not save the field configuration page after creating a new field. Any ImageField that has been initially saved or edited with any extensions specified is not affected. This vulnerability is mitigated by the attacker needing permission to create or edit content with an unconfigured ImageField. ImageField also creates thumbnails after uploading a new image. A second vulnerability is that this thumbnail is not properly checked for access if using the Private Downloads setting, allowing users that may not have access to view the full size image to still view the administrative thumbnail. - -------- VERSIONS AFFECTED - --------------------------------------------------- * ImageField for Drupal 6.x versions prior to 6.x-3.3 Drupal core is not affected. If you do not use the contributed ImageField [1] module, there is nothing you need to do. - -------- SOLUTION - ------------------------------------------------------------ Install the latest version. * If you use ImageField for Drupal 6.x upgrade to ImageField 6.x-3.3 [2] - -------- REPORTED BY - --------------------------------------------------------- * vb1 [3] - -------- FIXED BY - ------------------------------------------------------------ * Nathan Haug [4] the module maintainer - -------- CONTACT - ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/imagefield [2] http://drupal.org/node/791030 [3] http://drupal.org/user/690402 [4] http://drupal.org/user/35821 ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================