=====================================================================
                            CERT-Renater

                 Information Note No. 2013/VULN309
_____________________________________________________________________

DATE                : 11/07/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Stage File Proxy for DRUPAL
                      versions 7.x.

======================================================================
http://drupal.org/node/2038807
______________________________________________________________________

SA-CONTRIB-2013-056 - Stage File Proxy - Denial of Service

Posted by Drupal Security Team on July 10, 2013 at 2:16pm

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-056
  * Project: Stage File Proxy (third-party module)
  * Version: 7.x
  * Date: 2013-July-10th
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

Description

This module saves time and disk space by sending requests to your
development environment's files directory to the production environment
and making a copy of the production file in your development site.

An attacker could make repeated requests to the server, even over a long
period, which would degrade the performance of all file handling and
potentially prevent certain file operations.

CVE identifier(s) issued

  * A CVE identifier will be requested, and added upon issuance, in
    accordance with Drupal Security Team processes.

Versions affected

  * Stage File Proxy 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Stage File
Proxy module, there is nothing you need to do.

Solution

Install the latest version:

  * If you use the Stage File Proxy module for Drupal 7.x, upgrade to
    Stage File Proxy 7.x-1.4

Also see the Stage File Proxy project page.

Reported by

  * Mike Carper

Fixed by

  * Stefan M. Kudwien
  * Greg Knaddison the module maintainer

Coordinated by

  * Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via
the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.

Categories: Drupal 7.x

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris          | email: cert@support.renater.fr  +
==========================================================