
====================================================================

                              CERT-Renater

                 Information Note No. 2017/VULN411
_____________________________________________________________________

DATE                : 28/12/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running me aliases for Drupal versions
                                   prior to 7.x-1.3.

=====================================================================
https://www.drupal.org/sa-contrib-2017-097
_____________________________________________________________________

me aliases - Highly critical - Arbitrary code execution -
SA-CONTRIB-2017-097

Project: me aliases
Date: 2017-December-20
Security risk: Highly critical 20/25
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary code execution


Description:

The 'me' module provides shortcut paths to the current user's pages, e.g.
user/me, blog/me, user/me/edit, tracker/me etc.

The way the 'me' module handles URL arguments allows an attacker to execute
arbitrary code strings.


Solution:

Install the latest version:

  * If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3
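
One way to check which installed copies of the module still need this upgrade (an added example, not part of the advisory or the module's code). It assumes the `version` line that drupal.org packaging writes into a module's `.info` file; copies without it (for example git checkouts) and dev snapshots are reported as unknown, and pre-releases of 7.x-1.3 are conservatively treated as prior. All function names are hypothetical.

```python
import re
from pathlib import Path

FIXED = "7.x-1.3"  # fixed release named in the advisory
# Drupal contrib version strings: 7.x-1.2, 7.x-1.3-rc1, 7.x-1.x-dev
_VER = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+)(\d*))?$")
_STAGE = {"unstable": 0, "alpha": 1, "beta": 2, "rc": 3, None: 4}

def parse_version(s):
    """Return a sortable tuple, or None if the string cannot be ordered."""
    m = _VER.match(s.strip())
    if not m:
        return None
    core, major, patch, stage, n = m.groups()
    if patch == "x" or stage not in _STAGE:  # dev snapshot or unknown suffix
        return None
    return (int(core), int(major), int(patch), _STAGE[stage], int(n or 0))

def info_version(text):
    """Extract the 'version' value from the text of a Drupal 7 .info file."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "version":
            return value.strip().strip("\"'")
    return None

def assess(version):
    """Classify a version string as 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(version) if version else None
    if v is None or v[0] != 7:  # the advisory only covers the 7.x branch
        return "unknown"
    return "fixed" if v >= parse_version(FIXED) else "vulnerable"

def scan(drupal_root):
    """Map each me.info found under drupal_root to its assessment."""
    root = Path(drupal_root)
    return {str(p.relative_to(root)): assess(info_version(p.read_text(errors="replace")))
            for p in root.rglob("me.info")}

if __name__ == "__main__":
    # Constructed sample .info content, not taken from the real module.
    sample = 'name = me aliases\ncore = 7.x\n; packaging info\nversion = "7.x-1.2"\n'
    print(assess(info_version(sample)))  # vulnerable
```

Call `scan()` with the Drupal root directory; any result other than "fixed" needs the upgrade or a manual check.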


Reported By:
 ross.linscott
Fixed By:
 Camilo Bravo
 nohup
 Michael Hess of the Drupal Security Team
Coordinated By:
 Michael Hess of the Drupal Security Team

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================




