
SA-CONTRIB-2010-059: Panels - Arbitrary PHP code execution


Advisory ID: DRUPAL-SA-CONTRIB-2010-059

  • Project: Panels (third-party module)
  • Versions: 6.x
  • Date: 2010 May 19
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary PHP code execution

DESCRIPTION

The Panels module allows a site administrator to create customized layouts
for multiple uses. The "Mini panels" module, included with Panels, was found
to have an arbitrary PHP code execution vulnerability. Users with the 'create
mini panels' permission could execute arbitrary PHP code on the server via
the import functionality. An additional check for the permission 'use PHP for
block visibility' has been added to ensure that the site administrator has
already granted users of the import functionality the permission to execute
PHP.

VERSIONS AFFECTED

  • Versions of Panels for Drupal 6.x prior to 6.x-3.4

Drupal core is not affected. If you do not use the contributed Panels module,
there is nothing you need to do.
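As an added illustration of the permission gate the advisory describes (not the Panels module's own code), written against the Drupal 6 APIs hook_menu(), user_access() and drupal_access_denied(); the example_ function names and the menu path are assumptions:

```php
<?php
// Added illustration of the fix described in the advisory; this is not the
// Panels module's own code. It assumes the Drupal 6 APIs hook_menu(),
// user_access(), drupal_access_denied() and drupal_get_form(); the names
// prefixed "example_" and the menu path are hypothetical.

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items = array();
  $items['admin/build/mini-panels/import'] = array(
    'title' => 'Import mini panel',
    'page callback' => 'example_mini_panel_import_page',
    // Gating this page on a single feature permission such as
    // 'create mini panels' is the weak setting: because the importer
    // evaluates the pasted export as PHP, that permission quietly becomes
    // a code-execution permission. A custom access callback requires the
    // PHP permission as well.
    'access callback' => 'example_mini_panel_import_access',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: the importer may only be used by users whom the site
 * administrator has already trusted to run PHP.
 */
function example_mini_panel_import_access() {
  // Both permissions are required: the first is the feature permission,
  // the second is the one that already means "may execute PHP" on the site.
  return user_access('create mini panels')
    && user_access('use PHP for block visibility');
}

/**
 * Page callback. Re-checking here also covers direct calls that bypass
 * the menu router.
 */
function example_mini_panel_import_page() {
  if (!example_mini_panel_import_access()) {
    return drupal_access_denied();
  }
  // Only now is the submitted export handed to the import routine that
  // evaluates it as PHP (form definition omitted here).
  return drupal_get_form('example_mini_panel_import_form');
}
```

To verify the setting on a site, review Administer > User management > Permissions and confirm that no role holding 'create mini panels' is one you would not also trust with 'use PHP for block visibility'.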
SOLUTION

Install the latest version:
* If you use Panels for Drupal 6.x, upgrade to Panels 6.x-3.4 [1]

REPORTED BY

Sam Boyer [2], co-maintainer of the Panels module.
FIXED BY

Sam Boyer.