FileField Sources - Arbitrary Code Execution

* Advisory ID: DRUPAL-SA-CONTRIB-2010-081
* Project: FileField Sources (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary Code Execution

-------- DESCRIPTION
---------------------------------------------------------

The FileField Sources module expands on the abilities of FileField, allowing
users to select new or existing files through additional means, including
reuse of existing files through an autocomplete textfield or IMCE, or
transferring files directly from remote servers. The module does not sanitize
the file extensions of files that have been transferred from remote servers,
allowing for the transfer of files that match allowed extensions but
actually contain malicious code. This could potentially allow an attacker to
transfer scripts to the server and execute them. This vulnerability is usually
mitigated by Drupal core's built-in security mechanisms, which prevent code
execution of uploads that are within the Drupal files directory. This exploit
should not affect the majority of Drupal sites. Users would also need the
ability to use the FileField Sources module, which requires permission to
create or edit a node that has a FileField with FileField Sources configured
for it.

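
As an added illustration (not code from the module or from Drupal core), the
following stand-alone PHP shows one way to check and neutralise the filename
of a remotely transferred file against a field's allowed extensions before it
is saved. The function name, the allow-list and the sample paths are
assumptions made for this example; the inner-extension handling follows the
same idea as Drupal core's file_munge_filename().

```php
<?php
// Added illustration, not FileField Sources or Drupal core code.
// Function name, allow-list and sample paths are constructed for this example.

/**
 * Validate and neutralise the name of a file fetched from a remote server
 * before it is written to the files directory.
 *
 * Returns the safe name, or null when the name must be rejected.
 */
function safe_remote_filename(string $url_path, array $allowed): ?string
{
    // Decode, drop control bytes, then keep only the last path segment.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', rawurldecode($url_path));
    $name = basename(str_replace('\\', '/', $name));
    $name = ltrim($name, '.');            // no dotfiles such as .htaccess

    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                      // no extension at all
    }
    $allowed = array_map('strtolower', $allowed);
    $final = strtolower(array_pop($parts));
    if (!in_array($final, $allowed, true)) {
        return null;                      // e.g. shell.php
    }

    // Inner "extensions" matter: some server configurations pick a handler
    // from an inner part (shell.php.jpg). Append "_" to every inner part
    // that looks like an extension and is not on the allow-list.
    $base = array_shift($parts);
    foreach ($parts as $part) {
        $base .= '.' . $part;
        if (!in_array(strtolower($part), $allowed, true)
            && preg_match('/^[a-zA-Z]{2,5}\d?$/', $part)) {
            $base .= '_';
        }
    }
    return $base . '.' . $final;
}

$allowed = ['jpg', 'png', 'gif'];         // the field's configured extensions
foreach (['/img/photo.jpg', '/x/shell.php.jpg', '/x/shell.php',
          '/a/.htaccess', '/x/report.v2.png'] as $path) { // constructed inputs
    var_dump(safe_remote_filename($path, $allowed));
}
```

A name check of this kind only covers the extension; the core protection
against executing anything inside the files directory remains the second
layer described above.
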
-------- VERSIONS AFFECTED
---------------------------------------------------

* FileField Sources module for Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed FileField
Sources [1] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:
* If you use the FileField Sources module for Drupal 6.x, upgrade to
FileField Sources 6.x-1.2 [2]

See also the FileField Sources project page [3].

-------- REPORTED BY
---------------------------------------------------------

* Apa Sajja

-------- FIXED BY
------------------------------------------------------------

* Nathan Haug [4], module maintainer
* Greg Knaddison [5] of the Drupal security team