- Advisory ID: DRUPAL-SA-CONTRIB-2012-108
- Project: Drag & Drop Gallery (third-party module)
- Version: 6.x
- Date: 2012-July-11
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, SQL Injection, Arbitrary PHP code execution
Description
Important note: Most of the vulnerabilities discussed below can be exploited when the Drag & Drop Gallery module is disabled on a Drupal site. See Solution below for details.
The Drag & Drop Gallery creates a gallery node type that allows you add images to the gallery by dragging and dropping images from your local file system.
The file handling the actual uploads contains a number of bugs. In combination, these bugs allow an unauthenticated user to upload PHP-executable files to arbitrary locations. A script exploiting this vulnerability has been published.
A successful exploit requires the web server to be configured in such a way that it either ignores the .htaccess in the files directory or is able to write to certain web-accessible directories that do not have this .htaccess protection.
The module also contains other vulnerabilities such as cross site scripting (XSS), SQL injection, access bypass and cross site request forgery (CSRF). Though less severe, these vulnerabilities can also be used to gain administrator-level access to the site.
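The exploit conditions above (an ignored or missing .htaccess in the files directory, PHP-executable files landing in web-writable paths, and code that stays reachable while the module is merely disabled) translate into a defender-side check. The following POSIX shell script is an added example, not code from the advisory or the module; it assumes a Drupal 6 layout under sites/default/files, Drupal core's default SetHandler line in the files .htaccess, and sites/all/modules/dragdrop_gallery as the module's directory name.

```shell
#!/bin/sh
# Added defender-side check, not code from the advisory or the module. Assumes a
# Drupal 6 layout (sites/default/files), Drupal core's default SetHandler line in
# the files .htaccess, and "dragdrop_gallery" as the module directory name.

# 0 if the files directory "$1" has an .htaccess carrying Drupal's SetHandler
# directive (the line that stops Apache executing uploads as PHP), else 1.
files_htaccess_ok() {
  [ -f "$1/.htaccess" ] || return 1
  grep -q 'SetHandler Drupal_Security_Do_Not_Remove' "$1/.htaccess"
}

# Print files under "$1" with extensions Apache may hand to PHP; 1 if any found.
find_php_files() {
  found=$(find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[345]' \) 2>/dev/null)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Check one webroot; returns the number of findings (0 means clean).
check_webroot() {
  root="$1"; findings=0; files_dir="$root/sites/default/files"
  if ! files_htaccess_ok "$files_dir"; then
    echo "FINDING: $files_dir lacks Drupal's protective .htaccess"
    findings=$((findings + 1))
  fi
  if ! find_php_files "$files_dir" >/dev/null; then
    echo "FINDING: PHP-executable files under $files_dir:"; find_php_files "$files_dir" || true
    findings=$((findings + 1))
  fi
  # The advisory notes the bugs remain exploitable with the module disabled: the
  # upload script is reachable as long as its code is on disk, so it must be removed.
  if [ -d "$root/sites/all/modules/dragdrop_gallery" ]; then
    echo "FINDING: module directory still on disk; remove it, disabling is not enough"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed fixture: a webroot with all three findings, for demonstration only.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/sites/default/files/gallery" "$d/sites/all/modules/dragdrop_gallery"
  printf '<?php /* constructed leftover */\n' > "$d/sites/default/files/gallery/stray.php"
  echo "$d"
}
```

Run `check_webroot /path/to/drupal` against a real webroot; the fixture function only exists to show the three findings on constructed input.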
- Arbitrary PHP Code Execution: CVE-2012-4472
- Cross Site Scripting: CVE-2012-4476
- Access Bypass: CVE-2012-4477
- Cross Site Request Forgery: CVE-2012-4478
- SQL Injection: CVE-2012-4479
Versions affected
- Drag & Drop Gallery 6.x versions
Drupal core is not affected. If you do not use the contributed Drag & Drop Gallery module, there is nothing you need to do.
Solution
There is no version of the module that fixes these vulnerabilities. Disable and remove the module from your system.
Important note: Most vulnerabilities can still be exploited when the module is disabled.
Please join the issue in the public queue to fix the problems.
Also see the Drag & Drop Gallery project page.
Reported by
The vulnerability was publicly disclosed. An exploit exists.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.