  • Advisory ID: DRUPAL-SA-2008-013
  • Project: Project issue tracking (third-party module)
  • Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
  • Date: 2008-January-30
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary file upload

Description

The Project issue tracking module has a vulnerability where new issues are not properly validated. If the core Upload module is enabled on issue nodes (the recommended configuration for the 5.x-2.* series), this vulnerability can be used to attach malicious files to new issues, bypassing the configured list of allowed file extensions. Using these files an attacker can always perform cross site scripting attacks, and depending on the server configuration, they might be able to execute arbitrary code.

Furthermore, the Project issue tracking module (in all versions prior to 5.x-2.0) provides its own file upload mechanism and list of allowed file extensions. This list includes HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.

Wikipedia has more information about cross site scripting (XSS).

Important note: Configuration change needed

Installing the new version will not remove the .html extensions from an already configured Project issue tracking module. Visit Administer » Project administration » Project issue settings (admin/project/project-issue-settings) on Drupal 5.x or administer » settings » project_issue (admin/settings/project_issue) on Drupal 4.7.x to remove html from the allowed extensions lists.

The steps above will stop malicious files from being uploaded, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the site's file system path (the directory where uploaded files are stored) and check for files with extensions that should be forbidden. We recommend you remove any HTML file you did not upload yourself. If you need to review files individually, look for script tags, CSS includes, JavaScript includes, and onerror="" attributes.
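The two checks the advisory asks an administrator to perform (an extension check that the upload path should have enforced, and a review of already-uploaded files for script tags, CSS includes, JavaScript includes and onerror attributes) can be scripted. The following is an added example written for this page, not code from the advisory or from the project_issue module: a defender-side audit of an upload directory. The allowed-extension set, the sample files and the temporary directory are constructed for the example; the real module's allowed list is configured in the Drupal admin pages named above, not in this script.

```python
"""Added example (not part of the advisory or the project_issue module):
audit an upload directory for files that should not be there.

Assumptions, all constructed for the example: ALLOWED_EXTENSIONS, the
sample files written by demo(), and the temporary directory they live in.
"""
import os
import re
import tempfile

# Extensions the site intends to allow (constructed). HTML is deliberately
# absent, matching the advisory's advice to remove it from the allowed list.
ALLOWED_EXTENSIONS = {"txt", "patch", "diff", "png", "jpg", "gif"}

# The content markers the advisory tells reviewers to look for.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(rb"<\s*script\b", re.IGNORECASE),
    "css_include": re.compile(rb"<\s*link\b[^>]*stylesheet", re.IGNORECASE),
    "js_include": re.compile(rb"<\s*script\b[^>]*\bsrc\s*=", re.IGNORECASE),
    "onerror_attr": re.compile(rb"\bonerror\s*=", re.IGNORECASE),
}


def extension_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """Return True only if the file's final extension is in the allowed set.

    Case-insensitive, and only the last extension counts, so 'notes.txt.html'
    is rejected while 'README.TXT' is accepted. A file with no extension is
    rejected rather than silently accepted.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    return ext in allowed


def find_markup(data):
    """Return the sorted names of suspicious patterns present in the bytes."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(data))


def audit_upload_dir(root, allowed=ALLOWED_EXTENSIONS, max_bytes=1 << 20):
    """Walk an upload directory and report files that need a closer look.

    Returns a sorted list of (relative_path, reason) tuples. reason is either
    'forbidden_extension' or 'suspicious_content:<comma-separated patterns>'.
    Content is checked for every file, not just .html ones, because the
    extension alone says nothing about what the bytes contain.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if not extension_allowed(name, allowed):
                findings.append((rel, "forbidden_extension"))
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)  # cap the read; large binaries are common
            hits = find_markup(data)
            if hits:
                findings.append((rel, "suspicious_content:" + ",".join(hits)))
    return sorted(findings)


def demo():
    """Write a constructed upload tree into a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample attachments
            "issue-1/fix.patch": b"--- a/x.php\n+++ b/x.php\n",
            "issue-2/notes.html": b"<html><script src='//example.invalid/a.js'></script></html>",
            "issue-3/image.PNG": b"\x89PNG\r\n\x1a\n",
            "issue-4/logo.gif": b"GIF89a<img src=x onerror=alert(1)>",
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against the real upload directory with `audit_upload_dir("/path/to/files")` after the settings change, and treat every finding as a file to inspect by hand: the `logo.gif` case in the demo shows why the content check runs on every file regardless of extension, since an allowed extension does not guarantee harmless contents.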

Versions affected

Project issue tracking (project_issue) versions:

  • 5.x-2.x-dev from before 2008-01-30
  • 5.x-1.2 and earlier
  • 4.7.x-2.6 and earlier
  • 4.7.x-1.6 and earlier

Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.

Solution

Install the latest version:

See also the Project issue tracking project page.

Reported by

Derek Wright of the Drupal Security Team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.