- Advisory ID: DRUPAL-SA-CONTRIB-2009-068
- Project: Boost (third-party module)
- Version: 6.x-1.*
- Date: 2009-09-30
- Security risk: Low
- Exploitable from: Remote
- Vulnerability: Filesystem Directory Creation
Description
The Boost module provides a static file-based cache of Drupal pages for anonymous users. A vulnerability in the module allows an attacker to create new directories inside the webroot that the web server can write to. Existing directories cannot be changed using this vulnerability, but it can be used to affect the system by creating enough directories to reach the 35,000 limit.
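As an added example (not part of the advisory or the Boost project's code), the following audit script counts the immediate subdirectories of every directory under a webroot and reports any that approach the 35,000 limit mentioned above. The 50% warning threshold and the function names are assumptions; run it as the web server account so the writable flag reflects what that account can actually modify.

```python
import os
import sys

DIR_LIMIT = 35000      # per-directory limit quoted in the advisory
WARN_FRACTION = 0.5    # assumed alert threshold, tune per site


def subdir_counts(root):
    """Yield (path, n_subdirs) for each directory under root; symlinks are not followed."""
    stack = [root]
    while stack:
        path = stack.pop()
        children = []
        try:
            with os.scandir(path) as entries:
                for entry in entries:
                    if entry.is_dir(follow_symlinks=False):
                        children.append(entry.path)
        except OSError:
            continue  # unreadable directory: skip it rather than abort the audit
        yield path, len(children)
        stack.extend(children)


def crowded_dirs(root, limit=DIR_LIMIT, warn_fraction=WARN_FRACTION):
    """Return [(path, count, writable)] for directories at or above the threshold, largest first."""
    threshold = int(limit * warn_fraction)
    hits = [
        # os.access() answers for the user running this script, not for the web server
        (path, count, os.access(path, os.W_OK))
        for path, count in subdir_counts(root)
        if count >= threshold
    ]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    webroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, count, writable in crowded_dirs(webroot):
        print(f"{count:>7}  writable={writable}  {path}")
```
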
Versions affected
- Boost module before version 6.x-1.03
Drupal core is not affected. If you do not use the contributed Boost module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Boost module for Drupal 6.x, upgrade to Boost module 6.x-1.03.
Reported by
Fixed by
Mike Carper, the module maintainer.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.