SA-CONTRIB-2010-016 - Graphviz Filter - arbitrary code execution

• Advisory ID: DRUPAL-SA-CONTRIB-2010-016
• Project: Graphviz Filter (third-party module)
• Version: 6.x, 5.x
• Date: 2010 February 10
• Security risk: Highly critical
• Exploitable from: Remote
• Vulnerability: Arbitrary code execution

Description

Graphviz Filter does not properly filter user input via @command option in node body, leading to a possible Arbitrary Shell Code Execution vulnerability. This vulnerability allows a remote attacker with the ability to create content using a Graphviz input filter to execute an arbitrary shell code on affected system.

Versions affected

• Graphviz 6.x-1.x prior to 6.x-1.6
• Graphviz 5.x-1.x prior to 5.x-1.3

Drupal core is not affected. If you do not use the contributed Graphviz Filter module, there is nothing you need to do.

Solution

Install the latest version:

• If you use Graphviz Filter 6.x-1.x, upgrade to Graphviz Filter 6.x-1.6.
• If you use Graphviz Filter 5.x-1.x, upgrade to Graphviz Filter 5.x-1.3.

See also the Graphviz Filter project page.

Reported by

• Clemens Tolboom.

Fixed by

• Karim Ratib, the Graphviz Filter module maintainer.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.