Many sites are fully locked down when it comes to accessing PHP directly while allowing users to access standard site configuration. However, this filter bypasses all PHP processing restrictions and can be used to gain higher access to the system very easily.
I considered this a security vulnerability, but the security team responded:
After careful review, because this vulnerability requires the compromised account to have the 'administer site configuration'
permission, it can be fixed publicly as per http://drupal.org/node/475848.
The security team suggested removing the option; my recommendation would be to add a new permission that limits its use to those users that have the permission.
Cheers
Alan
Comments
Comment #1
ufku commented
This was already in. http://drupal.org/cvs?commit=322788
In addition to that, I've just changed the permission name to a more descriptive one: "administer imce(execute PHP)"
Comment #2
alan d. commented
nice one
thanks guys