  • Advisory ID: DRUPAL-SA-CONTRIB-2010-027
  • Project: Email Input Filter (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-March-17
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution

Description

Email Input Filter converts email-style markup into a web-friendly format. An arbitrary code execution vulnerability in this module allows a remote attacker who can create content using an input format with the Email Input Filter enabled to execute arbitrary PHP code on an affected system.
To exploit this vulnerability, an input format must exist that uses the Email Input Filter, and the attacker must be able to post some form of content using that input format.
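
To check whether the precondition above applies to a site, the following added audit query (not part of the advisory or the module) lists the Drupal 6.x input formats that have this module's filter enabled and the roles permitted to use each of them. It assumes the Drupal 6 `filter_formats`, `filters` and `role` tables on MySQL, and `MODULE_MACHINE_NAME` is a placeholder for the module's machine name, which the advisory does not state.

```sql
-- Added audit query, not from the advisory. Assumes the Drupal 6 filter schema:
--   filter_formats(format, name, roles, cache)  -- roles is ',rid,rid,' style
--   filters(fid, format, module, delta, weight)
--   role(rid, name)
-- Replace MODULE_MACHINE_NAME (placeholder) with the module's machine name.
SELECT ff.format,
       ff.name AS format_name,
       r.rid,
       r.name  AS role_name
FROM filter_formats ff
JOIN filters f ON f.format = ff.format
JOIN role r    ON ff.roles LIKE CONCAT('%,', r.rid, ',%')
WHERE f.module = 'MODULE_MACHINE_NAME'
ORDER BY ff.format, r.rid;
```

Any row returned is a format through which a user in that role could post content that passes through the filter. The site's default input format (variable `filter_default_format`) is usable by every role regardless of the `roles` column, so check it separately if it is not listed.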

Versions affected

  • Email Input Filter 6.x-1.x prior to 6.x-1.1
  • Email Input Filter 5.x-1.x all versions

Drupal core is not affected. If you do not use the contributed Email Input Filter module, there is nothing you need to do.

Solution

Upgrade to the latest version:

  • If you use Email Input Filter 6.x-1.x, upgrade to Email Input Filter 6.x-1.1
  • If you use Email Input Filter 5.x-1.x, disable the module or upgrade to Drupal 6.x. The Drupal 5.x version is now unsupported.

See also the Email Input Filter project page.

Reported by

Fixed by

  • Mark Burton, the Email Input Filter module maintainer.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.