  • Advisory ID: DRUPAL-SA-2006-023
  • Project: IMCE
  • Date: 2006-October-02
  • Security risk: highly critical
  • Exploitable from: remote
  • Vulnerability: file handling

Description

IMCE has two vulnerabilities with regard to file handling.

1. By passing relative paths to IMCE's delete function, a malicious user with the "delete files" permission can delete files anywhere in the directory tree (depending on the access permissions of the webserver).

2. IMCE allows the upload of files with double extensions such as example.php.gif. Such files may be executable on certain Apache configurations. Drupal creates a .htaccess file in the files directory to prevent this from happening. On rare configurations where this .htaccess is not effective (for example, emptied by the administrator), an attacker with the "upload files" permission might be able to execute arbitrary code.
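
The two checks a file manager needs against the issues above, as an added example that is not IMCE's or Drupal's code: keep a delete target inside the files directory, and reject upload names that carry a script extension in any position. The function names, the extension list and the temporary-directory demo are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from IMCE or Drupal.

// Extensions a server might hand to a script handler (assumed list; adapt to your server).
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'pl', 'py', 'cgi'];

// Return the canonical path of $userPath if it is a file inside $baseDir, else null.
function resolve_inside(string $baseDir, string $userPath): ?string {
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks; false if the target is missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a separator so "/files-old" never matches "/files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// True if any dot-separated segment after the base name is a script extension,
// which catches names like example.php.gif where only the last segment looks harmless.
function has_script_extension(string $filename): bool {
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts); // drop the base name itself
    return count(array_intersect($parts, SCRIPT_EXTENSIONS)) > 0;
}

// Constructed demo: a throwaway tree with one file inside "files" and one outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . getmypid();
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/photo.gif', 'x');
file_put_contents($root . '/outside.txt', 'x');

foreach (['photo.gif', '../outside.txt', 'sub/../../outside.txt'] as $name) {
    $ok = resolve_inside($root . '/files', $name) !== null;
    echo str_pad($name, 24), $ok ? "delete allowed\n" : "delete refused\n";
}
foreach (['example.php.gif', 'holiday.2006.gif', 'shell.PHTML'] as $name) {
    echo str_pad($name, 24), has_script_extension($name) ? "upload refused\n" : "upload allowed\n";
}

// Remove the constructed files again.
unlink($root . '/files/photo.gif');
unlink($root . '/outside.txt');
rmdir($root . '/files');
rmdir($root);
```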

Versions affected

Drupal core is not affected. If you do not use the IMCE module there is nothing you need to do.

If you are running IMCE, please check the CVS $Id$ fields on the second line of the file imce.module to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable:

  • Drupal 4.7 - $Id: imce.module,v 1.6 2006/09/29 13:50:57 ufku Exp $

Solution

Install the latest version:

See also the IMCE project page.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.