  • Advisory ID: DRUPAL-SA-CONTRIB-2012-003
  • Project: Fill PDF (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-JANUARY-04
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Arbitrary code execution

Description

CVE: CVE-2012-1625

This module enables you to populate fillable PDF templates with data from nodes and webforms.

Access bypass (7.x only)

Incorrectly ordered arguments in a call to the function that handles the module's main functionality make it possible for an attacker to trigger any PDF to be filled, regardless of whether they have access to the node or webform, by passing an appropriately formed query string argument.

This vulnerability is mitigated by the fact that an attacker can only access configured PDF templates, that the attacker must know (or brute-force) the node or webform IDs, and that only information that is configured to be filled into the PDFs (and the filled PDF templates themselves) can be obtained through this exploit.

Arbitrary code execution (6.x and 7.x)

Template import and export used serialized PHP, which required the use of an unsafe PHP function to evaluate and import templates. This could lead to the execution of unwanted and untrusted code. This vulnerability is mitigated by the fact that the attacker must have the 'administer PDFs' permission.
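
One way to avoid the class of problem described above, shown as an added example that is not Fill PDF's code and not necessarily how the module was fixed: treat an imported template mapping as JSON data and validate it before use. The function name, the `pdf_key` and `value` keys, and the size limits are assumptions for illustration.

```php
<?php
// Added example, not Fill PDF code. Imports a template field mapping as
// JSON data and validates it, so imported text is never evaluated as PHP.
// The 'pdf_key'/'value' keys and all limits are hypothetical.
const MAX_IMPORT_BYTES = 65536;
const MAX_FIELDS = 500;
function import_template_mapping(string $raw): array {
  if (strlen($raw) > MAX_IMPORT_BYTES) {
    throw new InvalidArgumentException('import too large');
  }
  // json_decode() with $assoc = true yields only arrays and scalars; it
  // cannot run code or instantiate objects. Depth is capped at 4.
  $data = json_decode($raw, true, 4);
  if (!is_array($data) || count($data) > MAX_FIELDS) {
    throw new InvalidArgumentException('not a JSON list of fields');
  }
  $fields = [];
  foreach ($data as $entry) {
    // Exactly two string members are accepted; anything extra is refused.
    if (!is_array($entry) || count($entry) !== 2
        || !isset($entry['pdf_key'], $entry['value'])
        || !is_string($entry['pdf_key']) || !is_string($entry['value'])) {
      throw new InvalidArgumentException('malformed field entry');
    }
    $key = $entry['pdf_key'];
    if (!preg_match('/\A[A-Za-z0-9_.\[\] -]{1,128}\z/', $key)) {
      throw new InvalidArgumentException('unexpected characters in pdf_key');
    }
    if (strlen($entry['value']) > 1024 || isset($fields[$key])) {
      throw new InvalidArgumentException('value too long or duplicate key');
    }
    $fields[$key] = $entry['value'];
  }
  return $fields;
}

// Constructed sample inputs: one valid export, two that must be refused.
$samples = [
  '[{"pdf_key":"applicant_name","value":"[node:title]"}]',
  'a:1:{i:0;O:8:"stdClass":0:{}}',
  '[{"pdf_key":"x","value":"y","callback":"z"}]',
];
foreach ($samples as $raw) {
  try {
    echo 'accepted: ', json_encode(import_template_mapping($raw)), "\n";
  } catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
  }
}
```

The second sample is a constructed serialized-PHP string; it fails JSON parsing and is refused before any part of it is interpreted.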

Versions affected

  • Fill PDF 6.x-1.x versions prior to 6.x-1.16.
  • Fill PDF 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Fill PDF module, there is nothing you need to do.

Solution

Install the latest version:

See also the Fill PDF project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.