Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2012-022
- Project: CDN (third-party module)
- Version: 6.x, 7.x
- Date: 2012-February-15
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
CVE: CVE-2012-1645
The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server.
When running in Origin Pull mode together with the "Far Future expiration" option, the module contains a vulnerability that allows anyone to view the contents of any *.php file within the site, including settings.php.
This vulnerability is mitigated by the fact that the site owner must have enabled the "Far Future expiration" option, and must be using the latest version of the module.
Versions affected
- CDN version 6.x-2.2
- CDN version 7.x-2.2
Drupal core is not affected. If you do not use the contributed CDN module, there is nothing you need to do.
Solution
Install the latest version:
See also the CDN project page.
Reported by
- Ivo Van Geertruyen of the Drupal Security Team
Fixed by
- Wim Leers the module maintainer
- Ivo Van Geertruyen of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
