- Advisory ID: DRUPAL-SA-CONTRIB-2012-108
- Project: Drag & Drop Gallery (third-party module)
- Version: 6.x
- Date: 2012-July-11
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, SQL Injection, Arbitrary PHP code execution
Important note: Most of the vulnerabilities discussed below can be exploited when the Drag & Drop Gallery module is disabled on a Drupal site. See Solution below for details.
The Drag & Drop Gallery creates a gallery node type that allows you add images to the gallery by dragging and dropping images from your local file system.
The file handling the actual uploads contains a number of bugs. The combination of these bugs allows an unauthenticated user to upload PHP-executable files to arbitrary locations. A script exploiting this vulnerability has been published.
A successful exploit requires the webserver to be configured in such a way that it either ignores the .htaccess in the files directory or is able to write to certain web-accessible directories that do not have this .htaccess protection.
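A defender-side audit of the condition the advisory describes, added here as an example (it is not part of the advisory or of the module's code): it checks that a Drupal files directory still carries the .htaccess guard that stops PHP execution and lists any PHP-executable files that an upload may have left behind. It assumes Apache honours .htaccess in that directory and that the guard is Drupal 6's default `SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006` line.

```shell
#!/bin/sh
# Added audit script (not from the advisory or the module).
# Assumptions: Apache with AllowOverride honouring .htaccess, and the
# Drupal 6 default guard line written by file_create_htaccess().

# Return 0 if DIR/.htaccess exists and carries the Drupal SetHandler guard.
htaccess_ok() {
    dir="$1"
    [ -f "$dir/.htaccess" ] || return 1
    grep -q 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' "$dir/.htaccess"
}

# Print every file under DIR whose name ends in a PHP-executable extension,
# including double extensions such as image.php.jpg. Return 0 if none found.
find_php_files() {
    dir="$1"
    hits=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.php?' \
        -o -iname '*.phtml' -o -iname '*.php.*' \) 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Overall check: the guard must be present and no PHP files may exist.
audit_files_dir() {
    dir="$1"
    status=0
    if htaccess_ok "$dir"; then
        echo "OK: $dir/.htaccess contains the Drupal SetHandler guard"
    else
        echo "WARN: $dir/.htaccess missing or lacks the Drupal SetHandler guard"
        status=1
    fi
    if find_php_files "$dir" >/dev/null; then
        echo "OK: no PHP-executable files under $dir"
    else
        echo "WARN: PHP-executable files found under $dir:"
        find_php_files "$dir" || true
        status=1
    fi
    return $status
}

# Usage: sh audit.sh /var/www/drupal/sites/default/files (path is an example)
if [ $# -gt 0 ]; then
    audit_files_dir "$1"
fi
```

A non-zero exit means at least one condition failed; the script does not check directories outside the one given, so run it against every web-accessible directory the webserver can write to.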
The module also contains other vulnerabilities such as Cross site scripting (XSS), SQL-injection, Access bypass and Cross site request forgery (CSRF). Though less severe, these vulnerabilities can also be used to get administrator level access to the site.
- Arbitrary PHP Code Execution
- Cross Site Scripting
- Cross Site Request Forgery
- Drag & Drop Gallery 6.x versions
Drupal core is not affected. If you do not use the contributed Drag & Drop Gallery module, there is nothing you need to do.
There is no version of the module that fixes these vulnerabilities. Disable and remove the module from your system.
Important note: Most vulnerabilities can still be exploited when the module is disabled.
Please join the issue in the public queue to fix the problems.
Also see the Drag & Drop Gallery project page.
The vulnerability was publicly disclosed. An exploit exists.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.