• Advisory ID: DRUPAL-SA-CONTRIB-2012-108
  • Project: Drag & Drop Gallery (third-party module)
  • Version: 6.x
  • Date: 2012-July-11
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, SQL Injection, Arbitrary PHP code execution

Description

Important note: Most of the vulnerabilities discussed below can be exploited when the Drag & Drop Gallery module is disabled on a Drupal site. See Solution below for details.

The Drag & Drop Gallery creates a gallery node type that allows you add images to the gallery by dragging and dropping images from your local file system.

The file handling the actual uploads contains a number of bugs. The combination of these bugs allows unauthenticated user to upload PHP-executable files to arbitrary locations. A script exploiting this vulnerability has been published.

A succesful exploit requires the webserver to be configured in such a way that it either ignores the .htaccess in the files directory or is able to write to certain web-accessible directories that do not have this .htaccess protection.

The module also contains other vulnerabilities such as Cross site scripting (XSS), SQL-injection, Access bypass and Cross site request forgery (CSRF). Though less severe, these vulnerabilities can also be used to get administrator level access to the site.

Arbitrary PHP Code Execution
CVE: CVE-2012-4472

Cross Site Scripting
CVE: CVE-2012-4476

Access Bypass
CVE: CVE-2012-4477

Cross Site Request Forgery
CVE: CVE-2012-4478

SQL Injection
CVE: CVE-2012-4479

Versions affected

  • Drag & Drop Gallery 6.x versions

Drupal core is not affected. If you do not use the contributed Drag & Drop Gallery module, there is nothing you need to do.

Solution

There is no version of the module that fixes these vulnerabilites. Disable and remove the module from your system.

Important note: Most vulnerabilities can still be exploited when the module is disabled.

Please join the issue in the public queue to fix the problems.

Also see the Drag & Drop Gallery project page.

Reported by

The vulnerability was publicly disclosed. An exploit exists.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.