Hi
This has been run by the security team and it's been ok'd for a public issue as it is already covered under PSA-2011-02.
Basically the upload.php file in the plupload library examples folder allows for upload and execution of arbitrary php.
This patch (to follow) adds a requirements error if the file is still present.

Lee
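
The same presence check, run from a shell over a site's document root. This is an added example, not the patch attached to this issue or the module's own code. It assumes the library directory is named `plupload`, that the handler sits at `examples/upload.php` beneath it, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report a leftover plupload example upload handler.
# Assumption: the library directory is named "plupload" and the handler
# is examples/upload.php inside it, as described in the post above.

# Print the path of every plupload/examples/upload.php under the given root.
find_plupload_upload() {
  [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
  find "$1" -type f -path '*/plupload/examples/upload.php' -print
}

# Exit status: 0 = clean, 1 = handler still present, 2 = bad argument.
audit_plupload() {
  hits=$(find_plupload_upload "$1") || return 2
  if [ -z "$hits" ]; then
    echo "OK: no plupload examples/upload.php under $1"
    return 0
  fi
  # One line per hit; read line by line so paths with spaces stay intact.
  printf '%s\n' "$hits" | while IFS= read -r f; do
    echo "ERROR: delete $f (example upload handler is still present)"
  done
  return 1
}

# Run the audit when a document root is given on the command line.
if [ "$#" -gt 0 ]; then
  audit_plupload "$1"
fi
```

A non-zero exit status makes the function usable as a deployment or monitoring gate.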

Comments

Status: Active » Needs review

Attached file (status: new, size: 988 bytes)

Patch

Status: Needs review » Fixed

Added an entry to README.txt and committed everything to 7.x-1.x and 7.x-2.x. Thanks for reporting this.

Will roll a new release shortly.

Should I mark the new release as a security update?

This will probably need backporting to 6.
I will check re security release as there is no advisory.

Confirming it's ok to tag this as a security release; ping me or someone else from the security team on IRC to get the node published.

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Fixed » Patch (to be ported)

Rolled a release.

Status: Patch (to be ported) » Fixed

Attached file (status: new, size: 921 bytes)

Attached patch was committed against 6.x-1.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 4d6c7e8 on 7.x-1.x, 8.x-1.x authored by larowlan, committed by slashrsm: Issue #1895328 by larowlan, slashrsm: Fixed Security exploit in plupload...
  • Commit f96f8b2 on 7.x-1.x, 7.x-2.x, 8.x-1.x authored by larowlan, committed by slashrsm: Issue #1895328 by larowlan, slashrsm: Fixed Security exploit in plupload...