• Advisory ID: DRUPAL-SA-CONTRIB-2013-056
  • Project: Stage File Proxy (third-party module)
  • Version: 7.x
  • Date: 2013-July-10th
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

This module saves time and disk space by sending requests to your development environment's files directory to the production environment and making a copy of the production file in your development site.

An attacker could make repeated requests to the server, even over a long period, which would degrade the performance of all file handling and potentially prevent certain file operations.

CVE identifier(s) issued

  • CVE-2013-4139

Versions affected

  • Stage File Proxy 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Stage File Proxy module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Stage File Proxy project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.