By Heine on
  • Advisory ID: DRUPAL-SA-2008-015
  • Project: Comment upload (third-party module)
  • Version: 4.7.x, 5.x
  • Date: 2008-January-30
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary file upload

Description

Comment upload enables file attachments for comments. To do so it uses and subverts various functions from the upload module that are present in Drupal core. In certain, common cases, comment upload passes incorrect data to the upload validation functions, resulting in a validation bypass, which enables a user with the "upload files" permission to upload files with arbitrary extensions.
Using these files an attacker can perform cross site scripting attacks, and depending on the server configuration, may also be able to execute arbitrary code.

Important note

The steps above will stop malicious files from being uploaded, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the file system path and check for files with extensions that should be forbidden. We recommend you remove any HTML file you did not upload yourself. You should look for script tags, CSS includes, Javascript includes, and onerror="" attributes if you need to review files individually.

Versions affected

  • Comment upload for Drupal 4.7.x prior to 4.7.x-0.1
  • Comment upload for Drupal 5.x prior to 5.x-0.1

Drupal core is not affected. If you do not use the contributed comment upload module, there is nothing you need to do.

Solution

Install the latest version:

See also the Comment upload project page.

Reported by

webernet reported an issue that was traced back by the security team to comment upload.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.