Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Heine on
- Advisory ID: DRUPAL-SA-2008-054
- Project: Plugin Manager (third-party module)
- Versions: 6.x
- Date: 2008-September-24
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The Plugin Manager module provides the methods and graphical interfaces needed to automatically install new modules and themes from the Drupal.org website.
An oversight in the menu permissions code allows any user to uninstall and remove modules installed with the Plugin Manager.
This risk is only present under insecure configurations where the web server has permission to delete files. The recommended file permissions are described in the drupal.org handbook at http://drupal.org/node/244924.
Versions affected
All versions prior to Plugin Manager 6.x-1.2.
Drupal core is not affected. If you do not use the Plugin Manager module, there is nothing you need to do.
Solution
Install Plugin Manager 6.x-1.2.
See also the Plugin Manager project page.
Reported by
Jared Forsyth (jabapyth)
