
By greggles on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-082
- Project: FileField (third-party module)
- Version: 6.x
- Date: 2009-October-20
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The FileField module allows users to upload files through an AJAX-upload widget that can be added to content types through CCK. In the 3.1 version of FileField, the module would not restrict access to files based on node-access permissions when using Drupal core's private file system.
Versions affected
- FileField module 6.x-3.1 only
Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.
Solution
Install the latest version.
- If you use the FileField module for Drupal 6.x, upgrade to FileField module 6.x-3.2.
See also the FileField module project page.
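To find out which copies of FileField on a server need this upgrade, including copies in multisite directories, the following added example (not part of the original advisory or the FileField project) scans a docroot and classifies each copy against the versions named above. It assumes the module came from a drupal.org release archive, whose packaging writes a line such as version = "6.x-3.1" into filefield.info; the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify each FileField copy under a Drupal 6 docroot
# against DRUPAL-SA-CONTRIB-2009-082 (affected: 6.x-3.1, fixed: 6.x-3.2).
# Assumption: filefield.info carries the drupal.org packaging line
#   version = "6.x-3.1"

# Print the version recorded in one filefield.info (empty if absent).
filefield_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Map a version string to a status for this advisory.
classify_version() {
    case "$1" in
        6.x-3.1) echo "AFFECTED" ;;      # the only release the advisory lists
        ""|*-dev) echo "UNKNOWN" ;;      # VCS checkout or dev snapshot: review by hand
        *)       echo "NOT-AFFECTED" ;;
    esac
}

# Print "<status> <version> <path>" for every copy below the docroot.
# Returns 1 if at least one copy is AFFECTED, 0 otherwise.
scan_filefield() {
    status=0
    list=$(find "$1" -type f -name filefield.info 2>/dev/null)
    while IFS= read -r info; do
        [ -n "$info" ] || continue       # empty result set yields one blank line
        ver=$(filefield_version "$info")
        verdict=$(classify_version "$ver")
        printf '%s\t%s\t%s\n' "$verdict" "${ver:-none}" "$info"
        if [ "$verdict" = "AFFECTED" ]; then
            status=1
        fi
    done <<EOF
$list
EOF
    return $status
}

# Run only when a docroot is given: sh check_filefield.sh /path/to/drupal
if [ "$#" -gt 0 ]; then
    scan_filefield "$1"
fi
```

A copy reported as UNKNOWN has no release version recorded and should be compared with the 6.x-3.2 release manually.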
Reported by
Fixed by
isaac77 and quicksketch, the module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.