• Advisory ID: DRUPAL-SA-CONTRIB-2009-082
  • Project: FileField (third-party module)
  • Version: 6.x
  • Date: 2009-October-20
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The FileField module allows users to upload files through an AJAX-upload widget that can be added to content types through CCK. In the 3.1 version of FileField, the module would not restrict access to files based on node-access permissions when using Drupal core's private file system.

Versions affected

  • FileField module 6.x-3.1 only

Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.

Solution

Install the latest version.

See also the FileField module project page.

Reported by

isaac77.

Fixed by

isaac77 and quicksketch the module maintainer.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.