  • Advisory ID: DRUPAL-SA-CONTRIB-2010-030
  • Project: Mime Mail (third-party module)
  • Version: 5.x
  • Date: 2010-March-24
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution

Description

The Mime Mail module is a helper module providing support for MIME mails, for use by other modules.

Due to improper use of the PCRE regular expression engine, users with the ability to send HTML email with the Mime Mail module were able to execute arbitrary PHP code on the server.

Versions affected

  • Mime Mail for Drupal 5.x prior to 5.x-1.1

Note that Mime Mail version 6.x-1.0-alpha1 and earlier versions for Drupal 6.x are also affected. However, the security team does not provide support for alpha releases.

Drupal core is not affected. If you do not use the contributed Mime Mail module, there is nothing you need to do.

Solution

Upgrade to the latest version:

See also the Mime Mail project page.

Reported by

Fixed by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.