- Advisory ID: DRUPAL-SA-CONTRIB-2010-040
- Project: FileField (third-party module)
- Version: 6.x
- Date: 2010-May-5
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
Description
FileField provides a file upload field for CCK, allowing files to be attached to a node. FileField intends to set a default extension of "txt" for all new fields, but may actually save an empty string allowing all extensions if an administrator does not save the field configuration page after creating a new field. Execution of code in uploaded files is normally prevented by .htaccess rules, regardless of file extension. Any FileField that has been initially saved or edited with any extensions specified is not affected. This vulnerability is mitigated by the attacker needing permission to create or edit content with an unconfigured FileField.
Versions affected
- FileField for Drupal 6.x versions prior to 6.x-3.3
Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.
Solution
Install the latest version.
- If you use FileField for Drupal 6.x upgrade to FileField 6.x-3.3
Reported by
- David Rothstein of the Drupal Security Team
Fixed by
- Nathan Haug the module maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.