Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-081
- Project: FileField Sources (third-party module)
- Version: 6.x
- Date: 2010-August-11
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Arbitrary Code Execution
Description
The FileField Sources module expands on the abilities of FileField, allowing users to select new or existing files through additional means, including: Reuse of existing files through an autocomplete textfield or IMCE, or transfering files directly from remote servers.
The module does not sanitize the file extemsions of files that have been transfered from remote servers, allowing for the transfering of files that match allowed extensions but actually contain malicious code. This could potentially allow an attacker to transfer scripts to the server and execute them.
This vulerability is usually mitigated by Drupal core's built-in security mechanisms which prevent code execution of uploads that are within the Drupal files directory. This exploit should not affect the majority of Drupal sites. Users would also need the ability to use the FileField Sources module which requires permission to create or edit a node that has a FileField with FileField Sources configured for it.
Versions affected
- FileField Sources module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed FileField Sources module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the FileField Sources module for Drupal 6.x upgrade to FileField Sources 6.x-1.2
See also the FileField Sources project page.
Reported by
- Apa Sajja
Fixed by
- Nathan Haug, module maintainer
- Greg Knaddison of the Drupal security team
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
