[Frugalware-security] [ FSA-682 ] drupal-filefield

Miklos Vajna vmiklos at frugalware.org
Tue Aug 10 17:36:18 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory                           FSA-682

Date: 2010-08-10
Package: drupal-filefield
Vulnerable versions: <= 5.x_2.4-1
Unaffected versions: >= 5.x_2.5-1locris1
Related bugreport: http://bugs.frugalware.org/task/4244
CVE: No CVE, see http://drupal.org/node/829808.

Description
===========

A vulnerability has been reported in the FileField module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.
Input passed e.g. via the "filepath" parameter is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in the context of an affected site when the malicious data is viewed.
Successful exploitation requires permission to create or edit content with a FileField and that the administrator has configured a vulnerable display format or uses a special token.
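The pattern behind the advisory, shown as an added illustration that is not FileField's own code: a stored file path rendered straight into markup versus the same value escaped for its HTML context with Drupal's check_plain(). The theme function names, the shape of the $file array and the stand-alone check_plain() fallback are assumptions so the snippet runs outside a Drupal installation; check_plain() itself is the real Drupal 5/6 API.

```php
<?php
// Added illustration, not the FileField module's code. Function names and the
// $file array shape are hypothetical; check_plain() exists in Drupal 5/6.

// Stand-in for Drupal's check_plain() so this file runs without Drupal loaded.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Vulnerable pattern: the stored path is concatenated into the link as-is.
 * A path containing a double quote closes the href attribute early, so any
 * text that follows becomes markup interpreted by the viewer's browser.
 */
function theme_example_filefield_link_unsafe($file) {
  return '<a href="' . $file['filepath'] . '">' . $file['filename'] . '</a>';
}

/**
 * Hardened pattern: every user-controlled value is escaped for the HTML
 * context it is inserted into before it reaches the output buffer.
 */
function theme_example_filefield_link($file) {
  $path = check_plain($file['filepath']);
  $name = check_plain($file['filename']);
  return '<a href="' . $path . '">' . $name . '</a>';
}

// Constructed sample record, standing in for a value saved by a user who is
// allowed to create or edit content with a FileField.
$file = array(
  'filepath' => 'files/report.pdf" onmouseover="alert(1)',
  'filename' => 'report.pdf',
);

echo theme_example_filefield_link_unsafe($file), "\n";
echo theme_example_filefield_link($file), "\n";
```

In the unsafe output the quote in the path terminates the href and the remainder becomes a live event-handler attribute; in the hardened output check_plain() turns each double quote into `&quot;`, so the whole value stays inside the attribute as inert text. For values placed in href attributes Drupal additionally offers check_url(), which also rejects dangerous URL schemes; escaping has to match the context (attribute, element body, URL) in which the value lands.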

Updated Packages
================

Check if you have drupal-filefield installed:

	# pacman-g2 -Q drupal-filefield

If found, then you should upgrade to the latest version:

	# pacman-g2 -Sy drupal-filefield

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/682

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkxhcfIACgkQZ7NElSD1VhkejgCfV/l6lHpzbixuocBIm6LuMvmG
KCsAn3yBxQ9K+9HQd2gP+F2IDe1fFfP7
=kSPu
-----END PGP SIGNATURE-----

