[Frugalware-security] [ FSA-671 ] drupal6-filefield

Miklos Vajna vmiklos at frugalware.org
Mon May 17 00:04:47 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory                           FSA-671

Date: 2010-05-17
Package: drupal6-filefield
Vulnerable versions: <= 6.x_3.2-1
Unaffected versions: >= 6.x_3.3-1locris1
Related bugreport: http://bugs.frugalware.org/task/4207
CVE: No CVE references, see http://drupal.org/node/791050.

Description
===========

A security issue has been reported in the FileField module for Drupal that malicious users can potentially exploit to compromise a vulnerable system.
The issue is caused by improper creation of a default extension for a new file field when the field configuration page is not saved. It can be exploited to upload arbitrary files to a directory inside the webroot.
Successful exploitation may allow execution of arbitrary PHP code, but requires "create" or "edit" permission for the file field.

Updated Packages
================

Check if you have drupal6-filefield installed:

	# pacman-g2 -Q drupal6-filefield

If found, then you should upgrade to the latest version:

	# pacman-g2 -Sy drupal6-filefield

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/671

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkvwa/8ACgkQZ7NElSD1Vhm0nACgnHZLf1VxG/QPq1wlqzyqjfNl
MpQAnA7iH19qdTKPa+LVCXz+zvcSteAC
=rlsV
-----END PGP SIGNATURE-----
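
A defender-side check for the outcome described in the advisory above, added here as an example (it is not part of the Frugalware advisory or of the FileField module): it lists files under a Drupal upload directory that a PHP handler could execute. The function name, the extension list and the `sites/default/files` path in the usage comment are assumptions; adjust them to the site's configuration.

```shell
#!/bin/sh
# Added example: audit a Drupal upload directory for files that PHP could run.
# Usage (path is an assumption, Drupal's stock location):
#   find_php_uploads /var/www/drupal/sites/default/files

# Print, one path per line, every regular file under $1 that either
#   - has a name ending in an extension commonly mapped to the PHP handler, or
#   - starts with a PHP open tag regardless of its extension.
# Returns 2 if $1 is not a directory. Paths containing newlines are not handled.
find_php_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f | while IFS= read -r f; do
        # Compare the lower-cased base name so SHELL.PHP is caught too.
        case $(printf '%s' "${f##*/}" | tr 'A-Z' 'a-z') in
            *.php|*.php[0-9]|*.phtml)
                printf '%s\n' "$f"
                continue ;;
        esac
        # Content check: PHP source stored under an unrelated extension.
        if head -c 5 "$f" 2>/dev/null | grep -q '^<?php'; then
            printf '%s\n' "$f"
        fi
    done
}
```

Any path this prints in a directory that should hold only user uploads deserves a look at who uploaded it and when, alongside the package upgrade.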

