Ticket #759 (new maintenance)

Opened 2 years ago

Last modified 2 years ago

[Security-news] SA-CONTRIB-2014-071 - FileField - Access bypass

Reported by: paul Owned by: ed
Priority: major Milestone: Maintenance
Component: Unassigned Keywords:
Cc: Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.25

Description

View online: https://www.drupal.org/node/2304561

  • Advisory ID: DRUPAL-SA-CONTRIB-2014-071
  • Project: FileField? [1] (third-party module)
  • Version: 6.x
  • Date: 2014-July-16
  • Security risk: Critical [2]
  • Exploitable from: Remote
  • Vulnerability: Access bypass

The FileField? module enables you to define and use fields that contain files.

The module doesn't sufficiently check permission to view the attached file
when attaching a file that was previously uploaded. This could allow
attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have
permission to create or edit content with a file field.

  • /A CVE identifier [3] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core is not affected. If you do not use the contributed FileField? [4]
module, there is nothing you need to do.

  • If you use the FileField? module for Drupal 6.x, upgrade to Filefield

6.x-3.13 [5], and also update to Drupal core 6.32 [6] (see
SA-CORE-2014-003 [7]).

  • Nate Haug [9]
  • Ivan Ch [10]
  • David Snopek [11] of the Drupal Security Team.

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]

[1] https://www.drupal.org/project/filefield
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/filefield
[5] https://www.drupal.org/node/2304517
[6] https://www.drupal.org/drupal-6.32-release-notes
[7] https://www.drupal.org/SA-CORE-2014-003
[8] https://www.drupal.org/user/556138
[9] https://www.drupal.org/user/35821
[10] https://www.drupal.org/user/556138
[11] https://www.drupal.org/user/266527
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

_
Security-news mailing list
Security-news@…
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

Change History

comment:1 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.0 to 0.125

I'll pick this up in the morning.

comment:2 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.125 to 0.25

I'll pick this up in the morning.

comment:3 in reply to: ↑ description Changed 2 years ago by chris

  • Milestone set to Maintenance

Replying to paul:

This could allow attackers to gain access to private files.

I don't think we have any private files? However if there was a bot designed to exploit this bug and search for private files it wouldn't know this...

Last edited 2 years ago by chris (previous) (diff)

comment:4 Changed 2 years ago by paul

Module updated. No problems to report.

Note: See TracTickets for help on using tickets.