Ticket #759 (new maintenance)
[Security-news] SA-CONTRIB-2014-071 - FileField - Access bypass
Reported by: | paul | Owned by: | ed |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | Unassigned | Keywords: | |
Cc: | Estimated Number of Hours: | 0.0 | |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 0.25 |
Description
View online: https://www.drupal.org/node/2304561
- Advisory ID: DRUPAL-SA-CONTRIB-2014-071
- Project: FileField? [1] (third-party module)
- Version: 6.x
- Date: 2014-July-16
- Security risk: Critical [2]
- Exploitable from: Remote
- Vulnerability: Access bypass
The FileField? module enables you to define and use fields that contain files.
The module doesn't sufficiently check permission to view the attached file
when attaching a file that was previously uploaded. This could allow
attackers to gain access to private files.
This vulnerability is mitigated by the fact that the attacker must have
permission to create or edit content with a file field.
- /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
- FileField? 6.x-3.x versions prior to 6.x-3.13.
Drupal core is not affected. If you do not use the contributed FileField? [4]
module, there is nothing you need to do.
- If you use the FileField? module for Drupal 6.x, upgrade to Filefield
6.x-3.13 [5], and also update to Drupal core 6.32 [6] (see
SA-CORE-2014-003 [7]).
- Ivan Ch [8]
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/filefield
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/filefield
[5] https://www.drupal.org/node/2304517
[6] https://www.drupal.org/drupal-6.32-release-notes
[7] https://www.drupal.org/SA-CORE-2014-003
[8] https://www.drupal.org/user/556138
[9] https://www.drupal.org/user/35821
[10] https://www.drupal.org/user/556138
[11] https://www.drupal.org/user/266527
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
_
Security-news mailing list
Security-news@…
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Change History
comment:1 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.0 to 0.125
comment:2 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.125 to 0.25
I'll pick this up in the morning.
comment:3 in reply to: ↑ description Changed 2 years ago by chris
- Milestone set to Maintenance
Replying to paul:
This could allow attackers to gain access to private files.
I don't think we have any private files? However if there was a bot designed to exploit this bug and search for private files it wouldn't know this...
I'll pick this up in the morning.