http://localhost:8080/trac/ticket/759 <p> View online: <a class="ext-link" href="https://www.drupal.org/node/2304561"><span class="icon">​</span>https://www.drupal.org/node/2304561</a> </p> <ul><li>Advisory ID: DRUPAL-SA-CONTRIB-2014-071 </li><li>Project: <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[1]</a> (third-party module) </li><li>Version: 6.x </li><li>Date: 2014-July-16 </li><li>Security risk: Critical <a class="missing changeset" title="No default repository defined">[2]</a> </li><li>Exploitable from: Remote </li><li>Vulnerability: Access bypass </li></ul><hr /> <hr /> <p> The <a class="missing wiki">FileField?</a> module enables you to define and use fields that contain files. </p> <p> The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. </p> <p> This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. </p> <hr /> <hr /> <ul><li>/A CVE identifier <a class="missing changeset" title="No default repository defined">[3]</a> will be requested, and added upon issuance, in </li></ul><p> accordance with Drupal Security Team processes./ </p> <hr /> <hr /> <ul><li><a class="missing wiki">FileField?</a> 6.x-3.x versions prior to 6.x-3.13. </li></ul><p> Drupal core is not affected. If you do not use the contributed <a class="missing wiki">FileField?</a> <a class="missing changeset" title="No default repository defined">[4]</a> module, there is nothing you need to do. </p> <hr /> <hr /> <ul><li>If you use the <a class="missing wiki">FileField?</a> module for Drupal 6.x, upgrade to Filefield </li></ul><p> 6.x-3.13 <a class="missing changeset" title="No default repository defined">[5]</a>, and also update to Drupal core 6.32 <a class="missing changeset" title="No default repository defined">[6]</a> (see SA-CORE-2014-003 <a class="missing changeset" title="No default repository defined">[7]</a>). </p> <hr /> <hr /> <ul><li>Ivan Ch <a class="missing changeset" title="No default repository defined">[8]</a> </li></ul><hr /> <hr /> <ul><li>Nate Haug <a class="missing changeset" title="No default repository defined">[9]</a> </li><li>Ivan Ch <a class="missing changeset" title="No default repository defined">[10]</a> </li><li>David Snopek <a class="missing changeset" title="No default repository defined">[11]</a> of the Drupal Security Team. </li></ul><hr /> <hr /> <p> The Drupal security team can be reached at security at drupal.org or via the contact form at <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[12]</a>. </p> <p> Learn more about the Drupal Security team and their policies <a class="missing changeset" title="No default repository defined">[13]</a>, writing secure code for Drupal <a class="missing changeset" title="No default repository defined">[14]</a>, and securing your site <a class="missing changeset" title="No default repository defined">[15]</a>. </p> <p> Follow the Drupal Security Team on Twitter at <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> <a class="missing changeset" title="No default repository defined">[16]</a> </p> <p> <a class="missing changeset" title="No default repository defined">[1]</a> <a class="ext-link" href="https://www.drupal.org/project/filefield"><span class="icon">​</span>https://www.drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[2]</a> <a class="ext-link" href="http://drupal.org/security-team/risk-levels"><span class="icon">​</span>http://drupal.org/security-team/risk-levels</a> <a class="missing changeset" title="No default repository defined">[3]</a> <a class="ext-link" href="http://cve.mitre.org/"><span class="icon">​</span>http://cve.mitre.org/</a> <a class="missing changeset" title="No default repository defined">[4]</a> <a class="ext-link" href="http://drupal.org/project/filefield"><span class="icon">​</span>http://drupal.org/project/filefield</a> <a class="missing changeset" title="No default repository defined">[5]</a> <a class="ext-link" href="https://www.drupal.org/node/2304517"><span class="icon">​</span>https://www.drupal.org/node/2304517</a> <a class="missing changeset" title="No default repository defined">[6]</a> <a class="ext-link" href="https://www.drupal.org/drupal-6.32-release-notes"><span class="icon">​</span>https://www.drupal.org/drupal-6.32-release-notes</a> <a class="missing changeset" title="No default repository defined">[7]</a> <a class="ext-link" href="https://www.drupal.org/SA-CORE-2014-003"><span class="icon">​</span>https://www.drupal.org/SA-CORE-2014-003</a> <a class="missing changeset" title="No default repository defined">[8]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[9]</a> <a class="ext-link" href="https://www.drupal.org/user/35821"><span class="icon">​</span>https://www.drupal.org/user/35821</a> <a class="missing changeset" title="No default repository defined">[10]</a> <a class="ext-link" href="https://www.drupal.org/user/556138"><span class="icon">​</span>https://www.drupal.org/user/556138</a> <a class="missing changeset" title="No default repository defined">[11]</a> <a class="ext-link" href="https://www.drupal.org/user/266527"><span class="icon">​</span>https://www.drupal.org/user/266527</a> <a class="missing changeset" title="No default repository defined">[12]</a> <a class="ext-link" href="http://drupal.org/contact"><span class="icon">​</span>http://drupal.org/contact</a> <a class="missing changeset" title="No default repository defined">[13]</a> <a class="ext-link" href="http://drupal.org/security-team"><span class="icon">​</span>http://drupal.org/security-team</a> <a class="missing changeset" title="No default repository defined">[14]</a> <a class="ext-link" href="http://drupal.org/writing-secure-code"><span class="icon">​</span>http://drupal.org/writing-secure-code</a> <a class="missing changeset" title="No default repository defined">[15]</a> <a class="ext-link" href="http://drupal.org/security/secure-configuration"><span class="icon">​</span>http://drupal.org/security/secure-configuration</a> <a class="missing changeset" title="No default repository defined">[16]</a> <a class="ext-link" href="https://twitter.com/drupalsecurity"><span class="icon">​</span>https://twitter.com/drupalsecurity</a> </p> <p> <span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline"></span><span class="underline">_ Security-news mailing list Security-news@… Unsubscribe at <a class="ext-link" href="https://lists.drupal.org/mailman/listinfo/security-news"><span class="icon">​</span>https://lists.drupal.org/mailman/listinfo/security-news</a> </span></p> en-us /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/759 Trac 0.12.5 paul Wed, 16 Jul 2014 22:00:39 GMT http://localhost:8080/trac/ticket/759#comment:1 http://localhost:8080/trac/ticket/759#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.125</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>0.125</em> </li> </ul> <p> I'll pick this up in the morning. </p> Ticket paul Wed, 16 Jul 2014 22:02:06 GMT http://localhost:8080/trac/ticket/759#comment:2 http://localhost:8080/trac/ticket/759#comment:2 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.125</em> </li> <li><strong>totalhours</strong> changed from <em>0.125</em> to <em>0.25</em> </li> </ul> <p> I'll pick this up in the morning. </p> Ticket chris Tue, 29 Jul 2014 10:52:33 GMT http://localhost:8080/trac/ticket/759#comment:3 http://localhost:8080/trac/ticket/759#comment:3 <ul> <li><strong>milestone</strong> set to <em>Maintenance</em> </li> </ul> <p> Replying to <a class="new ticket" href="http://localhost:8080/trac/ticket/759" title="maintenance: [Security-news] SA-CONTRIB-2014-071 - FileField - Access bypass (new)">paul</a>: </p> <blockquote class="citation"> <p> This could allow attackers to gain access to private files. </p> </blockquote> <p> I don't think we have any private files? However if there was a bot designed to exploit this bug and search for private files it wouldn't know this... </p> Ticket paul Thu, 31 Jul 2014 21:52:26 GMT http://localhost:8080/trac/ticket/759#comment:4 http://localhost:8080/trac/ticket/759#comment:4 <p> Module updated. No problems to report. </p> Ticket