
it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-027: Email Input Filter - Arbitrary code execution

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-027: Email Input Filter - Arbitrary code execution
  • Date: Wed, 17 Mar 2010 20:48:19 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-027
* Project: Email Input Filter (third-party module)
* Version: 5.x, 6.x
* Date: 2010-March-17
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution

-------- DESCRIPTION ---------------------------------------------------------

Email Input Filter converts email-style markup into a web-friendly format.
An arbitrary code execution vulnerability in this module allows a remote
attacker with the ability to create content using an input format with the
email input filter enabled to execute arbitrary PHP code on an affected
system. In order to exploit this vulnerability, an input format must be
created using the email input filter, and an attacker must be able to post
some form of content using that input format.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Email Input Filter 6.x-1.x prior to 6.x-1.1
* Email Input Filter 5.x-1.x all versions

Drupal core is not affected. If you do not use the contributed Email Input
Filter module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
* If you use Email Input Filter 6.x-1.x, upgrade to Email Input Filter
6.x-1.1 [1].
* If you use Email Input Filter 5.x-1.x, disable the module or upgrade to
Drupal 6.x. The Drupal 5.x version is now unsupported.

See also the Email Input Filter project page [2].

-------- REPORTED BY ---------------------------------------------------------

* Martin Barbella [3]

-------- FIXED BY ------------------------------------------------------------

* Mark Burton [4], the Email Input Filter module maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/745318
[2] http://drupal.org/project/emailFilter
[3] http://drupal.org/user/633600
[4] http://drupal.org/user/114447
