[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-030: Mime Mail - Arbitrary code execution
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-030: Mime Mail - Arbitrary code execution
- Date: Wed, 24 Mar 2010 22:03:24 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-030
* Project: Mime Mail (third-party module)
* Version: 5.x
* Date: 2010-March-24
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION
---------------------------------------------------------
The Mime Mail module is a helper module providing support for MIME mails,
for use by other modules. Due to improper use of the PCRE regular expression
engine, users with the ability to send HTML email with the Mime Mail module
were able to execute arbitrary PHP code on the server.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mime Mail for Drupal 5.x prior to 5.x-1.1
*Note that Mime Mail version 6.x-1.0-alpha1 and earlier versions for Drupal
6.x are also affected. However, the security team does not provide support
for alpha releases.* Drupal core is not affected. If you do not use the
contributed Mime Mail module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Mime Mail for Drupal 5.x, upgrade to Mime Mail 5.x-1.1 [1]
See also the Mime Mail project page [2].
-------- REPORTED BY
---------------------------------------------------------
* Martin Barbella [3]
* Damien Tournoud [4] of the Drupal Security Team [5].
-------- FIXED BY
------------------------------------------------------------
* Peter Wolanin [6] of the Drupal Security Team [7].
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/752166
[2] http://drupal.org/project/mimemail
[3] http://drupal.org/user/633600
[4] http://drupal.org/user/22211
[5] http://drupal.org/security-team
[6] http://drupal.org/user/49851
[7] http://drupal.org/security-team
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
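
A version check built from the VERSIONS AFFECTED and SOLUTION sections above, as an added example that is not part of the original advisory or of the Mime Mail project. It assumes the module's .info file carries a `version = "..."` line; the function names and the sample file contents are hypothetical.

```python
import re

# Drupal contrib versions look like "5.x-1.1", "6.x-1.0-alpha1" or "5.x-1.x-dev".
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+)(\d*))?$")
# Pre-release stages sort below the final release, which has no suffix.
STAGE_RANK = {"unstable": 0, "alpha": 1, "beta": 2, "rc": 3, None: 4}

def info_version(info_text):
    """Extract the 'version' value from the text of a module .info file."""
    m = re.search(r'^[ \t]*version[ \t]*=[ \t]*"?([^"\r\n]+?)"?[ \t]*$', info_text, re.M)
    return m.group(1) if m else None

def release_key(version):
    """Return (core, sortable key), or None for dev snapshots and unknown formats."""
    m = VERSION_RE.match(version.strip())
    if not m or m.group(3) == "x" or m.group(4) not in STAGE_RANK:
        return None
    core, major, patch, stage, num = m.groups()
    return int(core), (int(major), int(patch), STAGE_RANK[stage], int(num or 0))

def classify(version):
    """Map a version string to 'affected', 'fixed' or 'unknown' per the advisory."""
    parsed = release_key(version) if version else None
    if parsed is None:
        return "unknown"          # dev snapshot or unparsable: review by hand
    core, key = parsed
    if core == 5:                 # "5.x prior to 5.x-1.1"
        return "affected" if key < (1, 1, STAGE_RANK[None], 0) else "fixed"
    if core == 6 and key <= (1, 0, STAGE_RANK["alpha"], 1):
        return "affected"         # "6.x-1.0-alpha1 and earlier"
    return "unknown"              # the advisory names no fixed release here

# Constructed sample .info contents (assumption), not taken from a real site.
SAMPLE_INFO = 'name = Mime Mail\ndescription = "HTML e-mail support"\nversion = "5.x-1.0"\n'

if __name__ == "__main__":
    v = info_version(SAMPLE_INFO)
    print(v, "->", classify(v))
```

A result of "unknown" means the advisory text does not settle the question for that version, so the installed code should be compared against the project page [2].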