[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-059: Panels - Arbitrary PHP code execution
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-059: Panels - Arbitrary PHP code execution
- Date: Thu, 20 May 2010 02:42:14 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-059
* Project: Panels (third-party module)
* Versions: 6.x
* Date: 2010 May 19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution
The Panels module allows a site administrator to create customized layouts
for multiple uses. The "Mini panels" module, included with panels, was found
to have an arbitrary PHP code execution vulnerability. Users with the 'create
mini panels' permission could execute arbitrary PHP code on the server via
the import functionality. An additional check for the permission 'use PHP for
block visibility' has been added to ensure that the site administrator has
already granted users of the import functionality the permission to execute
PHP.
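As an added illustration (not the Panels module's own code), the Drupal 6 style access callback and menu entry that implement the kind of check this advisory describes: the import page that evaluates pasted export code is gated behind the core 'use PHP for block visibility' permission in addition to 'create mini panels', and the submit handler re-checks before handing the code to the importer. All function, path and form names here are hypothetical.

```php
<?php
// Added example, not code from the Panels module. Names are hypothetical.

/**
 * Access callback for the (hypothetical) mini panel import page.
 *
 * Before the fix, 'create mini panels' alone was enough to reach the
 * import page. Because importing evaluates the pasted export code as PHP,
 * that permission silently implied PHP execution. Requiring the core
 * 'use PHP for block visibility' permission as well means only accounts
 * the site administrator has already trusted with PHP can import.
 */
function example_mini_import_access() {
  return user_access('create mini panels')
    && user_access('use PHP for block visibility');
}

/**
 * Implementation of hook_menu() (Drupal 6 style).
 */
function example_menu() {
  $items['admin/build/mini-panels/import'] = array(
    'title' => 'Import',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_mini_import_form'),
    // Weak pattern that the advisory describes:
    //   'access arguments' => array('create mini panels'),
    // Hardened: both permissions are required.
    'access callback' => 'example_mini_import_access',
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Submit handler for the import form.
 *
 * The menu access callback already protects the page, but the check is
 * repeated here so a form reached by another route is still gated.
 */
function example_mini_import_form_submit($form, &$form_state) {
  if (!example_mini_import_access()) {
    drupal_access_denied();
    return;
  }
  // Hypothetical importer that evaluates the export code; it is the
  // reason the permission gate above is needed.
  example_mini_import_from_code($form_state['values']['object']);
}
```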
-------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of Panels for Drupal 6.x prior to 6.x-3.4
Drupal core is not affected. If you do not use the contributed Panels module,
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Panels for Drupal 6.x, upgrade to Panels 6.x-3.4 [1]
-------- REPORTED BY ---------------------------------------------------------
Sam Boyer [2], co-maintainer of the Panels module.
-------- FIXED BY ------------------------------------------------------------
Sam Boyer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/803916
[2] http://drupal.org/user/146719
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news