full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Drupal Imagefield Modu

Re: [Full-disclosure] Drupal Imagefield Module Multiple Vulnerabilities

From: <Valdis.Kletnieks_at_nospam>
Date: Thu Jan 29 2009 - 16:17:38 GMT
To: "Justin C. Klein Keane" <justin@madirish.net>


On Thu, 29 Jan 2009 09:15:46 EST, "Justin C. Klein Keane" said:

> Two flaws exist in this module. The first flaw allows for an attacker
> to upload arbitrary files to the filesystem. The vulnerability allows
> attackers to upload arbitrary files in place of the 'Default image'
> specified in the Imagefield specifications for a content type field.
....
> Attackers must be authenticated with an account that has 'administer
> content types' permissions.

Umm.. what's the risk here? Does the flaw allow the attacker to upload files that wouldn't be permitted even as the authorized account? Seems if they can administer content types, they can drop pretty much whatever they want onto the server (possibly limited as to where in the tree though), and all this does is let them drop stuff outside said tree?



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/