|Main Archive Page > Month Archives > full-disclosure-uk archives|
-----BEGIN PGP SIGNED MESSAGE-----
in one scenario you allow a Drupal 5.x user to administer content types - to set up new structures for node content. This permission doesn't allow the user to create content, to upload material, or to interact with the filesystem in any way. With the Imagefield module installed this user can move non-image files onto the filesystem. 'Administer content types' privilege only lets a user set up new structures for content nodes, not create content, or even upload material to the filesystem, except for the 'default image' used in the content type. The flaw allows such a user to upload any number of files, opening avenues to trigger local file inclusion vulnerabilities, hosting malware, phishing, etc., etc. The route to exploitation might be oblique, but ideally it shouldn't exist at all.
Justin C. Klein Keane
> On Thu, 29 Jan 2009 09:15:46 EST, "Justin C. Klein Keane" said:
>> Two flaws exist in this module. The first flaw allows for an attacker >> to upload arbitrary files to the filesystem. The vulnerability allows >> attackers to upload arbitrary files in place of the 'Default image' >> specified in the Imagefield specifications for a content type field.
>> Attackers must be authenticated with an account that has 'administer >> content types' permissions.
> Umm.. what's the risk here? Does the flaw allow the attacker to upload
> files that wouldn't be permitted even as the authorized account? Seems if
> they can administer content types, they can drop pretty much whatever they
> want onto the server (possibly limited as to where in the tree though), and
> all this does is let them drop stuff outside said tree?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----