- Advisory ID: DRUPAL-SA-CONTRIB-2016-015
- Project: Scald File Provider (third-party module)
- Version: 7.x
- Date: 2016-March-09
- Security risk: 18/25 ( Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All
- Vulnerability: Arbitrary PHP code execution
Description
When a PDF is uploaded in Scald File, various tools can be executed if they’re installed on the server, to try to generate a thumbnail out of that PDF.
This is mitigated by the need to have the sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creation tools installed on the server (pdfdraw, convert or mudraw).
It could also be partially mitigated by using the transliteration module for uploaded files.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Scald File module 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Scald File Provider module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Scald File module for Drupal 7.x, upgrade to Scald File 7.x-1.3
Also see the Scald File Provider project page.
Reported by
Fixed by
Coordinated by
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity