Drupal Security Team | DRUPAL-SA-CONTRIB-2013-056
Jul 10, 2013 - 12:00 a.m.

SA-CONTRIB-2013-056 - Stage File Proxy - Denial of Service

2013-07-10 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

EPSS: 0.004 Low (Percentile: 73.8%)

This module saves time and disk space by forwarding requests for files in your development environment's files directory to the production environment and saving a copy of the production file on your development site.

An attacker could make repeated requests to the server, even over a long period, which would degrade the performance of all file handling and potentially prevent certain file operations.

CVE identifier(s) issued

  • CVE-2013-4139

Versions affected

  • Stage File Proxy 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Stage File Proxy module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Stage File Proxy module for Drupal 7.x, upgrade to Stage File Proxy 7.x-1.4

Also see the Stage File Proxy project page.

Reported by

Fixed by

Coordinated by
