Lucene search

K
drupalDrupal Security TeamDRUPAL-SA-CONTRIB-2015-048
HistoryFeb 18, 2015 - 12:00 a.m.

SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution

2015-02-1800:00:00
Drupal Security Team
www.drupal.org
1

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS

0.967

Percentile

99.7%

Avatar Uploader module provides an alternative way to upload user pictures.

The module doesn’t sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal’s normal file upload protections to install malicious HTML or executable code to the server.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission β€œupload avatar file”, and that the fix for SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations should prevent code execution in typical Apache configurations.

CVE identifier(s) issued

  • CVE-2015-2087

Versions affected

  • Avatar Uploader 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Avatar Uploader module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Avatar Uploader module for Drupal 6.x, upgrade to Avatar Uploader 6.x-1.3

Also see the Avatar Uploader project page.

Reported by

Fixed by

Coordinated by

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS

0.967

Percentile

99.7%

Related for DRUPAL-SA-CONTRIB-2015-048