See https://www.drupal.org/sa-contrib-2018-063
This vulnerability has a lower risk in Drupal 6 than in Drupal 7. In Drupal 6, shell commands cannot be passed for execution through the HTTP Basic Auth username/password; an attacker would instead need either (1) an administrative permission that allows storing those commands in Drupal variables, or (2) permission to place `<script>` tags in nodes while also using the dompdf generation tool.
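The Drupal 7 variant described above is a shell-argument injection: untrusted request data reaches a command line without being quoted. The PHP below is an added illustration, not code from the Print module or from the attached patch, and it assumes a PDF tool is invoked through the shell with the Basic Auth credentials as arguments; the tool name `pdftool`, the function names and the sample input are placeholders constructed for this example.

```php
<?php
// Added example, not Print module code. Assumes the PDF renderer is a shell
// command ("pdftool" is a placeholder) that receives the HTTP Basic Auth
// username and password supplied by the requesting user.

/**
 * Unsafe pattern: untrusted values are interpolated verbatim, so any shell
 * metacharacter they contain is interpreted by /bin/sh when the string runs.
 */
function build_pdf_command_unsafe($url, $user, $pass) {
  return "pdftool --username $user --password $pass $url output.pdf";
}

/**
 * Hardened pattern: the URL is validated first, and every untrusted value is
 * wrapped with escapeshellarg(), which single-quotes it and escapes embedded
 * quotes so the shell sees exactly one argument and no command syntax.
 */
function build_pdf_command_safe($url, $user, $pass) {
  if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('#^https?://#i', $url)) {
    throw new InvalidArgumentException('Refusing to render a non-http(s) URL.');
  }
  return 'pdftool'
    . ' --username ' . escapeshellarg($user)
    . ' --password ' . escapeshellarg($pass)
    . ' ' . escapeshellarg($url)
    . ' ' . escapeshellarg('output.pdf');
}

// Constructed sample input: a username containing a command separator.
$user = 'bob; echo INJECTED';
$pass = 'secret';
$url  = 'https://example.com/node/1';

// The unsafe string contains an unquoted ";" that the shell would honour;
// the safe string carries the same text inside a single-quoted argument.
echo build_pdf_command_unsafe($url, $user, $pass), "\n";
echo build_pdf_command_safe($url, $user, $pass), "\n";
```

The two echoed command lines are only displayed, never executed; the point is that the hardened builder keeps the separator inside quotes, which is the property a reviewer should check for in any code path that hands request data to the shell.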
Comment | File | Size | Author |
---|---|---|---|
#4 | interdiff.txt | 547 bytes | dsnopek |
#4 | SA-CONTRIB-2018-063.patch | 2.08 KB | dsnopek |
Comments
Comment #2
dsnopek: Updated the issue summary about risk.
And patch is attached for review!
Comment #3
dsnopek: Committed to d6lts repo
Comment #4
dsnopek: An error was found in this patch, which actually fails to prevent part of the security issue. Here's an updated patch and interdiff.
FYI, this part of the security issue (and really the D6 variant of the issue in general) is only exploitable by folks who have the 'administer print' permission, which should only be trusted users anyway.
Comment #5
dsnopek: Committed to repo!