Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-CONTRIB-2012-003
- Project: Fill PDF (third-party module)
- Version: 6.x, 7.x
- Date: 2012-JANUARY-04
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Arbitrary code execution
This module enables you to populate fillable PDF templates with data from nodes and webforms.
Access bypass (7.x only)
Incorrectly-ordered arguments in a call to the function that handles the main functionality of the module makes it possible for an attacker to trigger any PDF to be filled, regardless of whether they have access to the node/webform or not, by passing an appropriately-formed query string argument.
This vulnerability is mitigated by the fact that an attacker can only access configured PDF templates, that the attacker must know (or brute-force) the node or webform IDs, and that only information that is configured to be filled into the PDFs (and the filled PDF templates themselves) can be obtained through this exploit.
Arbitrary code execution (6.x and 7.x)
The template importing and exporting used serialized PHP which required the use of an unsafe PHP function to evaluate and import templates, which could lead to execution of unwanted and untrusted code. This vulnerability is mitigated by the fact that the attacker must have the 'administer PDFs' permission.
- Fill PDF 6.x-1.x versions prior to 6.x-1.16.
- Fill PDF 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Fill PDF module, there is nothing you need to do.
Install the latest version:
- If you use the Fill PDF module for Drupal 6.x, upgrade to Fill PDF 6.x-1.16.
- If you use the Fill PDF module for Drupal 7.x, upgrade to Fill PDF 7.x-1.2.
See also the Fill PDF project page.
- Dave Reid, Drupal Security team member
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.