- Advisory ID: DRUPAL-SA-CONTRIB-2014-074
- Project: Storage API (third-party module)
- Version: 7.x
- Date: 2014-July-30
- Security risk: (Less Critical)
- Vulnerability: Arbitrary PHP code execution
Description
Storage API is a low-level framework for managed file storage and serving.
The module creates an .htaccess file in the files directory to prevent code execution, but copied the Drupal core file and wasn't updated to include the improved file contents after SA-CORE-2013-003.
This vulnerability is mitigated by the fact that it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads in a safe manner.
CVE identifier(s) issued
- CVE-2014-5170
Versions affected
Drupal core is not affected. If you do not use the contributed module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Storage API module for Drupal 7.x, upgrade to Storage API 7.x-1.6
Reported by
Reported publicly outside the Drupal Security Team reporting process.
Fixed by
- Jonathan Brown and Brady the module maintainers
Coordinated by
- Klaus Purer of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
