By Heine on
- Advisory ID: SA-2008-032
- Project: Magic Tabs (third-party module)
- Versions: 5.x
- Date: 2008-June-11
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Arbitrary code execution
Description
Magic Tabs provides an implementation of tabs filled via AJAX requests.
Magic Tabs does not check the callbacks it is asked to invoke against a whitelist, so malicious users are able to run arbitrary PHP code via URL arguments passed to the module.
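A whitelist of callbacks, as the description calls for, can be sketched as follows. This is an added example, not code from the Magic Tabs module or its 5.x-1.1 fix; every function name and registry key is hypothetical, and it is written for current PHP rather than the PHP releases of the Drupal 5 era.

```php
<?php
// Hypothetical tab callbacks; names are assumptions for this example.
function example_tab_recent(array $args): string {
  return 'recent:' . implode(',', $args);
}
function example_tab_popular(array $args): string {
  return 'popular:' . implode(',', $args);
}

/**
 * Map of public tab keys to callbacks the module itself registered.
 * The request selects a key, never a function name.
 */
function example_tab_registry(): array {
  return [
    'recent'  => 'example_tab_recent',
    'popular' => 'example_tab_popular',
  ];
}

/**
 * Resolve a request-supplied key against the registry.
 * Returns NULL for anything not registered, so the caller can answer 404.
 * The unsafe pattern this replaces is call_user_func($key_from_url, ...).
 */
function example_tab_dispatch($key, array $args): ?string {
  $registry = example_tab_registry();
  // Strict type check first: rejects arrays such as ?tab[]=x.
  if (!is_string($key) || !array_key_exists($key, $registry)) {
    return NULL;
  }
  // Arguments are passed as data only and cast to plain strings.
  $clean = array_map('strval', array_filter($args, 'is_scalar'));
  return call_user_func($registry[$key], array_values($clean));
}

// Constructed sample inputs: a registered key, an unregistered PHP
// function name, and a non-string value.
$samples = [['recent', ['1', '2']], ['strtoupper', ['x']], [['recent'], []]];
foreach ($samples as [$key, $args]) {
  $out = example_tab_dispatch($key, $args);
  echo json_encode($key), ' => ', $out === NULL ? 'rejected' : $out, "\n";
}
```

Only the first sample reaches a callback; a name that exists as a PHP function but is absent from the registry is rejected the same way as malformed input.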
Versions affected
- Magic Tabs for Drupal 5.x prior to Magic Tabs 5.x-1.1
Drupal core is not affected. If you do not use the contributed Magic Tabs module, there is nothing you need to do.
Solution
Install the latest version:
- If you currently use Magic Tabs 5.x, upgrade to Magic Tabs 5.x-1.1
See also the Magic Tabs project page.
Reported by
The Magic Tabs maintainer Yuval Hager (yhager).
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.