• Advisory ID: DRUPAL-SA-CONTRIB-2009-001
  • Project: Project release (third-party module)
  • Version: 5.x
  • Date: 2009-January-07
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerabilities: Arbitrary file upload, Cross-site scripting (XSS)

Description

The Project release module is a component within the broader Project module. This announcement covers the following two issues:

  1. Project release lets a project maintainer attach a file (for example a packaged tarball) to a specific release of the project's code so that users can download it. The module uses its own upload code rather than Drupal core's Upload module, so uploaded files bypass the extension checks that core applies. Because of this missing validation, a user with the "maintain projects" permission can upload files with arbitrary extensions. An attacker can use such a file (an HTML file, for instance) to mount cross-site scripting attacks against visitors and, depending on the server configuration (for instance where the web server executes uploaded scripts), may also be able to execute arbitrary code on the server.

    Any projects that are associated with a CVS repository using the CVS integration module are not vulnerable, though you are still encouraged to upgrade.

    Important note

    Upgrading will stop further malicious files from being uploaded, but does nothing to protect your site against files that have already been uploaded. Carefully inspect the directory configured as your file system path and look for files with extensions that should have been forbidden. We recommend that you remove any HTML file you did not upload yourself. If you need to review files individually, look for script tags, CSS includes, JavaScript includes and onerror="" attributes.

  2. The Project release module allows users to create releases of a project, which are then made available for download. By supplying a malformed URL, users may be able to inject arbitrary script into the error pages the Project release module produces (a reflected cross-site scripting attack).

    Wikipedia has more information about cross site scripting (XSS).

Versions affected

  • Project for Drupal 5.x prior to 5.x-1.3

Drupal core is not affected. If you do not use the contributed Project release module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use Project for Drupal 5.x, upgrade to Project 5.x-1.3 or later.

See also the Project module project page.

Reported by

Both vulnerabilities were reported by Adam Light (aclight) of the Drupal Security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.