- Advisory ID: DRUPAL-SA-CONTRIB-2010-030
- Project: Mime Mail (third-party module)
- Version: 5.x
- Date: 2010-March-24
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Arbitrary code execution
The Mime Mail module is a helper module that provides support for MIME mails, for use by other modules.
Due to improper use of the PCRE regular expression engine, users with the ability to send HTML email with the Mime Mail module were able to execute arbitrary PHP code on the server.
- Mime Mail for Drupal 5.x prior to 5.x-1.1
Note that Mime Mail version 6.x-1.0-alpha1 and earlier versions for Drupal 6.x are also affected. However, the security team does not provide support for alpha releases.
Drupal core is not affected. If you do not use the contributed Mime Mail module, there is nothing you need to do.
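A check for whether an installed copy falls in the affected ranges listed above, as an added example that is not part of the advisory or the Mime Mail project. It assumes the `version = "..."` line that Drupal.org packaging writes into a module's `.info` file; the function names and the sample file content are constructed for illustration.

```python
import re

# Release stages ordered earliest to latest; no suffix means a full release.
STAGE_ORDER = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$")
INFO_VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)

# Constructed sample of a packaged mimemail.info file (not taken from the project).
SAMPLE_INFO = '''; constructed sample
name = Mime Mail
version = "5.x-1.0"
project = "mimemail"
'''


def parse_version(text):
    """Split 'CORE.x-MAJOR.MINOR[-STAGEn]' into (core, sortable release key)."""
    m = VERSION_RE.match((text or "").strip())
    if not m:
        return None  # e.g. '5.x-1.x-dev': a snapshot with no fixed release number
    core, major, minor, stage, stage_no = m.groups()
    return int(core), (int(major), int(minor), STAGE_ORDER[stage], int(stage_no or 0))


def is_affected(version):
    """True/False per the advisory's ranges; None when the advisory does not say."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    core, key = parsed
    if core == 5:
        # Fixed in 5.x-1.1; every earlier 5.x release is affected.
        return key < parse_version("5.x-1.1")[1]
    if core == 6:
        # 6.x-1.0-alpha1 and earlier are affected; no fixed 6.x release is named.
        return True if key <= parse_version("6.x-1.0-alpha1")[1] else None
    return None


def version_from_info(info_text):
    """Return the version string from .info file content, or None if absent."""
    m = INFO_VERSION_RE.search(info_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(is_affected(version_from_info(SAMPLE_INFO)))
```

A `None` result means the version cannot be ranked against the advisory (a dev snapshot, or a 6.x release later than alpha1) and needs manual review.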
Upgrade to the latest version:
- If you use Mime Mail for Drupal 5.x, upgrade to Mime Mail 5.x-1.1.
See also the Mime Mail project page.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.