  • Advisory ID: DRUPAL-SA-CONTRIB-2010-049
  • Project: Wordpress Import (third-party module)
  • Version: 6.x
  • Date: 2010-May-19
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The Wordpress Import module provides the ability to import nodes from a Wordpress WXR export file. The form used to import a WXR file does not check the correct access permission, so any user can upload arbitrary files and import data from a remote WXR file.

Versions affected

  • Wordpress Import for Drupal 6.x versions prior to 6.x-2.1, including all versions of 6.x-1.x.

Drupal core is not affected. If you do not use the contributed Wordpress Import module, there is nothing you need to do.

Solution

Install the latest version and revoke the "import wordpress blog" permission from untrusted roles.

  • If you use Wordpress Import 6.x-2.x or 6.x-1.x upgrade to Wordpress Import 6.x-2.1. The Wordpress Import 6.x-1.x branch is no longer maintained.

Important note: Only give fully trusted users the "import wordpress blog" permission. Wordpress Import 6.x-2.1 still allows a user with that permission to upload arbitrary files.
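The access-bypass pattern described above and the permission named in the solution, shown as an added Drupal 6 illustration that is not the module's own code; the function prefix "wpimport_", the form id and the menu path are assumed.

```php
<?php
// Added illustration (not the module's own code): how a Drupal 6 module declares a
// dedicated permission and gates its import form on it. The prefix "wpimport_",
// the form id and the path "admin/content/wordpress-import" are assumptions.

/**
 * Implementation of hook_perm(): declare the permission named in the advisory.
 */
function wpimport_perm() {
  return array('import wordpress blog');
}

/**
 * Implementation of hook_menu().
 *
 * Drupal runs the router item's 'access callback' (user_access() by default)
 * with 'access arguments' on every request. The vulnerable pattern is gating an
 * upload/import form on a permission that nearly every role holds, e.g.
 *   'access arguments' => array('access content'),
 * which lets any user reach the file upload. The dedicated permission below
 * restricts the form to roles an administrator has explicitly trusted.
 */
function wpimport_menu() {
  $items['admin/content/wordpress-import'] = array(
    'title' => 'Import WordPress blog',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('wpimport_import_form'),
    'access arguments' => array('import wordpress blog'),
  );
  return $items;
}

/**
 * Re-check the permission in the form's validate handler as well, so the
 * control does not depend solely on the menu router.
 */
function wpimport_import_form_validate($form, &$form_state) {
  if (!user_access('import wordpress blog')) {
    form_set_error('', t('You are not authorized to import WordPress content.'));
  }
}
```

As the advisory notes, the permission only narrows who may reach the upload; anyone holding it can still upload arbitrary files in 6.x-2.1, so grant it to fully trusted roles only.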

Reported by

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.