  • Advisory ID: DRUPAL-SA-CONTRIB-2010-059
  • Project: Panels (third-party module)
  • Versions: 6.x
  • Date: 2010 May 19
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary PHP code execution

The Panels module allows a site administrator to create customized layouts for multiple uses. The "Mini panels" module, included with Panels, was found to have an arbitrary PHP code execution vulnerability: users with the 'create mini panels' permission could execute arbitrary PHP code on the server via the import functionality. The import functionality now also checks for the permission 'use PHP for block visibility', ensuring that the site administrator has already granted its users the permission to execute PHP.
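The two-permission gate described above, together with a review of which roles held import access without the PHP permission, as an added example that is not code from the Panels project. It assumes Drupal 6's storage of each role's permissions as a ", "-separated string in {permission}.perm; the function names are hypothetical and the sample rows are constructed.

```php
<?php
// Added illustration; not code from the Panels project.
// The two permission names are the ones quoted in the advisory.
const IMPORT_PERM = 'create mini panels';
const PHP_PERM = 'use PHP for block visibility';

/**
 * Split a Drupal 6 {permission}.perm value (", "-separated) into a lookup set.
 */
function perm_set($perm_field) {
  $names = array_filter(array_map('trim', explode(',', $perm_field)), 'strlen');
  return array_fill_keys($names, TRUE);
}

/**
 * The gate described in the advisory: importing requires both permissions.
 */
function may_import_mini_panel(array $perms) {
  return isset($perms[IMPORT_PERM]) && isset($perms[PHP_PERM]);
}

/**
 * Roles that could import before the fix without ever being granted PHP.
 * These are the grants to review once the site is upgraded.
 */
function roles_to_review(array $rows) {
  $flagged = array();
  foreach ($rows as $row) {
    $perms = perm_set($row['perm']);
    if (isset($perms[IMPORT_PERM]) && !isset($perms[PHP_PERM])) {
      $flagged[$row['rid']] = $row['name'];
    }
  }
  return $flagged;
}

// Constructed sample rows, shaped like {role} joined to {permission} on rid.
$rows = array(
  array('rid' => 2, 'name' => 'authenticated user', 'perm' => 'access content, access comments'),
  array('rid' => 3, 'name' => 'editor', 'perm' => 'access content, create mini panels'),
  array('rid' => 4, 'name' => 'site builder', 'perm' => 'create mini panels, use PHP for block visibility'),
);

foreach (roles_to_review($rows) as $rid => $name) {
  echo "review role $rid ($name): import access without the PHP permission\n";
}
```

With the sample rows only the "editor" role is reported: it held 'create mini panels' alone, so before the fix it had an implicit PHP execution grant the administrator never made.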

Versions Affected

  • Versions of Panels for Drupal 6.x prior to 6.x-3.4

Drupal core is not affected. If you do not use the contributed Panels module, there is nothing you need to do.

Solution

Install the latest version:

Reported by

Sam Boyer, co-maintainer of the Panels module.

Fixed by

Sam Boyer.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.