Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Hi
This has been run by the security team and it's been ok'd for a public issue as it is already covered under PSA-2011-02.
Basically the upload.php file in the plupload library examples folder allows for upload and execution of arbitrary php.
This patch (to follow) adds a requirements error if the file is still present.
Lee
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | plupload_security_d6.patch | 921 bytes | slashrsm |
| #1 | plupload-examples-1895328.patch | 988 bytes | larowlan |
Comments
Comment #1
larowlanPatch
Comment #2
slashrsm CreditAttribution: slashrsm commentedAdded an entry to README.txt and committed everything to 7.x-1.x and 7.x-2.x. Thanks for reporting this.
Will roll a new release shortly.
Comment #3
slashrsm CreditAttribution: slashrsm commentedShould I mark new release as security update?
Comment #4
larowlanThis will probably need backporting to 6
I will check re security release as there is no advisory
Comment #5
larowlanConfirming it's ok to tag this as a security release, ping me or someone else from security team on irc to get the node published.
Comment #6
slashrsm CreditAttribution: slashrsm commentedRolled a release.
Comment #7
slashrsm CreditAttribution: slashrsm commentedAttached patch was committed against 6.x-1.x. Thanks!
Comment #10
bwaindwain CreditAttribution: bwaindwain as a volunteer commentedAnyone coming here looking for a patch for v2x checkout https://www.drupal.org/project/plupload/issues/1903850#comment-11888767