Project: 
Version: 
7.x-2.10
Date: 
2017-December-06
Vulnerability: 
Remote Code Execution
Description: 

The Mailhandler module enables you to create nodes by email.

The Mailhandler module does not validate file attachments. By sending a correctly crafted e-mail to a mailhandler mailbox an attacker can execute arbitrary code.

The vulnerability applies to any active mailhandler mailbox, whether or not attachments are mapped to a field.

Mitigating factors:

  • For 7.x versions prior to 7.x-2.5, the vulnerability is mitigated by the fact that the 'MailhandlerCommandsFiles' plugin must be enabled. For later versions, the option to disable commands was removed, all commands are enabled in any case.
  • The vulnerability is mitigated by the fact that the attacker must pass the authentication step. The default authentication is that the attacker must send the crafted e-mail from a registered e-mail address.
  • The vulnerability is mitigated by the fact that the mailhandler mailbox e-mail address must be known by the attacker. This essentially depends on the usecase, e.g. Mailcomment module.
  • The vulnerability is mitigated by the fact that the webserver configuration must either permit the execution of some file extensions in the public filesystem or (Apache) has '.htaccess' support enabled through the AllowOverride directive.
Solution: 

Install the latest version:

Also see the Mailhandler project page.

Reported By: 
Coordinated By: