Date: 2019-April-17
Vulnerability: Denial of Service
Description: 

Stage File Proxy is a general solution for getting production files on a development server on demand.

The module doesn't sufficiently validate requested URLs, allowing an attacker to send repeated requests for files that do not exist, which could exhaust resources on the server where Stage File Proxy is installed.

This vulnerability is mitigated by the fact that an attacker must make repeated requests. The vulnerability only exists on environments where Stage File Proxy is installed (it generally is not installed on production). It only affects sites where the "Hot Link" option is disabled (disabled is the default configuration).
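To check whether an environment running the module is seeing this pattern, the following added example (not part of the advisory or the module's code) scans a web server access log for clients that send bursts of failed requests under the public files path. The combined log format, the `/sites/default/files/` prefix, the threshold and the window are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: public files are served from this path (Drupal's usual default).
FILES_PREFIX = "/sites/default/files/"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def flag_miss_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak_count} for clients whose failed requests for
    files under FILES_PREFIX reach `threshold` within any sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed requests
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(FILES_PREFIX):
            continue
        # Count only failed responses (404 or 5xx); served files are normal use.
        if m["status"] != "404" and not m["status"].startswith("5"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop misses that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

# Constructed sample log (documentation IP ranges, made-up file names).
def _line(ip, sec, path, status):
    return (f'{ip} - - [17/Apr/2019:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 0 "-" "-"')

SAMPLE_LOG = (
    [_line("203.0.113.7", s, f"{FILES_PREFIX}missing-{s}.jpg", 404) for s in range(0, 40, 5)]
    + [_line("198.51.100.4", 3, f"{FILES_PREFIX}logo.png", 200),
       _line("198.51.100.4", 9, f"{FILES_PREFIX}old-banner.png", 404),
       _line("198.51.100.4", 12, "/node/1", 200)]
)

if __name__ == "__main__":
    for ip, peak in flag_miss_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed file requests within 60s")
```

A single 404 from an ordinary visitor stays below the threshold; tune `threshold` and `window` to the traffic the environment normally sees.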

Solution: 

Install the latest version:

Also see the Stage File Proxy project page.

Reported By: 
Fixed By: 
Coordinated By: