Vigil@nce - Drupal: file reading via Htmlarea
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a special image name in the Htmlarea module of
Drupal, in order to upload a file outside the storage directory.
– Impacted products: Drupal
– Severity: 2/4
– Creation date: 13/05/2013
DESCRIPTION OF THE VULNERABILITY
The Htmlarea module is used to format text.
However, an attacker can use a special image name in the Htmlarea
module of Drupal, in order to upload a file outside the storage directory.
Technical details are unknown.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-file-reading-via-Htmlarea-12782