SA-CONTRIB-2010-059: Panels - Arbitrary PHP code execution
Advisory ID: DRUPAL-SA-CONTRIB-2010-059
- Project: Panels (third-party module)
- Versions: 6.x
- Date: 2010 May 19
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Arbitrary PHP code execution
DESCRIPTION
The Panels module allows a site administrator to create customized layouts
for multiple uses. The "Mini panels" module, included with Panels, was found
to have an arbitrary PHP code execution vulnerability: users holding only the
'create mini panels' permission could execute arbitrary PHP code on the server
through the mini panel import functionality. An additional check for the
Drupal core permission 'use PHP for block visibility' has been added, so that
the import functionality is only available to users the site administrator has
already granted the right to execute PHP.
VERSIONS AFFECTED
- Versions of Panels for Drupal 6.x prior to 6.x-3.4
Drupal core is not affected. If you do not use the contributed Panels module,
there is nothing you need to do.
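The following is an added illustration of the permission gap the advisory describes and of the kind of check the fix adds; it is not code from the Panels module. The Drupal 6 APIs used (hook_menu access callbacks, user_access(), form_set_error()) are real, but the function names, the menu path and the export text are assumptions made for this example. It also assumes, as the advisory implies, that the importer evaluates the pasted export definition as PHP.

```php
<?php
// Example only: not the Panels module's own code. Function names, the menu
// path and the pasted export string below are assumptions for illustration.

/**
 * Menu entry for the import page as it looked before the fix (hypothetical).
 * The only gate is the module's own permission.
 */
function example_mini_import_menu_vulnerable() {
  $items = array();
  $items['admin/build/mini-panels/import'] = array(
    'title' => 'Import mini panel',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_mini_import_form'),
    // Vulnerable: 'create mini panels' alone reaches a form that runs eval().
    'access arguments' => array('create mini panels'),
  );
  return $items;
}

/**
 * Access callback mirroring the 6.x-3.4 fix: the importer must hold both the
 * module permission and the core permission that already lets a user run PHP.
 */
function example_mini_import_access() {
  return user_access('create mini panels')
    && user_access('use PHP for block visibility');
}

/**
 * Same menu entry with the combined access callback in place of the single
 * permission string.
 */
function example_mini_import_menu_fixed() {
  $items = example_mini_import_menu_vulnerable();
  $items['admin/build/mini-panels/import']['access callback'] = 'example_mini_import_access';
  unset($items['admin/build/mini-panels/import']['access arguments']);
  return $items;
}

/**
 * Why the permission matters: the import form evaluates the pasted export
 * as PHP, so whatever the user submits runs with the web server's privileges.
 * This mirrors the Drupal 6 export format, where an export is PHP code that
 * assigns to $mini; eval() is the execution sink.
 */
function example_mini_import_form_validate($form, &$form_state) {
  $code = $form_state['values']['object'];
  ob_start();
  eval($code);
  ob_end_clean();
  if (empty($mini) || !is_object($mini)) {
    form_set_error('object', t('Unable to get a mini panel out of that.'));
    return;
  }
  $form_state['mini'] = $mini;
}

// Constructed "export" a low-privileged user could paste. It is valid PHP and
// does produce a $mini object, so the unguarded importer would run the
// shell_exec() call and accept the import.
$malicious_export = '$mini = new stdClass; $mini->name = "x"; '
  . 'file_put_contents("/tmp/pwned", shell_exec("id"));';
```

Note that the check does not remove the eval() sink; it restricts it to users who, per the advisory, have already been trusted with PHP execution through 'use PHP for block visibility'. When auditing a site, treat 'create mini panels' on a pre-6.x-3.4 install as equivalent to granting PHP execution.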
SOLUTION
Install the latest version:
* If you use Panels for Drupal 6.x upgrade to Panels 6.x-3.4 [1]
REPORTED BY
Sam Boyer [2], co-maintainer of the Panels module.
FIXED BY
Sam Boyer.