Advisory ID: DRUPAL-SA-CONTRIB-2010-059

• Project: Panels (third-party module)
• Versions: 6.x
• Date: 2010 May 19
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Arbitrary PHP code execution
• The Panels module allows a site administrator to create customized layouts
  for multiple uses. The "Mini panels" module, included with panels, was found
  to have an arbitrary PHP code execution vulnerability. Users with the 'create
  mini panels' permission could execute arbitrary PHP code on the server via
  the import functionality. An additional check for the permission 'use PHP for
  block visibility' has been added to ensure that the site administrator has
  already granted users of the import functionality the permission to execute
  PHP.
• VERSIONS AFFECTED
• Versions of Panels for Drupal 6.x prior to 6.x-3.4

Drupal core is not affected. If you do not use the contributed Panels module,
there is nothing you need to do.
SOLUTION

Install the latest version:
* If you use Panels for Drupal 6.x upgrade to Panels 6.x-3.4 [1]

REPORTED BY

Sam Boyer [2], co-maintainer of the Panels module.
FIXED BY

Sam Boyer.