Thanks to Justin for identifying and describing this issue. With a little more detail inline.
On Wed, Aug 14, 2013 at 7:33 AM, Justin C. Klein Keane <jus...@madirish.net> wrote: <snip> > Mitigating factors: > - ------------------- > In order to inject arbitrary script malicious attackers must have the > ability to manipulate module .info files on a site filesystem, perhaps > via permissions misconfiguration, It feels unclear to me if the permissions mentioned here are Drupal permissions or others. So, to be clear, this would require server file permission misconfiguration. The info files are placed in the same directories as php code. For this vulnerability to be significant it would require permissions like: -rw-rw-rw- 1 deployuser deployuser 243 Jan 7 2013 machine_name.info -rw-rw-r-- 1 deployuser deployuser 434 Jan 7 2013 machine_name.install -rw-rw-r-- 1 deployuser deployuser 3802 Jan 7 2013 machine_name.module Or maybe: -rw-rw-r-- 1 deployuser somegroup 243 Jan 7 2013 machine_name.info -rw-r--r-- 1 deployuser somegroup 434 Jan 7 2013 machine_name.install -rw-r--r-- 1 deployuser somegroup 3802 Jan 7 2013 machine_name.module In the first scenario the attacker would just need a shell on the server. In the second scenario the attacker would need a shell on the server and membership in somegroup. <snip> > feels this issue is already public (https://drupal.org/node/637538), > however the public discussion only concerns the development of the > next major release of Drupal - Drupal 8. There is no mention in the > public discussion, of the fact that this issue faces both current > supported release versions (Drupal 7 and Drupal 6) and likely previous > releases. I updated that issue to include Drupal 7 and Drupal 6 mentions. It's true this affects previous releases, but previous releases are explicitly EOL and full of holes that are not documented. * Drupal 5 EOL Announcement: https://drupal.org/node/1027214 * Drupal 4.7 EOL Announcement: https://drupal.org/node/225729 Regards, Greg _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/