Hello,
in one scenario you allow a Drupal 5.x user to administer content
types - to set up new structures for node content. This permission
doesn't allow the user to create content, to upload material, or to
interact with the filesystem in any way.
On Thu, 29 Jan 2009 09:15:46 EST, "Justin C. Klein Keane" said:
> Two flaws exist in this module. The first flaw allows for an attacker
> to upload arbitrary files to the filesystem. The vulnerability allows
> attackers to upload arbitrary files in place of the 'Default image'
> specified in the
Drupal Imagefield Module Multiple Vulnerabilities
Security Risk: High
Exploitable: Remotely
Vulnerabilities: Arbitrary File Upload, Cross Site Scripting
Discovered by: Justin C. Klein Keane, Andrew Rosborough
Tested: Imagefield 5.x-2.2 on Drupal 5.