CVE-2008-0577

Currently unrated

Key Information:

Vendor: Drupal
Status: Project Issue Tracking Module
Vendor: CVE Published:; 5 February 2008

Summary

The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML.

References

http://www.vupen.com/english/advisories/2008/0376/references

vdb-entryx_refsource_VUPEN

http://drupal.org/node/216063

x_refsource_CONFIRM

http://secunia.com/advisories/28731

third-party-advisoryx_refsource_SECUNIA

Timeline

Vulnerability published
Feb 5, 2008
Vulnerability Reserved
Feb 4, 2008