File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

Project: File (Field) Paths
Date: 2018-August-15
Security risk: *Critical* 15∕25
Vulnerability: Remote Code Execution

Description

This module enables you to automatically sort and rename your uploaded files
using token-based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is being
uploaded, allowing a remote attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have access
to a form containing a widget processed by this module.
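The advisory does not spell out how the unsanitized path is abused, so the following is an added illustration (not the filefield_paths module's own code or its fix) of the two properties a module that builds destination paths from token replacement should enforce before moving a file: the expanded path must stay inside the files directory, and the resulting filename must not carry an extension the web server would execute. The `$files_dir` and `$token_path` parameters and the sample inputs are assumptions.

```php
<?php
// Added example, not code from the filefield_paths project.

/**
 * Validate a destination path built from expanded tokens.
 *
 * @param string $files_dir  Absolute path of the site's files directory (assumed).
 * @param string $token_path Relative path after token replacement, e.g. the
 *                           result of "[user:name]/[file:name]" (assumed).
 *
 * @return string|null The absolute destination, or NULL if the path is unsafe.
 */
function filefield_paths_example_safe_destination($files_dir, $token_path) {
  // Null bytes injected through a token value can truncate the path in C-level
  // filesystem calls, so reject them outright.
  if (strpos($token_path, "\0") !== FALSE) {
    return NULL;
  }
  $parts = array();
  foreach (explode('/', str_replace('\\', '/', $token_path)) as $seg) {
    if ($seg === '' || $seg === '.') {
      continue;
    }
    // A ".." segment is the classic way a user-controlled token (a username,
    // a file title) escapes the files directory; reject rather than normalise,
    // so the attempt is visible to the caller and can be logged.
    if ($seg === '..') {
      return NULL;
    }
    $parts[] = $seg;
  }
  if (empty($parts)) {
    return NULL;
  }
  // Refuse names the web server may execute, including double extensions
  // such as "image.php.jpg" that some server configurations still run.
  $basename = end($parts);
  if (preg_match('/\.(php|phtml|php[3-7]|phps|phar|pl|py|cgi|asp|js)(\.|$)/i', $basename)) {
    return NULL;
  }
  return rtrim($files_dir, '/') . '/' . implode('/', $parts);
}

// Constructed sample inputs for a quick manual check.
var_dump(filefield_paths_example_safe_destination('/var/www/files', 'alice/report.pdf'));
// string(33) "/var/www/files/alice/report.pdf"
var_dump(filefield_paths_example_safe_destination('/var/www/files', '../../shell.php'));
// NULL
var_dump(filefield_paths_example_safe_destination('/var/www/files', 'alice/avatar.php.jpg'));
// NULL
```

Rejecting rather than silently rewriting an unsafe path gives the site a signal worth logging, since a traversal or executable-extension attempt against an upload widget is rarely accidental.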

Solution

Install the latest version:

* If you use the filefield_paths module for Drupal 7.x, upgrade to filefield_paths 7.x-1.1
