#VU465 Arbitrary PHP code execution in Drupal - CVE-2012-5653

Cybersecurity Help s.r.o.

Published: 2016-09-15

Vulnerability identifier: #VU465

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2012-5653

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows a remote user to cause arbitrary code execution on the target system.
The weakness exists due to improper munging of uploaded files name. The vulnerability allows attacker with server permission to upload a specially named file that can bypass the filename munging and cause arbitrary code execution.
Successful exploitation of the weakness results in arbitrary code execution on the vulnerable system.

Mitigation
Update 6.x to 6.27.
https://www.drupal.org/drupal-6.27-release-notes
Update 7.x to 7.18.
https://www.drupal.org/drupal-7.18-release-notes

Vulnerable software versions

Drupal: 6.0 - 6.26, 7.0 - 7.17

External links
https://www.drupal.org/SA-CORE-2012-004

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arbitrary PHP code execution in Drupal Drupal

Fedora EPEL 5 update for drupal6, drupal7

Fedora EPEL 6 update for drupal6, drupal7