------------SA-2008-004 - FILESHARE - ARBITRARY CODE EXECUTION------------
* Advisory ID: DRUPAL-SA-2008-004
* Project: Fileshare (third-party module)
* Version: 4.7.x, 5.x
* Date: 2008-January-10
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
------------DESCRIPTION------------
The fileshare module is used to create nodes that allow browsing, uploading, downloading and deleting of files from a fileshare directory that is created by Drupal and linked to the node.
Users who are able to create fileshare nodes are able to execute arbitrary code on the server.
------------VERSIONS AFFECTED------------
All versions of Fileshare.
Drupal core is not affected. If you do not use the contributed Fileshare module, there is nothing you need to do.
------------SOLUTION------------
Disable the Fileshare module and remove the module from your filesystem. There is no fixed version of Fileshare available. The project has been removed from Drupal.org.
------------REPORTED BY------------
Magne Eimot.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].