Re: CVE-request: Drupal Finder SA-CONTRIB-2012-017

[Kurt Seifried <kseifried () redhat com>]

On 03/16/2012 01:38 AM, Henri Salo wrote:
> Can we assign CVE-identifier for this vulnerability http://drupal.org/node/1432970 (SA-CONTRIB-2012-017)?

Please use CVE-2012-1561 for this issue.

> Description
> Finder is a Drupal module that allows users to create faceted search forms. The module's autocomplete, checkbox, and 
> radio button functionalities previously did not sanitize the output of fields and raw database values.
>
> In addition, users with the "administer finder" permission were able to execute arbitrary code through a PHP import 
> interface; specific PHP execution permissions were not required.Updated: This issue affected only the 7.x branch of 
> code. The 6.x branch used the permission "administer finder PHP settings" which is sufficiently clear that it allows 
> execution of PHP code.
>
> Versions affected
> Finder 6.x-1.x prior to 6.x-1.26
> Finder 7.x-1.x versions (all)
> Finder 7.x-2.x versions prior to 7.x-2.0-alpha8
> Drupal core is not affected. If you do not use the contributed Finder module, there is nothing you need to do.
>
> Project: Finder (third-party module)
> Date: 2012-February-08
> Security risk: Moderately critical
> Exploitable from: Remote
> Vulnerability: Cross Site Scripting, Arbitrary PHP code execution, Multiple vulnerabilities
>
> http://osvdb.org/show/osvdb/79014
> http://osvdb.org/show/osvdb/79015
> http://secunia.com/advisories/47943/
> http://secunia.com/advisories/47915/
> http://secunia.com/advisories/47941/
>
> - Henri Salo


-- 
Kurt Seifried Red Hat Security Response Team (SRT)