File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065
Project: File (Field) Paths
Date: 2022-December-14
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description: The File (Field) Paths module extends the default functionality of Drupal's core File module by adding the ability to use entity-based tokens in destination paths and file names.
The module's default configuration could temporarily expose private files to anonymous visitors.
Important note: to fix the problem, database updates must be run in addition to updating the module.
It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths: the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.
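The following script is an added example for this advisory, not code from the advisory itself or from the File (Field) Paths module. It audits the configured temporary upload location on a Drupal 7 site and moves it off the publicly served public:// wrapper. It assumes the module stores that location in the Drupal variable filefield_paths_temp_location (with the module's pre-fix default of public://filefield_paths), which is the setting behind the form at /admin/config/media/file-system/filefield-paths; that variable name is an assumption here, as is running the script with `drush php-script` after the module update and database updates have been applied.

```php
<?php
/**
 * Added example, not part of the advisory or of the File (Field) Paths module:
 * audit the module's temporary upload location on a Drupal 7 site and move it
 * off a publicly served stream wrapper.
 *
 * Assumptions (not stated in the advisory):
 *  - the location lives in the Drupal variable 'filefield_paths_temp_location',
 *    with a pre-fix default of 'public://filefield_paths';
 *  - the script is run from the site root with `drush php-script audit_ffp.php`
 *    after `drush pm-update filefield_paths` and `drush updb`.
 */

// Schemes whose files the web server hands out without passing through Drupal.
// Anything staged under one of these is reachable by whoever can guess the path.
$publicly_served = array('public');

// Where uploads should be staged instead. temporary:// normally points outside
// the web root; private:// is served through Drupal's own access checks.
$safe_default = 'temporary://filefield_paths';

$location = variable_get('filefield_paths_temp_location', 'public://filefield_paths');
$scheme = file_uri_scheme($location);

if ($scheme === FALSE || !file_stream_wrapper_valid_scheme($scheme)) {
  drush_print("Temp location '$location' has no valid stream wrapper; setting it to $safe_default.");
  variable_set('filefield_paths_temp_location', $safe_default);
}
elseif (in_array($scheme, $publicly_served, TRUE)) {
  drush_print("Temp location '$location' is on a publicly served wrapper; setting it to $safe_default.");
  variable_set('filefield_paths_temp_location', $safe_default);
}
else {
  drush_print("Temp location '$location' uses the $scheme:// wrapper; no change needed.");
}

// Changing the setting does not touch files already staged in the old public
// directory; they stay exposed until removed, so report them rather than hide them.
if ($scheme === 'public') {
  $real = drupal_realpath($location);
  if ($real && is_dir($real)) {
    $leftover = array_diff(scandir($real), array('.', '..'));
    drush_print(count($leftover) . " file(s) remain in $real; review and remove them once pending uploads have completed.");
  }
}
```

Two caveats when applying this: temporary:// only helps if the site's configured temporary directory is itself outside the web root, and changing the location is a mitigation, not a substitute for installing the fixed release and running its database updates.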
This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.
Solution: Install the latest version:
- If you use the File (Field) Paths module for Drupal 7.x, upgrade to File (Field) Paths 7.x-1.2
Reported By:
- Hayato Goto
- Drew Webber of the Drupal Security Team
- Steve Bink
Fixed By:
- Hayato Goto
- David Snopek of the Drupal Security Team
- Vijay Mani provisional member of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Oleh Vehera
- Damien McKenna of the Drupal Security Team
Coordinated By:
- David Snopek of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team