CVE-2012-1645
Description
The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php.
Mitigations
- Vendor advisory: secalert@redhat.com — https://drupal.org/node/1441502
- Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/48032
- Vendor advisory: secalert@redhat.com — http://drupalcode.org/project/cdn.git/commitdiff/eca85e6
- Vendor advisory: secalert@redhat.com — http://drupalcode.org/project/cdn.git/commitdiff/cd2a5ff
- Vendor advisory: secalert@redhat.com — http://drupal.org/node/1441482
References
- http://drupal.org/node/1441480
- http://drupal.org/node/1441482
- http://drupalcode.org/project/cdn.git/commitdiff/cd2a5ff
- http://drupalcode.org/project/cdn.git/commitdiff/eca85e6
- http://secunia.com/advisories/48032
- http://www.openwall.com/lists/oss-security/2012/04/07/1
- http://www.osvdb.org/79317
- https://drupal.org/node/1441502
CWEs
CWE-200