PROBLEM:
A vulnerability has been reported in the Drag & Drop Gallery module for Drupal, which can be exploited by malicious people to compromise a vulnerable system.
PLATFORM:
Drupal Drag & Drop Gallery Module 6.x
ABSTRACT:
The vulnerability is caused by the sites/all/modules/dragdrop_gallery/upload.php script improperly validating uploaded files, which can be exploited to execute arbitrary PHP code by uploading a PHP file with e.g. an appended ".gif" file extension.
Reference Links:
Original Advisory
Secunia ID 49698
No Current CVE Reference
IMPACT ASSESSMENT:
High
Discussion:
Successful exploitation requires that Apache is not configured to handle the MIME type for media files with e.g. a ".gif" extension (it is configured to handle it by default). The vulnerability is confirmed in version 6.x-1.5. Other versions may also be affected.
Impact:
System access from remote
Solution:
Restrict access to the sites/all/modules/dragdrop_gallery/upload.php script (e.g. via .htaccess).