Information Exposure in source drupal.

Created on 20 February 2020, almost 5 years ago
Updated 2 November 2024, about 1 month ago

Description

- Function moveUploadedFile() in \core\lib\Drupal\Core\File\FileSystem.php in Drupal 8.8.2 and earlier obtains sensitive information via an uploaded file, which reveals the installation path in an error message.

Steps To Reproduce:

1: access domain.com/drupal/node/1 and upload a picture with the name "anyname<>.jpg"

2: access domain.com/drupal/admin/reports/dblog to see the error message
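The report's concern is that a failed move logs a message naming where Drupal lives on disk. As an added illustration (not Drupal's own code), the snippet below builds the error message from the stream-wrapper URI instead of the resolved filesystem path and scrubs the install root as a second layer; INSTALL_ROOT and PUBLIC_FILES_DIR are assumed, constructed values.

```php
<?php
// Added illustration, not Drupal's implementation: report a failed upload move
// without exposing the installation directory in the logged message.

// Constructed values for the illustration (hypothetical install layout).
const INSTALL_ROOT = '/var/www/html/drupal';
const PUBLIC_FILES_DIR = INSTALL_ROOT . '/sites/default/files';

/**
 * Map a resolved path under the public files directory back to its
 * public:// URI so messages never name the on-disk location.
 */
function toPublicUri(string $realPath): string {
  if (strpos($realPath, PUBLIC_FILES_DIR . '/') === 0) {
    return 'public://' . substr($realPath, strlen(PUBLIC_FILES_DIR) + 1);
  }
  return $realPath;
}

/**
 * Defence in depth: strip the install root from any message before it reaches
 * the log, catching paths interpolated by code that was not audited.
 */
function scrubInstallPath(string $message): string {
  return str_replace(INSTALL_ROOT, '[install-root]', $message);
}

function moveErrorMessage(string $filename, string $destinationRealPath): string {
  $message = sprintf('Upload error. Could not move uploaded file %s to destination %s.',
    $filename, toPublicUri($destinationRealPath));
  return scrubInstallPath($message);
}

// Constructed sample using the file name from the report; the destination is
// what a stream wrapper would resolve public://2024-11/anyname<>.jpg to on disk.
$msg = moveErrorMessage('anyname<>.jpg', PUBLIC_FILES_DIR . '/2024-11/anyname<>.jpg');
echo $msg, PHP_EOL;

// Self-check: the message destined for dblog must not reveal the install path.
if (strpos($msg, INSTALL_ROOT) !== false) {
  throw new RuntimeException('Log message leaks the installation path');
}
```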

🐛 Bug report
Status

Closed: outdated

Version

11.0 🔥

Component

file system

Created by

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇳🇿New Zealand quietone

    I tested this on Drupal 11.x today and was not able to reproduce the problem. I did force moveUploadedFile() to return FALSE, which then logged this error, which does not include the path to drupal.

    Upload error. Could not move uploaded file anyname<>.jpg to destination public://2024-11/anyname<>.jpg.

    Therefore, closing this as outdated.
