Your submission was sent successfully! Close

CVE-2010-3092

Published: 21 September 2010

The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.

Priority

Low

Status

Package Release Status
drupal5
Launchpad, Ubuntu, Debian
Upstream
Released (5.23)
Patches:
Debdiff: https://bugs.launchpad.net/ubuntu/+source/drupal6/+bug/539056
drupal6
Launchpad, Ubuntu, Debian
Upstream
Released (6.18, 6.16-1)
Patches:
Debdiff: https://bugs.launchpad.net/ubuntu/+source/drupal6/+bug/539056