Drupal Security Team: DRUPAL-SA-CONTRIB-2013-004

History: Jan 16, 2012 - 12:00 a.m.

SA-CONTRIB-2013-004 - Live CSS - Arbitrary Code Execution

Published: 2012-01-16 00:00:00
Source: Drupal Security Team, www.drupal.org

CVSS2: 6 Medium (AV:N/AC:M/Au:S/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.01 Low (percentile 83.9%)

This module enables you to save CSS and LESS files on the server via your browser.

The module doesn’t check that the file being saved isn’t a script or executable.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer CSS”.
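The flaw described above is a missing check on what a browser-supplied filename may point to. The following is an added illustration of the two checks a stylesheet-saving endpoint needs before writing; it is not the Live CSS module's code, and the function names, the `$base_dir` argument and the directory layout are assumptions. The "administer CSS" permission check remains the first gate and is assumed to have already passed.

```php
<?php
// Illustrative hardening for a "save CSS/LESS from the browser" feature.
// Added example, not code from the Live CSS module; names are assumptions.

const LIVECSS_ALLOWED_EXTENSIONS = ['css', 'less'];

/**
 * Return the absolute path a stylesheet may be written to, or NULL if the
 * request must be refused.
 *
 * Two checks the advisory describes as missing:
 *   1. the target must end in a stylesheet extension, judged by its LAST
 *      extension, so "style.php" and "style.css.php" are both refused;
 *   2. the resolved target must stay inside the stylesheet directory, so a
 *      name such as "../../index.php" cannot escape it.
 */
function livecss_safe_target(string $base_dir, string $requested): ?string {
  $base = realpath($base_dir);
  if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
    return NULL;
  }
  // Allowlist on the final extension only.
  $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
  if (!in_array($ext, LIVECSS_ALLOWED_EXTENSIONS, true)) {
    return NULL;
  }
  // Resolve the containing directory (it must already exist) and confirm it
  // is the base directory itself or a sub-directory of it.
  $dir = realpath($base . DIRECTORY_SEPARATOR . dirname($requested));
  $prefix = $base . DIRECTORY_SEPARATOR;
  if ($dir === false || strncmp($dir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
    return NULL;
  }
  return $dir . DIRECTORY_SEPARATOR . basename($requested);
}

// Before (the pattern the advisory describes): whatever name the browser
// sends is written as-is, so a script file can land in a web-served path:
//   file_put_contents($base_dir . '/' . $_POST['file'], $_POST['css']);
// After: only a validated stylesheet path is ever written.
function livecss_save(string $base_dir, string $requested, string $css): bool {
  $target = livecss_safe_target($base_dir, $requested);
  if ($target === NULL) {
    return false;
  }
  return file_put_contents($target, $css) !== false;
}
```

Pairing the extension allowlist with a web-server rule that never executes files under the stylesheet directory gives defence in depth should either check be bypassed.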

CVE identifier(s) issued

  • CVE-2013-0206

Versions affected

  • Live CSS 6.x-2.x versions prior to 6.x-2.1.
  • Live CSS 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed Live CSS module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Live CSS module for Drupal 6.x, upgrade to 6.x-2.1.
  • If you use the Live CSS module for Drupal 7.x, upgrade to 7.x-2.7.

Also see the Live CSS project page.

Reported by

Fixed by

Coordinated by
