Moderately Critical Access Bypass Vulnerability in Fancy File Delete Module


The Drupal Security Team announced a moderately critical access bypass vulnerability, SA-CONTRIB-2022-023, in the Fancy File Delete module on February 9th, 2022. The vulnerability is classified as moderately critical based on the risk score

14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

The Fancy File Delete module provides several ways to delete files cleanly. It allows:

  1. Viewing all managed files, with an option to force-delete them via VBO (Views Bulk Operations) custom actions.
  2. Manually deleting managed files by FID (with an option to force the delete if you really want to).
  3. Deleting unused files from the default files directory that are not in the file_managed table, i.e. deleting all unmanaged files.
  4. Deleting unused files from the whole install that are no longer attached to nodes but are still in the file_usage table, i.e. deleting all orphaned files.
  5. Deleting files via Drush by FID(s).

The access bypass exists because the module did not sufficiently protect its unmanaged-files view. An unauthenticated user who knows the path of that view can visit it and attempt to delete files, which results in duplicate files being created.

To mitigate this issue without deploying code, review all views that are based on Fancy File Delete and ensure their access control is set to require the permission "administer unmanaged files entities".

Solution

The Drupal Security Team recommends installing the latest version and checking the views configuration:

  1. If you use the Fancy File Delete module for Drupal ^8.x, upgrade to Fancy File Delete 2.0.7
  2. Review all views that are based on Fancy File Delete and ensure they have access control set to use the permission "administer unmanaged files entities".
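The mitigation above and step 2 of the solution are the same check: every display of every view built on Fancy File Delete must be restricted by the "administer unmanaged files entities" permission. The following script is an added example, not code from the Fancy File Delete project or the Drupal Security Team. It audits exported views configuration (the structure of a `views.view.*.yml` file from `drush config:export`, loaded into a dict) and flags any display that is not gated by that permission. It assumes that a view built on the module's base table lists `fancy_file_delete` under `dependencies.module` in its exported config, and the sample views at the bottom are constructed for the example, not real site config.

```python
"""Audit exported Drupal views configuration for the access control SA-CONTRIB-2022-023 requires.

Added example; not code from the Fancy File Delete project or the Drupal Security Team.
Input is the structure of a views.view.*.yml file as exported by `drush config:export`
(or returned by `drush config:get views.view.NAME`), loaded into a Python dict.
"""
from typing import Any, Dict, List

# Permission named in the advisory.
REQUIRED_PERM = "administer unmanaged files entities"
# Assumption: a view built on a base table the module supplies lists the module
# under dependencies.module in its exported config.
MODULE = "fancy_file_delete"


def is_fancy_file_delete_view(view: Dict[str, Any]) -> bool:
    """True if the view's exported config declares a dependency on the module."""
    deps = (view.get("dependencies") or {}).get("module") or []
    return MODULE in deps


def effective_access(view: Dict[str, Any], display_id: str) -> Dict[str, Any]:
    """Return the access settings that actually apply to one display.

    In Views, a display that omits an option inherits it from the 'default'
    (master) display, so a page display with no 'access' key of its own is
    only as protected as the default display is.
    """
    displays = view.get("display") or {}
    default_opts = (displays.get("default") or {}).get("display_options") or {}
    own_opts = (displays.get(display_id) or {}).get("display_options") or {}
    if "access" in own_opts:
        return own_opts["access"]
    return default_opts.get("access") or {"type": "none", "options": {}}


def audit_view(view: Dict[str, Any]) -> List[str]:
    """Return one finding per display that is not restricted by REQUIRED_PERM."""
    findings: List[str] = []
    if not is_fancy_file_delete_view(view):
        return findings
    for display_id in (view.get("display") or {}):
        access = effective_access(view, display_id)
        access_type = access.get("type")
        perm = (access.get("options") or {}).get("perm")
        # Role- or no-access displays fail too: the advisory asks for the permission.
        if access_type != "perm" or perm != REQUIRED_PERM:
            findings.append(
                f"{view.get('id')}:{display_id} access type={access_type!r} perm={perm!r}"
            )
    return findings


def audit_views(views: List[Dict[str, Any]]) -> List[str]:
    """Audit a list of loaded view configs and return all findings."""
    return [finding for view in views for finding in audit_view(view)]


# Constructed sample configs (not real exported config): the first view leaves the
# default display open and its page display inherits that; the second is fixed;
# the third is unrelated and must be skipped.
SAMPLE_VIEWS: List[Dict[str, Any]] = [
    {
        "id": "unmanaged_files_open",
        "dependencies": {"module": ["fancy_file_delete", "views"]},
        "display": {
            "default": {
                "display_plugin": "default",
                "display_options": {"access": {"type": "none", "options": {}}},
            },
            "page_1": {
                "display_plugin": "page",
                "display_options": {"path": "admin/unmanaged-files-example"},
            },
        },
    },
    {
        "id": "unmanaged_files_fixed",
        "dependencies": {"module": ["fancy_file_delete", "views"]},
        "display": {
            "default": {
                "display_plugin": "default",
                "display_options": {
                    "access": {"type": "perm", "options": {"perm": REQUIRED_PERM}}
                },
            },
            "page_1": {
                "display_plugin": "page",
                "display_options": {"path": "admin/unmanaged-files-example-fixed"},
            },
        },
    },
    {
        "id": "content",
        "dependencies": {"module": ["node", "views"]},
        "display": {
            "default": {
                "display_options": {
                    "access": {"type": "perm", "options": {"perm": "access content"}}
                }
            }
        },
    },
]

if __name__ == "__main__":
    for line in audit_views(SAMPLE_VIEWS):
        print("FAIL", line)
```

To run it against a real site, load each `views.view.*.yml` from your config sync directory with `yaml.safe_load` (PyYAML) and pass the resulting dicts to `audit_views`. The point the script makes explicit is the inheritance rule: a page display with no access setting of its own inherits whatever the default display has, so checking only the page display in the Views UI is not enough.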

2,304 sites report using the Fancy File Delete module.

Source:
https://www.drupal.org/sa-contrib-2022-023
https://www.drupal.org/project/fancy_file_delete
