Drupal File Field Paths Information Disclosure Vulnerability
Vulnerability
An information disclosure vulnerability has been identified in the File (Field) Paths module for Drupal 7, specifically in versions 7.x prior to 7.1.3. The issue arises from improper handling of file URIs after files are moved, which leaves the URIs inconsistent in a way that authenticated users can exploit. When multiple users upload files with the same name, the module overwrites the file URI incorrectly. As a result, modules that implement hook_node_insert(), such as those handling email attachments, may receive incorrect file URIs. This bypasses the standard access controls on private files and can disclose other users' private files.
Impact
Exploitation of this vulnerability can lead to unauthorized access to private files, causing potential data breaches and violations of user privacy.
Reproduction
To reproduce this vulnerability, create a Drupal 7 installation and install a vulnerable version of the File Field Paths module, such as 7.1.2. After enabling the module and its dependencies, set up private file storage and configure the module to organize files automatically. Then upload files with colliding names under different user roles that have access to private files. The module will incorrectly overwrite the file URIs, so that hook_node_insert() implementations are given, and can expose, the wrong private files.
Remediation
Users can upgrade to File Field Paths version 7.x-1.3, available in both .tar.gz and .zip formats. Those using Drupal 7 can also sign up for HeroDevs' Never-Ending Support, which includes access to the patched version of this module.
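To find installations that still need the upgrade described above, the following added example (not part of the original advisory or the module's code) reads the `version` line that drupal.org packaging writes into the module's `.info` file and compares it with 7.x-1.3. The machine name `filefield_paths` and the sample `.info` contents are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 3)  # 7.x-1.3, the patched release named under Remediation

# Constructed sample: drupal.org packaging appends the version/project lines.
SAMPLE_INFO = '''name = File (Field) Paths
core = 7.x
; Information added by Drupal.org packaging script
version = "7.x-1.2"
project = "filefield_paths"
'''

VERSION_LINE = re.compile(r'^[ \t]*version[ \t]*=[ \t]*"?([^"\s]+)"?[ \t\r]*$', re.M)
RELEASE = re.compile(r'^7\.x-(\d+)\.(\d+)(-(?:alpha|beta|rc)\d+)?$')

def classify(info_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one .info file body."""
    found = VERSION_LINE.search(info_text)
    if not found:
        return "unknown"  # e.g. a git checkout with no packaged version line
    release = RELEASE.match(found.group(1))
    if not release:
        return "unknown"  # dev snapshot such as 7.x-1.x-dev: inspect by hand
    number = (int(release.group(1)), int(release.group(2)))
    if number < FIXED:
        return "vulnerable"
    if number == FIXED and release.group(3):
        return "unknown"  # pre-release of the fixed version, fix not guaranteed
    return "patched"

def audit(docroot):
    """Classify every filefield_paths.info found below docroot."""
    return {str(path): classify(path.read_text(errors="replace"))
            for path in Path(docroot).rglob("filefield_paths.info")}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in sorted(audit(root).items()):
        print(f"{verdict:10} {path}")
```

Run it with the Drupal docroot as the only argument; any copy reported as `unknown` needs a manual check against the 7.x-1.3 release.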
