Hírolvasó

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

Biztonsági figyelmeztetések (core) - 2020. november 26. 00.57
Project: Drupal coreDate: 2020-November-25Security risk: Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:UncommonVulnerability: Arbitrary PHP code executionCVE IDs: CVE-2020-28949CVE-2020-28948Description: 

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files.

This is a different issue than SA-CORE-2019-12, similar configuration changes may mitigate the problem until you are able to patch.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable.

Reported By: Fixed By: 

SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038

Biztonsági figyelmeztetések (contrib) - 2020. november 18. 18.27
Project: SAML SP 2.0 Single Sign On (SSO) - SAML Service ProviderDate: 2020-November-18Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables your users residing at a SAML 2.0 compliant Identity Provider to login to your Drupal website.

The module has two Authentication Bypass vulnerabilities.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037

Biztonsági figyelmeztetések (contrib) - 2020. november 18. 18.22
Project: Ink FilepickerDate: 2020-November-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.

It looks like the 3rd party service that this module integrates with may have been retired.

If you would like to maintain this project nevertheless, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

Biztonsági figyelmeztetések (contrib) - 2020. november 18. 18.19
Project: Media: oEmbedDate: 2020-November-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Biztonsági figyelmeztetések (core) - 2020. november 18. 18.18
Project: Drupal coreDate: 2020-November-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote code executionCVE IDs: CVE-2020-13671Description: 

Update November 18: Documented longer list of dangerous file extensions

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis.

Reported By: Fixed By: 

Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035

Biztonsági figyelmeztetések (contrib) - 2020. november 18. 18.15
Project: Examples for DevelopersDate: 2020-November-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

The File Example submodule within the Examples project does not properly sanitize certain filenames as described in SA-CORE-2020-012, along with other related vulnerabilities.

Therefore, File Example so is being removed from Examples until a version demonstrating file security best practices can added back in the future.

Solution: 

Any sites that have File Example submodule installed should uninstall it immediately

Then, install the latest version of Examples:

Reported By: Fixed By: Coordinated By: 

Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034

Biztonsági figyelmeztetések (contrib) - 2020. október 14. 16.38
Project: Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO )Date: 2020-October-14Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: SQL InjectionDescription: 

This module enables you login into any OAuth 2.0 compliant application using Drupal credentials.

The 8.x branch of the module is vulnerable to SQL injection.

Solution: 

Install the latest version:

  • If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1
Reported By: Fixed By: Coordinated By: 

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

Biztonsági figyelmeztetések (core) - 2020. szeptember 16. 18.45
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureCVE IDs: CVE-2020-13670Description: 

A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Reported By: Fixed By: 

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

Biztonsági figyelmeztetések (core) - 2020. szeptember 16. 18.32
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2020-13667Description: 

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.

The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.

This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Once a site running Workspaces is upgraded, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

Reported By: Fixed By: 

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010

Biztonsági figyelmeztetések (core) - 2020. szeptember 16. 18.31
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13669Description: 

Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Reported By: Fixed By: 

Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009

Biztonsági figyelmeztetések (core) - 2020. szeptember 16. 18.11
Project: Drupal coreDate: 2020-September-16Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13668Description: 

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

In addition to updating Drupal core, sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.

Reported By: Fixed By: 

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Biztonsági figyelmeztetések (core) - 2020. szeptember 16. 17.48
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13666Description: 

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set "jsonp: true", or you'll need to use the jQuery AJAX API directly.

If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

Drupal 7 sites should also pass such URLs through the new Drupal.sanitizeAjaxUrl() function.

Reported By: Fixed By: