News Reader

Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005

Security advisories (contrib) - 17 March 2021, 19:36
Project: Fast Autocomplete
Version: 8.x-1.7, 8.x-1.6, 8.x-1.5, 8.x-1.4, 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2021-March-17
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Fast Autocomplete module provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped.

The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from its default value (on) to off.

This enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to.

Solution: 

Install the latest version:

Alternatively, re-enable the setting "Perform search as anonymous user only" to only display anonymous search results and delete the generated files by using the "Delete json files" option in all Fast Autocomplete configurations.

Fast Autocomplete for Drupal 7.x is not affected.

Reported By: Fixed By: Coordinated By: 

Webform - Moderately critical - Access bypass - SA-CONTRIB-2021-004

Security advisories (contrib) - 3 March 2021, 17:49
Project: Webform
Date: 2021-March-03
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:Default
Vulnerability: Access bypass
Description:

The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.

The confirmation email can be used as an open mail relay to send an email to any email address.

This vulnerability is mitigated by the fact that the site owner's email address is also receiving a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited.

With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email.

If anonymous users need to receive a confirmation email, we recommend you add SPAM protection to the form and update the email handler.

Solution: 

Install the latest version:

If you are using a previous release of the Webform module, you can immediately apply one of the following mitigations:

  1. Delete the default Contact form. (/form/contact)
  2. Delete the default Contact form's confirmation email handler. (/admin/structure/webform/manage/contact/handlers)
  3. Update the default Contact form's confirmation email to only email the current user's email address using the [current-user:mail] token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit)
  4. Add SPAM protection to the default Contact form.

Reported By: Fixed By: Coordinated By: 

Subgroup - Less critical - Access bypass - SA-CONTRIB-2021-003

Security advisories (contrib) - 27 January 2021, 18:53
Project: Subgroup
Version: 1.0.x-dev
Date: 2021-January-27
Security risk: Less critical 9∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree.

When you configure Subgroup with a tree of at least three levels, users may inadvertently receive permissions in a group that is an uncle or cousin of the source group, rather than a direct ancestor or descendant. Trees that have multiple sibling nodes only at the lowest tier (or none at all) are unaffected.

Solution: 

Install the latest version, Subgroup 1.0.1, and clear your caches.

Reported By: Fixed By: Coordinated By: 

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002

Security advisories (contrib) - 27 January 2021, 18:27
Project: Open Social
Version: 8.x-9.x-dev, 8.x-8.x-dev
Date: 2021-January-27
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file.

The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the "manage members" permission to export all data of a selected user in certain scenarios.

This vulnerability is mitigated by the fact that an attacker must have the authenticated user role and the site must be configured in such a way that a logged-in user is able to export users.

Solution: 

Install the latest version:

  • If you use Open Social major version 8, upgrade to 8.x-8.10
  • If you use Open Social major version 9, upgrade to 8.x-9.8

Reported By: Fixed By: Coordinated By: 

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-001

Security advisories (contrib) - 27 January 2021, 18:17
Project: Open Social
Version: 8.x-9.x-dev, 8.x-8.x-dev
Date: 2021-January-27
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social, e.g. Facebook, LinkedIn, Google and Twitter.

The module doesn't implement a proper cache strategy for anonymous users, allowing the registration form to be cached together with disclosed information in certain scenarios. This information is normally only available to logged-in users of the community.

This vulnerability is mitigated by the fact that social_auth_extra needs to be enabled and one of the single sign-on methods needs to be configured. There is no impact for regular registration without single sign-on.

Removing the single sign-on providers from the configuration blocks this vulnerability.

Solution: 

Install the latest version:

  • If you use Open Social major version 8, upgrade to 8.x-8.10
  • If you use Open Social major version 9, upgrade to 8.x-9.8

Reported By: Fixed By: Coordinated By: 

Drupal core - Critical - Third-party libraries - SA-CORE-2021-001

Security advisories (core) - 20 January 2021, 18:10
Project: Drupal core
Date: 2021-January-20
Security risk: Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon
Vulnerability: Third-party libraries
Description:

The Drupal project uses the PEAR Archive_Tar library, which has released a security update that impacts Drupal. For more information please see:

Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and to process them.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.

Reported By: Fixed By: