Hírolvasó

Project: Forum AccessDate: 2023-August-23Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <1.0.0Description: 

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Forum Access depends.

Solution: 

Install the latest version:

• If you use the Forum Access module for Drupal 7.x, upgrade to Forum Access 7.x-1.6
• If you use the Forum Access module 8.x-1.0-beta3 or below, upgrade to Forum Access 8.x-1.0

The ACL module (a dependency) must also be updated.

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Hans Salvisberg
• Jen Lampton Provisional Member of the Drupal Security Team

Coordinated By: 

• Drew Webber of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: ACLDate: 2023-August-23Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <1.0.0Description: 

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

• Forum Access
• Flexi Access
• Content Access

Coordinated Security Advisories are being released for those client modules that have Security coverage.

Solution: 

Install the latest version:

• If you use the ACL module for Drupal 7.x, upgrade to ACL 7.x-1.4
• If you use the ACL module 8.x-1.0-beta3 or below, upgrade to ACL 8.x-1.0

Any client modules that depend on ACL should also be updated.

Reported By: 

• Drew Webber of the Drupal Security Team
• Samuel Mortenson

Fixed By: 

• Drew Webber of the Drupal Security Team
• Hans Salvisberg
• Jen Lampton Provisional Member of the Drupal Security Team
• xeM8VfDh

Coordinated By: 

• Drew Webber of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team