===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3236
         Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006
                              23 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Existing Account
                   Unauthorised Access            -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://www.drupal.org/SA-CORE-2018-006

- --------------------------BEGIN INCLUDED TEXT--------------------

Drupal Security advisories

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

Posted by Drupal Security Team on 17 Oct 2018 at 16:42 UTC

  o Advisory ID: DRUPAL-SA-CORE-2018-006
  o Project: Drupal core
  o Version: 7.x, 8.x
  o Date: 2018-October-17

Description

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a user's access to use
certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content
moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator
    Two additional services have been injected into this service. Anyone
    subclassing this service must ensure these additional dependencies are
    passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
    An additional method has been added to this interface. Implementations of
    this interface which do not extend the StateTransitionValidation should
    implement this method.

    Implementations which do extend from the StateTransitionValidation should
    ensure any behavioural changes they have made are also reflected in this
    new method.

User permissions
    Previously users who didn't have access to use any content moderation
    transitions were granted implicit access to update content provided the
    state of the content did not change. Now access to an associated transition
    will be validated for all users in scenarios where the state of content
    does not change between revisions.

Reported by

  o Roland Kovacsics
  o attilatilman

Fixed by

  o Jess of the Drupal Security Team
  o Lee Rowlands of the Drupal Security Team
  o Wim Leers
  o Daniel Wehner
  o Sam Becker
  o Tim Millwood
  o Alex Pott of the Drupal Security Team

External URL injection through URL aliases - Moderately Critical - Open
Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' permission to create
pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an
open redirect to a malicious URL.

The issue is mitigated by the fact that the user needs the 'administer paths'
permission to exploit it.

Reported by

  o dyates

Fixed by

  o Dave Reid of the Drupal Security Team
  o David Rothstein of the Drupal Security Team
  o Peter Wolanin of the Drupal Security Team
  o Jess of the Drupal Security Team
  o Alex Bronstein of the Drupal Security Team
  o Nathaniel Catchpole of the Drupal Security Team
  o Lee Rowlands of the Drupal Security Team
  o Ted Bowman Provisional member of the Drupal Security Team

Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string
parameter in URLs to redirect users to a new destination after completing an
action on the current page. Under certain circumstances, malicious users can
use this parameter to construct a URL that will trick users into being
redirected to a third-party website, thereby exposing the users to potential
social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix,
\Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination
has been removed. Although this is a public function, it is not considered an
API as per our API policy for event subscribers. If you have extended that
class or are calling that method, you should review your implementation in
line with the changes in the patch. The existing function has been removed to
prevent a false sense of security.
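Both open redirect issues above (a path alias that points off-site, and a
"destination" parameter that points off-site) come down to the same check:
only a same-site path may be used as a redirect target. The following is an
added example of such a check, written here for illustration; it is not
Drupal's code, and the function names and the fallback of "/" are assumptions.

```python
from urllib.parse import urlsplit


def is_local_path(candidate: str) -> bool:
    """Return True only for a same-site path such as '/node/1?x=y#top'.

    Rejects forms a browser could treat as leaving the site:
      - absolute URLs with a scheme ('http://evil.example/')
      - bare hosts or pseudo-schemes ('evil.example', 'javascript:...')
      - protocol-relative URLs ('//evil.example', '///evil.example'),
        since browsers collapse extra leading slashes
      - backslash variants ('/\\evil.example'), which some browsers
        normalise to forward slashes
      - control characters, which can split a Location header
    """
    if not candidate or not candidate.startswith("/"):
        return False
    if candidate.startswith("//") or "\\" in candidate:
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return False
    parts = urlsplit(candidate)
    # Belt and braces: a parsed scheme or host means it is not a local path.
    return not parts.scheme and not parts.netloc


def safe_destination(query: dict, fallback: str = "/") -> str:
    """Pick the redirect target from a parsed query string, or the fallback.

    `query` is a plain dict of decoded query parameters (constructed input);
    `fallback` is the assumed safe on-site landing page.
    """
    destination = query.get("destination", "")
    return destination if is_local_path(destination) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    for sample in ("/admin/content", "//evil.example/", "/\\evil.example",
                   "http://evil.example/", "/node/1?a=b#c"):
        print(f"{sample!r:28} -> {safe_destination({'destination': sample})}")
```

The same `is_local_path` check applies when validating a user-entered alias
before it is stored, so that the alias can never become an off-site target.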

Reported by

  o Brian Osborne

Fixed by

  o Michael Hess of the Drupal Security Team
  o Wim Leers
  o Alex Pott of the Drupal Security Team
  o Grant Gaudet
  o Lee Rowlands of the Drupal Security Team
  o Nathaniel Catchpole of the Drupal Security Team
  o Jess of the Drupal Security Team

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution -
Drupal 7 and Drupal 8

When sending email, some variables were not being sanitized for shell
arguments, which could lead to remote code execution.

Reported by

  o Damien Tournoud

Fixed by

  o Lee Rowlands of the Drupal Security Team
  o Sascha Grossenbacher
  o Daniel Wehner
  o Klaus Purer
  o Damien Tournoud
  o Stefan Ruijsenaars of the Drupal Security Team
  o David Rothstein of the Drupal Security Team
  o David Snopek of the Drupal Security Team
  o Jess of the Drupal Security Team
  o Wim Leers
  o Peter Wolanin of the Drupal Security Team
  o Ted Bowman Provisional member of the Drupal Security Team

Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested
contextual links.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "access contextual links".

Reported by

  o Nick Booher

Fixed by

  o Lee Rowlands of the Drupal Security Team
  o Nick Booher
  o Samuel Mortenson of the Drupal Security Team
  o Wim Leers
  o Alex Pott of the Drupal Security Team

Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

  o If you are running 7.x, upgrade to Drupal 7.60.
  o If you are running 8.6.x, upgrade to Drupal 8.6.2.
  o If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive
security coverage, so sites running older versions should update to the above
8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================