Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.3236 Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006 23 October 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Drupal Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Provide Misleading Information -- Existing Account Unauthorised Access -- Existing Account Resolution: Patch/Upgrade Original Bulletin: https://www.drupal.org/SA-CORE-2018-006 - --------------------------BEGIN INCLUDED TEXT-------------------- Drupal Security advisories Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006 Posted by Drupal Security Team on 17 Oct 2018 at 16:42 UTC o Advisory ID: DRUPAL-SA-CORE-2018-006 o Project: Drupal core o Version: 7.x, 8.x o Date: 2018-October-17 Description Content moderation - Moderately critical - Access bypass - Drupal 8 In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass. In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility: ModerationStateConstraintValidator Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden. StateTransitionValidationInterface An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method. Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method. User permissions Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions. Reported by o Roland Kovacsics o attilatilman Fixed by o Jess of the Drupal Security Team o Lee Rowlands of the Drupal Security Team o Wim Leers o Daniel Wehner o Sam Becker o Tim Millwood o Alex Pott of the Drupal Security Team External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8 The path module allows users with the 'administer paths' to create pretty URLs for content. In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url. The issue is mitigated by the fact that the user needs the administer paths permission to exploit. Reported by o dyates Fixed by o Dave Reid of the Drupal Security Team o David Rothstein of the Drupal Security Team o Peter Wolanin of the Drupal Security Team o Jess of the Drupal Security Team o Alex Bronstein of the Drupal Security Team o Nathaniel Catchpole of the Drupal Security Team o Lee Rowlands of the Drupal Security Team o Ted Bowman Provisional member of the Drupal Security Team Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8 Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. This vulnerability has been publicly documented. RedirectResponseSubscriber event handler removal As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber:: sanitizeDestination has been removed, although this is a public function, it is not considered an API as per our API policy for event subscribers. If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security. Reported by o Brian Osborne Fixed by o Michael Hess of the Drupal Security Team o Wim Leers o Alex Pott of the Drupal Security Team o Grant Gaudet o Lee Rowlands of the Drupal Security Team o Nathaniel Catchpole of the Drupal Security Team o Jess of the Drupal Security Team Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8 When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution. Reported by o Damien Tournoud Fixed by o Lee Rowlands of the Drupal Security Team o Sascha Grossenbacher o Daniel Wehner o Klaus Purer o Damien Tournoud o Stefan Ruijsenaars of the Drupal Security Team o David Rothstein of the Drupal Security Team o David Snopek of the Drupal Security Team o Jess of the Drupal Security Team o Wim Leers o Peter Wolanin of the Drupal Security Team o Ted Bowman Provisional member of the Drupal Security Team Contextual Links validation - Critical - Remote Code Execution - Drupal 8 The Contextual Links module doesn't sufficiently validate the requested contextual links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links". Reported by o Nick Booher Fixed by o Lee Rowlands of the Drupal Security Team o Nick Booher o Samuel Mortenson of the Drupal Security Team o Wim Leers o Alex Pott of the Drupal Security Team Solution Upgrade to the most recent version of Drupal 7 or 8 core. o If you are running 7.x, upgrade to Drupal 7.60. o If you are running 8.6.x, upgrade to Drupal 8.6.2. o If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8. Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW87EU2aOgq3Tt24GAQikIQ/9HCHmxYmSTpx/9NUFPqWiIC6/b2G2TJFF HPegwn72yK6Mf4kyfLddauFTE9npeOs9Z6nqvyuknK/6/YodVDKqIuP1v/NkfrIz ve5rQqoyombPBljzHeIoU2fVTwZTo2e59v1vY/IOgf2ukb3viocs9O+i9wuEqRvt ef0NF1zzZ62yyPvWeIuniSeI1lapjLxHdnlNxniWW2taZc8XDUKr/B19UHS58MEK Twvtidu31WrJar9G2rvxXEP34tjdThQOHE0WEY2AzU5nc+8Yo7aiGSQOCtBM6Mzq lXk1huGAsyK6oSWpfg36ouE2nc1Cj/q/SDlGhGdQWsQbXwNOErfRV0ENHBa+hSbb sV3KRmzr494YBLFg61h2Xyg9MygAU2ByX07+i0qkNi6gkQrreZ+An1Vu9PY74KCZ OaFAAK0RqzuonDQ2zIHXr91X7mIuGnkMREBBgYHSzGO+lDJJZNp9ZP7Oprp40CqU H4NxR4PMWLRC6GBM4GNZR71kbtWZ9uD99cIkjl6CmAW9UtFe+6MQ5/dNiNi7xefK bWQXmvnF0nsjVoRNqPTtqAdw/JrwcFWm3ceDPni3J3M03b4ye0P7RA5hcxJoN4m+ AdISrhRVXhvqsSY5cjI2G0/Okr7iNgrX9hfgRVNs7uUfdlh6O6W4WCZBSBSUplwQ DcSfZ8zocTM= =+EdR -----END PGP SIGNATURE-----