| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Dec 2012 20:27:16 -0500
From: laurent gaffie <laurent.gaffie@...il.com>
To: noreply@...pal.org
Cc: full-disclosure@...ts.grok.org.uk, security-news@...pal.org
Subject: Re: [Security-news] SA-CORE-2012-004 - Drupal
core - Multiple vulnerabilities
In regards to the code exec;
Ever heard of whitelisting ?
Le 19 déc. 2012 14:39, <security-news@...pal.org> a écrit :
> View online: http://drupal.org/SA-CORE-2012-004
>
> * Advisory ID: DRUPAL-SA-CORE-2012-004
> * Project: Drupal core [1]
> * Version: 6.x, 7.x
> * Date: 2012-December-19
> * Security risk: Moderately critical [2]
> * Exploitable from: Remote
> * Vulnerability: Access bypass, Arbitrary PHP code execution
>
> -------- DESCRIPTION
> ---------------------------------------------------------
>
> Multiple vulnerabilities were fixed in the supported Drupal core versions 6
> and 7.
>
> .... Access bypass (User module search - Drupal 6 and 7)
>
> A vulnerability was identified that allows blocked users to appear in user
> search results, even when the search results are viewed by unprivileged
> users.
>
> This vulnerability is mitigated by the fact that the default Drupal core
> user
> search results only display usernames (and disclosure of usernames is not
> considered a security vulnerability [3]). However, since modules or themes
> may override the search results to display more information from each
> user's
> profile, this could result in additional information about blocked users
> being disclosed on some sites.
>
> CVE: Requested.
>
> .... Access bypass (Upload module - Drupal 6)
>
> A vulnerability was identified that allows information about uploaded files
> to be displayed in RSS feeds and search results to users that do not have
> the
> "view uploaded files" permission.
>
> This issue affects Drupal 6 only.
>
> CVE: Requested.
>
> .... Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)
>
> Drupal core's file upload feature blocks the upload of many files that can
> be
> executed on the server by munging the filename. A malicious user could
> name a
> file in a manner that bypasses this munging of the filename in Drupal's
> input
> validation.
>
> This vulnerability is mitigated by several factors: The attacker would need
> the permission to upload a file to the server. Certain combinations of PHP
> and filesystems are not vulnerable to this issue, though we did not perform
> an exhaustive review of the supported PHP versions. Finally: the server
> would
> need to allow execution of files in the uploads directory. Drupal core has
> protected against this with a .htaccess file protection in place from
> SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache
> configurations [4]. Users of IIS should consider updating their web.config
> [5]. Users of Nginx should confirm that only the index.php and other known
> good scripts are executable. Users of other webservers should review their
> configuration to ensure the goals are achieved in some other way.
>
> CVE: Requested.
>
>
> -------- CVE IDENTIFIER(S) ISSUED
> --------------------------------------------
>
> * /A CVE identifier [6] will be requested, and added upon issuance, in
> accordance with Drupal Security Team processes./
>
> -------- VERSIONS AFFECTED
> ---------------------------------------------------
>
> * Drupal core 6.x versions prior to 6.27.
> * Drupal core 7.x versions prior to 7.18.
>
> -------- SOLUTION
> ------------------------------------------------------------
>
> Install the latest version:
>
> * If you use Drupal 6.x, upgrade to Drupal core 6.27 [7].
> * If you use Drupal 7.x, upgrade to Drupal core 7.18 [8].
>
> Also see the Drupal core [9] project page.
>
> -------- REPORTED BY
> ---------------------------------------------------------
>
> * The access bypass issue in the User module search results was reported
> by
> Derek Wright [10] of the Drupal Security Team.
> * The access bypass issue in the Drupal 6 Upload module was reported by
> Simon Rycroft [11], and by Damien Tournoud [12] of the Drupal Security
> Team.
> * The arbitrary code execution issue was reported by Amit Asaravala [13].
>
> -------- FIXED BY
> ------------------------------------------------------------
>
> * The access bypass issue in the User module search results was fixed by
> Derek Wright [14], Ivo Van Geertruyen [15], Peter Wolanin [16], and
> David
> Rothstein [17], all members of the Drupal Security Team.
> * The access bypass issue in the Drupal 6 Upload module was fixed by
> Michaël Dupont [18], and by Fox [19] and David Rothstein [20] of the
> Drupal Security Team.
> * The arbitrary code execution issue was fixed by Nathan Haug [21] and
> Justin Klein-Keane [22], and by John Morahan [23] and Greg Knaddison
> [24]
> of the Drupal Security team.
>
> -------- COORDINATED BY
> ------------------------------------------------------
>
> * Jeremy Thorson [25] QA/Testing infrastructure
> * Ben Jeavons [26] of the Drupal Security Team
> * David Rothstein [27] of the Drupal Security Team
> * Gábor Hojtsy [28] of the Drupal Security Team
> * Greg Knaddison [29] of the Drupal Security Team
> * Fox [30] of the Drupal Security Team
>
> -------- CONTACT AND MORE INFORMATION
> ----------------------------------------
>
> The Drupal security team can be reached at security at drupal.org or via
> the
> contact form at http://drupal.org/contact [31].
>
> Learn more about the Drupal Security team and their policies [32], writing
> secure code for Drupal [33], and securing your site [34].
>
>
> [1] http://drupal.org/project/drupal
> [2] http://drupal.org/security-team/risk-levels
> [3] http://drupal.org/node/1004778
> [4] http://drupal.org/node/65409
> [5] http://drupal.org/node/1543392
> [6] http://cve.mitre.org/
> [7] http://drupal.org/drupal-6.27-release-notes
> [8] http://drupal.org/drupal-7.18-release-notes
> [9] http://drupal.org/project/drupal
> [10] http://drupal.org/user/46549
> [11] http://drupal.org/user/151544
> [12] http://drupal.org/user/22211
> [13] http://drupal.org/user/181407
> [14] http://drupal.org/user/46549
> [15] http://drupal.org/user/383424
> [16] http://drupal.org/user/49851
> [17] http://drupal.org/user/124982
> [18] http://drupal.org/user/400288
> [19] http://drupal.org/user/426416
> [20] http://drupal.org/user/124982
> [21] http://drupal.org/user/35821
> [22] http://drupal.org/user/302225
> [23] http://drupal.org/user/58170
> [24] http://drupal.org/user/36762
> [25] http://drupal.org/user/148199
> [26] http://drupal.org/user/91990
> [27] http://drupal.org/user/124982
> [28] http://drupal.org/user/4166
> [29] http://drupal.org/user/36762
> [30] http://drupal.org/user/426416
> [31] http://drupal.org/contact
> [32] http://drupal.org/security-team
> [33] http://drupal.org/writing-secure-code
> [34] http://drupal.org/security/secure-configuration
>
> _______________________________________________
> Security-news mailing list
> Security-news@...pal.org
> Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists