Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 2 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!

Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005

Wed, 17/03/2021 - 18:36
Project: Fast Autocomplete
Version: 8.x-1.7, 8.x-1.6, 8.x-1.5, 8.x-1.4, 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2021-March-17
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Fast Autocomplete module provides fast, IMDb-style suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that the web server can hand them to the browser directly, without bootstrapping Drupal. No Drupal access check runs when such a file is fetched, so access control rests on the generated file names being role-specific and unguessable.

The module does not correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from its default (on) to off.

A malicious user can then read search results generated for users with other roles, disclosing results they would normally have no access to.
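The following is an added illustration of the failure class described above, not code from the Fast Autocomplete module: pre-generated suggestion files live in a public directory, so if the file-name hash does not bind the requesting user's role set, a file generated for a privileged role is reachable by anyone who knows the query. Every name in it (PRIVATE_KEY, make_json_path, leaked_to_anonymous, the path prefix and the sample result strings) is a constructed assumption.

```python
"""Cache-key derivation for pre-generated autocomplete JSON (illustrative)."""
import hashlib
import hmac

# Constructed stand-in for a site-private secret. In Drupal the hash salt
# would be the natural source; a name derived from public data alone is
# guessable and gives no protection at all.
PRIVATE_KEY = b"constructed-site-private-key"

PUBLIC_PREFIX = "/sites/default/files/fac-json/"  # hypothetical public path


def make_json_path(query: str, roles: frozenset[str], anonymous_only: bool,
                   *, bind_roles: bool) -> str:
    """Return the public path of the suggestion file for `query`.

    anonymous_only=True models the "Perform search as anonymous user only"
    setting: every search is run as anonymous, so only anonymous results
    are ever written to disk and there is nothing privileged to leak.

    bind_roles=False reproduces the flawed behaviour: with the setting off,
    per-role results are written under a name that ignores the role set, so
    all roles share one file per query.
    """
    if anonymous_only:
        roles = frozenset({"anonymous"})
    msg = query.encode()
    if bind_roles:
        # Sorted so the same role set always yields the same name.
        msg += b"\x00" + ",".join(sorted(roles)).encode()
    digest = hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{PUBLIC_PREFIX}{digest[:32]}.json"


SECRET_RESULT = "Draft: Q3 roadmap (unpublished)"  # constructed sample


def leaked_to_anonymous(bind_roles: bool, anonymous_only: bool = False) -> bool:
    """Simulate an editor search followed by an anonymous one for the same prefix.

    Returns True if the anonymous visitor's fetch lands on the editor's file.
    """
    public_files: dict[str, list[str]] = {}  # stands in for the public files dir
    editor = frozenset({"authenticated", "editor"})
    anon = frozenset({"anonymous"})

    # The editor types "dra"; results visible to their roles are written to disk.
    editor_path = make_json_path("dra", editor, anonymous_only, bind_roles=bind_roles)
    public_files[editor_path] = [SECRET_RESULT] if not anonymous_only else []

    # An anonymous visitor types the same prefix; the web server serves whatever
    # file sits at the computed path with no Drupal access check.
    anon_path = make_json_path("dra", anon, anonymous_only, bind_roles=bind_roles)
    return SECRET_RESULT in public_files.get(anon_path, [])
```

With `bind_roles=False` the two paths collide and the editor's unpublished result is served to the anonymous visitor; with `bind_roles=True` the paths differ, and with `anonymous_only=True` nothing privileged is ever written, which is why re-enabling that setting (and deleting the already-generated files) is a valid stopgap.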

Solution: 

Install the latest version:

Alternatively, re-enable the setting "Perform search as anonymous user only" so that only anonymous search results are displayed, and delete the already generated files using the "Delete json files" option in every Fast Autocomplete configuration.

Fast Autocomplete for Drupal 7.x is not affected.


Webform - Moderately critical - Access bypass - SA-CONTRIB-2021-004

Wed, 03/03/2021 - 16:49
Project: Webform
Date: 2021-March-03
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:Default
Vulnerability: Access bypass
Description:

The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.

Because the confirmation's recipient is whatever address the submitter enters, an anonymous visitor can make the site send email to any address, turning the form into an open mail relay.

This vulnerability is mitigated by the fact that the site owner's address also receives a notification email for each submission, which should alert the site owner to abuse. If the site owner's mailbox is not monitored, the relay can be exploited more freely.

With the Webform module's latest release, the default Contact form's confirmation email is sent only to an authenticated user's account email address. Anonymous users no longer receive a confirmation email.

If anonymous users need to receive a confirmation email, we recommend adding spam protection to the form and updating the email handler accordingly.

Solution: 

Install the latest version:

If you are using a previous release of the Webform module, you can immediately apply one of the following mitigations:

  1. Delete the default Contact form. (/form/contact)
  2. Delete the default Contact form's confirmation email handler. (/admin/structure/webform/manage/contact/handlers)
  3. Change the default Contact form's confirmation email to address only the current user's account email, using the [current-user:mail] token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit)
  4. Add spam protection to the default Contact form.
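The following added example models the trust boundary behind mitigation 3 and the fixed release; it is not the Webform module's own code. The recipient of a confirmation must come from the identity Drupal already holds for the session (what the [current-user:mail] token resolves to), never from the form field the submitter controls, and an anonymous submission gets no confirmation at all. The Account class, confirmation_recipient, outgoing_mail, the trust_form_email flag and the sample addresses are constructed for the illustration.

```python
"""Recipient selection for a contact-form confirmation email (illustrative)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    """Minimal stand-in for the current Drupal user."""
    uid: int
    mail: Optional[str]  # None for the anonymous user (uid 0)

    @property
    def is_authenticated(self) -> bool:
        return self.uid != 0


def confirmation_recipient(account: Account, submission: dict[str, str],
                           *, trust_form_email: bool = False) -> Optional[str]:
    """Return the confirmation recipient, or None to skip the confirmation.

    trust_form_email=True reproduces the vulnerable handler: the address
    typed into the form is used as-is, so anyone, logged in or not, can
    make the site mail an arbitrary third party.
    """
    if trust_form_email:
        return submission.get("email") or None
    if not account.is_authenticated or not account.mail:
        return None          # anonymous: no confirmation (fixed behaviour)
    return account.mail      # the [current-user:mail] equivalent


def outgoing_mail(account: Account, submission: dict[str, str],
                  site_owner: str = "owner@example.org",
                  *, trust_form_email: bool = False) -> list[tuple[str, str]]:
    """Build the (recipient, kind) list one submission produces.

    The owner notification is always sent; it is what makes relay abuse
    visible if the mailbox is watched. The confirmation follows the policy.
    """
    mails = [(site_owner, "notification")]
    to = confirmation_recipient(account, submission, trust_form_email=trust_form_email)
    if to is not None:
        mails.append((to, "confirmation"))
    return mails


# Constructed sample data: an anonymous visitor enters a third party's address.
ANONYMOUS = Account(uid=0, mail=None)
EDITOR = Account(uid=42, mail="editor@example.org")
RELAY_ATTEMPT = {"name": "x", "email": "victim@third-party.example",
                 "message": "Unwanted bulk text"}
```

Under the vulnerable policy the anonymous submission produces a confirmation to the third party; under the fixed policy only the owner notification leaves the site, and even a logged-in user who types someone else's address gets the confirmation at their own account address.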