Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 6 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!


Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

Wed, 19/09/2018 - 17:02
Project: Renderkit
Date: 2018-September-19
Security risk: Moderately critical 11/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module, typically in combination with cfr:cfrplugin, lets site builders compose behaviors from granular components. One such behavior displays a list of related entities for a given source entity and a given entity relation (e.g. an entity reference field).

The components that display related content do not check whether the user has access to view the related entities. Loading an entity does not enforce access in Drupal 7, so the component that renders it has to; because these components do not, unpublished nodes, for example, may be displayed to anonymous visitors.

This vulnerability is mitigated by the facts that
- a site builder must have used the component that displays "related" entities for a source entity, using cfr:cfrplugin, or a programmer must have used one of the affected components in code, and
- a source entity displayed this way must reference access-restricted content.
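The missing check, as an added example that is not Renderkit's own code: a Drupal 7 helper that loads the targets of an entity reference field and, in its hardened variant, drops every target the current user may not view before anything is rendered. It assumes the entityreference module's `target_id` column and the Entity API contrib module's entity_access() and entity_view(); the `example_` function names are hypothetical.

```php
<?php
// Added example, not Renderkit's own code. Drupal 7 API; assumes the
// entityreference module (field column 'target_id') and the Entity API
// contrib module (entity_access(), entity_view()). Names are hypothetical.

/**
 * Returns the entities referenced by $field_name on $source, unfiltered.
 *
 * This is the vulnerable pattern: entity_load() does not enforce access, so
 * unpublished nodes or otherwise restricted entities come back as well.
 */
function example_related_entities_unchecked($source_type, $source, $field_name) {
  $field = field_info_field($field_name);
  $target_type = $field['settings']['target_type'];
  $ids = array();
  // field_get_items() returns FALSE when the field is empty; cast to array.
  foreach ((array) field_get_items($source_type, $source, $field_name) as $item) {
    $ids[] = $item['target_id'];
  }
  return $ids ? entity_load($target_type, $ids) : array();
}

/**
 * Same lookup, but every target is checked with entity_access('view') for
 * $account (the current user when NULL) before it is handed to the renderer.
 */
function example_related_entities_checked($source_type, $source, $field_name, $account = NULL) {
  $field = field_info_field($field_name);
  $target_type = $field['settings']['target_type'];
  $entities = example_related_entities_unchecked($source_type, $source, $field_name);
  $visible = array();
  foreach ($entities as $id => $entity) {
    // For nodes this delegates to node_access(), which honours the published
    // flag and node grants, so anonymous users lose unpublished nodes here.
    if (entity_access('view', $target_type, $entity, $account)) {
      $visible[$id] = $entity;
    }
  }
  return $visible;
}

/**
 * Renders the visible related entities in $view_mode. The access decision is
 * made per target; the fact that the source entity is viewable is not enough.
 */
function example_render_related($source_type, $source, $field_name, $view_mode = 'teaser') {
  $field = field_info_field($field_name);
  $target_type = $field['settings']['target_type'];
  $entities = example_related_entities_checked($source_type, $source, $field_name);
  return $entities ? entity_view($target_type, $entities, $view_mode) : array();
}
```

The check has to sit in the component that renders the related entities, not in the loader: a list built from node_load_multiple() or entity_load() will always contain unpublished items, and render caching of the resulting list must be keyed per role (or disabled) so an administrator's cached output is not served to anonymous visitors.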

Solution: 

Install the latest version:

Also see the Renderkit project page.

Categories: Technology

Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059

Wed, 05/09/2018 - 18:22
Project: Fraction
Date: 2018-September-05
Security risk: Less critical 5/25 AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: XSS vulnerability
Description:

This module enables you to create fields for storing decimal values as two integers (numerator and denominator) for maximum precision.

The module doesn't sufficiently sanitize field labels before rendering them, so a label can carry a stored cross-site scripting payload.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to manage field configuration.

Solution: 

Install the latest version:

Also see the Fraction project page.


Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

Wed, 29/08/2018 - 17:27
Project: Bing Autosuggest API
Version: 7.x-1.x-dev
Date: 2018-August-29
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to use the Bing Autosuggest API.

The module doesn't sufficiently sanitize a value used to populate an API request.

Solution: 

Install the latest version:

Also see the Bing Autosuggest API project page.


Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2018-057

Wed, 29/08/2018 - 17:26
Project: Drupal Commerce
Version: 8.x-2.x-dev
Date: 2018-August-29
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to build eCommerce websites and applications with Drupal.

The module doesn't sufficiently check access for some of its entity types.

Solution: 

Update to Commerce 8.x-2.9.


File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

Wed, 15/08/2018 - 13:32
Project: File (Field) Paths
Date: 2018-August-15
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is being uploaded, allowing a remote attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have access to a form containing a widget processed by this module.
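Path sanitization of the kind the advisory calls for, as an added example that is not the module's own fix: a Drupal 7 helper that takes a token-expanded directory and filename (both untrusted, since tokens can expand user-supplied values such as a title or a username) and builds a destination that can neither escape the stream wrapper root nor end in a PHP-executable extension. It relies on core's file_munge_filename(); the function name and the executable-extension regex are assumptions.

```php
<?php
// Added example, not File (Field) Paths' own code. Drupal 7 API; the function
// name is hypothetical and the extension regex is an assumption that mirrors
// what Drupal core treats as executable.

/**
 * Builds a safe destination URI for an uploaded file after token replacement.
 *
 * @param string $scheme       Stream wrapper of the field, e.g. 'public'.
 * @param string $pattern_path Directory pattern after token replacement (untrusted).
 * @param string $pattern_name Filename after token replacement (untrusted).
 * @param string $extensions   Space-separated allowed extensions from the
 *                             field instance's upload validator, e.g. 'jpg png pdf'.
 *
 * @return string|false The destination URI, or FALSE if it cannot be made safe.
 */
function example_safe_destination($scheme, $pattern_path, $pattern_name, $extensions) {
  // 1. Normalise the directory: drop empty, '.' and '..' segments, and any
  //    segment carrying a scheme separator, so the result stays below the
  //    wrapper root instead of reaching e.g. sites/default or a module dir.
  $segments = array();
  foreach (explode('/', str_replace('\\', '/', $pattern_path)) as $segment) {
    if ($segment === '' || $segment === '.' || $segment === '..' || strpos($segment, ':') !== FALSE) {
      continue;
    }
    $segments[] = $segment;
  }
  $directory = implode('/', $segments);

  // 2. Keep only the basename, then let core rename inner extensions:
  //    file_munge_filename() turns "shell.php.jpg" into "shell.php_.jpg"
  //    unless 'php' is in $extensions. It deliberately leaves the final
  //    extension alone because upload validation is expected to own it.
  $name = basename(str_replace('\\', '/', $pattern_name));
  $name = file_munge_filename($name, $extensions);

  // 3. Re-check the final extension ourselves. A rename pattern must not
  //    grant what the upload validator denied, so an executable suffix is
  //    rejected outright rather than silently altered, and the suffix must
  //    still be one the field instance allows.
  if (preg_match('/\.(php|phtml|phar|php[0-9]+)$/i', $name)) {
    return FALSE;
  }
  $allowed = explode(' ', strtolower(trim($extensions)));
  if (!in_array(strtolower(pathinfo($name, PATHINFO_EXTENSION)), $allowed, TRUE)) {
    return FALSE;
  }

  return $scheme . '://' . ($directory === '' ? '' : $directory . '/') . $name;
}
```

Called from the field's presave step as example_safe_destination('public', $dir, $file, $instance['settings']['file_extensions']), it returns a URI to pass to file_move(); FALSE means the file should stay under its original, already validated name. As defence in depth, make sure the public files directory still has the .htaccess that core generates (file_ensure_htaccess()), which stops Apache from executing PHP there even if a rename slips through.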

Solution: 

Install the latest version:


PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

Wed, 08/08/2018 - 18:14
Project: PHP Configuration
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description:

This module enables you to add or overwrite PHP configuration on a drupal website.

The module doesn't sufficiently restrict access to setting these configuration values, allowing an attacker who can set them to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig".

After updating the module, review the permissions on your site; if the 'administer phpconfig' permission is granted to a role that is not fully trusted, revoke it.
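The review the advisory asks for, as an added example that is not the module's own code: a Drupal 7 script (run with `drush php-script`) that lists every role holding 'administer phpconfig' and, outside dry-run mode, revokes it from any role not on a trusted list. It uses only core user API functions; the `example_` names are hypothetical, and the trusted list here is an assumption that only the configured administrator role should keep the permission.

```php
<?php
// Added example, not the PHP Configuration module's code. Drupal 7 API; run
// it with `drush php-script` after the module update. Names prefixed
// example_ are hypothetical.

define('EXAMPLE_PHPCONFIG_PERMISSION', 'administer phpconfig');

/**
 * Returns the roles (rid => name) that currently hold the permission.
 * user_roles() with a permission argument lists only roles that have it.
 */
function example_roles_with_phpconfig() {
  return user_roles(FALSE, EXAMPLE_PHPCONFIG_PERMISSION);
}

/**
 * Revokes the permission from every role not in $trusted_rids and returns
 * the roles (rid => name) it would change or did change. With $dry_run set
 * nothing is written, so the list can be reviewed first.
 */
function example_revoke_phpconfig_from_untrusted(array $trusted_rids, $dry_run = TRUE) {
  $changed = array();
  foreach (example_roles_with_phpconfig() as $rid => $name) {
    if (in_array($rid, $trusted_rids)) {
      continue;
    }
    if (!$dry_run) {
      user_role_revoke_permissions($rid, array(EXAMPLE_PHPCONFIG_PERMISSION));
    }
    $changed[$rid] = $name;
  }
  return $changed;
}

// Assumption: only the site's configured administrator role is trusted. The
// anonymous (rid 1) and authenticated (rid 2) roles never belong on this list.
$trusted = array_filter(array(variable_get('user_admin_role', 0)));

// First pass is a dry run; rerun with FALSE once the output has been reviewed.
$report = example_revoke_phpconfig_from_untrusted($trusted, TRUE);
foreach ($report as $rid => $name) {
  drush_print("Role '$name' (rid $rid) holds '" . EXAMPLE_PHPCONFIG_PERMISSION . "' and is not trusted.");
}
if (!$report) {
  drush_print("No untrusted role holds '" . EXAMPLE_PHPCONFIG_PERMISSION . "'.");
}
```

User 1 bypasses permission checks entirely and therefore never shows up in this report; if that account is shared or weakly protected, the module's configuration remains reachable regardless of which roles you revoke.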

Solution: 

Install the latest version:

Also see the PHP Configuration project page.

Coordinated By:
  • mpotter of the Drupal Security Team
