From security em unicamp.br Thu Mar 9 10:23:31 2017
From: security em unicamp.br (CSIRT Unicamp)
Date: Thu, 9 Mar 2017 10:23:31 -0300
Subject: [SECURITY-L] [security-news@drupal.org: Services - Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029]
Message-ID: <20170309132331.GA21690@unicamp.br>

View online: https://www.drupal.org/node/2858847

* Advisory ID: DRUPAL-SA-CONTRIB-2016-029
* Project: Services [1] (third-party module)
* Version: 7.x
* Date: 2017-March-08
* Security risk: 21/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
* Vulnerability: Arbitrary PHP code execution

-------- DESCRIPTION ---------------------------------------------------------

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module accepts user-submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized"), which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and your Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

* Services 7.x-3.x versions prior to 7.x-3.19.

Drupal core is not affected. If you do not use the contributed Services [4] module, there is nothing you need to do.
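The description above is about an endpoint that hands client-supplied bodies in PHP's serialize() format to the deserializer. The following is an added example written in Python, not code from the Services module or from Drupal: a data-only decoder for that format, which parses scalars and arrays but refuses the object (O:, C:) and reference (r:, R:) tokens, since the reconstruction of arbitrary objects by unserialize() is what makes untrusted input in this format dangerous. The sample request bodies in the test are constructed.

```python
# Added example, not code from the Services module: a data-only decoder for
# PHP's serialize() format that refuses object (O:, C:) and reference (r:, R:) tokens.

class UnsafePayload(ValueError): """Payload would instantiate objects or resolve references."""

def php_unserialize_safe(data: bytes):
    """Decode one PHP-serialized value into Python; raises UnsafePayload on O:/C:/r:/R:."""
    pos = 0

    def read_until(sep: bytes) -> bytes:
        nonlocal pos
        end = data.index(sep, pos)
        token, pos = data[pos:end], end + 1
        return token

    def parse():
        nonlocal pos
        tag = data[pos:pos + 1]
        pos += 2                               # skip "x:" (or the whole "N;")
        if tag == b"N":
            return None
        if tag in (b"O", b"C", b"r", b"R"):
            raise UnsafePayload("object/reference token %r rejected" % tag)
        scalar = {b"b": lambda v: v == b"1", b"i": int, b"d": float}
        if tag in scalar:
            return scalar[tag](read_until(b";"))
        if tag == b"s":
            length = int(read_until(b":"))     # declared length is in bytes
            pos += 1                           # opening quote
            value = data[pos:pos + length]
            pos += length + 2                  # closing quote and ';'
            return value.decode("utf-8")
        if tag == b"a":
            count = int(read_until(b":"))
            pos += 1                           # '{'
            result = {}
            for _ in range(count):
                key = parse()                  # keys are i: or s: values
                result[key] = parse()
            pos += 1                           # '}'
            return result
        raise ValueError("unknown type tag %r" % tag)

    value = parse()
    if pos != len(data):
        raise ValueError("trailing bytes after the serialized value")
    return value

def is_data_only(data: bytes) -> bool:
    try:
        php_unserialize_safe(data)
    except UnsafePayload:
        return False
    return True
```

A decoder like this is what a request parser for the format would have to be to stay safe on untrusted input; disabling the parser in the endpoint settings, as the advisory recommends, removes the format from the attack surface entirely.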
-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Services 3.x module for Drupal 7.x, upgrade to Services 7.x-3.19 [5]

You may disable "application/vnd.php.serialized" under "Request parsing" in Drupal to prevent the exploit:

/admin/structure/services/list/[my-endpoint]/server

However, installing the latest version of the Services module is highly recommended.

Also see the Services [6] project page.

-------- REPORTED BY ---------------------------------------------------------

* Charles Fol [7]

-------- FIXED BY ------------------------------------------------------------

* Kyle Browning [8], module maintainer
* Tyler Frankenstein [9], module maintainer

-------- COORDINATED BY ------------------------------------------------------

* Klaus Purer [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16]

[1] https://www.drupal.org/project/services
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/services
[5] https://www.drupal.org/project/services/releases/7.x-3.19
[6] https://www.drupal.org/project/services
[7] https://www.drupal.org/user/3520095
[8] https://www.drupal.org/user/211387
[9] https://www.drupal.org/user/150680
[10] https://www.drupal.org/user/262198
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news em drupal.org

From security em unicamp.br Thu Mar 16 09:14:27 2017
From: security em unicamp.br (CSIRT Unicamp)
Date: Thu, 16 Mar 2017 09:14:27 -0300
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001]
Message-ID: <20170316121427.GA29469@unicamp.br>

----- Forwarded message from security-news em drupal.org -----

Date: Wed, 15 Mar 2017 20:34:42 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

View online: https://www.drupal.org/SA-2017-001

Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

Download Drupal 8.2.7 [1]

*Upgrading [2] your existing Drupal 8 sites is strongly recommended.* There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes [3] for details on important changes and known issues affecting this release.

Read on for details of the security vulnerabilities that were fixed in this release.
* Advisory ID: DRUPAL-SA-CORE-2017-001
* Project: Drupal core [4]
* Version: 7.x, 8.x
* Date: 2017-March-15

-------- DESCRIPTION ---------------------------------------------------------

.. Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.

.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379

Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

.. Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381

A third-party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.

-------- SOLUTION ------------------------------------------------------------

Upgrade to Drupal 8.2.7

-------- REPORTED BY ---------------------------------------------------------

.. Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377

* Casey [5]

.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379

* Samuel Mortenson [6]

.. Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381

* Timo Hilsdorf [7]

-------- FIXED BY ------------------------------------------------------------

.. Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377

* László Csécsy [8]
* Wim Leers [9]
* Alex Pott [10] of the Drupal Security Team
* Klaus Purer [11] of the Drupal Security Team

.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379

* Samuel Mortenson [12]
* Sascha Grossenbacher

.. Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381

* Klaus Purer [13] of the Drupal Security Team
* Mixologic [14]

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [19]

[1] http://ftp.drupal.org/files/projects/drupal-8.2.7.tar.gz
[2] https://www.drupal.org/upgrade
[3] https://www.drupal.org/project/drupal/releases/8.2.7
[4] https://www.drupal.org/project/drupal
[5] https://www.drupal.org/u/casey
[6] http://drupal.org/u/samuel.mortenson
[7] https://www.drupal.org/user/3506593
[8] https://www.drupal.org/u/Boobaa
[9] https://www.drupal.org/u/wim-leers
[10] https://www.drupal.org/u/alexpott
[11] https://www.drupal.org/u/klausi
[12] https://www.drupal.org/u/samuel.mortenson
[13] https://www.drupal.org/u/klausi
[14] https://www.drupal.org/u/Mixologic
[15] https://www.drupal.org/contact
[16] https://www.drupal.org/security-team
[17] https://www.drupal.org/writing-secure-code
[18] https://www.drupal.org/security/secure-configuration
[19] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

----- End forwarded message -----