From security em unicamp.br  Wed Oct  3 16:20:07 2018
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 3 Oct 2018 16:20:07 -0300
Subject: [SECURITY-L] Fwd: [Security-news] Printer,
 email and PDF versions - Highly critical - Remote Code Execution -
 SA-CONTRIB-2018-063
In-Reply-To: <mailman.6327.1538591807.49613.security-news@drupal.org>
References: <mailman.6327.1538591807.49613.security-news@drupal.org>
Message-ID: <CAEsueBOp34NZx7nJym+DjDf7Tpu8gXLT4QZzSTP6A_=Tu5-_xQ@mail.gmail.com>

From: <security-news em drupal.org>
Date: qua, 3 de out de 2018 às 15:38
Subject: [Security-news] Printer, email and PDF versions - Highly critical
- Remote Code Execution - SA-CONTRIB-2018-063
To: <security-news em drupal.org>


View online: https://www.drupal.org/sa-contrib-2018-063

Project: Printer, email and PDF versions [1]
Version: 7.x-2.x-dev
Date: 2018-October-03
Security risk: *Highly critical* 20?25
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Remote Code Execution

Description:
This module provides printer-friendly versions of content, including send by
e-mail and PDF versions.

The module doesn't sufficiently sanitize the arguments passed to the
wkhtmltopdf executable, allowing a remote attacker to execute arbitrary
shell
commands. It also doesn't sufficiently sanitize the HTML content passed to
dompdf, allowing a privileged attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that the site must have either
the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF
generation tool. In the case of the dompdf vulnerability, the attacker must
be able to write content to the site.

Solution:
Install the latest version:

   * If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1
[3]

In alternative, disable PDF generation, or replace the PDF generation
library
with another of the supported versions.

Also see the Printer, email and PDF versions [4] project page.

Reported By:
   * yoloClin  [5]


Fixed By:
   * Lee Rowlands  [6] of the Drupal Security Team
   * João Ventura  [7]
   * yoloClin  [8]


Coordinated By:
   * Lee Rowlands  [9] of the Drupal Security Team
   * Michael Hess  [10] of the Drupal Security Team



[1] https://www.drupal.org/project/print
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/print/releases/7.x-2.1
[4] https://www.drupal.org/project/print
[5] https://www.drupal.org/user/3585171
[6] https://www.drupal.org/user/395439
[7] https://www.drupal.org/user/122464
[8] https://www.drupal.org/user/3585171
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/u/mlhess

_______________________________________________
Security-news mailing list
Security-news em drupal.org
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20181003/d931db2b/attachment.html>

From security em unicamp.br  Thu Oct 18 08:26:48 2018
From: security em unicamp.br (CSIRT Unicamp)
Date: Thu, 18 Oct 2018 08:26:48 -0300
Subject: [SECURITY-L] Fwd: [Security-news] Drupal Core - Multiple
 Vulnerabilities - SA-CORE-2018-006
In-Reply-To: <mailman.7816.1539817916.49613.security-news@drupal.org>
References: <mailman.7816.1539817916.49613.security-news@drupal.org>
Message-ID: <CAKQgEej4bLfzeGb9URZdnhs=xFDjgttV29YhjVhc=hBpx+cEYw@mail.gmail.com>

---------- Forwarded message ---------
From: <security-news em drupal.org>
Date: qua, 17 de out de 2018 às 20:13
Subject: [Security-news] Drupal Core - Multiple Vulnerabilities -
SA-CORE-2018-006
To: <security-news em drupal.org>


View online: https://www.drupal.org/sa-core-2018-006

   * Advisory ID: DRUPAL-SA-CONTRIB-2018-006
   * Project: Drupal core [1]
   * Version: 7.x, 8.x
   * Date: 2018-October-17

-------- DESCRIPTION
---------------------------------------------------------

*Content moderation - Moderately critical - Access bypass - Drupal 8 *

In some conditions, content moderation fails to check a users access to use
certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content
moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator
      Two additional services have been injected into this service. Anyone
      subclassing this service must ensure these additional dependencies are
      passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
      An additional method has been added to this interface.
Implementations
of
      this interface which do not extend the StateTransitionValidation
should
      implement this method.
      Implementations which /do/ extend from the StateTransitionValidation
      should ensure any behavioural changes they have made are also
reflected
      in this new method.

User permissions
      Previously users who didn't have access to use any content moderation
      transitions were granted implicit access to update content provided
the
      state of the content did not change. Now access to an associated
      transition will be validated for all users in scenarios where the
state
      of content does not change between revisions.

Reported by

   * Roland Kovacsics  [2]
   * attilatilman  [3]

Fixed by

   * Jess  [4] of the Drupal Security Team
   * Lee Rowlands  [5] of the Drupal Security Team
   * Wim Leers  [6]
   * Daniel Wehner  [7]
   * Sam Becker  [8]
   * Tim Millwood  [9]
   * Alex Pott  [10] of the Drupal Security Team

*External URL injection through URL aliases - Moderately Critical - Open
Redirect - Drupal 7 and Drupal 8 *

The path module allows users with the 'administer paths' to create pretty
URLs for content.

In certain circumstances the user can enter a particular path that triggers
an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the administer paths
permission to exploit.

Reported by

   * dyates  [11]

Fixed by

   * Dave Reid  [12] of the Drupal Security Team
   * David Rothstein  [13] of the Drupal Security Team
   * Peter Wolanin  [14] of the Drupal Security Team
   * Jess  [15] of the Drupal Security Team
   * Alex Bronstein  [16] of the Drupal Security Team
   * Nathaniel Catchpole  [17] of the Drupal Security Team
   * Lee Rowlands  [18] of the Drupal Security Team
   * Ted Bowman  [19]Provisional member of the Drupal Security Team

*Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8 *

Drupal core and contributed modules frequently use a "destination" query
string parameter in URLs to redirect users to a new destination after
completing an action on the current page. Under certain circumstances,
malicious users can use this parameter to construct a URL that will trick
users into being redirected to a 3rd party website, thereby exposing the
users to potential social engineering attacks.

This vulnerability has been publicly documented.

.... RedirectResponseSubscriber event handler removal

As part of the fix,
\Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination
has been removed, although this is a public function, it is not considered
an
API as per our API policy for event subscribers [20].
If you have extended that class or are calling that method, you should
review
your implementation in line with the changes in the patch. The existing
function has been removed to prevent a false sense of security.

Reported by

   * Brian Osborne  [21]

Fixed by

   * Michael Hess  [22] of the Drupal Security Team
   * Wim Leers  [23]
   * Alex Pott  [24] of the Drupal Security Team
   * Grant Gaudet  [25]
   * Lee Rowlands  [26] of the Drupal Security Team
   * Nathaniel Catchpole  [27] of the Drupal Security Team
   * Jess [28] of the Drupal Security Team

*Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution -
Drupal 7 and Drupal 8*

When sending email some variables were not being sanitized for shell
arguments, which could lead to remote code execution.

Reported by

   * Damien Tournoud  [29]

Fixed by

   * Lee Rowlands  [30] of the Drupal Security Team
   * Sascha Grossenbacher  [31]
   * Daniel Wehner  [32]
   * Klaus Purer  [33]
   * Damien Tournoud  [34]
   * Stefan Ruijsenaars  [35] of the Drupal Security Team
   * David Rothstein  [36] of the Drupal Security Team
   * David Snopek  [37] of the Drupal Security Team
   * Jess  [38] of the Drupal Security Team
   * Wim Leers  [39]
   * Peter Wolanin  [40] of the Drupal Security Team
   * Ted Bowman  [41]Provisional member of the Drupal Security Team

*Contextual Links validation - Critical - Remote Code Execution - Drupal 8 *

The Contextual Links module doesn't sufficiently validate the requested
contextual links.
This vulnerability is mitigated by the fact that an attacker must have a
role
with the permission "access contextual links".

Reported by

   * Nick Booher  [42]

Fixed by

   * Lee Rowlands  [43] of the Drupal Security Team
   * Nick Booher  [44]
   * Samuel Mortenson  [45] of the Drupal Security Team
   * Wim Leers  [46]
   * Alex Pott  [47] of the Drupal Security Team

-------- SOLUTION
------------------------------------------------------------

Upgrade to the most recent version of Drupal 7 or 8 core.

   * If you are running 7.x, upgrade to Drupal 7.60 [48].
   * If you are running 8.6.x, upgrade to Drupal 8.6.2 [49].
   * If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8 [50].

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not
receive security coverage, so sites running older versions should update to
the above 8.5.x release immediately. 8.5.x will receive security coverage
until May 2019.


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/user/3528385
[3] https://www.drupal.org/u/attilatilman
[4] https://www.drupal.org/user/65776
[5] https://www.drupal.org/user/395439
[6] https://www.drupal.org/user/99777
[7] https://www.drupal.org/user/99340
[8] https://www.drupal.org/user/1485048
[9] https://www.drupal.org/user/227849
[10] https://www.drupal.org/user/157725
[11] https://www.drupal.org/user/3426845
[12] https://www.drupal.org/user/53892
[13] https://www.drupal.org/user/124982
[14] https://www.drupal.org/user/49851
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/78040
[17] https://www.drupal.org/user/35733
[18] https://www.drupal.org/user/395439
[19] https://www.drupal.org/user/240860
[20] https://www.drupal.org/core/d8-bc-policy#paramconverters
[21] https://www.drupal.org/user/788032
[22] https://www.drupal.org/user/102818
[23] https://www.drupal.org/user/99777
[24] https://www.drupal.org/user/157725
[25] https://www.drupal.org/user/360002
[26] https://www.drupal.org/user/395439
[27] https://www.drupal.org/user/35733
[28] https://www.drupal.org/user/65776
[29] https://www.drupal.org/user/22211
[30] https://www.drupal.org/user/395439
[31] https://www.drupal.org/user/214652
[32] https://www.drupal.org/user/99340
[33] https://www.drupal.org/user/262198
[34] https://www.drupal.org/user/22211
[35] https://www.drupal.org/user/551886
[36] https://www.drupal.org/user/124982
[37] https://www.drupal.org/user/266527
[38] https://www.drupal.org/user/65776
[39] https://www.drupal.org/user/99777
[40] https://www.drupal.org/user/49851
[41] https://www.drupal.org/user/240860
[42] https://www.drupal.org/user/809346
[43] https://www.drupal.org/user/395439
[44] https://www.drupal.org/user/809346
[45] https://www.drupal.org/user/2582268
[46] https://www.drupal.org/user/99777
[47] https://www.drupal.org/user/157725
[48] https://www.drupal.org/project/drupal/releases/7.60
[49] http://www.drupal.org/project/drupal/releases/8.6.2
[50] http://www.drupal.org/project/drupal/releases/8.5.8

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20181018/10a31af5/attachment.html>