[SECURITY-L] [Security-news] Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057

CSIRT Unicamp security at unicamp.br
Wednesday, November 6, 15:35:18 -03 2024


View online: https://www.drupal.org/sa-contrib-2024-057

Project: Basic HTTP Authentication [1]
Date: 2024-November-06
Security risk: *Critical* 16 ∕ 25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description:
The module provides a possibility to restrict access to specific paths using
basic HTTP authentication, in addition to standard Drupal access checks.

In some cases, the module removes existing access checks from some paths,
resulting in an access bypass vulnerability.
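The advisory does not say which paths are affected or how the existing checks are dropped. As an added illustration, and not the Basic HTTP Authentication module's own code, the PHP below shows the general class of mistake in a Drupal 7 hook_menu_alter() implementation: replacing a router item's access callback outright (so Drupal's own permission check no longer runs) versus chaining the new Basic auth check with the original one. The module name pathguard, the protected paths, the variable names and all function names are assumptions made for this example.

```php
<?php
/**
 * Illustrative Drupal 7 code for a hypothetical module "pathguard".
 * Not the basic_auth project's code: it demonstrates the difference between
 * overwriting a path's access check and layering a check on top of it.
 */

/**
 * Paths to put behind HTTP Basic auth (assumed configuration).
 */
function pathguard_protected_paths() {
  return array('admin/reports/status', 'node/add/article');
}

/**
 * Implements hook_menu_alter().
 */
function pathguard_menu_alter(&$items) {
  foreach (pathguard_protected_paths() as $path) {
    if (!isset($items[$path])) {
      continue;
    }
    $item = &$items[$path];

    // VULNERABLE pattern: overwrite the router item's access callback. The
    // permission core attached to the path (e.g. user_access('administer site
    // configuration')) is never evaluated again, so whoever passes the Basic
    // auth check gets the path regardless of their Drupal role.
    //
    //   $item['access callback'] = 'pathguard_basic_auth_ok';
    //   $item['access arguments'] = array();

    // HARDENED pattern: remember the original check and AND it with ours.
    // hook_menu_alter() runs before core applies its defaults, so reproduce
    // them here: no callback but access arguments => user_access();
    // neither => access denied.
    if (isset($item['access callback'])) {
      $callback = $item['access callback'];
    }
    elseif (isset($item['access arguments'])) {
      $callback = 'user_access';
    }
    else {
      $callback = FALSE;
    }
    $arguments = isset($item['access arguments']) ? $item['access arguments'] : array();

    if (!is_string($callback)) {
      // Boolean/integer callbacks (TRUE for public paths, 0 for denied ones)
      // are wrapped so they can be chained like an ordinary callable.
      $arguments = array((bool) $callback);
      $callback = 'pathguard_constant_access';
    }

    $item['access callback'] = 'pathguard_chained_access';
    // Keep the original arguments at the top level: the menu system replaces
    // top-level integer arguments with path components (e.g. 1 => arg(1)),
    // which would not happen if they were nested inside another array.
    $item['access arguments'] = array_merge(array($callback), $arguments);
    unset($item);
  }
}

function pathguard_constant_access($allowed) {
  return (bool) $allowed;
}

/**
 * Access callback: Basic auth AND the path's original access check.
 */
function pathguard_chained_access() {
  $args = func_get_args();
  $original_callback = array_shift($args);
  if (!pathguard_basic_auth_ok()) {
    return FALSE;
  }
  return (bool) call_user_func_array($original_callback, $args);
}

/**
 * TRUE only if the request carries valid Basic auth credentials.
 * Expected credentials come from variable_get() (assumed configuration).
 */
function pathguard_basic_auth_ok() {
  $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
  $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
  $expected_user = variable_get('pathguard_user', '');
  $expected_pass = variable_get('pathguard_pass', '');
  if ($expected_user === '' || $expected_pass === '') {
    // Fail closed: an unconfigured guard must not turn into a bypass.
    return FALSE;
  }
  // hash_equals() requires PHP 5.6+; constant-time comparison of both fields.
  return hash_equals($expected_user, $user) && hash_equals($expected_pass, $pass);
}
```

Sending the 401 response with a WWW-Authenticate header when credentials are missing is left out; the point here is only that the original access callback must still run, and must still receive its path arguments, after the Basic auth check passes.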

Solution:
Install the latest version:

   * If you use the Basic HTTP Authentication module for Drupal 7.x, upgrade to
     Basic Authentication 7.x-1.4 [3]

Reported By:
   * Roderik Muit [4]

Fixed By:
   * Roderik Muit [5]
   * Ivo Van Geertruyen [6] of the Drupal Security Team

Coordinated By:
   * Ivo Van Geertruyen [7] of the Drupal Security Team


[1] https://www.drupal.org/project/basic_auth
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/basic_auth/releases/7.x-1.4
[4] https://www.drupal.org/user/8841
[5] https://www.drupal.org/user/8841
[6] https://www.drupal.org/user/383424
[7] https://www.drupal.org/user/383424

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830


More information about the SECURITY-L mailing list