[IT-SecNots] [Security-news] SA-CONTRIB-2012-022 - CDN - Information disclosure

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2012-022 - CDN - Information disclosure
  • Date: Wed, 15 Feb 2012 21:08:04 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2012-022
* Project: CDN [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-February-15
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The CDN module provides easy Content Delivery Network integration for Drupal
sites. It alters file URLs, so that files are downloaded from a CDN instead
of your web server.

When running in Origin Pull mode together with the "Far Future expiration"
option, the module contains a vulnerability that allows anyone to view the
contents of any *.php file within the site, including settings.php.

This vulnerability is mitigated by the fact that the site owner must have
enabled the "Far Future expiration" option, and must be using the latest
version of the module.

-------- VERSIONS AFFECTED ---------------------------------------------------

* CDN version 6.x-2.2
* CDN version 7.x-2.2

Drupal core is not affected. If you do not use the contributed CDN [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* Upgrade to CDN module 6.x-2.3 [4]
* Upgrade to CDN module 7.x-2.3 [5]

See also the CDN [6] project page.

-------- REPORTED BY ---------------------------------------------------------

* Ivo Van Geertruyen [7] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

* Wim Leers [8], the module maintainer
* Ivo Van Geertruyen [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/cdn
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/cdn
[4] http://drupal.org/node/1441482
[5] http://drupal.org/node/1441480
[6] http://drupal.org/project/cdn
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/99777
[9] http://drupal.org/user/383424
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
