it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] DRUPAL-PSA-2014-002 - Drupal core - Information disclosure
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] DRUPAL-PSA-2014-002 - Drupal core - Information disclosure
- Date: Wed, 21 May 2014 16:05:54 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
View online: https://drupal.org/PSA-2014-002
* Advisory ID: DRUPAL-PSA-2014-002
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2014-May-21
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
This is a public service announcement regarding the "access site reports"
permission (labeled as "View site reports" in the Drupal 7 administrative
interface) provided by Drupal 6 and 7 core.
This permission allows users to see logs (for example, those provided by the
core Database Logging module) and other reports via the administrative
interface of a Drupal site. Due to the nature of the data logged by various
core and contributed modules, users with this permission can see information
in the logs that they otherwise may not have access to (for example, the
titles of nodes that are restricted by node access).
As such:
* This permission should be granted to trusted site administrators only. It
is now listed as an advanced permission at
https://drupal.org/security-advisory-policy [3], and a future release of
Drupal 7 core will mark it as restricted on the permissions page as well.
* Developers may freely use Drupal's watchdog() function to log relevant
information about the actions they are performing (without worrying about
minor information disclosure or access bypass issues). However, care
should still be taken to only log what is necessary. For example, logging
extremely sensitive information such as plain-text user passwords (see
SA-CONTRIB-2010-091 [4]) would still be considered a security issue
because plain-text passwords should never be saved or displayed anywhere
on the site.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [5] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of Drupal 6 and Drupal 7 core.
-------- SOLUTION ------------------------------------------------------------
Only grant trusted site administrators the "access site reports"/"View site
reports" permission.
Also see the Drupal core [6] project page.
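The two recommendations in this advisory (grant "access site reports" only to trusted administrators; log only what is necessary) as an added Drupal 7 PHP example. This is not code from the advisory or from Drupal core; it assumes a Drupal 7 site with Drush available, and the file name audit_site_reports.php and module name example_module are illustrative.

```php
<?php
/**
 * Added example (not part of the advisory): lists which roles hold the
 * "access site reports" permission on a Drupal 7 site, and shows a
 * watchdog() call that records an event without logging sensitive values.
 *
 * Assumed to be run from the site root with:
 *   drush php-script audit_site_reports.php
 * The file name and the 'example_module' type are illustrative.
 */

// Machine name of the permission (shown as "View site reports" in Drupal 7).
$permission = 'access site reports';

// user_roles() with a permission argument returns rid => role name for every
// role that has been granted it; roles absent here cannot view site reports.
$roles = user_roles(FALSE, $permission);

if (empty($roles)) {
  drush_print("No role holds '$permission'.");
}

foreach ($roles as $rid => $name) {
  // The anonymous and authenticated roles are never "trusted site
  // administrators"; granting them this permission exposes the logs to
  // every visitor or every registered account.
  $built_in = in_array($rid, array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID));

  // Count explicit members of the role (built-in roles have no rows here).
  $members = db_query('SELECT COUNT(DISTINCT uid) FROM {users_roles} WHERE rid = :rid',
    array(':rid' => $rid))->fetchField();

  $flag = $built_in ? 'REVIEW: built-in role holds this permission' : "$members member(s)";
  drush_print(sprintf('rid %d  %-30s %s', $rid, $name, $flag));
}

/**
 * Logging as the advisory recommends: record the event and its context,
 * never the secret. A failed login names the account and source address;
 * the password that was tried is not passed to watchdog() at all.
 */
function example_module_log_failed_login($name) {
  watchdog('example_module', 'Failed login attempt for %name from %ip',
    array('%name' => $name, '%ip' => ip_address()), WATCHDOG_NOTICE);
}
```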
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [11]
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] https://drupal.org/security-advisory-policy
[4] https://drupal.org/node/912412
[5] http://cve.mitre.org/
[6] http://drupal.org/project/drupal
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
[11] https://twitter.com/drupalsecurity
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.