it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2014-076 - Fasttoggle - Access bypass
- Date: Wed, 6 Aug 2014 20:48:45 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
View online: https://www.drupal.org/node/2316747
* Advisory ID: DRUPAL-SA-CONTRIB-2014-076
* Project: Fasttoggle [1] (third-party module)
* Version: 7.x
* Date: 2014-August-06
* Security risk: 11/25 ( Moderately Critical)
AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:25 [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to quickly toggle various user, node and field
related settings via ajax links.
The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the
access control which doesn't correctly implement support for the user status
(allow/block) link.
This vulnerability is mitigated by the fact that the administrator must
enable the link in the fasttoggle configuration and allow user profiles to be
viewed by anonymous or logged in users. For user 1 to be affected, the
administrator must also enable the fasttoggle setting that allows that
account to be blocked via fasttoggle.
All uses of the Fasttoggle module are logged, so any invocations of the
exploit will be recorded. Accounts can only be blocked or unblocked via the
exploit.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
Drupal core is not affected. If you do not use the contributed Fasttoggle [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Fasttoggle module for Drupal 7.x, upgrade to Fasttoggle
7.x-1.5 [5]
Also see the Fasttoggle [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Laura Hild [7]
-------- FIXED BY
------------------------------------------------------------
* Nigel Cunningham [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Neil Drumm [9] of the Drupal Security Team
* David Stoline [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/fasttoggle
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fasttoggle
[5] https://www.drupal.org/node/2316065
[6] http://drupal.org/project/fasttoggle
[7] https://www.drupal.org/user/760454
[8] https://www.drupal.org/user/250105
[9] https://www.drupal.org/user/3064
[10] https://www.drupal.org/u/dstol
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] SA-CONTRIB-2014-076 - Fasttoggle - Access bypass, security-news, 06.08.2014
Archiv bereitgestellt durch MHonArc 2.6.19.