it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

[IT-SecNots] [Security-news] Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004
  • Date: Wed, 21 Sep 2016 17:36:01 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/SA-CORE-2016-004

* Advisory ID: DRUPAL-SA-CORE-2016-004
* Project: Drupal core [1]
* Version: 8.x
* Date: 2016-September-21
* Security risk: 18/25 (Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
* Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

*Users without "Administer comments" can set comment visibility on nodes they
can edit. (Less critical)*
Users who have rights to edit a node, can set the visibility on comments for
that node. This should be restricted to those who have the administer
comments permission.

*Cross-site Scripting in http exceptions (critical)*
An attacker could create a specially crafted url, which could execute
arbitrary code in the victim's browser if loaded. Drupal was not properly
sanitizing an exception.

*Full config export can be downloaded without administrative permissions
(critical)*
The system.temporary route would allow the download of a full config export.
The full config export should be limited to those with Export configuration
permission.
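
A defender-side check for the third issue, added here as an example and not part of the advisory or of Drupal itself: it walks web-server access-log lines and flags config-archive downloads through the temporary-file route, so a site owner can see whether any such download succeeded before the upgrade. The route path `/system/temporary` with `file=config.tar.gz`, and the sample log lines, are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not taken from the page).
# A 200 means the archive was served; a 403 is what a permission check returns.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Sep/2016:17:40:01 +0000] "GET /node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2016:17:41:13 +0000] "GET /system/temporary?file=config.tar.gz HTTP/1.1" 200 48211 "-" "curl/7.47.0"
203.0.113.7 - - [21/Sep/2016:17:41:20 +0000] "GET /system/temporary?file=image.png HTTP/1.1" 200 1234 "-" "curl/7.47.0"
198.51.100.9 - - [21/Sep/2016:18:02:44 +0000] "GET /system/temporary?file=config.tar.gz HTTP/1.1" 403 210 "-" "curl/7.47.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed route of the Drupal 8 temporary-file download (hypothetical for this example).
TEMP_ROUTE = "/system/temporary"
CONFIG_ARCHIVE = "config.tar.gz"


def parse_line(line):
    """Return ip, timestamp, method, target and status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_config_export_download(target):
    """True when the request target asks the temporary route for the config archive."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != TEMP_ROUTE:
        return False
    # parse_qs decodes percent-encoding, so an encoded file name is still matched.
    return CONFIG_ARCHIVE in parse_qs(parts.query).get("file", [])


def find_config_export_hits(log_text):
    """All requests for the config archive, as (ip, timestamp, status) tuples."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_config_export_download(rec["target"]):
            hits.append((rec["ip"], rec["ts"], rec["status"]))
    return hits


def served_config_downloads(log_text):
    """Only the hits the server actually fulfilled; these need follow-up."""
    return [(ip, ts) for ip, ts, status in find_config_export_hits(log_text) if status == 200]
```

The web-server log does not record which Drupal account made a request, so each served download should be matched against the site's watchdog or session records to confirm whether the requester held the Export configuration permission.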

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

8.x

-------- SOLUTION ------------------------------------------------------------

Upgrade to Drupal 8.1.10

-------- REPORTED BY ---------------------------------------------------------

*Users without "Administer comments" can set comment visibility on nodes they
can edit.*
* Quintus Maximus [4]
* Kier Heyl [5]

*XSS in http exceptions*
* Ivan [6]

*Full config export can be downloaded without administrative permissions*
* Anton Shubkin [7]

-------- FIXED BY ------------------------------------------------------------

*Users without "Administer comments" can set comment visibility on nodes they
can edit.*
* Lee Rowlands of the Drupal Security Team [8]
* Stefan Ruijsenaars of the Drupal Security Team [9]
* Andrey Postnikov [10]
* Daniel Wehner [11]

*XSS in http exceptions*
* xjm of the Drupal Security Team [12]
* Daniel Wehner [13]
* Alex Pott of the Drupal Security Team [14]
* Cash Williams of the Drupal Security Team [15]
* Pere Orga of the Drupal Security Team [16]
* David Snopek of the Drupal Security Team [17]
* Heine Deelstra of the Drupal Security Team

*Full config export can be downloaded without administrative permissions*
* Nathaniel Catchpole of the Drupal Security Team [18]
* Alex Pott of the Drupal Security Team [19]
* Anton Shubkin [20]
* xjm of the Drupal Security Team [21]
* Peter Wolanin of the Drupal Security Team [22]

-------- COORDINATED BY ------------------------------------------------------

The Drupal Security Team [23]

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [24].

Learn more about the Drupal Security team and their policies [25], writing
secure code for Drupal [26], and securing your site [27].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [28]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://www.drupal.org/u/q2u
[5] https://www.drupal.org/u/kierheyl
[6] https://www.drupal.org/user/556138
[7] https://www.drupal.org/user/1060446
[8] http://www.drupal.org/u/larowlan
[9] https://www.drupal.org/u/stefanr-0
[10] https://www.drupal.org/user/118908
[11] https://www.drupal.org/user/99340
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/99340
[14] https://www.drupal.org/user/157725
[15] https://www.drupal.org/user/421070
[16] https://www.drupal.org/u/pere-orga
[17] https://www.drupal.org/u/dsnopek
[18] https://www.drupal.org/u/catch
[19] https://www.drupal.org/user/157725
[20] https://www.drupal.org/user/1060446
[21] https://www.drupal.org/user/65776
[22] https://www.drupal.org/user/49851
[23] https://www.drupal.org/security-team
[24] https://www.drupal.org/contact
[25] https://www.drupal.org/security-team
[26] https://www.drupal.org/writing-secure-code
[27] https://www.drupal.org/security/secure-configuration
[28] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
