it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089
- Date: Wed, 6 Dec 2017 19:16:53 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2017-089
Project: Mailhandler [1]
Version: 7.x-2.10
Date: 2017-December-06
Security risk: *Critical* 17∕25
AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Remote Code Execution
Description:
The Mailhandler module enables you to create nodes by email.
The Mailhandler module does not validate file attachments. By sending a
correctly crafted e-mail to a mailhandler mailbox, an attacker can execute
arbitrary code.
The vulnerability applies to any active mailhandler mailbox, whether or not
attachments are mapped to a field.
*Mitigating factors:*
* For 7.x versions prior to 7.x-2.5, the vulnerability is mitigated by the
fact that the 'MailhandlerCommandsFiles' plugin must be enabled. For later
versions, the option to disable commands was removed; all commands are
enabled in any case.
* The vulnerability is mitigated by the fact that the attacker must pass the
authentication step. The default authentication is that the attacker must
send the crafted e-mail from a registered e-mail address.
* The vulnerability is mitigated by the fact that the mailhandler mailbox
e-mail address must be known by the attacker. This essentially depends on
the use case, e.g. the Mailcomment module.
* The vulnerability is mitigated by the fact that the webserver
configuration must either permit the execution of some file extensions in
the public filesystem or (Apache) have '.htaccess' support enabled through
the AllowOverride directive.
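A check for the last mitigating factor, added here as an example and not part of the advisory or the Mailhandler project: it lists files under the public files directory that carry a script extension, plus any '.htaccess' below the top level. The extension list, the default path 'sites/default/files' and the function name are assumptions to adjust for your server.

```python
"""Audit a Drupal public files directory for files the web server may execute."""
import os
import sys

# Assumption: extensions the web server might hand to an interpreter.
# Adjust to match the handlers configured on your server.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".pl", ".py", ".cgi"}


def audit_files_dir(root):
    """Return sorted (reason, relative_path) findings under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lower = name.lower()
            if lower == ".htaccess":
                # Assumption: only the top-level .htaccess is expected.
                # Copies deeper in the tree can override it when
                # AllowOverride is enabled, so report them.
                if os.path.dirname(rel):
                    findings.append(("nested-htaccess", rel))
                continue
            # Check every dot-separated part: "x.php.txt" can still be
            # executed under some Apache handler configurations.
            parts = {"." + p for p in lower.split(".")[1:]}
            if parts & SCRIPT_EXTENSIONS:
                findings.append(("script-extension", rel))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: default public files path of a single-site install.
    target = sys.argv[1] if len(sys.argv) > 1 else "sites/default/files"
    for reason, path in audit_files_dir(target):
        print(f"{reason}\t{path}")
```

Any finding deserves a manual look; an empty result does not replace upgrading to 7.x-2.11.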
Solution:
Install the latest version:
* If you use the Mailhandler module for Drupal 7.x, upgrade to Mailhandler
7.x-2.11 [3]
Also see the Mailhandler [4] project page.
Reported By:
* Marc Darcis [5]
Fixed By:
* Marc Darcis [6]
* Nathaniel Catchpole [7]
* Milos Bovan [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/mailhandler
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mailhandler/releases/7.x-2.11
[4] https://www.drupal.org/project/mailhandler
[5] https://www.drupal.org/user/3552485
[6] https://www.drupal.org/user/3552485
[7] https://www.drupal.org/user/35733
[8] https://www.drupal.org/u/mbovan
[9] https://www.drupal.org/u/greggles