
it-securitynotifies - [IT-SecNots] [Security-news] Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements




  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091
  • Date: Wed, 6 Dec 2017 19:19:03 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2017-091

Project: Configuration Update Manager [1]
Version: 8.x-1.4
Date: 2017-December-06
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Request Forgery (CSRF)

Description: 
The Configuration Update Reports sub-module in the Configuration Update
module project enables you to run reports to see what configuration on your
site differs from the configuration distributed by a module, theme, or
installation profile, and to revert, delete, or import configuration.

This module does not sufficiently protect the Import operation, exposing a
Cross Site Request Forgery (CSRF) vulnerability: an unprivileged user can
trick an administrator who holds the "import configuration" permission into
importing configuration the administrator did not intend to import.

This vulnerability is mitigated by the fact that only configuration items
distributed with a module, theme, or installation profile that is currently
installed and enabled on the site can be imported, not arbitrary
configuration values.
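The following is an added example of the route-level pattern Drupal 8 provides against exactly this class of bug (a state-changing link that is guarded only by a permission check). It is not the Configuration Update Manager's own code: the module name `example`, the route names and paths, the controller class and the `example.importer` service are all assumptions made for illustration.

```php
<?php
// Added example (not config_update's own code): protecting a state-changing
// "import" link in a Drupal 8 module against CSRF.
//
// Hypothetical routing.yml entries (module, route and path names are assumed):
//
// VULNERABLE: a plain GET route guarded only by a permission. Any page the
// administrator visits while logged in can trigger it, e.g. with
// <img src="https://site.example/admin/config/example/import/views.view.frontpage">
//
//   example.import:
//     path: '/admin/config/example/import/{config_name}'
//     defaults:
//       _controller: '\Drupal\example\Controller\ImportController::import'
//     requirements:
//       _permission: 'import configuration'
//
// HARDENED: additionally require a CSRF token on the route. Core's
// CsrfAccessCheck validates the ?token= query parameter against the user's
// session, and RouteProcessorCsrf appends that token automatically whenever
// the link is built through the URL generator (Url / Link), so hand-written
// <a href="..."> strings must not be used for such links.
//
//   example.import:
//     path: '/admin/config/example/import/{config_name}'
//     defaults:
//       _controller: '\Drupal\example\Controller\ImportController::import'
//     requirements:
//       _permission: 'import configuration'
//       _csrf_token: 'TRUE'

namespace Drupal\example\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Link;
use Symfony\Component\HttpFoundation\RedirectResponse;

class ImportController extends ControllerBase {

  /**
   * Builds the "Import" link for one row of the report.
   *
   * Because the route declares _csrf_token, the generated URL has the form
   * /admin/config/example/import/{config_name}?token=... with a token bound
   * to the current session. A URL copied from another session, or guessed by
   * an attacker, carries a token that fails validation.
   */
  public function importLink(string $config_name): Link {
    return Link::createFromRoute($this->t('Import'), 'example.import', [
      'config_name' => $config_name,
    ]);
  }

  /**
   * Import handler.
   *
   * By the time this method runs, both access checks on the route have
   * passed: the permission check and the CSRF token check. A forged
   * cross-site request carries no valid token and is rejected with 403
   * before any configuration is touched.
   */
  public function import(string $config_name): RedirectResponse {
    // Hypothetical importer service; substitute the module's own import logic.
    \Drupal::service('example.importer')->import($config_name);
    return $this->redirect('example.report');
  }

}
```

Two practical notes. First, a token-protected GET link still changes state on GET; the more robust Drupal pattern for destructive or irreversible operations is a confirmation form built on `ConfirmFormBase`, which carries the form token and requires a POST. Second, the interim mitigation in this advisory (removing the "import configuration" permission from all roles) works regardless of the token fix because the `_permission` requirement is evaluated on every request to the route, forged or not.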

Solution: 
Install the latest version:

* If you use the Configuration Update Manager module and its Reports
sub-module for Drupal 8.x, upgrade to Configuration Update Manager version
8.x-1.5 [3]

Alternatively, you could remove the permission "import configuration" from
all roles on the site, or uninstall the Configuration Update Reports
sub-module from your production sites.

Also see the Configuration Update Manager [4] project page.

Reported By: 
* Jean-Francois Hovinne [5]

Fixed By: 
* Jennifer Hodgdon [6] the module maintainer

Coordinated By: 
* Greg Knaddison [7] of the Drupal Security Team
* Lee Rowlands [8] of the Drupal Security Team


[1] https://www.drupal.org/project/config_update
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_update/releases/8.x-1.5
[4] https://www.drupal.org/project/config_update
[5] https://www.drupal.org/u/jfhovinne
[6] https://www.drupal.org/u/jhodgdon
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/larowlan

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19.
