it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001
- Date: Wed, 10 Jan 2018 19:33:38 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-001
Project: Stacks [1]
Date: 2018-January-10
Security risk: *Critical* 18/25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Description:
This module enables content editors to create complex pages and layouts on
the fly without the help from a developer, using reusable widgets.
The module does not sufficiently filter values posted to its AJAX endpoint,
which leads to the instantiation of an arbitrary PHP class.
This vulnerability is mitigated by the fact that only sites with the Stacks -
Content Feed submodule enabled are affected.
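To make the bug class concrete, here is an added illustration written for this page, not the Stacks module's own code: an AJAX handler that instantiates whatever class name the request carries, beside a version that maps the posted value onto an allow-list of widget classes. The class and field names (WidgetInterface, widget_type, TextWidget, ImageWidget) are hypothetical.

```php
<?php
// Added illustration, not the Stacks module's code. Class and field names are
// hypothetical; the point is the pattern, not the module's internals.

interface WidgetInterface {
    public function render(): string;
}

final class TextWidget implements WidgetInterface {
    public function render(): string { return '<p>text widget</p>'; }
}

final class ImageWidget implements WidgetInterface {
    public function render(): string { return '<img alt="image widget">'; }
}

// Vulnerable pattern: the class name comes straight from the POSTed value, so
// any loaded class (including ones whose constructor has side effects) can be
// instantiated by whoever can reach the endpoint.
function buildWidgetUnsafe(array $post): object {
    $class = $post['widget_type'];
    return new $class();
}

// Hardened pattern: the request carries a short key, the server maps it onto
// an explicit allow-list, and anything else is rejected before instantiation.
const WIDGET_TYPES = [
    'text'  => TextWidget::class,
    'image' => ImageWidget::class,
];

function buildWidgetSafe(array $post): WidgetInterface {
    $type = $post['widget_type'] ?? '';
    if (!is_string($type) || !array_key_exists($type, WIDGET_TYPES)) {
        throw new InvalidArgumentException('Unknown widget type');
    }
    $class = WIDGET_TYPES[$type];
    return new $class();
}

// Constructed sample requests (not real traffic).
echo buildWidgetSafe(['widget_type' => 'text'])->render(), PHP_EOL;
try {
    buildWidgetSafe(['widget_type' => 'SomeUnrelatedClass']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Logging the rejected value in the catch branch gives a cheap detection signal for probing of the endpoint.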
Solution:
Install the latest version:
* If you use the Stacks module for Drupal 8.x, upgrade to Stacks 8.x-1.1 [3]
Reported By:
* Jean-François Hovinne [4]
Fixed By:
* Mauro Vigliotti [5] the module maintainer
Coordinated By:
* Michael Hess [6] of the Drupal Security Team
[1] https://www.drupal.org/project/stacks
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/stacks/releases/8.x-1.1
[4] https://www.drupal.org/user/77723
[5] https://www.drupal.org/user/176620
[6] https://www.drupal.org/u/mlhess
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.