it-securitynotifies - [IT-SecNots] [Security-news] Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010
  • Date: Wed, 14 Feb 2018 20:54:27 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-010

Project: Custom Permissions [1]
Version: 7.x-2.x-dev
Date: 2018-February-14
Security risk: *Moderately critical* 14/25
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module enables the user to set custom permissions per path.

The module doesn't perform sufficient checks on paths with dynamic arguments
(like "node/1" or "user/2"), thereby allowing the site administrator to save
custom permissions for paths that won't be protected. This could lead to an
access bypass vulnerability if the site is relying on the Custom Permissions
module to protect those paths.

This vulnerability is mitigated by the fact that it only occurs on sites
which attempted to use the Custom Permissions module to protect dynamic
paths.

Solution: 
Install the latest version:

* If you use the Custom Permissions module for Drupal 7.x, upgrade to Custom
Permissions 7.x-2.2 [3]

After installing the latest version, visit Administration → People →
Custom Permissions (admin/people/custom_permissions) and save the form. If it
saves with no errors, your site is not vulnerable. However, if an error
message is displayed informing you that the module is attempting to protect
paths with dynamic arguments that it is unable to protect, your site requires
a manual fix; you should reconfigure the site to use a different method to
protect these paths (for example, use "node/*" to protect all nodes with the
same permission, rather than "node/1" to try to protect only a specific node;
or, alternatively, use a node access module to protect the node-related paths
with fine-grained access control).
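The check the advisory describes, as an added example that is neither the module's code nor part of the advisory: it audits a list of paths saved on the Custom Permissions form, flags the ones with dynamic arguments that the module cannot protect, and proposes the wildcard form the advisory recommends. It is written in Python so it can be run offline against an exported path list, and it assumes that a purely numeric path segment in any position is a dynamic argument and that "*" is the wildcard the module accepts.

```python
# Added example, not the config_perms module's own code: audit the paths an
# administrator saved on the Custom Permissions form and flag those with
# dynamic arguments, which the advisory says the module cannot protect.
# Assumptions: a purely numeric path segment is a dynamic argument (generalised
# to any segment position, not only "node/1" or "user/2"), and "*" is the
# wildcard the advisory recommends ("node/*").
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of saved paths; not taken from any real site.
SAMPLE_PATHS = [
    "admin/reports/status",  # static path: protected
    "node/1",                # dynamic argument: not protected
    "user/2/edit",           # dynamic argument: not protected
    "node/*",                # wildcard: protects every node path
    "node/*/edit",           # wildcard: protected
]

_NUMERIC_SEGMENT = re.compile(r"^\d+$")

@dataclass(frozen=True)
class PathFinding:
    path: str
    protected: bool
    suggestion: Optional[str]  # wildcard rewrite, only for unprotected paths

def has_dynamic_argument(path: str) -> bool:
    """True if any segment is a numeric argument such as the "1" in node/1."""
    return any(_NUMERIC_SEGMENT.match(s) for s in path.strip("/").split("/"))

def wildcard_form(path: str) -> str:
    """Rewrite numeric segments as "*", e.g. user/2/edit -> user/*/edit."""
    return "/".join("*" if _NUMERIC_SEGMENT.match(s) else s
                    for s in path.strip("/").split("/"))

def audit_paths(paths: List[str]) -> List[PathFinding]:
    """Classify each saved path; unprotected ones carry a suggested rewrite."""
    return [PathFinding(p, False, wildcard_form(p)) if has_dynamic_argument(p)
            else PathFinding(p, True, None) for p in paths]

def unprotected_paths(paths: List[str]) -> List[str]:
    """The paths the fixed module would flag with an error when the form is saved."""
    return [f.path for f in audit_paths(paths) if not f.protected]

if __name__ == "__main__":
    for f in audit_paths(SAMPLE_PATHS):
        print(f"{f.path}: {'ok' if f.protected else 'NOT PROTECTED, use ' + f.suggestion}")
```

A path such as "node/*/edit" is left alone because the advisory's recommended wildcard form is already in use; only numeric segments are rewritten.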

Reported By: 
* David Rothstein [4] of the Drupal Security Team

Fixed By: 
* David Rothstein [5] of the Drupal Security Team
* David Valdez [6] the module maintainer

Coordinated By: 
* David Rothstein [7] of the Drupal Security Team


[1] https://www.drupal.org/project/config_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_perms/releases/7.x-2.2
[4] https://www.drupal.org/user/124982
[5] https://www.drupal.org/user/124982
[6] https://www.drupal.org/user/992990
[7] https://www.drupal.org/user/124982

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
