[IT-SecNots] [Security-news] DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2018-022

Project: DRD Agent [1]
Date: 2018-April-25
Security risk: *Critical* 15∕25
AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: PHP object injection

Description: 
This module enables you to monitor and manage any number of remote Drupal
sites and aggregate useful information for administrators in a central
dashboard.

The modules (DRD and DRD Agent) encrypt the data which is exchanged between
them but in order to do so, they use the PHP serialize/unserialize functions
instead of the json_encode/json_decode combination. As the unserialize
function is called on unauthenticated content, this introduces a PHP object
injection vulnerability.

Solution: 
Install the latest version:

  * If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.14 [3]
  * If you use the DRD Agent module for Drupal 8.x, upgrade to DRD Agent
    8.x-3.7 [4]
  * If you use the DRD Agent module for Drupal 7.x, upgrade to DRD Agent
    7.x-3.5 [5]

Reported By: 
  * David Snopek  [6] of the Drupal Security Team

Fixed By: 
  * David Snopek  [7] of the Drupal Security Team
  * Jürgen Haas  [8]

Coordinated By: 
  * David Snopek  [9] of the Drupal Security Team


[1] https://www.drupal.org/project/drd_agent
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2965986
[4] https://www.drupal.org/node/2965984
[5] https://www.drupal.org/node/2965982
[6] https://www.drupal.org/user/266527
[7] https://www.drupal.org/user/266527
[8] https://www.drupal.org/user/168924
[9] https://www.drupal.org/user/266527

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news