it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041
- Date: Wed, 13 Jun 2018 16:42:12 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-041
Project: Custom Tokens [1]
Date: 2018-June-13
Security risk: *Critical* 16∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Arbitrary PHP code execution
Description:
The Custom Tokens module enables you to create custom tokens for specific
replacements that can improve other modules relying on the token API.
The module doesn't sufficiently identify that its custom permissions are
risky and should only be granted to highly trusted roles.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer custom tokens".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
Solution:
Install the latest version and review your permissions.
*Note, after upgrading, additional configuration steps required.* Sites using
this module should review the permissions page at Administration » People
» Permissions to verify only trusted users are granted permissions defined
by the module such as "administer custom tokens".
* If you use the Custom Tokens module (1.x) for Drupal 7.x, upgrade to
Custom Tokens 7.x-1.2 [4].
* If you use the Custom Tokens module (2.x) for Drupal 7.x, upgrade to
Custom Tokens 7.x-2.0 [5].
Also see the Custom Tokens [6] project page.
Reported By:
* Matt Glaman [7]
Fixed By:
* Ariel Barreiro [8]
Coordinated By:
* Michael Hess [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/token_custom
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/token_custom/releases/7.x-1.2
[5] https://www.drupal.org/project/token_custom/releases/7.x-2.0
[6] https://www.drupal.org/project/token_custom
[7] https://www.drupal.org/user/2416470
[8] https://www.drupal.org/user/23157
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/u/greggles
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041, security-news, 13.06.2018
Archiv bereitgestellt durch MHonArc 2.6.19.