it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055
- Date: Wed, 8 Aug 2018 18:07:08 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-055
Project: PHP Configuration [1]
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: *Critical* 17/25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Description:
This module enables you to add or overwrite PHP configuration on a Drupal
website.
The module doesn't sufficiently restrict access to setting these configurations,
leading to arbitrary PHP configuration execution by an attacker.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer phpconfig".
After updating the module, it's important to review the permissions of your
website; if the 'administer phpconfig' permission is granted to a role that is
not fully trusted, we advise revoking it.
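The permission review recommended above can be scripted. The following is an added example, not part of the Drupal advisory or of the PHP Configuration module: a Drush script for a Drupal 8.x site that lists every role holding 'administer phpconfig' (including admin roles, which hold all permissions implicitly), counts the users in each, and revokes the permission from the roles named in `$revoke_from`. The script name and the role machine names in `$revoke_from` are assumptions to be adapted to your site.

```php
<?php
// Added example (not from the advisory): audit and optionally revoke the
// 'administer phpconfig' permission on a Drupal 8.x site.
// Run from the site root, inside a bootstrapped Drupal via Drush:
//   drush scr audit_phpconfig.php
// Assumes Drupal 8.x and Drush; the filename is an assumed placeholder.

use Drupal\user\Entity\Role;

// Permission named in SA-CONTRIB-2018-055.
const PHPCONFIG_PERMISSION = 'administer phpconfig';

// Role machine names to strip the permission from. Empty = audit only.
// Placeholder values; e.g. ['content_editor', 'site_builder'].
$revoke_from = [];

// Collect every role that effectively holds the permission.
$holders = [];
foreach (Role::loadMultiple() as $role) {
  /** @var \Drupal\user\RoleInterface $role */
  // isAdmin() roles bypass permission checks, so report them as holders too.
  if ($role->isAdmin() || $role->hasPermission(PHPCONFIG_PERMISSION)) {
    $holders[$role->id()] = $role;
  }
}

if (!$holders) {
  print "No role holds '" . PHPCONFIG_PERMISSION . "'.\n";
  return;
}

print "Roles holding '" . PHPCONFIG_PERMISSION . "':\n";
foreach ($holders as $rid => $role) {
  // Number of user accounts that carry this role.
  $count = \Drupal::entityQuery('user')
    ->accessCheck(FALSE)
    ->condition('roles', $rid)
    ->count()
    ->execute();
  printf("  %-20s %-30s users: %d%s\n",
    $rid, $role->label(), $count,
    $role->isAdmin() ? ' (admin role, implicit)' : '');
}

// Revoke only from explicitly listed, non-admin roles. An admin role cannot
// lose a single permission; it would have to be demoted as a whole.
foreach ($revoke_from as $rid) {
  if (!isset($holders[$rid])) {
    print "Role '$rid' does not hold the permission; nothing to do.\n";
    continue;
  }
  if ($holders[$rid]->isAdmin()) {
    print "Role '$rid' is an admin role; not changed.\n";
    continue;
  }
  $holders[$rid]->revokePermission(PHPCONFIG_PERMISSION)->save();
  print "Revoked '" . PHPCONFIG_PERMISSION . "' from role '$rid'.\n";
}
```

On a Drupal 7.x site the equivalent API calls are `user_roles(FALSE, 'administer phpconfig')`, which returns the roles holding the permission, and `user_role_revoke_permissions($rid, array('administer phpconfig'))` to remove it. Running the audit before and after the module update confirms that only fully trusted roles keep the permission.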
Solution:
Install the latest version:
* If you use the PHP Configuration module for Drupal 7.x, upgrade to
  PHP Configuration 7.x-1.1
* If you use the PHP Configuration module for Drupal 8.x, upgrade to
  PHP Configuration 8.x-1.1
Also see the PHP Configuration [3] project page.
Reported By:
* Balazs Janos Tatar [4] Provisional security team member
Fixed By:
* bappa.sarkar [5] The module maintainer
Coordinated By:
* mpotter [6] of the Drupal Security Team
[1] https://www.drupal.org/project/phpconfig
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/phpconfig
[4] https://www.drupal.org/u/tatarbj
[5] https://www.drupal.org/user/262655
[6] https://www.drupal.org/u/mpotter
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.