Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002
  • Date: Wed, 9 Jan 2019 20:14:14 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-002

Project: Provision [1]
Version: 7.x-3.170
Date: 2019-January-09
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
Aegir is a Web hosting control panel program that provides a Drupal-based
graphical interface designed to simplify deploying, managing and upgrading an
entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision
module is a core piece of the Aegir platform.

This module doesn't sufficiently shield multi-site installations or the PHP
source code.

This vulnerability is mitigated by the fact that the server must be using
Apache. For multi-site installations, the server must host multiple sites on
a common platform. Additionally an attacker must have a knowledge about used
filenames and the server.


Solution: 
Install the latest version:

* If you use Aegir hosting system, upgrade to Provision 7.x-3.170 [3]

Also see the Provision [4] project page.

Reported By: 
* Cristian Segarra [5]

Fixed By: 
* Cristian Segarra [6]
* Jon Pugh [7]
* anarcat [8]
* Herman van Rink [9]
* Colan Schwartz [10]

Coordinated By: 
* Greg Knaddison [11] of the Drupal Security Team
* Michael Hess [12] of the Drupal Security Team
* Cash Williams [13] of the Drupal Security Team


[1] https://www.drupal.org/project/provision
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/provision/releases/7.x-3.170
[4] https://www.drupal.org/project/provision
[5] https://www.drupal.org/user/1501376
[6] https://www.drupal.org/user/1501376
[7] https://www.drupal.org/user/17028
[8] https://www.drupal.org/user/1274
[9] https://www.drupal.org/user/449000
[10] https://www.drupal.org/user/58704
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/102818
[13] https://www.drupal.org/user/421070

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002, security-news, 09.01.2019

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang