it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012
- Date: Wed, 6 Feb 2019 18:40:25 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-012
Project: Public Download Count [1]
Date: 2019-February-06
Security risk: *Less critical* 8∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Open Redirect Vulnerability
Description:
This module enables you to track download counts of files linked from a
Drupal site. Links in Drupal content are rewritten to go through an
intermediate page that records download stats and then redirects to the final
destination.
The module did not verify that the links provided to the intermediate page
were actually present in the Drupal site content and did not contain checks
to prevent external sites from accessing the counter.
Solution:
Install the latest version:
* If you use pubdlcnt for Drupal 7.x, upgrade to pubdlcnt 7.x-1.3 [3]
Also see the Public Download Count [4] project page.
Reported By:
* Jack Over [5]
Fixed By:
* Corey Halpin [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/pubdlcnt
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/pubdlcnt/releases/7.x-1.3
[4] https://www.drupal.org/project/pubdlcnt
[5] https://www.drupal.org/user/953390
[6] https://www.drupal.org/user/3485405
[7] https://www.drupal.org/user/102818
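
One way to close the gap the Description names, as an added example that is not the pubdlcnt 7.x-1.3 fix or any code from the project: the site signs each destination when it rewrites a link, and the counter page counts and redirects only when that signature verifies. The function names, the `/counter` path, the `file` and `tok` parameters and the key are assumptions made for the illustration.

```php
<?php
// Added example: not the pubdlcnt module's code. All names are hypothetical.

// Constructed secret; a real site would load a per-site private key.
const COUNTER_KEY = 'constructed-example-key';

// Called when site content is rendered: rewrite a file link so it goes
// through the counter page and carries a MAC over the destination.
function counter_link(string $destination): string {
    $mac = hash_hmac('sha256', $destination, COUNTER_KEY);
    return '/counter?' . http_build_query(['file' => $destination, 'tok' => $mac]);
}

// Called by the counter page: returns the destination to redirect to,
// or null if the request was not produced by counter_link().
function counter_resolve(array $query): ?string {
    $dest = $query['file'] ?? null;
    $tok  = $query['tok'] ?? null;
    if (!is_string($dest) || !is_string($tok)) {
        return null;
    }
    // Only absolute http(s) targets; this rejects javascript:, data:,
    // scheme-relative ("//host") and malformed values.
    $scheme = strtolower((string) parse_url($dest, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Constant-time comparison of the expected MAC with the supplied one.
    $expected = hash_hmac('sha256', $dest, COUNTER_KEY);
    return hash_equals($expected, $tok) ? $dest : null;
}

// Constructed requests: one produced by the site, one reusing its token
// for a destination the site never linked to.
$link = counter_link('https://files.example.org/report.pdf');
parse_str(parse_url($link, PHP_URL_QUERY), $good);
$forged = ['file' => 'https://unrelated.example.net/', 'tok' => $good['tok']];

foreach (['site link' => $good, 'forged link' => $forged] as $label => $q) {
    $dest = counter_resolve($q);
    echo $label, ': ',
        $dest === null ? 'rejected (no count, no redirect)' : "count + redirect to $dest",
        "\n";
}
```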