it-securitynotifies - [IT-SecNots] [Security-news] Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029
  • Date: Wed, 27 Feb 2019 18:12:38 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-029

Project: Rabbit Hole [1]
Version: 7.x-2.x-dev
Date: 2019-February-27
Security risk: *Moderately critical* 14/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
The Rabbit Hole module allows administrators to control what should happen
when a regular user tries to view an entity at its own page; for example, it
may deliver a 403 Access Denied or 404 Page Not Found response, or redirect
the user to another path.

The module doesn't respect the Rabbit Hole settings when an entity is being
requested with a certain header. This could lead to certain data being
exposed even if it shouldn't be. The vulnerability is mitigated by the fact
that the user also needs permission to view the content being requested.

Solution: 
Install version 7.x-2.25, available at
https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25 [3].

Reported By: 
* Fabian Iwand [4]

Fixed By: 
* Fabian Iwand [5]
* M Parker [6]
* Olof Bokedal [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/rabbit_hole
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25
[4] https://www.drupal.org/user/1632364
[5] https://www.drupal.org/user/1632364
[6] https://www.drupal.org/user/536298
[7] https://www.drupal.org/user/1198438
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19.