it-securitynotifies - [IT-SecNots] [Security-news] Stage File Proxy - Less critical - Denial of Service - SA-CONTRIB-2019-044

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Stage File Proxy - Less critical - Denial of Service - SA-CONTRIB-2019-044
  • Date: Wed, 17 Apr 2019 16:42:11 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-044

Project: Stage File Proxy [1]
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2019-April-17
Security risk: *Less critical* 9∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Denial of Service

Description: 
Stage File Proxy is a general solution for getting production files on a
development server on demand.

The module doesn't sufficiently validate requested URLs, allowing an attacker
to send repeated requests for files that do not exist, which could exhaust
resources on the server where Stage File Proxy is installed.

This vulnerability is mitigated by the fact that an attacker must make
repeated requests. The vulnerability only exists on environments where Stage
File Proxy is installed (it generally is not installed on production). It
only affects sites where the "Hot Link" option is disabled (disabled is the
default configuration).

Solution: 
Install the latest version:

* If you use the Stage File Proxy module for Drupal 7.x, upgrade to Stage
File Proxy 7.x-1.9 [3]

Also see the Stage File Proxy [4] project page.

Reported By: 
* remydenton [5]
* Axel Rutz [6]
* Drew Webber [7]

Fixed By: 
* remydenton [8]
* Axel Rutz [9]
* Drew Webber [10]

Coordinated By: 
* Greg Knaddison [11] of the Drupal Security Team


[1] https://www.drupal.org/project/stage_file_proxy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/stage_file_proxy/releases/7.x-1.9
[4] https://www.drupal.org/project/stage_file_proxy
[5] https://www.drupal.org/user/969184
[6] https://www.drupal.org/user/229048
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/969184
[9] https://www.drupal.org/user/229048
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
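
One way to spot the pattern the advisory describes (repeated requests for files that do not exist) in a web server log, added here as an example and not code from the Stage File Proxy project or the Drupal Security Team. It assumes a combined-format access log, Drupal's default public files path, that missed files are logged with status 404, and an arbitrary threshold and window; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the advisory): combined log format, Drupal's default
# public files path, missing files logged as 404, and a threshold/window
# that must be tuned per environment.
FILES_PREFIX = "/sites/default/files/"
THRESHOLD = 5
WINDOW = timedelta(seconds=10)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_missing_file_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {client_ip: peak number of 404s under FILES_PREFIX inside one
    window} for every client whose peak reaches the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of recent missing-file hits
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404" or not m["path"].startswith(FILES_PREFIX):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def build_sample():
    """Constructed log lines (documentation-range IPs), not real traffic."""
    fmt = ('{ip} - - [17/Apr/2019:16:{m:02d}:{s:02d} +0000] '
           '"GET {p} HTTP/1.1" {st} 0 "-" "-"')
    lines = [fmt.format(ip="192.0.2.10", m=0, s=i, p=f"{FILES_PREFIX}x{i}.png", st=404)
             for i in range(6)]   # burst: six misses in six seconds
    lines += [fmt.format(ip="203.0.113.5", m=i, s=0, p=f"{FILES_PREFIX}y{i}.png", st=404)
              for i in range(5)]  # slow: one miss per minute, below threshold
    lines.append(fmt.format(ip="198.51.100.7", m=0, s=2, p=f"{FILES_PREFIX}logo.png", st=200))
    return lines

if __name__ == "__main__":
    for ip, n in find_missing_file_bursts(build_sample()).items():
        print(f"{ip}: {n} missing-file requests within {WINDOW.seconds}s")
```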

