
it-securitynotifies - [IT-SecNots] [Security-news] Various 3rd Party Vulnerabilities - PSA-2019-09-04

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Various 3rd Party Vulnerabilities - PSA-2019-09-04
  • Date: Wed, 4 Sep 2019 18:26:47 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/psa-2019-09-04

Date: 2019-September-04
Vulnerability: Various 3rd Party Vulnerabilities

Description: 
In June of 2011, the Drupal Security Team issued Public Service Advisory
PSA-2011-002 - External libraries and plugins [1].

Eight years later, that is still the policy of the Drupal Security Team. As
Drupal core and contributed modules rely on 3rd party code more and more, this
is an important time to remind site owners that they are responsible for
monitoring the security of the 3rd party libraries they use. Here is the advice
from 2011, which is even more relevant today:

>Just like there's a need to diligently follow announcements and update
>contributed modules downloaded from Drupal.org, there's also a need to
>follow announcements by vendors of third-party libraries or plugins that are
>required by such modules.
>
>Drupal's update module has no functionality to alert you to these
>announcements. The Drupal security team will not release announcements about
>security issues in external libraries and plugins.
>
-------- CURRENT PHPUNIT/MAILCHIMP LIBRARY EXPLOIT ---------------------------

Recently we have become aware of a vulnerability that is being actively
exploited on some Drupal sites. The vulnerability is in PHPUnit and has been
assigned CVE-2017-9841. The exploit targets Drupal sites that currently or
previously used the Mailchimp or Mailchimp commerce module and still have a
vulnerable version of the file
sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.
See below for details on whether a file is vulnerable or not. The vulnerable
file might be at other paths on your individual site, but an automated attack
exists that is looking for that specific path. This attack can execute PHP on
the server.

Solution: 
Follow release announcements by the vendors of the external libraries and
plugins you use.

In this specific case, check for the existence of a file named eval-stdin.php
and check its contents. If they match the new version in this commit [2] then
it is safe. If the file reads from php://input then the codebase is
vulnerable. This is not an indication of a site being compromised, just of it
being vulnerable. To fix this vulnerability, update your libraries. In
particular you should ensure the Mailchimp [3] and Mailchimp Ecommerce [4]
modules *and their libraries* are updated.
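As an added example (not part of the advisory or the Drupal project's tooling), a POSIX shell script that applies the check described above: it locates every eval-stdin.php under a site's docroot and flags copies that still read from php://input. The docroot path passed as the first argument is an assumption.

```sh
#!/bin/sh
# Added example, not part of the advisory: find every copy of PHPUnit's
# eval-stdin.php under a Drupal docroot and flag those that still read from
# php://input, which the advisory gives as the test for a vulnerable copy.
# The docroot path is an assumption supplied as the first argument.

# check_eval_stdin FILE
# Exit status 0 = reads from php://input (vulnerable), 1 = does not, 2 = unreadable.
check_eval_stdin() {
    f="$1"
    [ -r "$f" ] || return 2
    grep -q 'php://input' "$f"
}

# scan_docroot DIR
# Prints one line per eval-stdin.php found (VULNERABLE or ok) and returns 1
# if at least one vulnerable copy was found, 0 otherwise.
scan_docroot() {
    root="$1"
    vuln=0
    # The here-document keeps the loop in the current shell so $vuln survives
    # (piping find into "while read" would run the loop in a subshell).
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if check_eval_stdin "$f"; then
            echo "VULNERABLE: $f (reads from php://input)"
            vuln=1
        else
            echo "ok: $f"
        fi
    done <<EOF
$(find "$root" -type f -name 'eval-stdin.php' 2>/dev/null)
EOF
    return $vuln
}

# Run stand-alone: ./check_eval_stdin.sh /var/www/drupal
if [ -n "${1:-}" ]; then
    scan_docroot "$1"
fi
```

A VULNERABLE line means the library must be updated; as the advisory notes, it does not by itself mean the site has been compromised.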

If you discover your site has been compromised, we have a guide of how to
remediate a compromised site [5].

Also see the Drupal core [6] project page.

Reported By: 
* Hans Rossel [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/node/1189632
[2]
https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
[3] https://www.drupal.org/project/mailchimp/
[4] https://www.drupal.org/project/mailchimp_ecommerce/
[5]
https://www.drupal.org/docs/develop/security/your-drupal-site-got-hacked-now-what
[6] https://www.drupal.org/project/drupal
[7] https://www.drupal.org/u/hansrossel
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


Archive provided by MHonArc 2.6.19.