
it-securitynotifies - [IT-SecNots] [Security-news] Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072
  • Date: Wed, 2 Oct 2019 17:45:51 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-072

Project: Localization update [1]
Date: 2019-October-02
Security risk: *Moderately critical* 10∕25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Insecure server configuration

Description: 
This module enables you to automatically download and update the site's
interface translations by fetching them from localize.drupal.org or any other
Localization server.

The module doesn't sufficiently protect the directory it stores translation
files in. It's conventional for directories which may be writeable to be
protected by a .htaccess file to prevent malicious PHP files placed within
them being executed by the webserver. This vulnerability is mitigated by the
fact that an attacker typically wouldn't be able to place a malicious file in
the module's storage directory.

Solution: 
Install the latest version:

* If you use the Localization Update module for Drupal 7.x-1.x, upgrade to
Localization Update 7.x-1.2 [3]
* If you use the Localization Update module for Drupal 7.x-2.x, upgrade to
Localization Update 7.x-2.3 [4]

Also see the Localization update [5] project page.

Reported By: 
Gisle Hannemyr [6]

Fixed By: 
* Gisle Hannemyr [7]
* Erik Stielstra [8]
* Gábor Hojtsy [9]

Coordinated By: 
* Damien McKenna [10] of the Drupal Security Team


[1] https://www.drupal.org/project/l10n_update
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/l10n_update/releases/7.x-1.2
[4] https://www.drupal.org/project/l10n_update/releases/7.x-2.3
[5] https://www.drupal.org/project/l10n_update
[6] https://www.drupal.org/user/409554
[7] https://www.drupal.org/user/409554
[8] https://www.drupal.org/user/73854
[9] https://www.drupal.org/user/4166
[10] https://www.drupal.org/u/dmckenna
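
An added example, not part of the advisory or the module's code: a Python audit of a translation storage directory for the condition described above (a missing or ineffective .htaccess file), which also lists any script files already present. The directive patterns, the extension list and the sample file names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Directives that stop Apache from handing files in a directory to PHP.
# Assumption: any one of these is treated as adequate protection.
PROTECTIVE = [
    re.compile(r"^\s*SetHandler\s+(?!none\b)\S+", re.I | re.M),
    re.compile(r"^\s*php_flag\s+engine\s+off\b", re.I | re.M),
    re.compile(r"^\s*Require\s+all\s+denied\b", re.I | re.M),
]
# Extensions commonly mapped to the PHP handler (constructed list).
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}


def audit_dir(directory):
    """Return a list of findings for one writable storage directory."""
    root = Path(directory)
    findings = []
    htaccess = root / ".htaccess"
    if not htaccess.is_file():
        findings.append("missing .htaccess")
    else:
        # Drop comment lines so a commented-out directive does not count.
        text = "\n".join(
            line for line in htaccess.read_text(errors="replace").splitlines()
            if not line.lstrip().startswith("#")
        )
        if not any(p.search(text) for p in PROTECTIVE):
            findings.append(".htaccess has no handler override")
    # Translation storage should hold .po files only; flag script files.
    for f in sorted(root.rglob("*")):
        if f.is_file() and f.suffix.lower() in SCRIPT_EXT:
            findings.append(f"script file present: {f.relative_to(root)}")
    return findings


if __name__ == "__main__":
    # Constructed demo: an unprotected directory with a stray PHP file.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "drupal-7.67.de.po").write_text('msgid ""\n')
        Path(tmp, "x.php").write_text("<?php ?>")
        for finding in audit_dir(tmp):
            print(finding)
```

.htaccess files only take effect on Apache when AllowOverride permits them, so an empty result from this check says nothing about other web servers or about an Apache configured to ignore them.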
