Zum Inhalt springen.

Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Menü für Listeneinstellungen

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

From: security-news AT drupal.org
To: security-news AT drupal.org
Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010
Date: Wed, 18 Dec 2019 19:54:54 +0000 (UTC)
List-archive: <http://lists.drupal.org/pipermail/security-news/>
List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2019-010

Project: Drupal core [1]
Version: 8.8.x-dev8.7.x-dev
Date: 2019-December-18
Security risk: *Moderately critical* 14∕25
AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Multiple vulnerabilities

Description:
Drupal 8 core's file_save_upload() function does not strip the leading and
trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with
contributed modules may be able to use this to upload system files such as
.htaccess in order to bypass protections afforded by Drupal's default
.htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from
filenames.

Solution:
Install the latest version:

* If you use Drupal core 8.7.x: 8.7.11 [3]
* If you use Drupal core 8.8.x: 8.8.1 [4]

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.

Reported By:
* Rohit Kapur [5]
* Filipe Reis [6]
* Dan Reif [7]
* mramydnei [8]

Fixed By:
* Lee Rowlands [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
* Kim Pepper [12]
* Alex Pott [13] of the Drupal Security Team
* Derek Wright [14]
* Jess [15] of the Drupal Security Team
* David Rothstein [16] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.7.11
[4] https://www.drupal.org/project/drupal/releases/8.8.1
[5] https://www.drupal.org/user/3623849
[6] https://www.drupal.org/user/3521501
[7] https://www.drupal.org/user/454444
[8] https://www.drupal.org/user/3529990
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/user/370574
[13] https://www.drupal.org/user/157725
[14] https://www.drupal.org/user/46549
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/124982

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

[IT-SecNots] [Security-news] Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010, security-news, 18.12.2019

Archiv bereitgestellt durch MHonArc 2.6.19.