it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005
- Date: Wed, 17 Mar 2021 19:30:23 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-005
Project: Fast Autocomplete [1]
Version: 8.x-1.7, 8.x-1.6, 8.x-1.5, 8.x-1.4, 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2021-March-17
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The Fast Autocomplete module [3] provides fast IMDB-like suggestions below a
text input field. Suggestions are stored as JSON files in the public files
folder so that they can be provided to the browser relatively fast without
the need for Drupal to be bootstrapped.
The module doesn't correctly generate certain hashes when the configuration
option "Perform search as anonymous user only" is switched from the default
on value to off.
This enables a malicious user to read search results generated by users with
other roles, disclosing search results the user normally has no access to.
Solution:
Install the latest version:
* If you use the Fast Autocomplete module for Drupal 8.x, upgrade to Fast
Autocomplete 8.x-1.8 [4]
Alternatively, re-enable the setting "Perform search as anonymous user only"
to only display anonymous search results and delete the generated files by
using the "Delete json files" option in all Fast Autocomplete configurations.
Fast Autocomplete for Drupal 7.x is not affected.
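The following is an added illustration of the defect class described above and of why the "anonymous only" workaround closes it; it is not code from the Fast Autocomplete module. It assumes, as a simplification, that the affected hash omitted the role context, and it uses a constructed site secret and constructed role sets.

```python
import hashlib
import hmac

# Constructed sample inputs (not taken from the module): a site secret and two
# users whose role sets differ.
SITE_SECRET = b"constructed-site-secret-change-me"
ANON = ("anonymous",)
EDITOR = ("authenticated", "editor")


def normalize_roles(roles, anonymous_only):
    """With 'Perform search as anonymous user only' switched on, every user's
    suggestions are computed as anonymous, so the role context collapses."""
    if anonymous_only:
        return ("anonymous",)
    return tuple(sorted(set(roles)))


def suggestion_file_name(prefix, roles, anonymous_only, secret=SITE_SECRET):
    """Derive the JSON file name for a search prefix.

    The name is a keyed hash over the prefix AND the normalized role set, so
    distinct role sets never share a file and names cannot be guessed without
    the site secret."""
    context = "|".join(normalize_roles(roles, anonymous_only)) + "|" + prefix
    digest = hmac.new(secret, context.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{digest}.json"


def broken_file_name(prefix, roles, anonymous_only, secret=SITE_SECRET):
    """Assumed simplification of the defect: the role set is left out of the
    hash input, so one file serves every role once anonymous-only is off."""
    digest = hmac.new(secret, prefix.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{digest}.json"


def shares_file_across_roles(name_fn, prefix="dru", anonymous_only=False):
    """Check a derivation function: True means two different role sets map to
    the same file, i.e. one role would be served results generated for another."""
    return name_fn(prefix, ANON, anonymous_only) == name_fn(prefix, EDITOR, anonymous_only)


if __name__ == "__main__":
    print("hardened shares file:", shares_file_across_roles(suggestion_file_name))  # False
    print("broken shares file:  ", shares_file_across_roles(broken_file_name))      # True
    # With anonymous-only on, sharing is by design: everyone gets anonymous results.
    print("workaround shares file:", shares_file_across_roles(broken_file_name, anonymous_only=True))  # True
```

With the setting switched back on, the role context collapses to "anonymous" for every user, which is exactly why the advisory's workaround only exposes anonymous search results.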
Reported By:
* Heine Deelstra [5] of the Drupal Security Team
Fixed By:
* Heine Deelstra [6] of the Drupal Security Team
* Martijn Vermeulen [7]
Coordinated By:
* Heine Deelstra [8] of the Drupal Security Team
[1] https://www.drupal.org/project/fac
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/fac
[4] https://www.drupal.org/node/3204029
[5] https://www.drupal.org/user/17943
[6] https://www.drupal.org/user/17943
[7] https://www.drupal.org/user/960720
[8] https://www.drupal.org/user/17943
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.