it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023
- Date: Wed, 9 Feb 2022 18:51:40 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-023
Project: Fancy File Delete [1]
Date: 2022-February-09
Security risk: *Moderately critical* 14/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass
Description:
This module enables you to manage and delete files.
The module does not sufficiently protect the unmanaged-files view. An
unauthenticated user who knows the path of the view can visit it and attempt
to delete files, which results in duplicate files being created.
To mitigate this issue without deploying code, review all views that are
based on Fancy File Delete and ensure that their access control is set to
require the permission "administer unmanaged files entities".
Solution:
Install the latest version *and do check your views configuration*:
1) If you use the Fancy File Delete module for Drupal ^8.x, upgrade to
Fancy File Delete 2.0.7 [3]
2) Review all views that are based on Fancy File Delete and ensure that their
access control is set to require the permission "administer unmanaged files
entities".
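The views review in the mitigation and in step 2 is a per-display check: in Drupal Views the access plugin is configured on the default display and may be overridden on each page display, so a view can look locked down while one display still inherits an open setting. The following audit script is an added example and is not part of the advisory or of the Fancy File Delete module. It walks the decoded form of exported views.view.*.yml files (for instance from `drush config:export`, loaded with PyYAML's `yaml.safe_load`, which is left to the caller) and reports every display of a Fancy File Delete view whose effective access is not the "administer unmanaged files entities" permission. The base table names used to recognise Fancy File Delete views, the sample view IDs and paths are assumptions constructed for the example; adjust them to your site's export.

```python
"""Audit decoded Drupal views exports (views.view.*.yml) for Fancy File Delete
displays that do not enforce 'administer unmanaged files entities'.

Added example, not code from the advisory or the module. Operates on dicts as
produced by yaml.safe_load() on an exported views.view.*.yml file.
"""

REQUIRED_PERM = "administer unmanaged files entities"

# ASSUMPTION: base tables that identify views built on Fancy File Delete.
# Check the `base_table:` key of your own exported views and adjust.
FFD_BASE_TABLES = {"unmanaged_files", "fancy_file_delete_unmanaged"}


def effective_access(view, display_id):
    """Return the access settings a display actually enforces.

    In a views export, a non-default display inherits the 'default' display's
    access unless display_options.defaults lists `access: false`, in which
    case the display's own `access` block applies.
    """
    displays = view.get("display", {})
    opts = displays.get(display_id, {}).get("display_options", {})
    overridden = opts.get("defaults", {}).get("access", True) is False
    if display_id == "default" or (overridden and "access" in opts):
        return opts.get("access", {})
    return displays.get("default", {}).get("display_options", {}).get("access", {})


def access_is_sufficient(access):
    """True only for permission-based access using the required permission."""
    if access.get("type") != "perm":
        return False
    return access.get("options", {}).get("perm") == REQUIRED_PERM


def is_ffd_view(view):
    return view.get("base_table") in FFD_BASE_TABLES


def audit_views(views):
    """Return (view_id, display_id, path, access_type) for each display of an
    enabled Fancy File Delete view whose effective access is insufficient.
    Displays without a path (blocks, attachments) are still reported, since the
    views access plugin governs them as well."""
    findings = []
    for view in views:
        if not is_ffd_view(view) or not view.get("status", True):
            continue
        for display_id, display in view.get("display", {}).items():
            if display_id == "default":
                continue  # not reachable by itself; only its inheritors matter
            opts = display.get("display_options", {})
            access = effective_access(view, display_id)
            if not access_is_sufficient(access):
                findings.append((view["id"], display_id,
                                 opts.get("path", "(no path)"),
                                 access.get("type", "missing")))
    return findings


# Constructed samples mimicking decoded views.view.*.yml exports (hypothetical
# view IDs and paths).
SAMPLE_VIEWS = [
    {   # default display has no access check and page_1 inherits it: finding
        "id": "ffd_unmanaged_open", "status": True, "base_table": "unmanaged_files",
        "display": {
            "default": {"display_plugin": "default", "display_options": {
                "access": {"type": "none", "options": {}}}},
            "page_1": {"display_plugin": "page", "display_options": {
                "path": "admin/content/files/unmanaged"}},
        },
    },
    {   # page_1 overrides access with the required permission: clean
        "id": "ffd_unmanaged_locked", "status": True, "base_table": "unmanaged_files",
        "display": {
            "default": {"display_plugin": "default", "display_options": {
                "access": {"type": "none", "options": {}}}},
            "page_1": {"display_plugin": "page", "display_options": {
                "path": "admin/content/files/unmanaged-locked",
                "defaults": {"access": False},
                "access": {"type": "perm", "options": {"perm": REQUIRED_PERM}}}},
        },
    },
    {   # role-based access instead of the permission: finding
        "id": "ffd_unmanaged_role", "status": True, "base_table": "unmanaged_files",
        "display": {
            "default": {"display_plugin": "default", "display_options": {
                "access": {"type": "role",
                           "options": {"role": {"administrator": "administrator"}}}}},
            "page_1": {"display_plugin": "page", "display_options": {
                "path": "admin/content/files/by-role"}},
        },
    },
    {   # unrelated view with open access: out of scope, ignored
        "id": "frontpage", "status": True, "base_table": "node_field_data",
        "display": {
            "default": {"display_plugin": "default", "display_options": {
                "access": {"type": "none", "options": {}}}},
            "page_1": {"display_plugin": "page", "display_options": {"path": "node"}},
        },
    },
]


if __name__ == "__main__":
    for view_id, display_id, path, access_type in audit_views(SAMPLE_VIEWS):
        print(f"{view_id}/{display_id} at /{path}: access '{access_type}' "
              f"does not enforce '{REQUIRED_PERM}'")
```

Run it against every `views.view.*.yml` in your config export after upgrading; a clean run means each display either carries the required permission itself or inherits it from the default display. Access type `none` is the open case the advisory describes, and role-based access is flagged too because it does not map onto the module's permission.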
Reported By:
* Ambient.Impact [4]
Fixed By:
* Daniel Pickering [5]
* Jaime Seuma [6]
Coordinated By:
* Chris McCafferty [7] of the Drupal Security Team
[1] https://www.drupal.org/project/fancy_file_delete
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/fancy_file_delete/releases/2.0.7
[4] https://www.drupal.org/user/1131532
[5] https://www.drupal.org/user/3285813
[6] https://www.drupal.org/user/3589760
[7] https://www.drupal.org/user/1850070
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.