it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065
- Date: Wed, 14 Dec 2022 17:55:46 +0000 (UTC)
- Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-065
Project: File (Field) Paths [1]
Date: 2022-December-14
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The File (Field) Paths module extends the default functionality of Drupal's
core File module by adding the ability to use entity-based tokens in
destination paths and file names.
The module's default configuration could temporarily expose private files to
anonymous visitors.
*Important note:* to fix the problem, database updates must be run in
addition to updating the module.
It's possible to make a configuration change to mitigate this problem in the
admin UI at /admin/config/media/file-system/filefield-paths: the temporary
file location should use either the temporary:// or private:// stream wrapper
if uploaded files should not be exposed publicly.
This vulnerability is mitigated by the fact that an attacker must be able to
guess the temporary path used for file upload.
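The following is an added audit helper, not code from the File (Field) Paths
project or the Drupal Security Team. It checks a configured temporary upload
location the way the mitigation above describes: anything under the public://
stream wrapper (or a bare path, which Drupal resolves to the default public
scheme) is served straight by the web server and counts as exposed, while
temporary:// and private:// are not web-served. The variable name
filefield_paths_temp_location and the sample settings are assumptions made for
the example; the advisory itself only names the admin UI path.

```python
"""Audit a Drupal 7 File (Field) Paths temporary-upload location.

Added example; not the module's own code. Assumptions: the temp location is a
Drupal stream-wrapper URI such as "public://filefield_paths", and it is stored
in a variable called filefield_paths_temp_location (name assumed, not taken
from the advisory).
"""
import re

# Drupal stream wrappers: True if the web server serves the files directly.
# public:// is the web-accessible files directory; private:// and temporary://
# are outside the web root or are access-checked by Drupal.
WEB_SERVED = {"public": True, "private": False, "temporary": False}

# Wrapper to recommend when the configured one is web-served.
SAFE_DEFAULT_SCHEME = "temporary"

_URI_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://(.*)$")


def parse_stream_uri(uri):
    """Split 'scheme://path' into (scheme, path), scheme lowercased.

    A bare path has no scheme; Drupal's file_default_scheme() treats it as
    public, so scheme is returned as None and the caller decides.
    """
    uri = uri.strip()
    m = _URI_RE.match(uri)
    if not m:
        return None, uri
    return m.group(1).lower(), m.group(2)


def classify_temp_location(uri):
    """Return 'exposed', 'protected' or 'unknown' for a temp location URI."""
    scheme, path = parse_stream_uri(uri)
    if ".." in path.split("/"):
        # A traversal component makes the real location unpredictable; treat as
        # exposed so a reviewer looks at it rather than trusting the wrapper.
        return "exposed"
    if scheme is None:
        return "exposed"          # bare path -> public:// by Drupal default
    served = WEB_SERVED.get(scheme)
    if served is None:
        return "unknown"          # custom wrapper, e.g. a remote storage module
    return "exposed" if served else "protected"


def recommended_fix(uri):
    """Rewrite an exposed location onto the temporary:// wrapper, keeping the path."""
    scheme, path = parse_stream_uri(uri)
    if classify_temp_location(uri) == "exposed":
        return f"{SAFE_DEFAULT_SCHEME}://{path.lstrip('/')}"
    return uri.strip()


def audit_variables(variables, name="filefield_paths_temp_location"):
    """Check a dict of Drupal variables; return a list of (name, verdict, fix)."""
    findings = []
    if name in variables:
        value = variables[name]
        findings.append((name, classify_temp_location(value), recommended_fix(value)))
    else:
        # Missing variable means the module default applies; flag for review.
        findings.append((name, "unknown", f"{SAFE_DEFAULT_SCHEME}://filefield_paths"))
    return findings


# Constructed sample: the kind of value a site might have before applying the fix.
SAMPLE_VARIABLES = {
    "filefield_paths_temp_location": "public://filefield_paths",
    "file_private_path": "/var/www/private",
}

if __name__ == "__main__":
    for var, verdict, fix in audit_variables(SAMPLE_VARIABLES):
        print(f"{var}: {verdict} -> set to {fix}")
```

Run it against the exported variables of a site (for example the output of
"drush vget") to get a verdict per site; a "protected" result only means the
wrapper is not web-served, so the file_private_path directory itself still has
to sit outside the document root.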
Solution:
Install the latest version:
* If you use the File (Field) Paths module for Drupal 7.x, upgrade to File
(Field) Paths 7.x-1.2 [3]
Reported By:
* Hayato Goto [4]
* Drew Webber [5] of the Drupal Security Team
* Steve Bink [6]
Fixed By:
* Hayato Goto [7]
* David Snopek [8] of the Drupal Security Team
* Vijay Mani [9] provisional member of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team
* Oleh Vehera [11]
* Damien McKenna [12] of the Drupal Security Team
Coordinated By:
* David Snopek [13] of the Drupal Security Team
* Drew Webber [14] of the Drupal Security Team
* Greg Knaddison [15] of the Drupal Security Team
[1] https://www.drupal.org/project/filefield_paths
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/filefield_paths/releases/7.x-1.2
[4] https://www.drupal.org/user/2844385
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/3427991
[7] https://www.drupal.org/user/2844385
[8] https://www.drupal.org/user/266527
[9] https://www.drupal.org/user/93488
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/3260314
[12] https://www.drupal.org/user/108450
[13] https://www.drupal.org/u/dsnopek
[14] https://www.drupal.org/u/mcdruid
[15] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.