
it-securitynotifies - [IT-SecNots] [Security-news] Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057
  • Date: Wed, 6 Nov 2024 17:21:52 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=Y+wXBw60; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 858264088C
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 2E014400D8
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-057

Project: Basic HTTP Authentication [1]
Date: 2024-November-06
Security risk: *Critical* 16 ∕ 25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
The module provides a possibility to restrict access to specific paths using
basic HTTP authentication, in addition to standard Drupal access checks.

In some cases, the module removes existing access checks from some paths,
resulting in an access bypass vulnerability.

Solution: 
Install the latest version:

* If you use the Basic HTTP Authentication module for Drupal 7.x, upgrade to
Basic Authentication 7.x-1.4 [3]

Reported By: 
* Roderik Muit [4]

Fixed By: 
* Roderik Muit [5]
* Ivo Van Geertruyen [6] of the Drupal Security Team

Coordinated By: 
* Ivo Van Geertruyen [7] of the Drupal Security Team


[1] https://www.drupal.org/project/basic_auth
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/basic_auth/releases/7.x-1.4
[4] https://www.drupal.org/user/8841
[5] https://www.drupal.org/user/8841
[6] https://www.drupal.org/user/383424
[7] https://www.drupal.org/user/383424


