Security-news February 2019

security-news@drupal.org

1 participants
23 discussions

Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014
by security-news＠drupal.org 06 Feb '19

06 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-014 Project: Acquia Connector [1] Date: 2019-February-06 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Description: Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service. The module does not properly enforce access control in a specific case, which can lead to disclosing information. The vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default. Solution: Install the latest version: * If you use the Acquia Connector module for Drupal 7.x, upgrade to Acquia Connector 7.x-3.4 [3] * If you use the Acquia Connector module for Drupal 8.x, upgrade to Acquia Connector 8.x-1.16 [4] This vulnerability can be mitigated by unchecking /Source code/ under /Allow collection and examination of the following items/ on the Acquia Subscription settings (in Drupal 7) or Acquia Connector settings (in Drupal 8) page. The settings page is under Administration -> Configuration -> System. For Drupal 7, this setting can also be disabled by setting the acquia_spi_module_diff_data variable to FALSE. Using Drush: drush vset acquia_spi_module_diff_data FALSE For Drupal 8, this setting can also be disabled by setting the spi.module_diff_data key within the acquia_connector.settings configuration setting to 0. Using Drush: drush config-set acquia_connector.settings spi.module_diff_data 0 Also see the Acquia Connector [5] project page. Reported By: * Samuel Mortenson [6] of the Drupal Security Team Fixed By: * Mark Trapp [7] * Vlad Pavlovic [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team * Cash Williams [10] of the Drupal Security Team [1] https://www.drupal.org/project/acquia_connector [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/acquia_connector/releases/7.x-3.4 [4] https://www.drupal.org/project/acquia_connector/releases/8.x-1.16 [5] https://www.drupal.org/project/acquia_connector [6] https://www.drupal.org/user/2582268 [7] https://www.drupal.org/user/212019 [8] https://www.drupal.org/user/92673 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/421070

1 0

06 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-013 Project: Login Alert [1] Date: 2019-February-06 Security risk: *Moderately critical* 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description: This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account. The module doesn't employ sufficient randomness in the generation of URLs, which represents an Access Bypass vulnerability. Solution: Install the latest version: * If you use the Login Alert module for Drupal 8.x, upgrade to Login Alert 8.x-1.3 [3] Also see the Login Alert [4] project page. Reported By: * Drew Webber [5] provisional member of the Drupal Security Team Fixed By: * Arvind Verma [6] Coordinated By: * Drew Webber [7] provisional member of the Drupal Security Team * Greg Knaddison [8] member of the Drupal Security Team [1] https://www.drupal.org/project/login_alert [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3030545/ [4] https://www.drupal.org/project/login_alert [5] https://www.drupal.org/user/255969 [6] https://www.drupal.org/user/3307077 [7] https://www.drupal.org/user/255969 [8] https://www.drupal.org/user/36762

1 0

Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012
by security-news＠drupal.org 06 Feb '19

06 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-012 Project: Public Download Count [1] Date: 2019-February-06 Security risk: *Less critical* 8∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Open Redirect Vulnerability Description: This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination. The module did not verify that the links provided to the intermediate page were actually present in the Drupal site content and did not contain checks to prevent external sites from accessing the counter. Solution: Install the latest version: * If you use pubdlcnt for Drupal 7.x, upgrade to pubdlcnt 7.x-1.3 [3] Also see the Public Download Count [4] project page. Reported By: * Jack Over [5] Fixed By: * Corey Halpin [6] Coordinated By: * Michael Hess [7] of the Drupal Security Team [1] https://www.drupal.org/project/pubdlcnt [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/pubdlcnt/releases/7.x-1.3 [4] https://www.drupal.org/project/pubdlcnt [5] https://www.drupal.org/user/953390 [6] https://www.drupal.org/user/3485405 [7] https://www.drupal.org/user/102818

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news February 2019