View online: https://www.drupal.org/sa-contrib-2018-022
Project: DRD Agent [1] Date: 2018-April-25 Security risk: *Critical* 15∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: PHP object injection
Description: This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.
The modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.
Solution: Install the latest version:
* If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.14 [3] * If you use the DRD Agent module for Drupal 8.x, upgrade to DRD Agent 8.x-3.7 [4] * If you use the DRD Agent module for Drupal 7.x, upgrade to DRD Agent 7.x-3.5 [5]
Reported By: * David Snopek [6] of the Drupal Security Team
Fixed By: * David Snopek [7] of the Drupal Security Team * Jürgen Haas [8]
Coordinated By: * David Snopek [9] of the Drupal Security Team
[1] https://www.drupal.org/project/drd_agent [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/2965986 [4] https://www.drupal.org/node/2965984 [5] https://www.drupal.org/node/2965982 [6] https://www.drupal.org/user/266527 [7] https://www.drupal.org/user/266527 [8] https://www.drupal.org/user/168924 [9] https://www.drupal.org/user/266527