View online: https://www.drupal.org/sa-contrib-2019-003
Project: Aegir HTTPS [1] Date: 2019-January-09 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass
Description: Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform.
This module doesn't sufficiently shield multi-site installations.
This vulnerability is mitigated by the fact that the server must be using Apache and must host multiple sites on a common platform. An attacker must have a knowledge about used filenames and the server.
Solution: Install the latest version:
* If you use Aegir hosting system, upgrade to Aegir HTTPS 7.x-3.170 [3]
Also see the Aegir HTTPS [4] project page.
Reported By: * Cristian Segarra [5]
Fixed By: * Cristian Segarra [6] * Jon Pugh [7] * anarcat [8] * Herman van Rink [9] * Colan Schwartz [10]
Coordinated By: * Greg Knaddison [11] of the Drupal Security Team * Michael Hess [12] of the Drupal Security Team * Cash Williams [13] of the Drupal Security Team
[1] https://www.drupal.org/project/hosting_https [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/hosting_https/releases/7.x-3.170 [4] https://www.drupal.org/project/hosting_https [5] https://www.drupal.org/user/1501376 [6] https://www.drupal.org/user/1501376 [7] https://www.drupal.org/user/17028 [8] https://www.drupal.org/user/1274 [9] https://www.drupal.org/user/449000 [10] https://www.drupal.org/user/58704 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/user/102818 [13] https://www.drupal.org/user/421070