View online: https://www.drupal.org/sa-contrib-2019-002

Project: Provision [1] Version: 7.x-3.170 Date: 2019-January-09 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass

Description:  Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform.

This module doesn't sufficiently shield multi-site installations or the PHP source code.

This vulnerability is mitigated by the fact that the server must be using Apache. For multi-site installations, the server must host multiple sites on a common platform. Additionally an attacker must have a knowledge about used filenames and the server.

Solution:  Install the latest version:

* If you use Aegir hosting system, upgrade to Provision 7.x-3.170 [3]

Also see the Provision [4] project page.

Reported By:  * Cristian Segarra [5]

Fixed By:  * Cristian Segarra [6] * Jon Pugh [7] * anarcat [8] * Herman van Rink [9] * Colan Schwartz [10]

Coordinated By:  * Greg Knaddison [11] of the Drupal Security Team * Michael Hess [12] of the Drupal Security Team * Cash Williams [13] of the Drupal Security Team

[1] https://www.drupal.org/project/provision [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/provision/releases/7.x-3.170 [4] https://www.drupal.org/project/provision [5] https://www.drupal.org/user/1501376 [6] https://www.drupal.org/user/1501376 [7] https://www.drupal.org/user/17028 [8] https://www.drupal.org/user/1274 [9] https://www.drupal.org/user/449000 [10] https://www.drupal.org/user/58704 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/user/102818 [13] https://www.drupal.org/user/421070