View online: https://www.drupal.org/SA-CORE-2016-004
* Advisory ID: DRUPAL-SA-CORE-2016-004
* Project: Drupal core [1]
* Version: 8.x
* Date: 2016-September-21
* Security risk: 18/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
* Vulnerability:
-------- DESCRIPTION ---------------------------------------------------------
*Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical)*
Users who have rights to edit a node can set the visibility of comments on that node. This should be restricted to users with the "Administer comments" permission.
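The mitigation described above, as an added example that is not Drupal core's own fix: a hypothetical contributed module (module name "mymodule" and field name "comment" are assumptions) that removes the per-node comment-status widget from the node edit form for any user who lacks the "administer comments" permission, so that plain node editors cannot toggle comment visibility.

```php
<?php
// Added example, not Drupal core code. Assumes a module named "mymodule"
// and a comment field named "comment" on the content type being edited.

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_BASE_FORM_ID_alter() for node_form.
 *
 * Hides the comment-status widget unless the current user holds the
 * "administer comments" permission, mirroring the restriction the advisory
 * says should apply.
 */
function mymodule_form_node_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Assumed machine name of the comment field on this content type.
  $comment_field = 'comment';

  // Nothing to restrict if this content type carries no comment field.
  if (!isset($form[$comment_field])) {
    return;
  }

  // Only users with "administer comments" may change comment visibility.
  // Setting #access to FALSE removes the widget from the form and the form
  // builder ignores any value submitted for it, so an editor cannot change
  // the stored comment status by editing the node.
  if (!\Drupal::currentUser()->hasPermission('administer comments')) {
    $form[$comment_field]['#access'] = FALSE;
  }
}
```

This belongs in `mymodule.module`; a site-level check after deploying it is to log in as a user who can edit content but lacks "administer comments" and confirm the comment settings section no longer appears on the node edit form.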
*Cross-site Scripting in HTTP exceptions (Critical)*
An attacker could create a specially crafted URL which, if loaded, could execute arbitrary code in the victim's browser. Drupal was not properly sanitizing an exception
*Full config export can be downloaded without administrative permissions (Critical)*
The system.temporary route allowed the download of a full config export. The full config export should be limited to users with the "Export configuration" permission.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
8.x
-------- SOLUTION ------------------------------------------------------------
Upgrade to Drupal 8.1.10
-------- REPORTED BY ---------------------------------------------------------
*Users without "Administer comments" can set comment visibility on nodes they can edit.*
* Quintus Maximus [4]
* Kier Heyl [5]
*XSS in http exceptions*
* Ivan [6]
*Full config export can be downloaded without administrative permissions*
* Anton Shubkin [7]
-------- FIXED BY ------------------------------------------------------------
*Users without "Administer comments" can set comment visibility on nodes they can edit.*
* Lee Rowlands of the Drupal Security Team [8]
* Stefan Ruijsenaars of the Drupal Security Team [9]
* Andrey Postnikov [10]
* Daniel Wehner [11]
*XSS in http exceptions*
* xjm of the Drupal Security Team [12]
* Daniel Wehner [13]
* Alex Pott of the Drupal Security Team [14]
* Cash Williams of the Drupal Security Team [15]
* Pere Orga of the Drupal Security Team [16]
* David Snopek of the Drupal Security Team [17]
* Heine Deelstra of the Drupal Security Team
*Full config export can be downloaded without administrative permissions*
* Nathaniel Catchpole of the Drupal Security Team [18]
* Alex Pott of the Drupal Security Team [19]
* Anton Shubkin [20]
* xjm of the Drupal Security Team [21]
* Peter Wolanin of the Drupal Security Team [22]
-------- COORDINATED BY ------------------------------------------------------
The Drupal Security Team [23]
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [24].
Learn more about the Drupal Security team and their policies [25], writing secure code for Drupal [26], and securing your site [27].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [28]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://www.drupal.org/u/q2u
[5] https://www.drupal.org/u/kierheyl
[6] https://www.drupal.org/user/556138
[7] https://www.drupal.org/user/1060446
[8] http://www.drupal.org/u/larowlan
[9] https://www.drupal.org/u/stefanr-0
[10] https://www.drupal.org/user/118908
[11] https://www.drupal.org/user/99340
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/99340
[14] https://www.drupal.org/user/157725
[15] https://www.drupal.org/user/421070
[16] https://www.drupal.org/u/pere-orga
[17] https://www.drupal.org/u/dsnopek
[18] https://www.drupal.org/u/catch
[19] https://www.drupal.org/user/157725
[20] https://www.drupal.org/user/1060446
[21] https://www.drupal.org/user/65776
[22] https://www.drupal.org/user/49851
[23] https://www.drupal.org/security-team
[24] https://www.drupal.org/contact
[25] https://www.drupal.org/security-team
[26] https://www.drupal.org/writing-secure-code
[27] https://www.drupal.org/security/secure-configuration
[28] https://twitter.com/drupalsecurity