[Security-news] Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022

security-news at drupal.org security-news at drupal.org
Wed Apr 20 17:06:51 UTC 2016


View online: https://www.drupal.org/node/2710063

   * Advisory ID: DRUPAL-SA-CONTRIB-2016-022
   * Project: Search API [1]     (third-party module)
   * Version: 7.x
   * Date: 2016-April-20
   * Security risk: 11/25 ( Moderately Critical)
     AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
   * Vulnerability: Information Disclosure, Cross Site Scripting, Access 
bypass

-------- DESCRIPTION
---------------------------------------------------------

This module enables you to build searches using a wide range of features,
data sources and backends.

.... Search index not updated by node access changes

The module doesn't sufficiently re-index nodes when using the "Node access"
or "Access check" data alterations and non-standard ways of changing node
access are used. This could lead to nodes or comments being listed in search
results to which the visitor viewing the results should not have access.

This vulnerability is mitigated by the fact that this only occurs in uncommon
setups, and that only nodes that were already accessible to the user at some
point can be displayed.

.... XSS vulnerability in Views search results

The module doesn't sufficiently sanitize field values returned directly from
the search server (e.g., Solr).

This vulnerability is mitigated by the fact that several components/modules
need to be configured in a specific way to allow this vulnerability to be
exploited.


.... Doesn't check for "access comments" permission when searching for
       comments

The module doesn't sufficiently check the user's permissions when comments
are searched.

This vulnerability is mitigated by the fact that it only occurs in specific
site configurations:

   * A search index with item type "Comment".
   * Using the "Access check" data alteration for protection.
   * The site allowing certain users to view content (nodes), but not 
comments.
   * A search page for the comment index must be accessible for these users.

-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Search API 7.x-1.x versions prior to 7.x-1.18.

Drupal core is not affected. If you do not use the contributed Search API [4]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Search API module for Drupal 7.x, upgrade to Search API
     7.x-1.18 [5]

Also see the Search API [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Thomas Seidl [7] the module maintainer
   * Mike Potter [8]

-------- FIXED BY
------------------------------------------------------------

   * Thomas Seidl [9], the module maintainer

-------- COORDINATED BY
------------------------------------------------------

   * Mike Potter [10] provisional member of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and  securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] https://www.drupal.org/project/search_api
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/search_api
[5] https://www.drupal.org/node/2710001
[6] https://www.drupal.org/project/search_api
[7] https://www.drupal.org/u/drunken-monkey
[8] https://www.drupal.org/u/mpotter
[9] https://www.drupal.org/u/drunken-monkey
[10] https://www.drupal.org/u/mpotter
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity



More information about the Security-news mailing list