[Security-news] Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

security-news at drupal.org
Wed Dec 6 19:19:03 UTC 2017


View online: https://www.drupal.org/sa-contrib-2017-091

Project: Configuration Update Manager [1]
Version: 8.x-1.4
Date: 2017-December-06
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Request Forgery (CSRF)

Description: 
The Configuration Update Reports sub-module in the Configuration Update
module project enables you to run reports to see what configuration on your
site differs from the configuration distributed by a module, theme, or
installation profile, and to revert, delete, or import configuration.

The Reports sub-module does not sufficiently protect the Import operation,
exposing a Cross Site Request Forgery (CSRF) vulnerability: an attacker with
no privileges on the site can trick a logged-in administrator who holds the
"import configuration" permission into triggering an unwanted import of
configuration.

This vulnerability is mitigated by the fact that only configuration items
distributed with a module, theme, or installation profile that is currently
installed and enabled on the site can be imported, not arbitrary
configuration values.
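The class of defect described above is a state-changing action that is reachable by a plain link and guarded only by a permission check. The following routing fragment is an added illustration, not the config_update project's own routing file, and the advisory does not say how the maintainer fixed the module; the route names, paths, controller and form class names are hypothetical. It shows a weak route beside the two standard Drupal 8 ways of closing it: requiring a per-session CSRF token on the route, or routing the action through a confirmation form so that it only happens on a validated POST.

```yaml
# Added illustration (not the config_update project's own routing file).
# Route names, paths and class names are hypothetical.  The three routes are
# alternatives for ONE import action, shown side by side; a real module
# defines only one of them.

# WEAK: the Import action is a plain GET link guarded only by a permission.
# Any page an administrator visits can trigger it by pointing a link or an
# <img> at this URL, because the browser sends the admin's session cookie.
example_config_ui.import_unsafe:
  path: '/admin/config/development/configuration/report/{config_type}/{config_name}/import-unsafe'
  defaults:
    _controller: '\Drupal\example_config_ui\Controller\ExampleConfigController::import'
    _title: 'Import configuration item'
  requirements:
    _permission: 'import configuration'

# HARDENED, option A: keep the link-style action but require a CSRF token.
# Drupal core's CsrfAccessCheck denies the request (403) unless the ?token=
# query parameter holds a value generated for this session and this exact
# route path.  Links must be built with Url::fromRoute() or
# Link::createFromRoute(); core's RouteProcessorCsrf then appends the token
# automatically, so a hand-crafted cross-site URL never carries a valid one.
example_config_ui.import:
  path: '/admin/config/development/configuration/report/{config_type}/{config_name}/import'
  defaults:
    _controller: '\Drupal\example_config_ui\Controller\ExampleConfigController::import'
    _title: 'Import configuration item'
  requirements:
    _permission: 'import configuration'
    _csrf_token: 'TRUE'

# HARDENED, option B: route to a confirmation form instead of acting on GET.
# A ConfirmFormBase subclass renders an "Are you sure?" page; the import
# runs only in submitForm() on POST, and the Form API validates the
# per-session form_token on every submission, so a forged cross-site
# request cannot complete the action.
example_config_ui.import_confirm:
  path: '/admin/config/development/configuration/report/{config_type}/{config_name}/import-confirm'
  defaults:
    _form: '\Drupal\example_config_ui\Form\ExampleConfigImportConfirmForm'
    _title: 'Import configuration item'
  requirements:
    _permission: 'import configuration'
```

Two practical points follow from this. First, the `_permission` requirement is the only gate on the weak route, which is why the advisory's workaround of removing "import configuration" from every role closes the hole, but only until someone re-grants the permission. Second, option A is only as good as the links that point at the route: a template or controller that builds the URL by string concatenation instead of `Url::fromRoute()` produces links without a token, and administrators clicking them will get a 403, which is the signal to fix the link rather than to drop the `_csrf_token` requirement.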

Solution: 
Install the latest version:

   * If you use the Configuration Update Manager module and its Reports
     sub-module for Drupal 8.x, upgrade to Configuration Update Manager
     version 8.x-1.5 [3]

Alternatively, you could remove the permission "import configuration" from
all roles on the site, or uninstall the Configuration Update Reports
sub-module from your production sites.

Also see the Configuration Update Manager [4] project page.

Reported By: 
   * Jean-Francois Hovinne [5]

Fixed By: 
   * Jennifer Hodgdon [6] the module maintainer

Coordinated By: 
   * Greg Knaddison [7] of the Drupal Security Team
   * Lee Rowlands [8] of the Drupal Security Team


[1] https://www.drupal.org/project/config_update
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_update/releases/8.x-1.5
[4] https://www.drupal.org/project/config_update
[5] https://www.drupal.org/u/jfhovinne
[6] https://www.drupal.org/u/jhodgdon
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/larowlan
