[Security-news] DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022
security-news at drupal.org
security-news at drupal.org
Wed Apr 25 18:08:13 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-022
Project: DRD Agent [1]
Date: 2018-April-25
Security risk: *Critical* 15∕25
AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: PHP object injection
Description:
This module enables you to monitor and manage any number of remote Drupal
sites and aggregate useful information for administrators in a central
dashboard.
The modules (DRD and DRD Agent) encrypt the data which is exchanged between
them but in order to do so, they use the PHP serialize/unserialize functions
instead of the json_encode/json_decode combination. As the unserialize
function is called on unauthenticated content, this introduces a PHP object
injection vulnerability.
Solution:
Install the latest version:
* If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.14 [3]
* If you use the DRD Agent module for Drupal 8.x, upgrade to DRD Agent
8.x-3.7 [4]
* If you use the DRD Agent module for Drupal 7.x, upgrade to DRD Agent
7.x-3.5 [5]
Reported By:
* David Snopek [6] of the Drupal Security Team
Fixed By:
* David Snopek [7] of the Drupal Security Team
* Jürgen Haas [8]
Coordinated By:
* David Snopek [9] of the Drupal Security Team
[1] https://www.drupal.org/project/drd_agent
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2965986
[4] https://www.drupal.org/node/2965984
[5] https://www.drupal.org/node/2965982
[6] https://www.drupal.org/user/266527
[7] https://www.drupal.org/user/266527
[8] https://www.drupal.org/user/168924
[9] https://www.drupal.org/user/266527
More information about the Security-news
mailing list