[Security-news] PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

security-news at drupal.org security-news at drupal.org
Wed Aug 8 18:07:08 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-055

Project: PHP Configuration [1]
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: *Critical* 17/25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution

Description: 
This module enables you to add or overwrite PHP configuration on a Drupal
website.

The module doesn't sufficiently restrict access to setting these configuration
values, which an attacker can use to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer phpconfig".

After updating the module, it's important to review the permissions of your
website: if the 'administer phpconfig' permission is granted to any user role
that is not fully trusted, we advise revoking it.
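As an added example (not part of the advisory or the module), the following Drush script audits which roles hold the 'administer phpconfig' permission on a Drupal 8 site and can optionally revoke it. It assumes Drush 9+ (`drush php:script`), uses the core `Drupal\user\Entity\Role` API, and the script file name and the list of trusted roles are assumptions you should adapt:

```php
<?php
// Added example, not part of the advisory: audit and optionally revoke the
// 'administer phpconfig' permission. Run from the site root with:
//   drush php:script audit_phpconfig_perm.php   (file name is hypothetical)
// Assumes Drush 9+ and a bootstrapped Drupal 8 site.

use Drupal\user\Entity\Role;

const PHPCONFIG_PERMISSION = 'administer phpconfig';

// Roles you consider fully trusted (assumption); any other role holding the
// permission is flagged for review.
$trusted_roles = ['administrator'];

// Dry run by default; set to TRUE to actually revoke from flagged roles.
$revoke = FALSE;

$flagged = [];
foreach (Role::loadMultiple() as $role) {
  // hasPermission() is also TRUE for is_admin roles, which implicitly hold
  // every permission, so those show up here as well.
  if (!$role->hasPermission(PHPCONFIG_PERMISSION)) {
    continue;
  }
  $status = in_array($role->id(), $trusted_roles, TRUE) ? 'trusted' : 'REVIEW';
  printf("%-30s %-40s %s\n", $role->id(), $role->label(), $status);
  if ($status === 'REVIEW') {
    $flagged[] = $role;
  }
}

if ($revoke) {
  foreach ($flagged as $role) {
    if ($role->isAdmin()) {
      // Individual permissions cannot be revoked from an admin role; review
      // its membership instead.
      printf("Skipping admin role %s; review its members instead.\n", $role->id());
      continue;
    }
    $role->revokePermission(PHPCONFIG_PERMISSION)->save();
    printf("Revoked '%s' from role %s\n", PHPCONFIG_PERMISSION, $role->id());
  }
}
```

On Drupal 7 the equivalent check is `user_roles(FALSE, 'administer phpconfig')`, with `user_role_revoke_permissions()` to remove the permission from a role.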

Solution: 
Install the latest version:

   * If you use the PHP Configuration module for Drupal 7.x, upgrade to
     PHP Configuration 7.x-1.1
   * If you use the PHP Configuration module for Drupal 8.x, upgrade to
     PHP Configuration 8.x-1.1

Also see the PHP Configuration [3] project page.

Reported By: 
   * Balazs Janos Tatar [4] Provisional security team member


Fixed By: 
   * bappa.sarkar [5] The module maintainer

Coordinated By: 
   * mpotter [6] of the Drupal Security Team



[1] https://www.drupal.org/project/phpconfig
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/phpconfig
[4] https://www.drupal.org/u/tatarbj
[5] https://www.drupal.org/user/262655
[6] https://www.drupal.org/u/mpotter