[Security-news] PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055
security-news at drupal.org
security-news at drupal.org
Wed Aug 8 18:07:08 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-055
Project: PHP Configuration [1]
Version: 8.x-1.07.x-1.0
Date: 2018-August-08
Security risk: *Critical* 17∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Description:
This module enables you to add or overwrite PHP configuration on a drupal
website.
The module doesn't sufficiently allow access to set these configurations,
leading to arbitrary PHP configuration execution by an attacker.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer phpconfig".
After updating the module, it's important to review the permissions of your
website and if 'administer phpconfig' permission is given to a not fully
trusted user role, we advise to revoke it.
Solution:
Install the latest version:
* If you use the PHP Configuration module for Drupal 7.x, upgrade to
PHP Configuration
7.x-1.1
* If you use the PHP Configuration module for Drupal 8.x, upgrade to
PHP Configuration
8.x-1.1
Also see the PHP Configuration [3] project page.
Reported By:
* Balazs Janos Tatar [4] Provisional security team member
Fixed By:
* bappa.sarkar [5] The module maintainer
Coordinated By:
* mpotter [6] of the Drupal Security Team
[1] https://www.drupal.org/project/phpconfig
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/phpconfig
[4] https://www.drupal.org/u/tatarbj
[5] https://www.drupal.org/user/262655
[6] https://www.drupal.org/u/mpotter
More information about the Security-news
mailing list