[Security-news] Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041

security-news at drupal.org security-news at drupal.org
Wed Jun 13 16:42:12 UTC 2018 

View online: https://www.drupal.org/sa-contrib-2018-041

Project: Custom Tokens [1]
Date: 2018-June-13
Security risk: *Critical* 16∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Arbitrary PHP code execution

Description: 
The Custom Tokens module enables you to create custom tokens for specific
replacements that can improve other modules relying on the token API.

The module doesn't sufficiently identify that its custom permissions are
risky and should only be granted to highly trusted roles.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer custom tokens".


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

Solution: 
Install the latest version and review your permissions.

*Note, after upgrading, additional configuration steps required.* Sites using
this module should review the permissions page at  Administration » People
» Permissions to verify only trusted users are granted permissions defined
by the module such as "administer custom tokens".

   * If you use the Custom Tokens module (1.x) for Drupal 7.x, upgrade to
     Custom Tokens 7.x-1.2 [4].
   * If you use the Custom Tokens module (2.x) for Drupal 7.x, upgrade to
     Custom Tokens 7.x-2.0 [5].

Also see the Custom Tokens [6] project page.

Reported By: 
   * Matt Glaman  [7]

Fixed By: 
   * Ariel Barreiro  [8]

Coordinated By: 
   * Michael Hess [9] of the Drupal Security Team
   * Greg Knaddison [10] of the Drupal Security Team


[1] https://www.drupal.org/project/token_custom
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/token_custom/releases/7.x-1.2
[5] https://www.drupal.org/project/token_custom/releases/7.x-2.0
[6] https://www.drupal.org/project/token_custom
[7] https://www.drupal.org/user/2416470
[8] https://www.drupal.org/user/23157
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/u/greggles

More information about the Security-news mailing list