[Security-news] Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012
security-news at drupal.org
security-news at drupal.org
Wed Feb 6 18:40:25 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-012
Project: Public Download Count [1]
Date: 2019-February-06
Security risk: *Less critical* 8∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Open Redirect Vulnerability
Description:
This module enables you to track download counts of files linked from a
Drupal site. Links in Drupal content are rewritten to go through an
intermediate page that records download stats and then redirects to the final
destination.
The module did not verify that the links provided to the intermediate page
were actually present in the Drupal site content and did not contain checks
to prevent external sites from accessing the counter.
Solution:
Install the latest version:
* If you use pubdlcnt for Drupal 7.x, upgrade to pubdlcnt 7.x-1.3 [3]
Also see the Public Download Count [4] project page.
Reported By:
* Jack Over [5]
Fixed By:
* Corey Halpin [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/pubdlcnt
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/pubdlcnt/releases/7.x-1.3
[4] https://www.drupal.org/project/pubdlcnt
[5] https://www.drupal.org/user/953390
[6] https://www.drupal.org/user/3485405
[7] https://www.drupal.org/user/102818
More information about the Security-news
mailing list