[Security-news] Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012

security-news at drupal.org
Wed Feb 6 18:40:25 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-012

Project: Public Download Count [1]
Date: 2019-February-06
Security risk: *Less critical* 8∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Open Redirect Vulnerability

Description: 
This module enables you to track download counts of files linked from a
Drupal site. Links in Drupal content are rewritten to go through an
intermediate page that records download stats and then redirects to the final
destination.

The module did not verify that the links passed to the intermediate page
were actually present in the Drupal site content, and it contained no checks
to prevent external sites from accessing the counter. As a result, the
intermediate page could be used as an open redirect.
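
The two missing checks, sketched as an added example (this is not the module's
code and not the 7.x-1.3 fix, whose implementation this advisory does not
describe). It is written in Python rather than the module's PHP; the key, host
name, counter path, the "file" and "sig" parameter names and all function names
are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SITE_KEY = b"constructed-demo-key"    # assumption: per-site secret, never sent to clients
SITE_HOST = "example.org"             # assumption: the site's own host name
COUNTER_PATH = "/download-counter"    # hypothetical path of the intermediate page


def sign(target: str) -> str:
    """MAC over the exact target URL, computed when site content is rewritten."""
    return hmac.new(SITE_KEY, target.encode(), hashlib.sha256).hexdigest()


def rewrite_link(target: str) -> str:
    """Link emitted into site content in place of the original file link."""
    return COUNTER_PATH + "?" + urlencode({"file": target, "sig": sign(target)})


def handle_counter_request(url: str, referer: str, counts: dict) -> tuple:
    """Return (status, location); count and redirect only for links the site issued."""
    query = parse_qs(urlsplit(url).query)
    target = query.get("file", [""])[0]
    sig = query.get("sig", [""])[0]
    # Check 1: the target must carry a MAC made by this site, which ties it to a
    # link that was rewritten in site content. Compare as bytes, in constant time.
    if not target or not hmac.compare_digest(sig.encode(), sign(target).encode()):
        return (403, None)
    # Check 2 (defence in depth): absolute http(s) destinations only.
    if urlsplit(target).scheme not in ("http", "https"):
        return (403, None)
    # Check 3: requests that do not come from a page on this site never touch
    # the counter. A missing Referer is refused as well in this sketch.
    if urlsplit(referer).hostname != SITE_HOST:
        return (403, None)
    counts[target] = counts.get(target, 0) + 1
    return (302, target)
```
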

Solution: 
Install the latest version:

   * If you use pubdlcnt for Drupal 7.x, upgrade to pubdlcnt 7.x-1.3 [3]

Also see the Public Download Count [4] project page.

Reported By: 
   * Jack Over  [5]

Fixed By: 
   * Corey Halpin  [6]

Coordinated By: 
   * Michael Hess [7] of the Drupal Security Team


[1] https://www.drupal.org/project/pubdlcnt
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/pubdlcnt/releases/7.x-1.3
[4] https://www.drupal.org/project/pubdlcnt
[5] https://www.drupal.org/user/953390
[6] https://www.drupal.org/user/3485405
[7] https://www.drupal.org/user/102818


