[Security-news] Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072
security-news at drupal.org
Wed Oct 2 17:45:51 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-072
Project: Localization update [1]
Date: 2019-October-02
Security risk: *Moderately critical* 10∕25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Insecure server configuration
Description:
This module enables you to automatically download and update the site's
interface translations by fetching them from localize.drupal.org or any other
Localization server.
The module doesn't sufficiently protect the directory in which it stores
translation files. Directories that may be writeable are conventionally
protected by a .htaccess file, which prevents malicious PHP files placed
within them from being executed by the webserver. This vulnerability is
mitigated by the fact that an attacker typically wouldn't be able to place a
malicious file in the module's storage directory.
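The following shell functions are an added example, not part of the advisory or of the module's code. They audit a directory for the .htaccess protection described above and list any PHP files found in it. The directory path is supplied by the caller, and the set of directives treated as protective is an assumption of this example.

```sh
#!/bin/sh
# Added example: audit writable directories for .htaccess protection.
# Directory paths come from the caller; none are taken from the advisory.

# check_htaccess DIR -> prints verdict; returns 0 PROTECTED, 1 MISSING, 2 WEAK
check_htaccess() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || { echo "MISSING"; return 1; }
    # Drop comments so a commented-out directive does not count.
    rules=$(sed 's/#.*//' "$ht")
    # Assumed protective directives: PHP engine off, or all web access denied.
    if printf '%s\n' "$rules" | grep -Eiq \
        '^[[:space:]]*(php_flag[[:space:]]+engine[[:space:]]+off|Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)'; then
        echo "PROTECTED"; return 0
    fi
    # A SetHandler override also counts, unless it names a PHP handler.
    if printf '%s\n' "$rules" | grep -Ei '^[[:space:]]*SetHandler[[:space:]]' \
        | grep -viq 'php'; then
        echo "PROTECTED"; return 0
    fi
    echo "WEAK"; return 2
}

# list_scripts DIR -> prints files a PHP handler could execute; a translation
# store should contain none.
list_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
}

# Usage: sh audit.sh DIR [DIR...]
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        printf '%s: %s\n' "$d" "$(check_htaccess "$d")"
        list_scripts "$d" | sed 's/^/  unexpected script: /'
    done
fi
```

A MISSING or WEAK verdict only means the directory relies on something else for protection, such as server-level configuration, so confirm how the webserver handles that path before treating the result as final.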
Solution:
Install the latest version:
* If you use the Localization Update module for Drupal 7.x-1.x, upgrade to
Localization Update 7.x-1.2 [3]
* If you use the Localization Update module for Drupal 7.x-2.x, upgrade to
Localization Update 7.x-2.3 [4]
Also see the Localization update [5] project page.
Reported By:
Gisle Hannemyr [6]
Fixed By:
* Gisle Hannemyr [7]
* Erik Stielstra [8]
* Gábor Hojtsy [9]
Coordinated By:
* Damien McKenna [10] of the Drupal Security Team
[1] https://www.drupal.org/project/l10n_update
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/l10n_update/releases/7.x-1.2
[4] https://www.drupal.org/project/l10n_update/releases/7.x-2.3
[5] https://www.drupal.org/project/l10n_update
[6] https://www.drupal.org/user/409554
[7] https://www.drupal.org/user/409554
[8] https://www.drupal.org/user/73854
[9] https://www.drupal.org/user/4166
[10] https://www.drupal.org/u/dmckenna