[Security-news] Search API attachments - Critical - Arbitrary PHP code execution - SA-CONTRIB-2021-034

[security-news at drupal.org]

View online: https://www.drupal.org/sa-contrib-2021-034

Project: Search API attachments [1]
Date: 2021-September-22
Security risk: *Critical* 15∕25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Arbitrary PHP code execution

Description: 
This module enables you to extract the textual content of files for use on a
website, e.g. to display it or or use it in search indexes.

The module doesn't sufficiently protect the administrator-defined commands
which are executed on the server, which leads to post-authentication remote
code execution by a limited set of users.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer search_api". Sites are encouraged to review
which roles have that permission and which users have that role, to ensure
that only trusted users have that permission.

Solution: 
Install the latest version:

   * If you use the search_api_attachments module for Drupal 7.x, upgrade to
     search_api_attachments 7.x-1.19 [3]

The 8.x branch does not have Security Coverage.

Reported By: 
   * Florent Torregrosa [4]

Fixed By: 
   * Damien McKenna [5] of the Drupal Security Team
   * Ismaeil Abouljamal [6]

Coordinated By: 
   * Damien McKenna [7] of the Drupal Security Team
   * Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/search_api_attachments
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api_attachments/releases/7.x-1.19
[4] https://www.drupal.org/user/2388214
[5] https://www.drupal.org/user/108450
[6] https://www.drupal.org/user/514568
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles