[Security-news] ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

security-news at drupal.org security-news at drupal.org
Wed Aug 23 18:21:27 UTC 2023


View online: https://www.drupal.org/sa-contrib-2023-034

Project: ACL [1]
Date: 2023-August-23
Security risk: *Critical* 17∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution

Affected versions: <1.0.0
Description: 
The ACL module, short for Access Control Lists, is an API for other modules
to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead
to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes
the vulnerability. Details of some contributed client modules are given
below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs
an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

   * Forum Access
   * Flexi Access
   * Content Access

Coordinated Security Advisories are being released for those client modules
that have  Security coverage.

Solution: 
Install the latest version:

   * If you use the ACL module for Drupal 7.x, upgrade to ACL 7.x-1.4 [3]
   * If you use the ACL module 8.x-1.0-beta3 or below, upgrade to ACL 8.x-1.0
     [4]

Any client modules that depend on ACL should also be updated.

Reported By: 
   * Drew Webber [5] of the Drupal Security Team
   * Samuel Mortenson [6]

Fixed By: 
   * Drew Webber [7] of the Drupal Security Team
   * Hans Salvisberg [8]
   * Jen Lampton [9] Provisional Member of the Drupal Security Team
   * xeM8VfDh [10]

Coordinated By: 
   * Drew Webber [11] of the Drupal Security Team
   * Damien McKenna [12] of the Drupal Security Team
   * Greg Knaddison [13] of the Drupal Security Team
   * Michael Hess [14] of the Drupal Security Team


[1] https://www.drupal.org/project/acl
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/acl/releases/7.x-1.4
[4] https://www.drupal.org/project/acl/releases/8.x-1.0
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/82964
[9] https://www.drupal.org/user/85586
[10] https://www.drupal.org/user/3446669
[11] https://www.drupal.org/user/255969
[12] https://www.drupal.org/user/108450
[13] https://www.drupal.org/user/36762
[14] https://www.drupal.org/user/102818



More information about the Security-news mailing list