Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2022-014

Project: Drupal core
Date: 2022-July-20
Vulnerability: Arbitrary PHP code execution
Description:

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution.

This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.
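The two protections the description names only work if each one's output is still safe after the other has run. The sanitizer below is an added illustration, not Drupal's code: it combines leading/trailing-dot stripping with extension munging and repeats both until the name stops changing, so a trailing dot cannot hide a dangerous extension and a field that allows "htaccess" as an extension still cannot yield a file Apache reads as per-directory configuration. The extension list and the `_`/`.txt` munging scheme are assumptions made for the example.

```python
"""Illustrative upload-filename sanitizer combining the two protections the advisory
describes: neutralising dangerous extensions and stripping leading/trailing dots.
Added example, not Drupal's code; the extension list and the '_' / '.txt' munging
scheme are assumptions made for the illustration."""

# Extensions a typical Apache/PHP host may hand to an interpreter (constructed list).
DANGEROUS_EXTENSIONS = {"php", "phar", "phtml", "pl", "py", "cgi", "asp", "js", "htaccess"}


def strip_dots(name: str) -> str:
    """Drop leading/trailing dots and spaces: '.htaccess' would otherwise be read by
    Apache as per-directory configuration, and 'x.php.' hides its real extension."""
    return name.strip(". ")


def munge_extensions(name: str, allowed: set) -> str:
    """Neutralise dangerous extension segments that the field does not explicitly allow.
    A dangerous final extension gets '.txt' appended so it is no longer final; every
    dangerous non-final segment gets a trailing '_' so no handler matches it."""
    parts = name.split(".")
    if len(parts) < 2:
        return name  # no extension at all
    base, exts = parts[0], parts[1:]

    def risky(ext: str) -> bool:
        return ext.lower() in DANGEROUS_EXTENSIONS and ext.lower() not in allowed

    if risky(exts[-1]):
        exts.append("txt")
    exts = [e + "_" if i < len(exts) - 1 and risky(e) else e for i, e in enumerate(exts)]
    return ".".join([base] + exts)


def sanitize(name: str, allowed=frozenset()) -> str:
    """Apply both rules until the name stops changing. One rule's output can change the
    other rule's input (stripping a trailing dot exposes a new final extension), so a
    single fixed-order pass is fragile; a fixpoint loop makes the order irrelevant."""
    allowed = {a.lower() for a in allowed}
    prev, cur = None, name
    while cur != prev:
        prev = cur
        cur = munge_extensions(strip_dots(cur), allowed)
    # strip_dots guarantees the result never starts with '.', so even a field that
    # allows 'htaccess' as an extension cannot produce a file Apache reads as config.
    return cur or "file"


if __name__ == "__main__":
    for raw in ["image.jpg", "shell.php", "shell.php.jpg", "shell.php.", ".htaccess", "..htaccess.."]:
        print(f"{raw!r:18} -> {sanitize(raw, {'jpg', 'htaccess'})!r}")
```

The loop terminates because `.txt` is only ever appended when the final segment is dangerous, and a dangerous inner segment is underscored exactly once; after that neither rule changes the name.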

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Auditing your files directory’s .htaccess to ensure it has not been overwritten or overridden in a subdirectory

If your web server uses Apache httpd with AllowOverride, you should check within your files directories and subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory:

find ./ -name ".htaccess" -print

Drupal automatically creates .htaccess files like the following in the root of the public files directory:

# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php.c>
  php_flag engine off
</IfModule>

Check with your system administrator for the correct .htaccess configuration for the given files directory.
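The `find` command above lists `.htaccess` files but does not say whether the root one still carries Drupal's directives or whether a copy deeper in the tree overrides it. The script below is an added example (not Drupal tooling) that does both: it walks a files directory, flags any `.htaccess` outside the root as unexpected, and checks the root file for the directives shown in the sample above. The directive patterns are taken from that sample; the three directory trees it builds for its demo are constructed in a temporary directory.

```python
"""Audit a Drupal files directory for missing, weakened or unexpected .htaccess files.
Added example, not part of Drupal; expected directives come from the advisory's sample."""
import os
import re
import tempfile

# Directives Drupal's generated public-files .htaccess is expected to carry.
EXPECTED_DIRECTIVES = [
    re.compile(r"^\s*Options\b.*-ExecCGI", re.M),
    re.compile(r"^\s*SetHandler\s+Drupal_Security_Do_Not_Remove_See_SA_2006_006", re.M),
    re.compile(r"^\s*SetHandler\s+Drupal_Security_Do_Not_Remove_See_SA_2013_003", re.M),
    re.compile(r"^\s*php_flag\s+engine\s+off", re.M),
]

# The file Drupal writes to the root of the public files directory (from the advisory).
DRUPAL_ROOT_HTACCESS = """# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
"""


def find_htaccess(root):
    """Relative paths of every .htaccess under root (what `find ./ -name .htaccess` prints)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            hits.append(os.path.relpath(os.path.join(dirpath, ".htaccess"), root))
    return sorted(hits)


def audit(root):
    """Return a list of findings; an empty list means the tree looks as Drupal leaves it."""
    findings = []
    paths = find_htaccess(root)
    if ".htaccess" not in paths:
        findings.append("root .htaccess is missing")
    for rel in paths:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        if rel == ".htaccess":
            for pat in EXPECTED_DIRECTIVES:
                if not pat.search(content):
                    findings.append(f"root .htaccess lacks expected directive: {pat.pattern}")
        else:
            # Drupal only writes the root file; anything deeper overrides it for that subtree.
            findings.append(f"unexpected .htaccess in subdirectory: {rel}")
    return findings


def _make_tree(root, files):
    """Write a dict of relative path -> content under root (constructed test fixture)."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Run the audit over three constructed files directories and return their findings."""
    scenarios = {
        "clean": {".htaccess": DRUPAL_ROOT_HTACCESS, "2022-07/cat.jpg": "not really a jpeg"},
        # Constructed: an extra .htaccess that re-enables PHP for one subtree.
        "tampered": {".htaccess": DRUPAL_ROOT_HTACCESS, "uploads/.htaccess": "php_flag engine on\n"},
        # Constructed: the root file had its php_flag lines removed.
        "weakened_root": {".htaccess": DRUPAL_ROOT_HTACCESS.replace("php_flag engine off", "")},
    }
    results = {}
    for name, files in scenarios.items():
        with tempfile.TemporaryDirectory() as root:
            _make_tree(root, files)
            results[name] = audit(root)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, "->", findings or "OK")
```

To run it against a real site, call `audit()` with the path of the public or private files directory instead of `demo()`. A clean result only means the directives are present; as the advisory says, confirm with your system administrator that they are the right ones for that directory and that `AllowOverride` actually lets Apache honour them.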

This advisory is not covered by Drupal Steward.

Reported By: 
Fixed By: 
Peter Wolanin of the Drupal Security Team
xjm of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team


Drupal core – Moderately critical – Access Bypass – SA-CORE-2022-013

Project: Drupal core
Date: 2022-July-20
Vulnerability: Access Bypass
Description:

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Reported By: 
Fixed By: 
Pierre Rudloff
Tim Plunkett
Heine of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
xjm of the Drupal Security Team
Lauri Eskola, provisional member of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team
Lee Rowlands of the Drupal Security Team


Drupal core – Moderately critical – Information Disclosure – SA-CORE-2022-012

Project: Drupal core
Date: 2022-July-20
Vulnerability: Information Disclosure
Description:

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the “private” file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.

If you are using Drupal 9.3, update to Drupal 9.3.19.

If you are using Drupal 7, update to Drupal 7.91.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Fixed By: 
Lee Rowlands of the Drupal Security Team
Conrad Lara
mondrake
Alex Bronstein of the Drupal Security Team
Dave Reid of the Drupal Security Team
xjm of the Drupal Security Team
Guy Elsmore-Paddock
Dave Long, provisional member of the Drupal Security Team
Lauri Eskola, provisional member of the Drupal Security Team
David Strauss of the Drupal Security Team
Benji Fisher, provisional member of the Drupal Security Team
Alex Pott of the Drupal Security Team
Drew Webber of the Drupal Security Team
Fabian Franz


Russia Creates Malware False-Flag App


The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It’s actually malware, and provides information back to the Russians:

The hackers pretended to be a “community of free people around the world who are fighting russia’s aggression”—much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard. To add more credibility to the ruse they hosted the app on a domain “spoofing” the Azov Regiment: cyberazov[.]com.

[…]

The app actually didn’t DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntley.

[…]

Google said the fake app wasn’t hosted on the Play Store, and that the number of installs “was miniscule.”

Details from Google’s Threat Analysis Group here.


Perception Point launches managed security service to help eliminate web browser threats


Perception Point has announced the launch of a new managed security service designed to eliminate web browser threats to organizations. According to the firm, Perception Point Advanced Browser Security adds managed, enterprise-grade security to native Chrome and Edge browsers allowing users to browse the web or access SaaS applications without exposing enterprise data to risk. The release is reflective of a growing trend of security products coming to market to provide advanced security for native browsers.

Advanced Browser Security designed to isolate, detect and remediate web threats

In a press release, Perception Point said the new solution fuses patented browser security technology powered by web isolation platform Hysolate, which it acquired earlier this year, and its own multi-layer detection engines. This combination delivers the ability to isolate, detect and remediate threats from the web, including phishing, ransomware, malware and APTs. Advanced Browser Security also secures access to sensitive corporate apps via an isolated, trusted Chrome or Edge browser, the firm added.
