Category Archives: Advisories

Drupal core – Moderately critical – Multiple vulnerabilities – SA-CORE-2022-015

Read Time:1 Minute, 15 Second
Project: 
Date: 
2022-July-20
Vulnerability: 
Multiple vulnerabilities
Description: 

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media module and therefore is not affected.

Reported By: 
Heine of the Drupal Security Team
Fixed By: 
Lee Rowlands of the Drupal Security Team
Alex Pott of the Drupal Security Team
Samuel Mortenson
xjm of the Drupal Security Team
Heine of the Drupal Security Team
Joseph Zhao, provisional member of the Drupal Security Team
Vijay Mani, provisional member of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Benji Fisher, provisional member of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team

Read More

Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2022-014

Read Time:2 Minute, 31 Second
Project: 
Date: 
2022-July-20
Vulnerability: 
Arbitrary PHP code execution
Description: 

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution.

This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Auditing your files directory’s .htaccess to ensure it has not been overwritten or overridden in a subdirectory

If your web server uses Apache httpd with AllowOverride, you should check within your files directories and subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory:

find ./ -name “.htaccess” -print

Drupal automatically creates .htaccess files like the following in the root of the public files directory:

# Turn off all options we don’t need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we’re run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
<IfModule mod_php.c>
php_flag engine off
</IfModule>

Check with your system administrator for the correct .htaccess configuration for the given files directory.

This advisory is not covered by Drupal Steward.

Reported By: 
Fixed By: 
Peter Wolanin of the Drupal Security Team
xjm of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team

Read More

Drupal core – Moderately critical – Access Bypass – SA-CORE-2022-013

Read Time:1 Minute, 4 Second
Project: 
Date: 
2022-July-20
Vulnerability: 
Access Bypass
Description: 

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Reported By: 
Fixed By: 
Pierre Rudloff
Tim Plunkett
Heine of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
xjm of the Drupal Security Team
Lauri Eskola, provisional member of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team
Lee Rowlands of the Drupal Security Team

Read More

Drupal core – Moderately critical – Information Disclosure – SA-CORE-2022-012

Read Time:1 Minute, 43 Second
Project: 
Date: 
2022-July-20
Vulnerability: 
Information Disclosure
Description: 

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the “private” file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config[‘image.settings’][‘allow_insecure_derivatives’] or (Drupal 7) $conf[‘image_allow_insecure_derivatives’] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.

If you are using Drupal 9.3, update to Drupal 9.3.19.

If you are using Drupal 7, update to Drupal 7.91.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Fixed By: 
Lee Rowlands of the Drupal Security Team
Conrad Lara
mondrake
Alex Bronstein of the Drupal Security Team
Dave Reid of the Drupal Security Team
xjm of the Drupal Security Team
Guy Elsmore-Paddock
Dave Long Provisional Member of the Drupal Security Team
Lauri Eskola Provisional Member of the Drupal Security Team
David Strauss of the Drupal Security Team
Benji Fisher Provisional Member of the Drupal Security Team
Alex Pott of the Drupal Security Team
Drew Webber of the Drupal Security Team
Fabian Franz

Read More

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Read Time:32 Second

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More