DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

Project: DRD Agent
Date: 2018-April-25
Security risk: *Critical* 15∕25
Vulnerability: PHP object injection

Description

This module enables you to monitor and manage any number of remote Drupal
sites and aggregate useful information for administrators in a central
dashboard.

Both modules (DRD and DRD Agent) encrypt the data exchanged between them,
but to do so they use the PHP serialize/unserialize functions instead of
the json_encode/json_decode combination. Because the unserialize function
is called on unauthenticated content, this introduces a PHP object
injection vulnerability.
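
The difference between the two decoding approaches, as an added PHP example (not code from DRD, DRD Agent or this advisory). `AuditProbe`, `decode_message` and the sample payload are constructed for illustration, and the `allowed_classes` option needs PHP 7.0 or later.

```php
<?php
// AuditProbe is a constructed stand-in for any loaded class with a magic
// method. It is not a class from DRD, DRD Agent or Drupal.
class AuditProbe
{
    public static $events = [];
    public $label = '';

    public function __wakeup()
    {
        // Invoked by unserialize() itself, before the caller sees the value.
        self::$events[] = "__wakeup ran for '{$this->label}'";
    }
}

// Constructed sample of a serialized message body from an untrusted sender.
$untrusted = 'O:10:"AuditProbe":1:{s:5:"label";s:6:"remote";}';

// 1. The pattern the advisory describes: the sender chooses the class,
// so the object is built and its magic method runs during decoding.
$obj = unserialize($untrusted);
var_dump($obj instanceof AuditProbe, AuditProbe::$events);

// 2. Stopgap when the wire format cannot change yet: instantiate no classes.
// Objects come back as __PHP_Incomplete_Class and magic methods do not run.
AuditProbe::$events = [];
$inert = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($inert instanceof __PHP_Incomplete_Class, AuditProbe::$events);

// 3. JSON cannot name a PHP class, so decoding yields only arrays and
// scalars. Anything that is not a JSON object or array is rejected.
function decode_message(string $raw): array
{
    $data = json_decode($raw, true, 16);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        throw new UnexpectedValueException('message is not a JSON object or array');
    }
    return $data;
}

var_dump(decode_message(json_encode(['label' => 'remote'])));
try {
    decode_message($untrusted); // the serialized payload is not valid JSON
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```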

Solution

Install the latest version:

* If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.14
* If you use the DRD Agent module for Drupal 8.x, upgrade to DRD Agent
  8.x-3.7
* If you use the DRD Agent module for Drupal 7.x, upgrade to DRD Agent
  7.x-3.5
