Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

* Advisory ID: DRUPAL-SA-CONTRIB-2018-006
* Project: Drupal core
* Version: 7.x, 8.x
* Date: 2018-October-17

DESCRIPTION

*Content moderation - Moderately critical - Access bypass - Drupal 8 *

In some conditions, content moderation fails to check a users access to use
certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content
moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator

Two additional services have been injected into this service. Anyone
subclassing this service must ensure these additional dependencies are
passed to the constructor, if the constructor has been overridden.

StateTransitionValidationInterface

An additional method has been added to this interface. Implementations of
this interface which do not extend the StateTransitionValidation should
implement this method.

Implementations which /do/ extend from the StateTransitionValidation
should ensure any behavioural changes they have made are also reflected
in this new method.

User permissions

Previously users who didn't have access to use any content moderation
transitions were granted implicit access to update content provided the
state of the content did not change. Now access to an associated
transition will be validated for all users in scenarios where the state
of content does not change between revisions.

*External URL injection through URL aliases - Moderately Critical - Open
Redirect - Drupal 7 and Drupal 8 *

The path module allows users with the 'administer paths' to create pretty
URLs for content.

In certain circumstances the user can enter a particular path that triggers
an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the administer paths
permission to exploit.

*Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8 *

Drupal core and contributed modules frequently use a "destination" query
string parameter in URLs to redirect users to a new destination after
completing an action on the current page. Under certain circumstances,
malicious users can use this parameter to construct a URL that will trick
users into being redirected to a 3rd party website, thereby exposing the
users to potential social engineering attacks.

This vulnerability has been publicly documented.

.... RedirectResponseSubscriber event handler removal

As part of the fix,
\Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination
has been removed, although this is a public function, it is not considered an
API as per our API policy for event subscribers [20].
If you have extended that class or are calling that method, you should review
your implementation in line with the changes in the patch. The existing
function has been removed to prevent a false sense of security.

*Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution -
Drupal 7 and Drupal 8*

When sending email some variables were not being sanitized for shell
arguments, which could lead to remote code execution.

*Contextual Links validation - Critical - Remote Code Execution - Drupal 8 *

The Contextual Links module doesn't sufficiently validate the requested
contextual links. This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "access contextual links".

SOLUTION

Upgrade to the most recent version of Drupal 7 or 8 core.

* If you are running 7.x, upgrade to Drupal 7.60.
* If you are running 8.6.x, upgrade to Drupal 8.6.2.
* If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not
receive security coverage, so sites running older versions should update to
the above 8.5.x release immediately. 8.5.x will receive security coverage
until May 2019.

Add new comment