View online: https://www.drupal.org/SA-CORE-2016-002

* Advisory ID: DRUPAL-SA-CORE-2016-002
* Project: Drupal core [1]
* Version: 7.x, 8.x
* Date: 2016-June-15
* Security risk: 11/25 ( Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass, Multiple vulnerabilities

——– DESCRIPTION
———————————————————

…. Saving user accounts can sometimes grant the user all roles (User module
– Drupal 7 – Moderately Critical)

A vulnerability exists in the User module, where if some specific contributed
or custom code triggers a rebuild of the user profile form, a registered user
can be granted all user roles on the site. This would typically result in the
user gaining administrative access.

This issue is mitigated by the fact that it requires contributed or custom
code that performs a form rebuild during submission of the user profile form.

…. Views can allow unauthorized users to see Statistics information (Views
module – Drupal 8 – Less Critical)

An access bypass vulnerability exists in the Views module, where users
without the “View content count” permission can see the number of hits
collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show
a “Content statistics” field, such as “Total views”, “Views today” or “Last
visit”.

The same vulnerability exists in the Drupal 7 Views module (see
SA-CONTRIB-2016-036 [3]).

——– CVE IDENTIFIER(S) ISSUED
——————————————–

* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

——– VERSIONS AFFECTED
—————————————————

* Drupal core 7.x versions prior to 7.44
* Drupal core 8.x versions prior to 8.1.3

——– SOLUTION
————————————————————

Install the latest version:

* If you use Drupal 7.x, upgrade to Drupal core 7.44
* If you use Drupal 8.x, upgrade to Drupal core 8.1.3

Also see the Drupal core [5] project page.

——– REPORTED BY
———————————————————

Saving user accounts can sometimes grant the user all roles:

* alfaguru [6]

Views can allow unauthorized users to see Statistics information:

* Nickolay Leshchev [7]

——– FIXED BY
————————————————————

Saving user accounts can sometimes grant the user all roles:

* Ben Dougherty [8] of the Drupal Security Team
* Balazs Nagykekesi [9]
* David Rothstein [10] of the Drupal Security Team
* Lee Rowlands [11] of the Drupal Security Team
* Stefan Ruijsenaars [12] of the Drupal Security Team
* vlad.k [13]
* Peter Wolanin [14] of the Drupal Security Team

Views can allow unauthorized users to see Statistics information:

* Nathaniel Catchpole [15] of the Drupal Security Team
* Greg Knaddison [16] of the Drupal Security Team
* Nickolay Leshchev [17]
* Stefan Ruijsenaars [18] of the Drupal Security Team
* David Snopek [19] of the Drupal Security Team
* Daniel Wehner [20]
* xjm [21] of the Drupal Security Team

——– COORDINATED BY
——————————————————

The Drupal Security Team

——– CONTACT AND MORE INFORMATION
—————————————-

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [22].

Learn more about the Drupal Security team and their policies [23], writing
secure code for Drupal [24], and securing your site [25].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [26]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2749333
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/drupal
[6] https://www.drupal.org/user/112814
[7] https://www.drupal.org/user/982724
[8] https://www.drupal.org/user/1852732
[9] https://www.drupal.org/user/21231
[10] https://www.drupal.org/user/124982
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/551886
[13] https://www.drupal.org/user/731068
[14] https://www.drupal.org/user/49851
[15] https://www.drupal.org/user/35733
[16] https://www.drupal.org/user/36762
[17] https://www.drupal.org/user/982724
[18] https://www.drupal.org/user/551886
[19] https://www.drupal.org/user/266527
[20] https://www.drupal.org/user/99340
[21] https://www.drupal.org/user/65776
[22] https://www.drupal.org/contact
[23] https://www.drupal.org/security-team
[24] https://www.drupal.org/writing-secure-code
[25] https://www.drupal.org/security/secure-configuration
[26] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news