View online: https://www.drupal.org/sa-core-2018-006

* Advisory ID: DRUPAL-SA-CONTRIB-2018-006
* Project: Drupal core [1]
* Version: 7.x, 8.x
* Date: 2018-October-17

——– DESCRIPTION
———————————————————

*Content moderation – Moderately critical – Access bypass – Drupal 8 *

In some conditions, content moderation fails to check a users access to use
certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content
moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone
subclassing this service must ensure these additional dependencies are
passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations
of
this interface which do not extend the StateTransitionValidation should
implement this method.
Implementations which /do/ extend from the StateTransitionValidation
should ensure any behavioural changes they have made are also reflected
in this new method.

User permissions
Previously users who didn’t have access to use any content moderation
transitions were granted implicit access to update content provided the
state of the content did not change. Now access to an associated
transition will be validated for all users in scenarios where the state
of content does not change between revisions.

Reported by

* Roland Kovacsics [2]
* attilatilman [3]

Fixed by

* Jess [4] of the Drupal Security Team
* Lee Rowlands [5] of the Drupal Security Team
* Wim Leers [6]
* Daniel Wehner [7]
* Sam Becker [8]
* Tim Millwood [9]
* Alex Pott [10] of the Drupal Security Team

*External URL injection through URL aliases – Moderately Critical – Open
Redirect – Drupal 7 and Drupal 8 *

The path module allows users with the ‘administer paths’ to create pretty
URLs for content.

In certain circumstances the user can enter a particular path that triggers
an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the administer paths
permission to exploit.

Reported by

* dyates [11]

Fixed by

* Dave Reid [12] of the Drupal Security Team
* David Rothstein [13] of the Drupal Security Team
* Peter Wolanin [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Alex Bronstein [16] of the Drupal Security Team
* Nathaniel Catchpole [17] of the Drupal Security Team
* Lee Rowlands [18] of the Drupal Security Team
* Ted Bowman [19]Provisional member of the Drupal Security Team

*Anonymous Open Redirect – Moderately Critical – Open Redirect – Drupal 8 *

Drupal core and contributed modules frequently use a “destination” query
string parameter in URLs to redirect users to a new destination after
completing an action on the current page. Under certain circumstances,
malicious users can use this parameter to construct a URL that will trick
users into being redirected to a 3rd party website, thereby exposing the
users to potential social engineering attacks.

This vulnerability has been publicly documented.

…. RedirectResponseSubscriber event handler removal

As part of the fix,
\Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination
has been removed, although this is a public function, it is not considered an
API as per our API policy for event subscribers [20].
If you have extended that class or are calling that method, you should review
your implementation in line with the changes in the patch. The existing
function has been removed to prevent a false sense of security.

Reported by

* Brian Osborne [21]

Fixed by

* Michael Hess [22] of the Drupal Security Team
* Wim Leers [23]
* Alex Pott [24] of the Drupal Security Team
* Grant Gaudet [25]
* Lee Rowlands [26] of the Drupal Security Team
* Nathaniel Catchpole [27] of the Drupal Security Team
* Jess [28] of the Drupal Security Team

*Injection in DefaultMailSystem::mail() – Critical – Remote Code Execution –
Drupal 7 and Drupal 8*

When sending email some variables were not being sanitized for shell
arguments, which could lead to remote code execution.

Reported by

* Damien Tournoud [29]

Fixed by

* Lee Rowlands [30] of the Drupal Security Team
* Sascha Grossenbacher [31]
* Daniel Wehner [32]
* Klaus Purer [33]
* Damien Tournoud [34]
* Stefan Ruijsenaars [35] of the Drupal Security Team
* David Rothstein [36] of the Drupal Security Team
* David Snopek [37] of the Drupal Security Team
* Jess [38] of the Drupal Security Team
* Wim Leers [39]
* Peter Wolanin [40] of the Drupal Security Team
* Ted Bowman [41]Provisional member of the Drupal Security Team

*Contextual Links validation – Critical – Remote Code Execution – Drupal 8 *

The Contextual Links module doesn’t sufficiently validate the requested
contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission “access contextual links”.

Reported by

* Nick Booher [42]

Fixed by

* Lee Rowlands [43] of the Drupal Security Team
* Nick Booher [44]
* Samuel Mortenson [45] of the Drupal Security Team
* Wim Leers [46]
* Alex Pott [47] of the Drupal Security Team

——– SOLUTION
————————————————————

Upgrade to the most recent version of Drupal 7 or 8 core.

* If you are running 7.x, upgrade to Drupal 7.60 [48].
* If you are running 8.6.x, upgrade to Drupal 8.6.2 [49].
* If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8 [50].

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not
receive security coverage, so sites running older versions should update to
the above 8.5.x release immediately. 8.5.x will receive security coverage
until May 2019.

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/user/3528385
[3] https://www.drupal.org/u/attilatilman
[4] https://www.drupal.org/user/65776
[5] https://www.drupal.org/user/395439
[6] https://www.drupal.org/user/99777
[7] https://www.drupal.org/user/99340
[8] https://www.drupal.org/user/1485048
[9] https://www.drupal.org/user/227849
[10] https://www.drupal.org/user/157725
[11] https://www.drupal.org/user/3426845
[12] https://www.drupal.org/user/53892
[13] https://www.drupal.org/user/124982
[14] https://www.drupal.org/user/49851
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/78040
[17] https://www.drupal.org/user/35733
[18] https://www.drupal.org/user/395439
[19] https://www.drupal.org/user/240860
[20] https://www.drupal.org/core/d8-bc-policy#paramconverters
[21] https://www.drupal.org/user/788032
[22] https://www.drupal.org/user/102818
[23] https://www.drupal.org/user/99777
[24] https://www.drupal.org/user/157725
[25] https://www.drupal.org/user/360002
[26] https://www.drupal.org/user/395439
[27] https://www.drupal.org/user/35733
[28] https://www.drupal.org/user/65776
[29] https://www.drupal.org/user/22211
[30] https://www.drupal.org/user/395439
[31] https://www.drupal.org/user/214652
[32] https://www.drupal.org/user/99340
[33] https://www.drupal.org/user/262198
[34] https://www.drupal.org/user/22211
[35] https://www.drupal.org/user/551886
[36] https://www.drupal.org/user/124982
[37] https://www.drupal.org/user/266527
[38] https://www.drupal.org/user/65776
[39] https://www.drupal.org/user/99777
[40] https://www.drupal.org/user/49851
[41] https://www.drupal.org/user/240860
[42] https://www.drupal.org/user/809346
[43] https://www.drupal.org/user/395439
[44] https://www.drupal.org/user/809346
[45] https://www.drupal.org/user/2582268
[46] https://www.drupal.org/user/99777
[47] https://www.drupal.org/user/157725
[48] https://www.drupal.org/project/drupal/releases/7.60
[49] http://www.drupal.org/project/drupal/releases/8.6.2
[50] http://www.drupal.org/project/drupal/releases/8.5.8

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news