Drupal Security

Project: TableFieldVersion: 8.x-2.x-devDate: 2019-September-18Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module allows you to attach tabular data to an entity.

There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Export Tablefield Data as CSV".

Solution: 

Install the latest version:

• If you use the Tablefield module for Drupal 8.x, upgrade to Tablefield 8.x-2.1

Also see the TableField project page.

Reported By: 

• Mitch Portier

Fixed By: 

• Mitch Portier
• Jen Lampton
• Martin Postma

Coordinated By: 

• Chris McCafferty of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Create user permissionVersion: 8.x-1.x-devDate: 2019-September-18Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to have a separate permission only for creating users.

The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required".

When this option is chosen, the module overrides the setting, and makes it possible to register accounts with no approval.

This vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for "Administrators only".

Solution: 

Install the latest version:

• If you use the create_user_permission module for Drupal 8.x, upgrade to Create user permission 8.x-1.2

Also see the Create user permission project page.

Reported By: 

• jddh

Fixed By: 

• Eirik Morland

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Date: 2019-September-04Description: 

In June of 2011, the Drupal Security Team issued Public Service Advisory PSA-2011-002 - External libraries and plugins.

8 years later that is still the policy of the Drupal Security team. As Drupal core and modules leverage 3rd party code more and more it seems like an important time to remind site owners that they are responsible for monitoring security of 3rd party libraries. Here is the advice from 2011 which is even more relevant today:

Just like there's a need to diligently follow announcements and update contributed modules downloaded from Drupal.org, there's also a need to follow announcements by vendors of third-party libraries or plugins that are required by such modules.

Drupal's update module has no functionality to alert you to these announcements. The Drupal security team will not release announcements about security issues in external libraries and plugins.

Current PHPUnit/Mailchimp library exploit

Recently we have become aware of a vulnerability that is being actively exploited on some Drupal sites. The vulnerability is in PHPUnit and has a CVE# CVE-2017-9841. The exploit targets Drupal sites that currently or previously used the Mailchimp or Mailchimp commerce module and still have a vulnerable version of the file sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. See below for details on whether a file is vulnerable or not. The vulnerable file might be at other paths on your individual site, but an automated attack exists that is looking for that specific path. This attack can execute PHP on the server.

Solution: 

Follow release announcements by the vendors of the external libraries and plugins you use.

In this specific case, check for the existence of a file named eval-stdin.php and check its contents. If they match the new version in this commit then it is safe. If the file reads from php://input then the codebase is vulnerable. This is not an indication of a site being compromised, just of it being vulnerable. To fix this vulnerability, update your libraries. In particular you should ensure the Mailchimp and Mailchimp Ecommerce modules and their libraries are updated.

If you discover your site has been compromised, we have a guide of how to remediate a compromised site.

Also see the Drupal core project page.

Reported By: 

• Hans Rossel

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Imagecache ExternalDate: 2019-August-21Security risk: Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Insecure session token managementDescription: 

This module that allows you to store external images on your server and apply your own Image Styles.

The module exposes cookies to external sites when making external image requests.

This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from trusted sources.

Solution: 

Install the latest version:

• If you use the Imagecache External 8.x-1.0 version, upgrade to Imagecache External 8.x-1.1 version

Also see the Imagecache External project page.

Reported By: 

• Jason Want
• Heine Deelstra of the Drupal Security Team

Fixed By: 

• Heine Deelstra of the Drupal Security Team
• Baris Wanschers

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Forms StepsDate: 2019-August-14Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms.

The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of its multistep forms.

This vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create a content linked to the flow. Also, all created content is very hard to edit through the same flow as you have to know the URL and the linked hash to the content.

Solution: 

Install the latest version:

• If you use the Forms Steps module for Drupal 8.x, upgrade to Forms Steps 8.x-1.2

Also see the Forms Steps project page.

Reported By: 

• solide-echt

Fixed By: 

• Hakim Rachidi
• solide-echt
• nicoloye

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: External Links FilterDate: 2019-August-14Security risk: Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Open Redirect VulnerabilityDescription: 

The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL.

The module did not have protection for the Redirect URL to go where content authors intended.

Solution: 

Install the latest version:

• If you use the External Links Filter module for Drupal 7.x, upgrade to External Links Filter version 7.x-3.1
• If you use the External Links Filter module for Drupal 8.x, upgrade to External Links Filter version 8.x-1.2

Also see the External Links Filter project page.

Reported By: 

• Manuel Adán

Fixed By: 

• Manuel Adán
• Dmitry Drozdik

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Super LoginDate: 2019-August-14Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module improves the Drupal login page with the new features and layout.

The module doesn't sufficiently filter input text in the administration pages text configuration inputs. For example, the login text field.

The vulnerability is mitigated by the fact it can only be exploited by a user with the "Administer super login" permission.

Solution: 

Install the latest version:

• If you use the Super Login module for Drupal 8.x, upgrade to Super Login 8.x-1.3
• If you use the Super Login module for Drupal 7.x, upgrade to Super Login 7.x-1.4

Also see the Super Login project page.

Reported By: 

• Mitch Portier

Fixed By: 

• Mitch Portier
• Shawn Ostermann

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: scroll to topDate: 2019-August-14Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

The Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node.

The module does not sufficiently filter configuration text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scroll to top".

Solution: 

Install the latest version of the module.

• If you use the Scroll To Top module for Drupal 7.x, upgrade to Scroll To Top 7.x-2.2

Also see the scroll to top project page.

Reported By: 

• Ayesh Karunaratne
• Yonatan Offek

Fixed By: 

• Ayesh Karunaratne
• Tarek Djebali

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Existing Values Autocomplete WidgetDate: 2019-July-24Security risk: Critical 17∕25 AC:None/A:None/CI:All/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.

The module doesn't sufficiently check for proper access permission before returning autocomplete results.

This vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller though this is easily known.

Solution: 

Install the latest version:

• If you use the Existing Values Autocomplete Widget module for Drupal 8.x, upgrade to Existing Values Autocomplete Widget 8.x-1.2

Also see the Existing Values Autocomplete Widget project page.

Reported By: 

• David Stinemetze

Fixed By: 

• Art Williams

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Facebook Messenger Customer Chat PluginDate: 2019-July-24Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Facebook Messenger Customer Chat Plugin module enables you to add the Facebook Messenger Customer Chat Plugin to your Drupal site.

The module doesn't require user permissions on the admin page.

Solution: 

Install the latest version:

• If you use the Facebook Messenger Customer Chat Plugin module for Drupal 7.x, upgrade to Facebook Messenger Customer Chat Plugin 7.x-1.1

Also see the Facebook Messenger Customer Chat Plugin project page.

Reported By: Reported by

• Marcelo Vani

Fixed By: 

• Marcelo Vani

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: MetatagDate: 2019-July-24Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information disclosureDescription: 

This module enables you to customize meta tags to help with a site's search engine ranking and improve the display of page summaries when shared on social networks.

The module doesn't sufficiently check for a site being in maintenance mode.

This vulnerability is mitigated by the fact that the site must be configured to disallow access to certain content, and must be put into maintenance mode.

Solution: 

Install the latest version:

• If you use the Metatag module for Drupal 8.x, upgrade to Metatag 8.x-1.9

Also see the Metatag project page.

Reported By: 

• Shloma

Fixed By: 

• Damien McKenna of the Drupal Security Team

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Drupal coreDate: 2019-July-17Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2019-6342Description: 

In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.

This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.

Solution: 

If the site is running Drupal 8.7.4, upgrade to Drupal 8.7.5.

Note, manual step needed. For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.

Reported By: 

• Dave Botsch

Fixed By: 

• Michael Hess of the Drupal Security Team
• Jess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Chris McCafferty of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Andrei Mateescu

Project: Meta tags quickDate: 2019-July-17Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

Metatags quick is a module that manages meta tags (tags that appear in HTML's head section) as Drupal 7 fields.
Administration page of metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version.

If you use the Metatags quick module for Drupal 7.x, upgrade to metatags quick 7.x-2.10.

Reported By: 

• Yonatan Offek

Fixed By: 

• Valery Lourie
• Yonatan Offek

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: ImageCache ActionsDate: 2019-July-17Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Multiple Vulnerabilities Description: 

The imagecache actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize() to import image styles into another site where unserialize() is known to have security issues when processing potentially unsafe input.

This vulnerability is mitigated by the fact that the "Image styles admin" sub module must be enabled and an attacker must have a role with the permission "'administer image styles'".

Furthermore, the import functionality supports PHP code included in image effects as part of an image style, which would run on image derivative generation subject to the PHP module being enabled. This is intended behaviour for the "Image styles admin" sub module, but the user access restrictions should reflect the potential risks involved.

The new security release of this module introduces a new "import image styles" permission which is marked as restricted. In order to use the image style import functionality, users will need to have a role which has this new permission in addition to "administer image styles" (which is not marked as restricted).

Solution: 

• If you use the Imagecache Actions module for Drupal 7.x, upgrade to Imagecache Actions 7.x-1.10.
• Image Effects, the D8 successor is *not* vulnerable to this exploit.

Reported By: 

• Ruben Hofman

Fixed By: 

• Erwin Derksen
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Ivo Van Geertruyen of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Custom PermissionsVersion: 8.x-1.x-devDate: 2019-July-10Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to add and manage additional custom permissions through the administration UI.

The module doesn't sufficiently check for the proper access permissions to this page.

This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions administration form though this is easily known.

Solution: 

Install the latest version:

• If you use the Custom Permissions 8.x-1.1 for Drupal 8.x, upgrade to Custom Permissions 8.x-1.2

Also see the Custom Permissions project page.

Reported By: 

• Mohammed Razem

Fixed By: 

• David Valdez

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Advanced ForumVersion: 7.x-2.x-devDate: 2019-June-26Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

Advanced Forum builds on and enhances Drupal's core forum module. When used in combination with other Drupal contributed modules, many of which are automatically used by Advanced Forum, you can achieve much of what stand alone software provides.

The module doesn't sufficiently sanitise user input in specific circumstances. It is not possible to disable the vulnerable functionality.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create forum content.

Solution: 

Install the latest version:

• If you use the Advanced Forum module for Drupal 7.x, upgrade to Advanced Forum 7.x-2.8

Also see the Advanced Forum project page.

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Vijaya Chandran Mani Provisonal Member of the Drupal Security Team

Coordinated By: 

• Drew Webber of the Drupal Security Team

Project: Easy BreadcrumbVersion: 7.x-2.x-devDate: 2019-June-19Security risk: Critical 18∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.

The module doesn't sufficiently sanitise user input in certain circumstances.

This vulnerability does not require any permissions but can be mitigated by un-checking the 'Allow HTML tags in breadcrumb text' setting (enabled by default). In some cases browsers' built-in XSS protection may prevent exploitation.

Edited 2019-Jun-20: updated risk calculation to reflect an oversight in the original advisory. The issue has been exploited.

Solution: 

Install the latest version:

• If you use the Easy Breadcrumb module for Drupal 7.x, upgrade to Easy Breadcrumb 7.x-2.17

Also see the Easy Breadcrumb project page.

Reported By: 

• Jill Garland
• P K

Fixed By: 

• Balazs Janos Tatar Provisional Member of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Greg Boggs

Coordinated By: 

• Drew Webber of the Drupal Security Team