Drupal Security

Project: Drupal coreDate: 2019-January-16Security risk: Critical 16∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescription: 

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Solution: 

• If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
• If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
• If you are using Drupal 7.x, upgrade to Drupal 7.62.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Known issues

This fix introduced a fatal error for some Drush installatiosn when updating a site with Drush. New releases (8.6.7, 8.5.10, and 7.63) have been issued to resolve this regression. See the release notes for additional details.

Update information .phar added to dangerous extensions list

The .phar file extension has been added to Drupal's dangerous extensions list, which means that any such file uploaded to a Drupal file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Drupal handles file uploads with a .php extension.

phar:// stream wrapper disabled by default for Drupal 7 sites on PHP 5.3.2 and earlier

The replacement stream wrapper is not compatible with PHP versions lower than 5.3.3. Drupal 8 requires a higher PHP version than that, but for Drupal 7 sites using lower PHP versions, the built-in phar stream wrapper has been disabled rather than replaced. Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.

It is very uncommon to both be running a PHP version lower than 5.3.3 and to need phar support. If you're in that situation, consider upgrading your PHP version instead of restoring insecure phar support.

Reported By: 

• Greg Knaddison of the Drupal Security Team

Fixed By: 

• Cash Williams of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team
• Jess of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Ted Bowman
• Michael Hess of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Fabian Franz

Additional information

Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today:

• SA-CORE-2019-001
• SA-CORE-2019-002

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Project: Drupal coreDate: 2019-January-16Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Third Party Libraries Description: 

Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

Solution: 

• If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
• If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
• If you are using Drupal 7.x, upgrade to Drupal 7.62.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By: 

• Ayesh Karunaratne
• farisv

Fixed By: 

• Jess of the Drupal Security Team
• Ayesh Karunaratne
• michieltcs
• Lee Rowlands of the Drupal Security Team
• Alex Pott of the Drupal Security Team

Known issues

Users are reporting seeing a fatal error when updating their sites with Drush. Site owners may be able to run drush updb and either drush cc all or drush cr depending on the version to complete the update. Check the status report afterward to confirm that Drupal has been updated. See https://www.drupal.org/project/drupal/issues/3026386 for details.

Additional information

Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today:

• SA-CORE-2019-001
• SA-CORE-2019-002

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Project: Aegir HTTPSVersion: 7.x-3.170Date: 2019-January-09Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform.

This module doesn't sufficiently shield multi-site installations.

This vulnerability is mitigated by the fact that the server must be using Apache and must host multiple sites on a common platform. An attacker must have a knowledge about used filenames and the server.

Solution: 

Install the latest version:

• If you use Aegir hosting system, upgrade to Aegir HTTPS 7.x-3.170

Also see the Aegir HTTPS project page.

Reported By: 

• Cristian Segarra

Fixed By: 

• Cristian Segarra
• Jon Pugh
• anarcat
• Herman van Rink
• Colan Schwartz

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Cash Williams of the Drupal Security Team

Project: ProvisionVersion: 7.x-3.170Date: 2019-January-09Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform.

This module doesn't sufficiently shield multi-site installations or the PHP source code.

This vulnerability is mitigated by the fact that the server must be using Apache. For multi-site installations, the server must host multiple sites on a common platform. Additionally an attacker must have a knowledge about used filenames and the server.

Solution: 

Install the latest version:

• If you use Aegir hosting system, upgrade to Provision 7.x-3.170

Also see the Provision project page.

Reported By: 

• Cristian Segarra

Fixed By: 

• Cristian Segarra
• Jon Pugh
• anarcat
• Herman van Rink
• Colan Schwartz

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Cash Williams of the Drupal Security Team

Project: Phone FieldDate: 2019-January-09Security risk: Critical 16∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: SQL InjectionDescription: 

This module provides a phone field for Drupal 7 that supports the HTML5 tel:-schema.

In an API function that is not used by the module, the name for the phone field is not sufficiently sanitised when using it in database queries.

This vulnerability is mitigated by the fact that it affects an unused function. A site is only vulnerable if it has custom code that uses the phonefield_get_entity_id() function and exposes control over the $field parameter to visitors to the site.

Solution: 

Install the latest version:

• If you use the phonefield module for Drupal 7.x, upgrade to phonefield 7.x-1.1

Also see the Phone Field project page.

Reported By: 

• Drew Webber Provisional Security Team Member

Fixed By: 

• Drew Webber Provisional Security Team Member
• Gisle Hannemyr

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Drew Webber Provisional Security Team Member

Project: JSON:APIDate: 2018-December-19Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module provides a JSON:API specification-compliant HTTP API for accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when responding to certain filtered collection requests, thereby causing an access bypass vulnerability. (This means certain GET requests are vulnerable; no POST, PATCH or DELETE requests are vulnerable.)

In order to fix this issue, two new hooks were added: hook_jsonapi_ENTITY_TYPE_filter_access() and hook_jsonapi_entity_field_filter_access(). Sites with custom entity types and/or with entity or field access customizations may need to implement these newly introduced hooks.

Solution: 

Install the latest version:

• If you use the JSON:API module 8.x-1.x for Drupal 8.x, upgrade to JSON API 8.x-1.24

Also see the JSON:API project page.

Reported By: 

• Gabe Sullice
• Lauri Eskola

Fixed By: 

• Gabe Sullice
• Wim Leers
• Alex Bronstein of the Drupal Security Team
• Tobias Zimmermann
• Andrei Mateescu
• Mateu Aguiló Bosch
• Hristo Chonov
• Daniel Wehner
• Sascha Grossenbacher
• Kristiaan Van den Eynde
• Lee Rowlands of the Drupal Security Team

Coordinated By: 

• Alex Bronstein of the Drupal Security Team

Project: E-SignVersion: 7.x-1.9Date: 2018-December-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module allows for integration of Signature Pad, an electronic-signing
script, into Drupal for both nodes (content), the Field API (FAPI), and Webforms.

The module doesn't sufficiently filter user input when displaying a signature.

The vulnerability is mitigated by the fact that an attacker must have the ability to submit a signature. That permission might be associated with submitting a webform or creating or editing a node depending on site configuration.

Solution: 

Install the latest version:

• If you use the Esign module for Drupal 7.x, upgrade to Esign 7.x-1.10

Also see the E-Sign project page.

Reported By: 

• Mitch Portier

Fixed By: 

• Adam Weiss
• Mitch Portier

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Responsive MenusVersion: 7.x-1.x-devDate: 2018-December-05Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module enables you to collapse your sites main menu on mobile, and show a menu toggle button.

The module doesn't sufficiently sanitize configuration settings provided by users which leads to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive menus".

Solution: 

Install the latest version:

• If you use the responsive_menus module for Drupal 7.x, upgrade to responsive_menus 7.x-1.7

Reported By: 

• Ayesh Karunaratne

Fixed By: 

• Joshua Walker

Coordinated By: 

• Michael Hess of the Drupal Security Team
• David Snopek of the Drupal Security Team

Project: Salesforce SuiteDate: 2018-December-05Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure.

This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce record IDs are exposed. Entity content and metadata are appropriately protected. Disclosure of Salesforce ID does not confer any additional privileges.

Solution: 

Install the latest version:

• If you use the Salesforce Suite module for Drupal 8.x, upgrade to Salesforce Suite 8.x-3.1

Also see the Salesforce Suite project page.

Reported By: 

• Oskar Schöldström

Fixed By: 

• Aaron Bauman
• Gabriel Carleton-Barnes

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Password PolicyVersion: 7.x-1.x-devDate: 2018-December-05Security risk: Less critical 9∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceDescription: 

The Password Policy module makes it possible to set constraints on user passwords which disallow certain passwords.

The "digit placement" constraint is vulnerable to Denial of Service attacks if an attacker submits specially crafted passwords which can cause a site to become unresponsive.

This vulnerability is mitigated by the fact that a site must have the "digit placement" constraint enabled.

Solution: 

Install the latest version:

• If you use the Password Policy module for Drupal 7.x, upgrade to Password Policy 7.x-1.16

Reported By: 

• Michael Sherron

Fixed By: 

• AohRveTPV

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• David Snopek of the Drupal Security Team

Project: Date ReminderDate: 2018-November-28Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module allows registered users to request email reminders to be sent at a specified time before an event.

The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access.

This can be mitigated with configuring DateReminder with Reminder Display: "Fieldset within a node" disables the potential exploit.

Solution: 

Install the latest version:

• If you use the Date Reminder module for Drupal 7.x, upgrade to Date Reminder 7.x-1.15

Also see the Date Reminder project page.

Reported By: 

• than_nak87

Fixed By: 

• dwillcox
• Balazs Janos Tatar Provisional Security Team member

Coordinated By: 

Balazs Janos Tatar Provisional Security Team member

Project: GatherContentDate: 2018-November-28Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to import and export data from the GatherContent service.

The module didn't properly protect its administrative paths.

Solution: 

Install the latest version:

• If you use the gathercontent module for Drupal 7.x, upgrade to gathercontent 7.x-3.5

Also see the GatherContent project page.

Reported By: 

• Francisco Rodriguez

Fixed By: 

• Roland Kovacsics

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: BootstrapVersion: 7.x-3.228.x-3.14Date: 2018-November-28Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

This base theme bridges the gap between Drupal and the Bootstrap Framework.

The theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips.

This vulnerability is mitigated by the fact that an attacker must already have the ability to either:

1. Edit/save custom content that supplies a value for the data-target attribute by injecting malicious code.
2. Inject custom markup onto the page that further exploits the data-target attribute by injecting malicious code. This method of attack is highly unlikely if they already have this level of access.

Note: while the base-theme does not provide either of these opportunities to do this out-of-the-box; a custom sub-theme may, however, be susceptible if it didn't sanitize or filter user provided input for XSS properly.

Solution: 

Install the latest version and take additional manual steps (see below).

• If you use the Drupal Bootstrap base-theme for Drupal 7.x, upgrade to 7.x-3.22
• If you use the Drupal Bootstrap base-theme for Drupal 8.x, upgrade to 8.x-3.14

Extra Note:

The vulnerability fixed in the Bootstrap theme releases on Drupal.org is a by-product from forking parts of the external framework's JavaScript code. The external framework's vulnerability was first reported in a public issue and later a fix for this vulnerability was merged into the external framework, however an official release of the external framework has yet to be made.

Users of this theme should take two additional steps:

1. Follow this external framework issue for further information and to keep up-to-date on when you need to upgrade your sub-theme's external framework source. You may consider using the distributed files from the temporary branch master-xmr-v3-fixes until an official release is made.
2. Review any custom code on your site that might have copied from the external framework's vulnerable code.

Also see the Bootstrap project page.

Reported By: 

• Gomez_in_the_South

Fixed By: 

• Mark Carver

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• 
  Samuel Mortenson of the Drupal Security Team

Project: ParagraphsVersion: 8.x-1.4Date: 2018-October-31Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Access BypassDescription: 

The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users.

The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other contributed modules.

Solution: 

Install the latest version:

• If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs 8.x-1.5

Also see the Paragraphs project page.

Reported By: 

• Sam Becker

Fixed By: 

• Sam Becker
• Alex Pott of the Drupal Security Team
• Sascha Grossenbacher
• Alex Bronstein of the Drupal Security Team
• Mateu Aguiló Bosch
• Miro Dietiker

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Session LimitVersion: 7.x-2.28.x-1.0-beta2Date: 2018-October-31Security risk: Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Insecure Session ManagementDescription: 

The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account.

In one configuration of the module, when a user logs in with another session elsewhere already active, the module asks the user which session should be closed before they can proceed with login. The module does not sufficiently tokenise the list of sessions so that the user's session keys can be found through inspection of the form.

This vulnerability is mitigated by the fact that an attacker must already be able to intercept the contents of the HTML page to exploit the issue. That ability to intercept may come from Cross Site Scripting. This makes a Cross Site Scripting vulnerability worse than it would normally be.

Solution: 

Install the latest version:

• If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3
• If you use the Session Limit module for Drupal 8.x, upgrade to 8.x-1.0-beta3

Also see the Session Limit project page.

Reported By: 

• Simon Kapadia

Fixed By: 

• John Ennew

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Decoupled RouterVersion: 8.x-1.18.x-1.0Date: 2018-October-31Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label.

The module doesn't sufficiently check access before displaying entity labels. This leads to the display of labels on entities that are not be accessible, for example; titles of unpublished content.

Solution: 

Install the latest version:

• If you use the Decoupled Router module for Drupal 8.x, upgrade to Decoupled Router 8.x-1.2

Also see the Decoupled Router project page.

Reported By: 

• Rainer Friederich

Fixed By: 

• Mateu Aguiló Bosch

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Michael Hess (mlhess) of the Drupal Security Team

Project: Search AutocompleteDate: 2018-October-17Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingCVE IDs: CVE-2018-7603Description: 

This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc..).

The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments.

Solution: 

Install the latest version:

• If you use the Search Autocomplete module for Drupal 7.x, upgrade to Search Autocomplete 7.x-4.8

Also see the Search Autocomplete project page.

Reported By: 

• Simon Kapadia

Fixed By: 

• Dominique CLAUSE

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

The Drupal Security team has a core and contrib release window on the 3rd Wednesday of the month. This window normally ends at 5pm Eastern (9PM UTC).

Due to unforeseen circumstances, we are extending the current window we are in by 3 hours until Oct 17th, 2018 at 8pm Eastern (11:59PM UTC).

Project: HTML MailDate: 2018-October-17Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Remote Code ExecutionDescription: 

The HTML Mail module lets you theme your messages the same way you theme the rest of your website.

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

• If you are running Drupal 7.x,
  • update to 7.x-2.71.
  • In case you're still using 7.x-2.65, there is a version 7.x-2.66 which has only the security patch applied, but you must realize that you are running old code and you're missing a number of bug fixes.

Also see the HTML Mail project page.

Reported By: 

• Damien Tournoud

Fixed By: 

• Hans Salvisberg

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Mime MailDate: 2018-October-17Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments.

The module doesn't sufficiently sanitized some variables for shell arguments when sending email, which could lead to arbitrary remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

• If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail 7.x-1.1

Also see the Mime Mail project page.

Reported By: 

• RainbowLyte

Fixed By: 

• sgabe

Coordinated By: 

• Greg Knaddison of the Drupal Security Team