Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 15 Mar 2016 19:02:25 -0400 (EDT)
From: cve-assign@...re.org
To: pere@...a.cat
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...pal.org
Subject: Re: CVE requests for Drupal core (SA-CORE-2016-001)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://www.drupal.org/SA-CORE-2016-001

> File upload access bypass and denial of service (File module - Drupal
> 7 and 8 - Moderately Critical)
> 
> A vulnerability exists in the File module that allows a malicious user
> to view, delete or substitute a link to a file that the victim has
> uploaded to a form while the form has not yet been submitted and
> processed. If an attacker carries out this attack continuously, all
> file uploads to a site could be blocked by deleting all temporary
> files before they can be saved.
> 
> This vulnerability is mitigated by the fact that the attacker must
> have permission to create content or comment and upload files as part
> of that process.

Use CVE-2016-3162.


> Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal
> 6 and 7 - Moderately Critical)
> 
> The XML-RPC system allows a large number of calls to the same method
> to be made at once, which can be used as an enabling factor in brute
> force attacks (for example, attempting to determine user passwords by
> submitting a large number of password variations at once).
> 
> This vulnerability is mitigated by the fact that you must have enabled
> a module that provides an XML-RPC method that is vulnerable to
> brute-forcing. There are no such modules in Drupal 7 core, but Drupal
> 6 core is vulnerable via the Blog API module. It is additionally
> mitigated if flood control protection is in place for the method in
> question.

Use CVE-2016-3163.


> Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 -
> Moderately Critical)
> 
> In Drupal 6 and 7, the current path can be populated with an external
> URL. This can lead to Open Redirect vulnerabilities.
> 
> This vulnerability is mitigated by the fact that it would only occur
> in combination with custom code, or in certain cases if a user submits
> a form shown on a 404 page with a specially crafted URL.
> 
> For Drupal 8 this is a hardening against possible browser flaws
> handling certain redirect paths.

Use CVE-2016-3164.


> Form API ignores access restrictions on submit buttons (Form API -
> Drupal 6 - Critical)
> 
> An access bypass vulnerability was found that allows input to be
> submitted, for example using JavaScript, for form button elements that
> a user is not supposed to have access to because the button was
> blocked by setting #access to FALSE in the server-side form
> definition.
> 
> This vulnerability is mitigated by the fact that the attacker must
> have access to submit a form that has such buttons defined for it (for
> example, a form that both administrators and non-administrators can
> access, but where administrators have additional buttons available to
> them).

Use CVE-2016-3165.


> HTTP header injection using line breaks (Base system - Drupal 6 -
> Moderately Critical)
> 
> A vulnerability in the drupal_set_header() function allows an HTTP
> header injection attack to be performed if user-generated content is
> passed as a header value on sites running PHP versions older than
> 5.1.2. If the content contains line breaks the user may be able to set
> arbitrary headers of their own choosing.
> 
> This vulnerability is mitigated by the fact that most hosts have newer
> versions of PHP installed, and that it requires a module to be
> installed on the site that allows user-submitted data to appear in
> HTTP headers.

Use CVE-2016-3166. (This issue has a CVE ID because the Drupal vendor
has issued a security advisory. A different vendor, in response to
a similar report, could choose to take the position that PHP 5.1.x
is obsolete, and the product offers no expectation of correct
behavior with 5.1.x.)


> Open redirect via double-encoded 'destination' parameter (Base system
> - Drupal 6 - Moderately Critical)
> 
> The drupal_goto() function in Drupal 6 improperly decodes the contents
> of $_REQUEST['destination'] before using it, which allows the
> function's open redirect protection to be bypassed and allows an
> attacker to initiate a redirect to an arbitrary external URL.
> 
> This vulnerability is mitigated by that fact that the attack is not
> possible for sites running on PHP 5.4.7 or greater.

Use CVE-2016-3167. (This issue has a CVE ID because the Drupal vendor
has issued a security advisory. A different vendor, in response to
a similar report, could choose to take the position that PHP 5.4.x
is obsolete, and the product offers no expectation of correct
behavior with 5.4.x.)


> Reflected file download vulnerability (System module - Drupal 6 and 7
> - Moderately Critical)
> 
> Drupal core has a reflected file download vulnerability that could
> allow an attacker to trick a user into downloading and running a file
> with arbitrary JSON-encoded content.
> 
> This vulnerability is mitigated by the fact that the victim must be a
> site administrator and that the full version of the attack only works
> with certain web browsers.

Use CVE-2016-3168.


> Saving user accounts can sometimes grant the user all roles (User
> module - Drupal 6 and 7 - Less Critical)
> 
> Some specific contributed or custom code may call Drupal's user_save()
> API in a manner different than Drupal core. Depending on the data that
> has been added to a form or the array prior to saving, this can lead
> to a user gaining all roles on a site.
> 
> This issue is mitigated by the fact that it requires contributed or
> custom code that calls user_save() with an explicit category and code
> that loads all roles into the array.

Use CVE-2016-3169.


> Email address can be matched to an account (User module - Drupal 7 and
> 8 - Less Critical)
> 
> In certain configurations where a user's email addresses could be used
> to log in instead of their username, links to "have you forgotten your
> password" could reveal the username associated with a particular email
> address, leading to an information disclosure vulnerability.
> 
> This issue is mitigated by the fact that it requires a contributed
> module to be installed that permits logging in with an email address,
> and that it is only relevant on sites where usernames are typically
> chosen to hide the users' real-life identities.

Use CVE-2016-3170.


> Session data truncation can lead to unserialization of user provided
> data (Base system - Drupal 6 - Less Critical)
> 
> On certain older versions of PHP, user-provided data stored in a
> Drupal session may be unserialized leading to possible remote code
> execution.
> 
> This issue is mitigated by the fact that it requires an unusual set of
> circumstances to exploit and depends on the particular Drupal code
> that is running on the site. It is also believed to be mitigated by
> upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.

Use CVE-2016-3171.


We may be sending a separate reply about the "And also for the
FileField contributed module" part.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW6JQLAAoJEL54rhJi8gl5ySQQAI4bneFzYhM+2x9p8M9zDwF0
qZbMerp4yXeB+w4ejBBUv73k03xXveRwOabDiT0N4Rub/njlUUhmqtOLHuOZ21WU
wYPGYxZHEVLmsiDCYu6W55aE114CywC+uWEay6o6Nk55y5EGRrZzwQjYPwSJdbl+
/D4ArePHQkw5+mclilaFVKvhd8t01AVaH8x5cyfGYTZVJRjL6O6032fEbTgGcz6c
mEZ2cpHZYsOAvn5I0i0SKq5xTK3UK+mzt23n8toP2k2E9bFOjqIej49hQMsIKF0O
ixZn1J08J5stumLUDPMcu1L1kwr5/6+C24f5Um67q0zlL5W6jshpUUzXXe4nxBom
vr9cC2hqMk1tkjBmKvylS7BLk5VblL8rSsUjZ6UxbL+gvusdblPnTpzvw1ldlG61
fgp5e27yOFYKuOrd6/OO79zmJFGWo+mRweumJOZpKdP8H4x58IMF5eZSzFhVSuzS
EVKFKOHVwPVF1nQ3j81KyDxe4vNtCCjIy6eKJyctkHMn8Q21VlkTGjvDVcO8qfOA
oUV/JKn2ad/Pl4TN4LDT6KDss6zHCM+EvlX+mLdy4Oa13rs+N29Ek5VxLGjaEe9p
77yXCYPIO64dxUqlU+/bKH3f/fRBDv0fjLt3nWUol0e26RTmAbIn/T6xRdFCB2Qb
infW+eF3l8hqc0Y9K27J
=f4nY
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.