Opened 2 years ago
Last modified 2 years ago
#77 new defect
Drupal contrib - Highly Critical - Remote code execution PSA-2016-001
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | major | Milestone: | Maintenance |
| Component: | drupal | Version: | |
| Keywords: | | Cc: | peter, jenny, gillian |
| Estimated Number of Hours: | 0 | Add Hours to Ticket: | 0 |
| Billable?: | yes | Total Hours: | 0.9 |
Description
At 16:00 UTC (5pm BST) fixes for multiple "highly critical remote code execution vulnerabilities" in unspecified Drupal 7 modules will be released and it is expected that "exploits are expected to be developed within hours/days", see:
Peter: do you have this in hand? I notice that the dev site is still not running properly:
CSS is linked like this:
@import url("https:///sites/all/modules/contrib/domain/domain_nav/domain_nav.css?o4jry7"); @import url("https:///modules/field/theme/field.css?o4jry7");
JS is linked like this:
<script src="https:///sites/default/files/js/js_zzcIWOou_jnX0ZWAIA4sb6Xy_p5a8FZNA0GySvuWjPU.js"></script>
And images are linked like this:
<img typeof="foaf:Image" src="https:///sites/default/files/styles/390x387/public/1.1.jpg?itok=p_PWQReL" width="390" height="387" alt="" />
Is there anything I can do to help?
Change History (15)
comment:1 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.25
- Total Hours set to 0.25
comment:2 Changed 2 years ago by chris
comment:3 follow-up: ↓ 4 Changed 2 years ago by gillian
Hi Chris, I will contact Code Positive by phone now. Jenny is on leave. Thanks, Gillian

On 13 July 2016 at 14:17, CRIN Trac <trac@trac.crin.org> wrote:

> #77: Drupal contrib - Highly Critical - Remote code execution PSA-2016-001
>
> Comment (by chris):
>
> I'm beginning to be a little concerned that I have had no response to this ticket, we have 2 hours 45 minutes until the announcement -- if I haven't heard anything by then and a module that the site is using is vulnerable then I'm probably going to have to risk breaking things by either disabling the module or upgrading it and I can't test this on the dev site as it isn't working properly, so it might have to be done directly on the live site. This isn't ideal.
>
> --
> Ticket URL: <https://trac.crin.org.archived.website/trac/ticket/77#comment:2>
> CRIN Trac <https://trac.crin.org.archived.website/trac>
> Trac project for CRIN website and servers.

--
Gillian Harrow
Child Rights International Network - CRIN
Unit 1.14, The Foundry, 17 Oval Way, London SE11 5RR, United Kingdom
E: gillian@crin.org
T: +44 (0)20 3752 5484
Website: www.crin.org
Twitter: @CRINwire
comment:4 in reply to: ↑ 3 Changed 2 years ago by chris
comment:5 Changed 2 years ago by gillian
Hi, I contacted the office and Peter is taking a day off today and Ben is on leave also! Spoke to Rachel who is kindly attempting to handle it and is contacting a senior development guy called Robert who (I hope) will contact you. They have your details. Let me know if you haven't heard anything.

On 13 July 2016 at 14:42, CRIN Trac <trac@trac.crin.org> wrote:

> Comment (by chris):
>
> Replying to [comment:3 gillian]:
> > I will contact Code Positive by phone now.
>
> That's great, thanks.
>
> Ticket URL: <https://trac.crin.org.archived.website/trac/ticket/77#comment:4>
comment:6 Changed 2 years ago by gillian
Chris,

From Rachel, Code Positive:

I haven't had a reply from Robert yet. I've tried to access the dev site using Chrome and I'm running into the problem of it not working. However, I was able to successfully load it using Safari and Firefox browsers. Could Chris try that?

Thanks,

Rachel
comment:7 follow-up: ↓ 9 Changed 2 years ago by peter
Hi All

The development site can take some time getting up and running. It normally loads after a few attempts... once the cache has been warmed up. Any changes to modules will also clear the cache so there will be a few reloads required to get it running.

It's my son's last day at school today and I am helping to organise things, so am not really available.

Chris, because Robert and Rachel are going to need to be doing a few other updates, it would be great if you could see what needs to be updated on the crin site.

On Wed, 13 Jul 2016, 15:23 Gillian Harrow, <gillian@crin.org> wrote:

> Chris, From Rachel, Code Positive:
> I haven't had a reply from Robert yet. I've tried to access the dev site using Chrome and I'm running into the problem of it not working. However, I was able to successfully load it using Safari and Firefox browsers. Could Chris try that?
>
> Thanks,
>
> Rachel
comment:8 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.15
- Total Hours changed from 0.25 to 0.4
Replying to gillian:
Chris, From Rachel, Code Positive:
I haven't had a reply from Robert yet. I've tried to access the dev site
using Chrome and I'm running into the problem of it not working. However, I
was able to successfully load it using Safari and Firefox browsers. Could
Chris try that?
Ah, that isn't the reason, but it did help me find out some more about it -- the problem is that the site works using HTTP (which I didn't realise):
But not HTTPS:
I'll see if there is a simple fix for this.
comment:9 in reply to: ↑ 7 ; follow-up: ↓ 10 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.2
- Total Hours changed from 0.4 to 0.6
Replying to peter:
Chris, because Robert and Rachel are going to need to be doing a few other
updates, it would be great if you could see what needs to be updated on the
crin site.
No problem. I'll check at 5pm what is affected and how best to ensure the site isn't vulnerable.
In terms of why it works using HTTP but not HTTPS, both sites have this env var set by Nginx and I don't know what else to look for...
fastcgi_param SITE_ENV crin_dev;
And in any case it has now been fixed by someone by the looks of it :-)
comment:10 in reply to: ↑ 9 Changed 2 years ago by chris
Replying to chris:
And in any case it has now been fixed by someone by the looks of it :-)
Oh no it hasn't:
But it does work if `en` is appended to the site address -- that is good enough for this afternoon -- I'll be able to test any updates if needs be.
comment:11 Changed 2 years ago by gillian
Thanks Peter for responding on the last day of school. Thanks again for your support, Chris.

On 13 July 2016 at 15:54, CRIN Trac <trac@trac.crin.org> wrote:

> Comment (by chris):
>
> Replying to [comment:9 chris]:
> > And in any case it has now been fixed by someone by the looks of it :-)
> >
> > * https://dev.crin.org/en
>
> Oh no it hasn't:
>
> * https://dev.crin.org/
>
> But it does work if `en` is appended to the site address -- that is good enough for this afternoon -- I'll be able to test any updates if needs be.
>
> Ticket URL: <https://trac.crin.org.archived.website/trac/ticket/77#comment:10>
comment:12 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.15
- Total Hours changed from 0.6 to 0.75
The Drupal modules that are installed on the dev server:

su - bitbucket
cd /var/www/dev/docroot/
drush pm-list

| Package | Name | Type | Status | Version |
|---|---|---|---|---|
| Administration | Actions permissions (VBO) (actions_permissions) | Module | Not installed | 7.x-3.1 |
| Administration | Administration Development tools (admin_devel) | Module | Not installed | 7.x-3.0-rc4 |
| Administration | Administration menu (admin_menu) | Module | Enabled | 7.x-3.0-rc4 |
| Administration | Administration menu Toolbar style (admin_menu_toolbar) | Module | Enabled | 7.x-3.0-rc4 |
| Annotation | Annotation (annotation) | Module | Not installed | 7.x-1.x-dev |
| Annotation | Annotator (annotator) | Module | Not installed | 7.x-1.x-dev |
| Authentication | User registration password (user_registrationpassword) | Module | Not installed | 7.x-1.3 |
| CCK | FileField Nginx Progress (filefield_nginx_progress) | Module | Enabled | 7.x-2.3 |
| Chaos tool suite | Bulk Export (bulk_export) | Module | Not installed | 7.x-1.3 |
| Chaos tool suite | Chaos tools (ctools) | Module | Enabled | 7.x-1.3 |
| Chaos tool suite | Chaos Tools (CTools) AJAX Example (ctools_ajax_sample) | Module | Not installed | 7.x-1.3 |
| Chaos tool suite | Chaos Tools (CTools) Plugin Example (ctools_plugin_example) | Module | Not installed | 7.x-1.3 |
| Chaos tool suite | Custom content panes (ctools_custom_content) | Module | Not installed | 7.x-1.3 |
| Chaos tool suite | Custom rulesets (ctools_access_ruleset) | Module | Not installed | 7.x-1.3 |
| Chaos tool suite | Page manager (page_manager) | Module | Not installed | 7.x-1.3 |
| Chaos tool suite | Stylizer (stylizer) | Module | Not installed | 7.x-1.3 |
| Chaos tool suite | Views content panes (views_content) | Module | Not installed | 7.x-1.3 |
| Core | Aggregator (aggregator) | Module | Not installed | 7.24 |
| Core | Block (block) | Module | Enabled | 7.24 |
| Core | Blog (blog) | Module | Not installed | 7.24 |
| Core | Book (book) | Module | Not installed | 7.24 |
| Core | Color (color) | Module | Not installed | 7.24 |
| Core | Comment (comment) | Module | Not installed | 7.24 |
| Core | Contact (contact) | Module | Enabled | 7.24 |
| Core | Content translation (translation) | Module | Enabled | 7.24 |
| Core | Contextual links (contextual) | Module | Enabled | 7.24 |
| Core | Dashboard (dashboard) | Module | Not installed | 7.24 |
| Core | Database logging (dblog) | Module | Disabled | 7.24 |
| Core | Field (field) | Module | Enabled | 7.24 |
| Core | Field SQL storage (field_sql_storage) | Module | Enabled | 7.24 |
| Core | Field UI (field_ui) | Module | Enabled | 7.24 |
| Core | File (file) | Module | Enabled | 7.24 |
| Core | Filter (filter) | Module | Enabled | 7.24 |
| Core | Forum (forum) | Module | Not installed | 7.24 |
| Core | Help (help) | Module | Not installed | 7.24 |
| Core | Image (image) | Module | Enabled | 7.24 |
| Core | List (list) | Module | Enabled | 7.24 |
| Core | Locale (locale) | Module | Not installed | 7.24 |
| Core | Menu (menu) | Module | Enabled | 7.24 |
| Core | Node (node) | Module | Enabled | 7.24 |
| Core | Number (number) | Module | Enabled | 7.24 |
| Core | OpenID (openid) | Module | Not installed | 7.24 |
| Core | Options (options) | Module | Enabled | 7.24 |
| Core | Overlay (overlay) | Module | Not installed | 7.24 |
| Core | Path (path) | Module | Enabled | 7.24 |
| Core | PHP filter (php) | Module | Enabled | 7.24 |
| Core | Poll (poll) | Module | Not installed | 7.24 |
| Core | Project Browser (project_browser) | Module | Not installed | 7.x-1.x-dev |
| Core | RDF (rdf) | Module | Enabled | 7.24 |
| Core | Search (search) | Module | Enabled | 7.24 |
| Core | Shortcut (shortcut) | Module | Enabled | 7.24 |
| Core | Statistics (statistics) | Module | Not installed | 7.24 |
| Core | Syslog (syslog) | Module | Enabled | 7.24 |
| Core | System (system) | Module | Enabled | 7.24 |
| Core | Taxonomy (taxonomy) | Module | Enabled | 7.24 |
| Core | Testing (simpletest) | Module | Not installed | 7.24 |
| Core | Text (text) | Module | Enabled | 7.24 |
| Core | Toolbar (toolbar) | Module | Not installed | 7.24 |
| Core | Tracker (tracker) | Module | Not installed | 7.24 |
| Core | Trigger (trigger) | Module | Enabled | 7.24 |
| Core | Update manager (update) | Module | Not installed | 7.24 |
| Core | User (user) | Module | Enabled | 7.24 |
| crin | Country menu (country_menu) | Module | Enabled | |
| crin | CRIN Module (crinmodule) | Module | Enabled | |
| crin | CRIN Paths from old site (crinpath) | Module | Enabled | |
| crin | CRIN User to company (crinuser) | Module | Enabled | |
| crin | CRIN wiki pull (crinqp) | Module | Enabled | |
| crin | crinmigrate (crinmigrate) | Module | Enabled | |
| crin | custom_blocks (custom_blocks) | Module | Enabled | |
| crin | Search header images (search_header_images) | Module | Enabled | |
| Custom | enoc_banner (enoc_banner) | Module | Enabled | |
| Date/Time | Date (date) | Module | Enabled | 7.x-2.6 |
| Date/Time | Date All Day (date_all_day) | Module | Enabled | 7.x-2.6 |
| Date/Time | Date API (date_api) | Module | Enabled | 7.x-2.6 |
| Date/Time | Date Context (date_context) | Module | Not installed | 7.x-2.6 |
| Date/Time | Date Migration (date_migrate) | Module | Not installed | 7.x-2.6 |
| Date/Time | Date Popup (date_popup) | Module | Enabled | 7.x-2.6 |
| Date/Time | Date Repeat API (date_repeat) | Module | Not installed | 7.x-2.6 |
| Date/Time | Date Repeat Field (date_repeat_field) | Module | Not installed | 7.x-2.6 |
| Date/Time | Date Tools (date_tools) | Module | Not installed | 7.x-2.6 |
| Date/Time | Date Views (date_views) | Module | Enabled | 7.x-2.6 |
| Development | Devel (devel) | Module | Disabled | 7.x-1.3 |
| Development | Devel generate (devel_generate) | Module | Not installed | 7.x-1.3 |
| Development | Devel node access (devel_node_access) | Module | Not installed | 7.x-1.3 |
| Development | Hacked! (hacked) | Module | Not installed | 7.x-2.0-beta5 |
| Development | Menu import (menu_import) | Module | Enabled | 7.x-1.7 |
| Development | Migrate (migrate) | Module | Not installed | 7.x-2.5 |
| Development | Migrate Example (migrate_example) | Module | Not installed | 7.x-2.5 |
| Development | Migrate UI (migrate_ui) | Module | Not installed | 7.x-2.5 |
| Development | Reroute emails (reroute_email) | Module | Not installed | 7.x-1.2 |
| Domain Access | Domain Access (domain) | Module | Enabled | 7.x-3.10 |
| Domain Access | Domain Alias (domain_alias) | Module | Enabled | 7.x-3.10 |
| Domain Access | Domain Configuration (domain_conf) | Module | Enabled | 7.x-3.10 |
| Domain Access | Domain Content (domain_content) | Module | Enabled | 7.x-3.10 |
| Domain Access | Domain Navigation (domain_nav) | Module | Enabled | 7.x-3.10 |
| Domain Access | Domain Settings (domain_settings) | Module | Enabled | 7.x-3.10 |
| Domain Access | Domain Source (domain_source) | Module | Not installed | 7.x-3.10 |
| Domain Access | Domain Strict (domain_strict) | Module | Not installed | 7.x-3.10 |
| Domain Access | Domain Theme (domain_theme) | Module | Enabled | 7.x-3.10 |
| Domain Access | Domain Views (domain_views) | Module | Enabled | 7.x-1.5-patched |
| Domain Access | Subfolders Domain (subfolders_domain) | Module | Not installed | 7.x-2.7 |
| Drupy | Domain custom search (domain_custom_search) | Module | Enabled | |
| Drupy | Effusion Mailchimp (effusion_mailchimp) | Module | Not installed | |
| Drupy | effusioncommon (effusioncommon) | Module | Enabled | |
| Drupy | effusiondash (effusiondash) | Module | Not installed | |
| Drupy | effusiontestuser (effusiontestuser) | Module | Not installed | |
| Drupy | Enoc Blocks (enoc_blocks) | Module | Enabled | |
| Drupy | SAK (Swiss Army Knife) (sak) | Module | Not installed | |
| Entityforms | Entityform Anonymous (entityform_anonymous) | Module | Not installed | 7.x-2.0-beta4 |
| Entityforms | Entityforms (entityform) | Module | Enabled | 7.x-2.0-beta4 |
| Entityforms | Entityforms Notifications (entityform_notifications) | Module | Enabled | 7.x-2.0-beta4 |
| Example modules | Variable example (variable_example) | Module | Not installed | 7.x-2.3 |
| Features | Date Migration Example (date_migrate_example) | Module | Not installed | 7.x-2.6 |
| Features | entityform_test (entityform_test) | Module | Not installed | 7.x-2.0-beta4 |
| Features | Features (features) | Module | Not installed | 7.x-2.0 |
| Fieldgroup | Fieldgroup Test (field_group_test) | Module | Not installed | 7.x-1.3 |
| Fields | Block reference (blockreference) | Module | Not installed | 7.x-1.13 |
| Fields | Entity Reference (entityreference) | Module | Not installed | 7.x-1.0-rc1 |
| Fields | Entity Reference Behavior Example (entityreference_behavior_example) | Module | Not installed | 7.x-1.0-rc1 |
| Fields | Field collection (field_collection) | Module | Enabled | 7.x-1.0-beta5 |
| Fields | Field extract (field_extract) | Module | Enabled | 7.x-1.x-dev |
| Fields | Fieldgroup (field_group) | Module | Enabled | 7.x-1.3 |
| Fields | File Field Sources (filefield_sources) | Module | Not installed | 7.x-1.6 |
| Fields | Google Map Field (google_map_field) | Module | Enabled | 7.x-2.4-patched |
| Fields | Google Map Field - Extend (google_map_field_extend) | Module | Enabled | |
| Fields | Node Reference (node_reference) | Module | Enabled | 7.x-2.1 |
| Fields | References (references) | Module | Enabled | 7.x-2.1 |
| Fields | Term Reference Tree (term_reference_tree) | Module | Enabled | 7.x-1.10 |
| Fields | URL (url) | Module | Enabled | 7.x-1.0 |
| Fields | User Reference (user_reference) | Module | Not installed | 7.x-2.1 |
| Knowledge Base | User Dashboard (user_dashboard) | Module | Not installed | 7.x-1.2 |
| Linkedin | LinkedIn (linkedin) | Module | Not installed | 7.x-1.x-dev |
| Linkedin | LinkedIn Authentication (linkedin_auth) | Module | Not installed | 7.x-1.x-dev |
| Linkedin | Linkedin profile integration (linkedin_profile) | Module | Not installed | 7.x-1.x-dev |
| Linkedin | LinkedIn Signup (linkedin_signup) | Module | Not installed | |
| Linkedin | LinkedIn status update (linkedin_status) | Module | Not installed | 7.x-1.x-dev |
| Mail | Mail System (mailsystem) | Module | Enabled | 7.x-2.34 |
| Mail | Mime Mail (mimemail) | Module | Enabled | 7.x-1.0-beta1 |
| Mail | Mime Mail Action (mimemail_action) | Module | Not installed | 7.x-1.0-beta1 |
| Mail | Mime Mail CSS Compressor (mimemail_compress) | Module | Disabled | 7.x-1.0-beta1 |
| Mail | Simplenews (simplenews) | Module | Enabled | 7.x-1.1-patched |
| Mail | Simplenews Content Selection (scs) | Module | Enabled | 7.x-2.0 |
| Mail | Simplenews Content Selection Views Integration (scs_views) | Module | Enabled | 7.x-2.0 |
| Mail | Simplenews rules (simplenews_rules) | Module | Enabled | 7.x-1.1 |
| MailChimp | MailChimp (mailchimp) | Module | Disabled | 7.x-3.6+11-dev |
| MailChimp | MailChimp Activity (mailchimp_activity) | Module | Not installed | 7.x-3.6+11-dev |
| MailChimp | MailChimp Campaigns (mailchimp_campaign) | Module | Not installed | 7.x-3.6+11-dev |
| MailChimp | MailChimp Lists (mailchimp_lists) | Module | Disabled | 7.x-3.6+11-dev |
| MailChimp | MailChimp Signup (mailchimp_signup) | Module | Disabled | 7.x-3.6+11-dev |
| Media | File entity (file_entity) | Module | Not installed | 7.x-1.3 |
| Media | IMCE (imce) | Module | Enabled | 7.x-1.7 |
| Media | Media (media) | Module | Not installed | 7.x-1.3 |
| Media | Media Internet Sources (media_internet) | Module | Not installed | 7.x-1.3 |
| Media | Media: SoundCloud (media_soundcloud) | Module | Not installed | 7.x-1.0 |
| Migrate Examples | Migrate example - Oracle (migrate_example_oracle) | Module | Not installed | 7.x-2.5 |
| Migrate Examples | migrate_example_baseball (migrate_example_baseball) | Module | Not installed | 7.x-2.5 |
| Multilingual | Localization update (l10n_update) | Module | Disabled | 7.x-1.0-beta3 |
| Multilingual - Internationalization | Block languages (i18n_block) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Contact translation (i18n_contact) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Field translation (i18n_field) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Internationalization (i18n) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Menu translation (i18n_menu) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Multilingual content (i18n_node) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Multilingual forum (i18n_forum) | Module | Not installed | 7.x-1.10 |
| Multilingual - Internationalization | Multilingual select (i18n_select) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Path translation (i18n_path) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Profile2 translation (profile2_i18n) | Module | Not installed | 7.x-1.3 |
| Multilingual - Internationalization | Rules translation (rules_i18n) | Module | Not installed | 7.x-2.6 |
| Multilingual - Internationalization | String translation (i18n_string) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Synchronize translations (i18n_sync) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Taxonomy translation (i18n_taxonomy) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Translation redirect (i18n_redirect) | Module | Disabled | 7.x-1.10 |
| Multilingual - Internationalization | Translation sets (i18n_translation) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | User mail translation (i18n_user) | Module | Enabled | 7.x-1.10 |
| Multilingual - Internationalization | Variable translation (i18n_variable) | Module | Enabled | 7.x-1.10 |
| OAuth | OAuth (oauth_common) | Module | Enabled | 7.x-3.1 |
| OAuth | OAuth Provider UI (oauth_common_providerui) | Module | Not installed | 7.x-3.1 |
| Organic groups | Profile2 group access (profile2_og_access) | Module | Not installed | 7.x-1.3 |
| Other | Advanced help (advanced_help) | Module | Not installed | 7.x-1.0 |
| Other | Advanced help example (help_example) | Module | Not installed | 7.x-1.0 |
| Other | Backup and Migrate (backup_migrate) | Module | Enabled | 7.x-2.8 |
| Other | Big Menu (bigmenu) | Module | Enabled | 7.x-1.2 |
| Other | Block Class (block_class) | Module | Enabled | 7.x-2.3 |
| Other | Chosen (chosen) | Module | Disabled | 7.x-2.0-alpha2 |
| Other | Combined Term reference field (combined_termref) | Module | Enabled | 7.x-1.0-beta1 |
| Other | Cookie Control (cookiecontrol) | Module | Enabled | 7.x-1.6 |
| Other | Cookie Control for Google Analytics (cookie_googleanalytics) | Module | Not installed | 7.x-1.6 |
| Other | Cookie Control HTML class (cookie_html) | Module | Not installed | 7.x-1.6 |
| Other | Disqus (disqus) | Module | Disabled | 7.x-1.10 |
| Other | Entity API (entity) | Module | Enabled | 7.x-1.2 |
| Other | Entity Rules (entity_rules) | Module | Enabled | 7.x-1.0-alpha4 |
| Other | Entity to Text (entity2text) | Module | Enabled | 7.x-1.0-alpha2 |
| Other | Entity tokens (entity_token) | Module | Enabled | 7.x-1.2 |
| Other | Facebook OAuth (fboauth) | Module | Not installed | 7.x-1.6 |
| Other | Footnotes (footnotes) | Module | Not installed | 7.x-2.5 |
| Other | Footnotes with Views (footnotes_views) | Module | Not installed | 7.x-2.5 |
| Other | Google Fonts (google_fonts) | Module | Enabled | 7.x-2.3 |
| Other | Habitat (habitat) | Module | Enabled | 7.x-1.0 |
| Other | Habitat UI (habitat_ui) | Module | Enabled | 7.x-1.0 |
| Other | ImageField Focus (imagefield_focus) | Module | Enabled | 7.x-1.0-patched |
| Other | ImageField Focus Adjust (imagefield_focus_adjust) | Module | Enabled | 7.x-1.0 |
| Other | Legal (legal) | Module | Enabled | 7.x-1.5 |
| Other | LESS CSS Preprocessor (less) | Module | Not installed | 7.x-3.0 |
| Other | LESS CSS Preprocessor - DEMO (less_demo) | Module | Not installed | 7.x-3.0 |
| Other | Libraries (libraries) | Module | Enabled | 7.x-2.1 |
| Other | Login one time (login_one_time) | Module | Not installed | 7.x-2.8 |
| Other | LoginToboggan (logintoboggan) | Module | Enabled | 7.x-1.3 |
| Other | LoginToboggan Content Access Integration (logintoboggan_content_access_integration) | Module | Not installed | 7.x-1.3 |
| Other | LoginToboggan Rules Integration (logintoboggan_rules) | Module | Not installed | 7.x-1.3 |
| Other | LoginToboggan Variable Integration (logintoboggan_variable) | Module | Not installed | 7.x-1.3 |
| Other | Menu attributes (menu_attributes) | Module | Enabled | 7.x-1.0-rc2 |
| Other | Menu Block (menu_block) | Module | Enabled | 7.x-2.3-patched |
| Other | Menu Block Export (menu_block_export) | Module | Not installed | 7.x-2.3 |
| Other | Menu Node API (menu_node) | Module | Enabled | 7.x-1.2 |
| Other | Menu Node Views (menu_node_views) | Module | Enabled | 7.x-1.x-dev-patched |
| Other | Menu position (menu_position) | Module | Enabled | 7.x-1.1 |
| Other | Menu Trail By Path (menu_trail_by_path) | Module | Enabled | 7.x-2.0 |
| Other | Module filter (module_filter) | Module | Enabled | 7.x-1.8 |
| Other | MultiBlock (multiblock) | Module | Enabled | 7.x-1.1 |
| Other | Node Convert (node_convert) | Module | Not installed | 7.x-1.1 |
| Other | Pathauto (pathauto) | Module | Enabled | 7.x-1.2 |
| Other | PHP Authentication shield (shield) | Module | Not installed | 7.x-1.2 |
| Other | Profile2 (profile2) | Module | Not installed | 7.x-1.3 |
| Other | Profile2 pages (profile2_page) | Module | Not installed | 7.x-1.3 |
| Other | Quicktabs (quicktabs) | Module | Enabled | 7.x-3.6 |
| Other | Quicktabs Styles (quicktabs_tabstyles) | Module | Enabled | 7.x-3.6 |
| Other | Redirect (redirect) | Module | Enabled | 7.x-1.0-rc1 |
| Other | Session API (session_api) | Module | Not installed | 7.x-1.0-rc1 |
| Other | Stage File Proxy (stage_file_proxy) | Module | Not installed | 7.x-1.7 |
| Other | Stager (stager) | Module | Not installed | 7.x-1.2 |
| Other | String Overrides (stringoverrides) | Module | Disabled | 7.x-1.8 |
| Other | String Overrides Migrate (stringoverrides_migrate) | Module | Not installed | 7.x-1.8 |
| Other | Token (token) | Module | Enabled | 7.x-1.5 |
| Other | Transliteration (transliteration) | Module | Enabled | 7.x-3.1 |
| Other | Twitter (twitter) | Module | Enabled | 7.x-5.8 |
| Other | Twitter actions (twitter_actions) | Module | Not installed | 7.x-5.8 |
| Other | Twitter Post (twitter_post) | Module | Not installed | 7.x-5.8 |
| Other | Twitter Signin (twitter_signin) | Module | Not installed | 7.x-5.8 |
| Panels | Mini panels (panels_mini) | Module | Not installed | 7.x-3.3 |
| Panels | Panel nodes (panels_node) | Module | Not installed | 7.x-3.3 |
| Panels | Panels (panels) | Module | Not installed | 7.x-3.3 |
| Panels | Panels In-Place Editor (panels_ipe) | Module | Not installed | 7.x-3.3 |
| Path management | Global Redirect (globalredirect) | Module | Enabled | 7.x-1.5 |
| Performance and scalability | Entity cache (entitycache) | Module | Enabled | 7.x-1.2 |
| Performance and scalability | Memcache (memcache) | Module | Enabled | 7.x-1.5 |
| Performance and scalability | Memcache Admin (memcache_admin) | Module | Enabled | 7.x-1.5 |
| Rules | Rules (rules) | Module | Enabled | 7.x-2.6 |
| Rules | Rules Scheduler (rules_scheduler) | Module | Not installed | 7.x-2.6 |
| Rules | Rules UI (rules_admin) | Module | Not installed | 7.x-2.6 |
| Search | Custom Search (custom_search) | Module | Not installed | 7.x-1.12 |
| Search | Custom Search Blocks (custom_search_blocks) | Module | Not installed | 7.x-1.12 |
| Search | Custom Search Internationalization (custom_search_i18n) | Module | Not installed | 7.x-1.12 |
| Search | Custom Search Taxonomy (custom_search_taxonomy) | Module | Not installed | 7.x-1.12 |
| Search | Database search (search_api_db) | Module | Enabled | 7.x-1.2 |
| Search | Search API (search_api) | Module | Enabled | 7.x-1.6 |
| Search | Search facets (search_api_facetapi) | Module | Enabled | 7.x-1.6 |
| Search | Search views (search_api_views) | Module | Enabled | 7.x-1.6 |
| Search Toolkit | Apache Solr Access (apachesolr_access) | Module | Not installed | 7.x-1.6 |
| Search Toolkit | Apache Solr framework (apachesolr) | Module | Enabled | 7.x-1.6 |
| Search Toolkit | Apache Solr Multisite Search (apachesolr_multisitesearch) | Module | Enabled | 7.x-1.0 |
| Search Toolkit | Apache Solr search (apachesolr_search) | Module | Enabled | 7.x-1.6 |
| Search Toolkit | Current Search Blocks (current_search) | Module | Not installed | 7.x-1.3 |
| Search Toolkit | Facet API (facetapi) | Module | Enabled | 7.x-1.3 |
| Spam control | CAPTCHA (captcha) | Module | Disabled | 7.x-1.1 |
| Spam control | Honeypot (honeypot) | Module | Enabled | 7.x-1.17 |
| Spam control | Image CAPTCHA (image_captcha) | Module | Not installed | 7.x-1.1 |
| Spam control | reCAPTCHA (recaptcha) | Module | Disabled | 7.x-1.11 |
| Spam control | reCAPTCHA Mailhide (recaptcha_mailhide) | Module | Not installed | 7.x-1.11 |
| Statistics | Piwik Web Analytics (piwik) | Module | Enabled | 7.x-2.7 |
| Taxonomy | Taxonomy CSV import/export (taxonomy_csv) | Module | Disabled | 7.x-5.10 |
| Taxonomy | Taxonomy Manager (taxonomy_manager) | Module | Enabled | 7.x-1.0-patched |
| Taxonomy | Term Merge (term_merge) | Module | Not installed | 7.x-1.0 |
| Taxonomy menu | Taxonomy menu (taxonomy_menu) | Module | Enabled | 7.x-1.4 |
| User interface | Autocomplete Deluxe (autocomplete_deluxe) | Module | Enabled | 7.x-2.0-beta3 |
| User interface | CKEditor (ckeditor) | Module | Enabled | 7.x-1.13-patched |
| User interface | Footnotes Wysiwyg (footnotes_wysiwyg) | Module | Not installed | 7.x-2.5 |
| User interface | jQuery Update (jquery_update) | Module | Enabled | 7.x-2.3 |
| User interface | jQuery waypoints (waypoints) | Module | Not installed | 7.x-1.0 |
| User interface | Uniform (uniform) | Module | Not installed | 7.x-1.10 |
| User interface | Uniform Cancel (uniform_cancel) | Module | Not installed | |
| Variable | Variable (variable) | Module | Enabled | 7.x-2.3 |
| Variable | Variable admin (variable_admin) | Module | Not installed | 7.x-2.3 |
| Variable | Variable advanced (variable_advanced) | Module | Not installed | 7.x-2.3 |
| Variable | Variable realm (variable_realm) | Module | Enabled | 7.x-2.3 |
| Variable | Variable store (variable_store) | Module | Enabled | 7.x-2.3 |
| Variable | Variable views (variable_views) | Module | Not installed | 7.x-2.3 |
| Views | Better Exposed Filters (better_exposed_filters) | Module | Enabled | 7.x-3.0-beta3 |
| Views | Draggableviews (draggableviews) | Module | Not installed | 7.x-2.0 |
| Views | Views (views) | Module | Enabled | 7.x-3.7 |
| Views | Views Autocomplete Filters (views_autocomplete_filters) | Module | Enabled | 7.x-1.0 |
| Views | Views Bulk Operations (views_bulk_operations) | Module | Enabled | 7.x-3.1 |
| Views | Views Data Export (views_data_export) | Module | Enabled | 7.x-3.0-beta8 |
| Views | Views Infinite Scroll (views_infinite_scroll) | Module | Not installed | 7.x-1.1 |
| Views | Views Slideshow (views_slideshow) | Module | Enabled | 7.x-3.1 |
| Views | Views Slideshow: Cycle (views_slideshow_cycle) | Module | Enabled | 7.x-3.1 |
| Views | Views UI (views_ui) | Module | Enabled | 7.x-3.7 |
| Views | Views UI: Edit Basic Settings (views_ui_basic) | Module | Enabled | 7.x-1.3 |
| Webform | Webform (webform) | Module | Disabled | 7.x-3.20 |
| Webform | Webform Link (webform_link) | Module | Disabled | 7.x-1.1 |
| Webform | Webform Term Options (webform_term_opts) | Module | Not installed | 7.x-1.1 |
| Core | Bartik (bartik) | Theme | Disabled | 7.24 |
| Core | Garland (garland) | Theme | Disabled | 7.24 |
| Core | Seven (seven) | Theme | Enabled | 7.24 |
| Core | Stark (stark) | Theme | Disabled | 7.24 |
| Other | CRIN (crin) | Theme | Enabled | |
| Other | enoc (enoc) | Theme | Enabled | |
| Other | Zen (zen) | Theme | Disabled | 7.x-5.4 |
5 minutes until the announcement is available here:
comment:13 Changed 2 years ago by chris
Announcement on Twitter:
Highly Critical RCE contrib SA's: http://ow.ly/bUHe302d4aZ & http://ow.ly/fm6e302d4dD & http://ow.ly/dV8Z302d4fw If you use one, update now
https://twitter.com/drupalsecurity/status/753257873392668673
comment:14 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.15
- Total Hours changed from 0.75 to 0.9
I have found no evidence that any of the 3 vulnerable modules are installed on the dev server so I assume that the live server is also safe, panic over!
Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038
The Webform Multiple File Upload module allows users to upload multiple files on a Webform.
The Webform Multifile File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.
This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked at wake/destroy that include code that can be leveraged for malicious purposes. Drupal 7 Core contains one such class which can be used to delete arbitrary files, but contributed or custom classes may include methods that can be leveraged for RCE.
Note: this vulnerability exists in the Webform Multiple File Upload (webform_multifile) module. There is a similarly named module Webform Multiple File (webform_multiple_file) which is not related to this issue.
https://www.drupal.org/node/2765573
This doesn't appear to be installed or enabled:
drush pm-list | grep -i webform
Webform | Webform (webform) | Module | Disabled | 7.x-3.20
Webform | Webform Link (webform_link) | Module | Disabled | 7.x-1.1
Webform | Webform Term Options (webform_term_opts) | Module | Not installed | 7.x-1.1
And even if it was I would assume that only editors have file upload permissions?
Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039
There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.
https://www.drupal.org/node/2765573
drush pm-list | grep -i coder
Not installed.
RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
This module enables you to expose Drupal entities as RESTful web services.
RESTWS alters the default page callbacks for entities to provide additional functionality.
A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.
There are no mitigating factors. This vulnerability can be exploited by anonymous users.
https://www.drupal.org/node/2765567
drush pm-list | grep -i rest
Not installed.
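The checks above rely on `drush pm-list`, which only lists modules whose code Drupal has found on disk, so an empty grep does mean the files are absent. Because the Coder advisory says mere presence on the file system is enough, a second, drush-independent check that looks for the modules' `.info` files directly is worth keeping. The script below is an added example written for this ticket, not part of the original ticket or of any Drupal project; it runs against a constructed sample docroot (assumed layout under `sites/all/modules/contrib`) and deliberately includes the unrelated `webform_multiple_file` module to show that the advisory's name distinction is honoured.

```shell
#!/bin/sh
# Added example (not from the ticket): confirm on disk whether the three
# modules named in SA-CONTRIB-2016-038/039/040 are present in a Drupal 7
# docroot. Presence on disk matters because the Coder advisory says the
# module need not be enabled to be exploitable.

# Machine names taken from the advisories quoted in the ticket.
VULNERABLE_MODULES="webform_multifile coder restws"

# module_present DOCROOT MODULE
# Succeeds when MODULE/MODULE.info exists anywhere under DOCROOT. Matching
# the full "<module>/<module>.info" path avoids false positives from
# similarly named modules (e.g. webform_multiple_file).
module_present() {
  docroot="$1"
  module="$2"
  find "$docroot" -type f -path "*/$module/$module.info" 2>/dev/null | grep -q .
}

# report_modules DOCROOT
# Prints one line per vulnerable module: "<module> present" or "<module> absent".
report_modules() {
  for m in $VULNERABLE_MODULES; do
    if module_present "$1" "$m"; then
      echo "$m present"
    else
      echo "$m absent"
    fi
  done
}

# count_present DOCROOT
# Echoes how many of the vulnerable modules exist on disk (0 is the safe answer).
count_present() {
  n=0
  for m in $VULNERABLE_MODULES; do
    if module_present "$1" "$m"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# make_sample_docroot
# Builds a constructed, throwaway docroot (not a real site) containing the
# unrelated webform_multiple_file module and a copy of coder that is merely
# on disk, which is exactly the case the Coder advisory warns about.
make_sample_docroot() {
  d=$(mktemp -d)
  mkdir -p "$d/sites/all/modules/contrib/webform_multiple_file" \
           "$d/sites/all/modules/contrib/coder"
  : > "$d/sites/all/modules/contrib/webform_multiple_file/webform_multiple_file.info"
  : > "$d/sites/all/modules/contrib/coder/coder.info"
  echo "$d"
}

# Stand-alone demonstration against the constructed docroot.
SAMPLE=$(make_sample_docroot)
report_modules "$SAMPLE"
echo "vulnerable modules on disk: $(count_present "$SAMPLE")"
rm -rf "$SAMPLE"
```

On a real site, call `report_modules /path/to/docroot`; any "present" line means the module's files exist and should be removed or upgraded per the advisory, whatever status drush reports for it.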
comment:15 Changed 2 years ago by gillian
Hope that is a sigh of relief I can make? Thanks Chris. I'm leaving at 6pm this evening so you are aware. Best
On 13 July 2016 at 17:10, CRIN Trac <trac@trac.crin.org> wrote:
> #77: Drupal contrib - Highly Critical - Remote code execution PSA-2016-001
> [...]
> Ticket URL: <https://trac.crin.org.archived.website/trac/ticket/77#comment:14>
I'm beginning to be a little concerned that I have had no response to this ticket, we have 2 hours 45 minutes until the announcement -- if I haven't heard anything by then and a module that the site is using is vulnerable then I'm probably going to have to risk breaking things by either disabling the module or upgrading it and I can't test this on the dev site as it isn't working properly, so it might have to be done directly on the live site. This isn't ideal.