====================================================================

                               CERT-Renater

                   Note d'Information No. 2016/VULN074
_____________________________________________________________________

DATE                : 25/02/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal Core versions 6.x, 7.x, 8.x
                               prior to 6.38, 7.43, 8.0.4.

======================================================================
https://www.drupal.org/SA-CORE-2016-001
_____________________________________________________________________

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001
Posted by Drupal Security Team on February 24, 2016 at 5:33pm

     * Advisory ID: SA-CORE-2016-001
     * Project: Drupal core [1]
     * Version: 6.x, 7.x, 8.x
     * Date: 2016-February-24
     * Security risk: 15/25 ( Critical)
       AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
     * Vulnerability: Multiple vulnerabilities


Description

.... File upload access bypass and denial of service (File module -
Drupal 7 and 8 - Moderately Critical)

A vulnerability exists in the File module that allows a malicious user
to view, delete or substitute a link to a file that the victim has
uploaded to a form while the form has not yet been submitted and
processed. If an attacker carries out this attack continuously, all
file uploads to a site could be blocked by deleting all temporary files
before they can be saved.

This vulnerability is mitigated by the fact that the attacker must have
permission to create content or comment and upload files as part of that
process.

.... Brute force amplification attacks via XML-RPC (XML-RPC server -
Drupal 6 and 7 - Moderately Critical)

The XML-RPC system allows a large number of calls to the same method to
be made at once, which can be used as an enabling factor in brute force
attacks (for example, attempting to determine user passwords by
submitting a large number of password variations at once).

This vulnerability is mitigated by the fact that you must have enabled a
module that provides an XML-RPC method that is vulnerable to brute-forcing.
There are no such modules in Drupal 7 core, but Drupal 6 core is
vulnerable via the Blog API module.  It is additionally mitigated if
flood control protection is in place for the method in question.

.... Open redirect via path manipulation (Base system - Drupal 6, 7 and
8 - Moderately Critical)

In Drupal 6 and 7, the current path can be populated with an external
URL.
This can lead to Open Redirect vulnerabilities.

This vulnerability is mitigated by the fact that it would only occur in
combination with custom code, or in certain cases if a user submits a
form shown on a 404 page with a specially crafted URL.

For Drupal 8 this is a hardening against possible browser flaws handling
certain redirect paths.

.... Form API ignores access restrictions on submit buttons (Form API -
         Drupal 6 - Critical)

An access bypass vulnerability was found that allows input to be
submitted, for example using JavaScript, for form button elements that
a user is not supposed to have access to because the button was blocked
by setting #access to FALSE in the server-side form definition.

This vulnerability is mitigated by the fact that the attacker must have
access to submit a form that has such buttons defined for it (for
example, a form that both administrators and non-administrators can
access, but where administrators have additional buttons available to
them).

.... HTTP header injection using line breaks (Base system - Drupal 6 -
         Moderately Critical)

A vulnerability in the drupal_set_header() function allows an HTTP
header injection attack to be performed if user-generated content is
passed as a header value on sites running PHP versions older than
5.1.2.  If the content contains line breaks the user may be able to set
arbitrary headers of their own choosing.

This vulnerability is mitigated by the fact that most hosts have newer
versions of PHP installed, and that it requires a module to be
installed on the site that allows user-submitted data to appear in HTTP
headers.

.... Open redirect via double-encoded 'destination' parameter (Base
system - Drupal 6 - Moderately Critical)

The drupal_goto() function in Drupal 6 improperly decodes the contents
of $_REQUEST['destination'] before using it, which allows the
function's open redirect protection to be bypassed and allows an
attacker to initiate a redirect to an arbitrary external URL.

This vulnerability is mitigated by that fact that the attack is not
possible for sites running on PHP 5.4.7 or greater.

.... Reflected file download vulnerability (System module - Drupal 6
and 7 - Moderately Critical)

Drupal core has a reflected file download vulnerability that could
allow an attacker to trick a user into downloading and running a file
with arbitrary JSON-encoded content.

This vulnerability is mitigated by the fact that the victim must be a
site administrator and that the full version of the attack only works
with certain web browsers.

.... Saving user accounts can sometimes grant the user all roles (User
module - Drupal 6 and 7 - Less Critical)

Some specific contributed or custom code may call Drupal's user_save()
API in a manner different than Drupal core.  Depending on the data that
has been added to a form or the array prior to saving, this can lead to
a user gaining all roles on a site.

This issue is mitigated by the fact that it requires contributed or
custom code that calls user_save() with an explicit category and code
that loads all roles into the array.

.... Email address can be matched to an account (User module - Drupal 7
and 8 - Less Critical)

In certain configurations where a user's email addresses could be used
to log in instead of their username, links to "have you forgotten your
password" could reveal the username associated with a particular email
address, leading to an information disclosure vulnerability.

This issue is mitigated by the fact that it requires a contributed
module to be installed that permits logging in with an email address,
and that it is only relevant on sites where usernames are typically
chosen to hide the users' real-life identities.

.... Session data truncation can lead to unserialization of user
provided data (Base system - Drupal 6 - Less Critical)

On certain older versions of PHP, user-provided data stored in a Drupal
session may be unserialized leading to possible remote code execution.

This issue is mitigated by the fact that it requires an unusual set of
circumstances to exploit and depends on the particular Drupal code that
is running on the site.  It is also believed to be mitigated by
upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.

- -------- CVE IDENTIFIER(S) ISSUED (# [3]) 
------------------------------------

     * /CVE identifiers [4] will be requested, and added upon issuance, in
       accordance with Drupal Security Team processes./

- -------- VERSIONS AFFECTED 
--------------------------------------------------

     * Drupal core 6.x with FileField module versions prior to 6.x-3.14.
      See SA-CONTRIB-2016-008 - FileField - Denial of Service [5].
     * Drupal core 6.x versions prior to 6.38
     * Drupal core 7.x versions prior to 7.43
     * Drupal core 8.0.x versions prior to 8.0.4

- -------- SOLUTION 
------------------------------------------------------------

Install the latest version:

     * If you use Drupal 6.x, upgrade to FileField [6] 6.x-3.14 and
       Drupal core 6.38 [7]
     * If you use Drupal 7.x, upgrade to Drupal core 7.43 [8]
     * If you use Drupal 8.0.x, upgrade to Drupal core 8.0.4 [9]

Also see the Drupal core [10] project page.

- -------- REPORTED BY 
---------------------------------------------------------

File upload access bypass and denial of service:

     * fnqgpc [11]

Brute force amplification attacks via XML-RPC:

     * Stephane Corlosquet [12] of the Drupal Security Team

Open redirect via path manipulation:

     * Francesco Placella [13]
     * Heine Deelstra [14] of the Drupal Security Team
     * Pere Orga [15] of the Drupal Security Team
     * Peter Wolanin [16] of the Drupal Security Team

Form API ignores access restrictions on submit buttons:

     * Gabor Hojtsy [17] of the Drupal Security Team
     * Damien Tournoud [18] of the Drupal Security Team
     * Daniel Kudwien [19]

HTTP header injection using line breaks:

     * Dave Hansen-Lange [20]

Open redirect via double-encoded 'destination' parameter:

     * Tarpinder Grewal [21]
     * Harry Taheem [22]
     * David Rothstein [23] of the Drupal Security Team

Reflected file download vulnerability:

     * Juho Nurminen [24]

Saving user accounts can sometimes grant the user all roles:

     * Dave Cohen [25]
     * Annie Gerard [26]

Email address can be matched to an account:

     * FengWen [27]
     * Jimmy Henderickx [28]

Session data truncation can lead to unserialization of user provided
data:

     * David Jardin of the Joomla Security Team
     * Damien Tournoud [29] of the Drupal Security Team
     * Heine Deelstra [30] of the Drupal Security Team

- -------- FIXED BY 
------------------------------------------------------------

File upload access bypass and denial of service:

     * fnqgpc [31]
     * Nathaniel Catchpole [32] of the Drupal Security Team
     * Ben Dougherty [33] of the Drupal Security Team
     * Lee Rowlands [34] of the Drupal Security Team
     * Sascha Grossenbacher [35]
     * Gábor Hojtsy [36] of the Drupal Security Team
     * Greg Knaddison [37] of the Drupal Security Team
     * Klaus Purer [38] of the Drupal Security Team
     * David Rothstein [39] of the Drupal Security Team
     * Stefan Ruijsenaars [40], provisional member of the Drupal Security
       Team
     * Cathy Theys [41], provisional member of the Drupal Security Team
     * Peter Wolanin [42] of the Drupal Security Team

Brute force amplification attacks via XML-RPC:

     * Frederic G. Marand [43],  provisional member of the Drupal
       Security Team
     * Peter Wolanin [44] of the Drupal Security Team

Open redirect via path manipulation:

     * Nathaniel Catchpole [45] of the Drupal Security Team
     * Ben Dougherty [46] of the Drupal Security Team
     * Alan Evans [47]
     * Nate Haug [48]
     * Gábor Hojtsy [49] of the Drupal Security Team
     * Heine Deelstra [50] of the Drupal Security Team
     * David Stoline [51] of the Drupal Security Team
     * Damien McKenna [52] Provisional member of the Drupal Security Team
     * Pere Orga [53] of the Drupal Security Team
     * Francesco Placella [54]
     * Dave Reid [55] of the Drupal Security Team
     * David Rothstein [56] of the Drupal Security Team
     * Lee Rowlands [57] of the Drupal Security Team
     * David Snopek [58] of the Drupal Security Team
     * Cathy Theys [59], provisional member of the Drupal Security Team
     * Peter Wolanin [60] of the Drupal Security Team

Form API ignores access restrictions on submit buttons:

     * chx [61]
     * Daniel Kudwien [62]
     * Alex Bronstein [63] of the Drupal Security Team
     * Heine Deelstra [64] of the Drupal Security Team
     * Dmitri Gaskin [65]
     * Nate Haug [66]
     * John Morahan [67]
     * David Rothstein [68] of the Drupal Security Team
     * Damien Tournoud [69] of the Drupal Security Team
     * Peter Wolanin [70] of the Drupal Security Team

HTTP header injection using line breaks:

     * Dave Hansen-Lange [71]
     * David Rothstein [72] of the Drupal Security Team
     * Nathaniel Catchpole [73] of the Drupal Security Team
     * Klaus Purer [74] of the Drupal Security Team

Open redirect via double-encoded 'destination' parameter:

     * David Rothstein [75] of the Drupal Security Team
     * Alex Bronstein [76] of the Drupal Security Team

Reflected file download vulnerability:

     * Juho Nurminen [77]
     * David Rothstein [78] of the Drupal Security Team
     * Damien Tournoud [79] of the Drupal Security Team
     * Peter Wolanin [80] of the Drupal Security Team
     * Nate Haug [81]

Saving user accounts can sometimes grant the user all roles:

     * Dave Cohen [82]
     * Greg Knaddison [83] of the Drupal Security Team
     * Rick Manelius [84] of the Drupal Security Team
     * Balazs Nagykekesi [85]
     * David Rothstein [86] of the Drupal Security Team
     * Peter Wolanin [87] of the Drupal Security Team

Email address can be matched to an account:

     * Klaus Purer [88] of the Drupal Security Team
     * David Rothstein [89] of the Drupal Security Team

Session data truncation can lead to unserialization of user provided data:

     * Heine Deelstra [90] of the Drupal Security Team
     * Damien Tournoud [91] of the Drupal Security Team
     * David Rothstein [92] of the Drupal Security Team
     * Peter Wolanin [93] of the Drupal Security Team

- -------- COORDINATED BY 
------------------------------------------------------

     * The Drupal Security Team [94]
     * Cathy Theys, provisional member of the Drupal Security team [95]

- -------- CONTACT AND MORE INFORMATION 
----------------------------------------

The Drupal security team can be reached at security at drupal.org or
via the contact form at https://www.drupal.org/contact [96].

Learn more about the Drupal Security team and their policies [97],
writing secure code for Drupal [98], and  securing your site [99].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [100]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] #cve-identifiers-issued
[4] http://cve.mitre.org/
[5] https://www.drupal.org/node/2674854
[6] https://www.drupal.org/project/filefield
[7] https://www.drupal.org/drupal-6.38-release-notes
[8] https://www.drupal.org/drupal-7.43-release-notes
[9] https://www.drupal.org/drupal-8.0.4-release-notes
[10] https://www.drupal.org/project/drupal
[11] https://www.drupal.org/u/fnqgpc
[12] https://www.drupal.org/u/scor
[13] https://www.drupal.org/u/plach
[14] https://www.drupal.org/u/heine
[15] https://www.drupal.org/u/pere-orga
[16] https://www.drupal.org/u/pwolanin
[17] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[18] https://www.drupal.org/u/damien-tournoud
[19] https://www.drupal.org/u/sun
[20] https://www.drupal.org/u/dalin
[21] https://www.drupal.org/u/tarpinder
[22] https://www.drupal.org/u/htaheem
[23] https://www.drupal.org/u/david_rothstein
[24] https://www.drupal.org/u/juho-nurminen-2ns
[25] https://www.drupal.org/u/dave-cohen
[26] https://www.drupal.org/u/agerard
[27] https://www.drupal.org/u/fengwen
[28] https://www.drupal.org/u/strykaizer
[29] https://www.drupal.org/u/damien-tournoud
[30] https://www.drupal.org/u/heine
[31] https://www.drupal.org/u/fnqgpc
[32] https://www.drupal.org/u/catch
[33] https://www.drupal.org/u/benjy
[34] https://www.drupal.org/u/larowlan
[35] https://www.drupal.org/u/berdir
[36] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[37] https://www.drupal.org/u/greggles
[38] https://www.drupal.org/u/klausi
[39] https://www.drupal.org/u/david_rothstein
[40] https://www.drupal.org/u/stefan.r
[41] https://www.drupal.org/u/yesct
[42] https://www.drupal.org/u/pwolanin
[43] https://www.drupal.org/u/fgm
[44] https://www.drupal.org/u/pwolanin
[45] https://www.drupal.org/u/catch
[46] https://www.drupal.org/u/benjy
[47] https://www.drupal.org/u/alan-evans
[48] https://www.drupal.org/u/quicksketch
[49] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[50] https://www.drupal.org/u/heine
[51] https://www.drupal.org/u/dstol
[52] https://www.drupal.org/u/damienmckenna
[53] https://www.drupal.org/u/pere-orga
[54] https://www.drupal.org/u/plach
[55] https://www.drupal.org/u/dave-reid
[56] https://www.drupal.org/u/david_rothstein
[57] https://www.drupal.org/u/larowlan
[58] https://www.drupal.org/u/dsnopek
[59] https://www.drupal.org/u/yesct
[60] https://www.drupal.org/u/pwolanin
[61] https://www.drupal.org/u/chx
[62] https://www.drupal.org/u/sun
[63] https://www.drupal.org/u/effulgentsia
[64] https://www.drupal.org/u/heine
[65] https://www.drupal.org/u/dmitrig01
[66] https://www.drupal.org/u/quicksketch
[67] https://www.drupal.org/u/john-morahan
[68] https://www.drupal.org/u/david_rothstein
[69] https://www.drupal.org/u/damien-tournoud
[70] https://www.drupal.org/u/pwolanin
[71] https://www.drupal.org/u/dalin
[72] https://www.drupal.org/u/david_rothstein
[73] https://www.drupal.org/u/catch
[74] https://www.drupal.org/u/klausi
[75] https://www.drupal.org/u/david_rothstein
[76] https://www.drupal.org/u/effulgentsia
[77] https://www.drupal.org/u/juho-nurminen-2ns
[78] https://www.drupal.org/u/david_rothstein
[79] https://www.drupal.org/u/damien-tournoud
[80] https://www.drupal.org/u/pwolanin
[81] https://www.drupal.org/u/quicksketch
[82] https://www.drupal.org/u/dave-cohen
[83] https://www.drupal.org/u/greggles
[84] https://www.drupal.org/u/rickmanelius
[85] https://www.drupal.org/u/nagba
[86] https://www.drupal.org/u/david_rothstein
[87] https://www.drupal.org/u/pwolanin
[88] https://www.drupal.org/u/klausi
[89] https://www.drupal.org/u/david_rothstein
[90] https://www.drupal.org/u/heine
[91] https://www.drupal.org/u/damien-tournoud
[92] https://www.drupal.org/u/david_rothstein
[93] https://www.drupal.org/u/pwolanin
[94] https://www.drupal.org/security-team
[95] https://www.drupal.org/u/YesCT
[96] https://www.drupal.org/contact
[97] https://www.drupal.org/security-team
[98] https://www.drupal.org/writing-secure-code
[99] https://www.drupal.org/security/secure-configuration
[100] https://twitter.com/drupalsecurity


==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================