
====================================================================

                               CERT-Renater

                    Information Note No. 2016/VULN256
_____________________________________________________________________

DATE                : 16/06/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running DRUPAL core version 7.x, 8.x prior
                                      to 7.44, 8.1.3.

======================================================================
https://www.drupal.org/SA-CORE-2016-002
____________________________________________________________________


View online: https://www.drupal.org/SA-CORE-2016-002

     * Advisory ID: DRUPAL-SA-CORE-2016-002
     * Project: Drupal core [1]
     * Version: 7.x, 8.x
     * Date: 2016-June-15
     * Security risk: 11/25 ( Moderately Critical)
       AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
     * Vulnerability: Access bypass, Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

.... Saving user accounts can sometimes grant the user all roles
(User module - Drupal 7 - Moderately Critical)

A vulnerability exists in the User module, where if some specific
contributed or custom code triggers a rebuild of the user profile form,
a registered user can be granted all user roles on the site. This would
typically result in the user gaining administrative access.

This issue is mitigated by the fact that it requires contributed or
custom code that performs a form rebuild during submission of the user
profile form.
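A defender's follow-up to the User module issue is to look for accounts that already hold every role before and after patching. The audit below is an added example, not part of the advisory or of Drupal core; it models the Drupal 7 `role` and `users_roles` tables in an in-memory SQLite database with constructed sample rows, and flags accounts holding every custom role that are not on an allowlist of accounts expected to have them.

```python
import sqlite3

# Drupal 7 keeps roles in `role` (rid, name) and assignments in `users_roles`
# (uid, rid); the built-in anonymous (rid 1) and authenticated (rid 2) roles
# are implicit and never stored in users_roles.  The table layout is the
# Drupal 7 core schema; every row below is constructed sample data.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER, PRIMARY KEY (uid, rid));
"""
SAMPLE_ROWS = {
    "users": [(1, "admin"), (7, "editor"), (42, "newuser")],
    "role": [(1, "anonymous user"), (2, "authenticated user"),
             (3, "administrator"), (4, "editor"), (5, "moderator")],
    # uid 42 holding every custom role is the symptom the advisory describes
    "users_roles": [(1, 3), (1, 4), (1, 5), (7, 4), (42, 3), (42, 4), (42, 5)],
}
# Accounts whose stored role count equals the number of custom roles.
AUDIT_SQL = """
SELECT u.uid, u.name, COUNT(ur.rid)
FROM users u JOIN users_roles ur ON ur.uid = u.uid
WHERE ur.rid > 2
GROUP BY u.uid, u.name
HAVING COUNT(ur.rid) = (SELECT COUNT(*) FROM role WHERE rid > 2)
ORDER BY u.uid
"""


def load_sample_db():
    """Build the in-memory database from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?)", rows)
    return conn


def users_holding_all_roles(conn, allowlist=("admin",)):
    """Return (uid, name) for accounts holding every custom role that are
    not on the allowlist of accounts expected to hold them."""
    return [(uid, name) for uid, name, _ in conn.execute(AUDIT_SQL)
            if name not in allowlist]


if __name__ == "__main__":
    for uid, name in users_holding_all_roles(load_sample_db()):
        print(f"review account uid={uid} name={name}: holds every role")
```

Point `load_sample_db` at the real database connection and extend the allowlist with the site's known administrators; any remaining hit deserves a look at the role assignment history.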

.... Views can allow unauthorized users to see Statistics information
(Views module - Drupal 8 - Less Critical)

An access bypass vulnerability exists in the Views module, where users
without the "View content count" permission can see the number of hits
collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to
show a "Content statistics" field, such as "Total views", "Views today"
or "Last visit".

The same vulnerability exists in the Drupal 7 Views module (see
SA-CONTRIB-2016-036 [3]).


-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

     * A CVE identifier [4] will be requested, and added upon issuance,
       in accordance with Drupal Security Team processes.

-------- VERSIONS AFFECTED ---------------------------------------------------

     * Drupal core 7.x versions prior to 7.44
     * Drupal core 8.x versions prior to 8.1.3

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

     * If you use Drupal 7.x, upgrade to Drupal core 7.44
     * If you use Drupal 8.x, upgrade to Drupal core 8.1.3

Also see the Drupal core [5] project page.

-------- REPORTED BY ---------------------------------------------------------

Saving user accounts can sometimes grant the user all roles:

     * alfaguru [6]

Views can allow unauthorized users to see Statistics information:

     * Nickolay Leshchev [7]

-------- FIXED BY ------------------------------------------------------------

Saving user accounts can sometimes grant the user all roles:

     * Ben Dougherty [8] of the Drupal Security Team
     * Balazs Nagykekesi [9]
     * David Rothstein [10] of the Drupal Security Team
     * Lee Rowlands [11] of the Drupal Security Team
     * Stefan Ruijsenaars [12] of the Drupal Security Team
     * vlad.k [13]
     * Peter Wolanin [14] of the Drupal Security Team

Views can allow unauthorized users to see Statistics information:

     * Nathaniel Catchpole [15] of the Drupal Security Team
     * Greg Knaddison [16] of the Drupal Security Team
     * Nickolay Leshchev [17]
     * Stefan Ruijsenaars [18] of the Drupal Security Team
     * David Snopek [19] of the Drupal Security Team
     * Daniel Wehner [20]
     * xjm [21] of the Drupal Security Team

-------- COORDINATED BY ------------------------------------------------------

The Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or
via the contact form at https://www.drupal.org/contact [22].

Learn more about the Drupal Security team and their policies [23],
writing secure code for Drupal [24], and securing your site [25].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [26]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2749333
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/drupal
[6] https://www.drupal.org/user/112814
[7] https://www.drupal.org/user/982724
[8] https://www.drupal.org/user/1852732
[9] https://www.drupal.org/user/21231
[10] https://www.drupal.org/user/124982
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/551886
[13] https://www.drupal.org/user/731068
[14] https://www.drupal.org/user/49851
[15] https://www.drupal.org/user/35733
[16] https://www.drupal.org/user/36762
[17] https://www.drupal.org/user/982724
[18] https://www.drupal.org/user/551886
[19] https://www.drupal.org/user/266527
[20] https://www.drupal.org/user/99340
[21] https://www.drupal.org/user/65776
[22] https://www.drupal.org/contact
[23] https://www.drupal.org/security-team
[24] https://www.drupal.org/writing-secure-code
[25] https://www.drupal.org/security/secure-configuration
[26] https://twitter.com/drupalsecurity

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================