
====================================================================

                               CERT-Renater

                   Information Note No. 2016/VULN334
_____________________________________________________________________

DATE                : 22/09/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal Core versions 8.x prior to
                     8.1.10.

=====================================================================
https://www.drupal.org/SA-CORE-2016-004
____________________________________________________________________


     * Advisory ID: DRUPAL-SA-CORE-2016-004
     * Project: Drupal core [1]
     * Version: 8.x
     * Date: 2016-September-21
     * Security risk: 18/25 (Critical)
       AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
     * Vulnerability:

-------- DESCRIPTION ---------------------------------------------------------

*Users without "Administer comments" can set comment visibility on
nodes they can edit. (Less critical)*

Users who have rights to edit a node can set the visibility of comments
on that node. This should be restricted to those who have the
"administer comments" permission.

*Cross-site Scripting in HTTP exceptions (critical)*

An attacker could create a specially crafted URL which, if loaded, could
execute arbitrary code in the victim's browser. Drupal was not properly
sanitizing an exception.

*Full config export can be downloaded without administrative permissions
(critical)*

The system.temporary route would allow the download of a full config
export. The full config export should be limited to those with the
"Export configuration" permission.
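As an added illustration (not text from the advisory and not the change shipped in Drupal 8.1.10), a Drupal 8 routing.yml fragment showing a temporary-file download route open to every visitor beside the same route gated on the "export configuration" permission the advisory names; the "before" requirement, the controller class and the `scheme` default are assumptions made for the example:

```yaml
# Added illustration; not Drupal's own routing file and not the 8.1.10 fix.
# Weak: the download route accepts any visitor, so anyone who can guess
# the archive name in the temporary directory can retrieve it.
system.temporary:
  path: '/system/temporary'
  defaults:
    _controller: '\Drupal\system\FileDownloadController::download'  # assumed
    scheme: temporary
  requirements:
    _access: 'TRUE'                      # assumed pre-fix state: no check
---
# Hardened: identical route, but Drupal's access system now refuses the
# request unless the account holds the "export configuration" permission.
system.temporary:
  path: '/system/temporary'
  defaults:
    _controller: '\Drupal\system\FileDownloadController::download'  # assumed
    scheme: temporary
  requirements:
    _permission: 'export configuration'  # least privilege for config archives
```

A route that also serves other temporary files would need the permission check inside the code that hands out the config archive rather than on the whole route; the fragment only shows where a route-level requirement goes.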

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

     * /A CVE identifier [3] will be requested, and added upon issuance,
       in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

8.x

-------- SOLUTION ------------------------------------------------------------

Upgrade to Drupal 8.1.10

-------- REPORTED BY ---------------------------------------------------------

*Users without "Administer comments" can set comment visibility on
nodes they can edit.*
     * Quintus Maximus [4]
     * Kier Heyl [5]

*XSS in http exceptions*
     * Ivan [6]

*Full config export can be downloaded without administrative permissions*
     * Anton Shubkin [7]

-------- FIXED BY ------------------------------------------------------------

*Users without "Administer comments" can set comment visibility on
nodes they can edit.*
     * Lee Rowlands of the Drupal Security Team [8]
     * Stefan Ruijsenaars of the Drupal Security Team [9]
     * Andrey Postnikov [10]
     * Daniel Wehner [11]

*XSS in http exceptions*
     * xjm of the Drupal Security Team [12]
     * Daniel Wehner [13]
     * Alex Pott of the Drupal Security Team [14]
     * Cash Williams of the Drupal Security Team [15]
     * Pere Orga of the Drupal Security Team [16]
     * David Snopek of the Drupal Security Team [17]
     * Heine Deelstra of the Drupal Security Team

*Full config export can be downloaded without administrative permissions*
     * Nathaniel Catchpole of the Drupal Security Team [18]
     * Alex Pott of the Drupal Security Team [19]
     * Anton Shubkin [20]
     * xjm of the Drupal Security Team [21]
     * Peter Wolanin of the Drupal Security Team [22]

-------- COORDINATED BY ------------------------------------------------------

The Drupal Security Team [23]

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or
via the contact form at https://www.drupal.org/contact [24].

Learn more about the Drupal Security Team and its policies [25],
writing secure code for Drupal [26], and securing your site [27].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [28].


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://www.drupal.org/u/q2u
[5] https://www.drupal.org/u/kierheyl
[6] https://www.drupal.org/user/556138
[7] https://www.drupal.org/user/1060446
[8] http://www.drupal.org/u/larowlan
[9] https://www.drupal.org/u/stefanr-0
[10] https://www.drupal.org/user/118908
[11] https://www.drupal.org/user/99340
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/99340
[14] https://www.drupal.org/user/157725
[15] https://www.drupal.org/user/421070
[16] https://www.drupal.org/u/pere-orga
[17] https://www.drupal.org/u/dsnopek
[18] https://www.drupal.org/u/catch
[19] https://www.drupal.org/user/157725
[20] https://www.drupal.org/user/1060446
[21] https://www.drupal.org/user/65776
[22] https://www.drupal.org/user/49851
[23] https://www.drupal.org/security-team
[24] https://www.drupal.org/contact
[25] https://www.drupal.org/security-team
[26] https://www.drupal.org/writing-secure-code
[27] https://www.drupal.org/security/secure-configuration
[28] https://twitter.com/drupalsecurity

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================