
====================================================================


                             CERT-Renater

                 Information Note No. 2018/VULN173
_____________________________________________________________________

DATE                : 26/04/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running JSON API for Drupal versions prior
                        to 8.x-1.16,
                     DRD Agent for Drupal versions prior
                        to 8.x-3.14, 8.x-3.7, 7.x-3.5,
                     Media for Drupal versions prior to 7.x-2.19,
                     Display Suite for Drupal versions prior to
                      7.x-2.15, 7.x-1.10,
                     Menu Import and Export versions prior to 8.x-1.2,
                     Exif versions prior to 8.x-1.1.

=====================================================================
https://www.drupal.org/sa-contrib-2018-021
https://www.drupal.org/sa-contrib-2018-022
https://www.drupal.org/sa-contrib-2018-020
https://www.drupal.org/sa-contrib-2018-019
https://www.drupal.org/sa-contrib-2018-018
https://www.drupal.org/sa-contrib-2018-017
_____________________________________________________________________

JSON API - Moderately critical - Cross Site Request Forgery -
SA-CONTRIB-2018-021
Project: JSON API
Version: 8.x-1.15
Date: 2018-April-25
Security risk:
Moderately critical 11∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Request Forgery


Description:

This module provides a JSON API standards-compliant API for accessing
and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated
traffic using cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be
allowed to create or modify entities of a certain type, and a very
specific and uncommon CORS configuration that allows all other
pre-checks to be skipped.


Solution:

Install the latest version:

    If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16

Reported By:

    Mateu Aguiló Bosch (e0ipso)

Fixed By:

    Mateu Aguiló Bosch (e0ipso)
    Wim Leers
    Daniel Wehner (dawehner)
    Gabe Sullice

Coordinated By:

    Michael Hess of the Drupal Security Team

_____________________________________________________________________

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022
Project: DRD Agent
Date: 2018-April-25
Security risk:
Critical 15∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: PHP object injection


Description:

This module enables you to monitor and manage any number of remote
Drupal sites and aggregate useful information for administrators in a
central dashboard.

The modules (DRD and DRD Agent) encrypt the data which is exchanged
between them but in order to do so, they use the PHP
serialize/unserialize functions instead of the json_encode/json_decode
combination. As the unserialize function is called on unauthenticated
content, this introduces a PHP object injection vulnerability.
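
The difference between the two decoders, as an added illustration that is
not DRD or DRD Agent code: unserialize() instantiates whatever class the
input names and runs its magic methods, while a payload that is
authenticated first and then parsed with json_decode can only yield plain
data. The Marker class, the seal()/open_sealed() helpers and the HMAC
envelope are assumptions made for this example; the modules' own
encryption scheme is not reproduced.

```php
<?php
// Added illustration, not DRD code. Marker, seal(), open_sealed() and the
// tag-then-JSON envelope are assumptions made for this example.

final class Marker
{
    public static int $woken = 0;

    // Magic method that PHP calls on its own during unserialize().
    public function __wakeup(): void
    {
        self::$woken++;
    }
}

// Sender: JSON body prefixed with an HMAC-SHA256 tag over that body.
function seal(array $data, string $key): string
{
    $body = json_encode($data, JSON_THROW_ON_ERROR);
    return base64_encode(hash_hmac('sha256', $body, $key, true) . $body);
}

// Receiver: verify the tag first, then decode into plain arrays only.
function open_sealed(string $wire, string $key): ?array
{
    $raw = base64_decode($wire, true);
    if ($raw === false || strlen($raw) <= 32) {
        return null;
    }
    $body = substr($raw, 32);
    $tag  = hash_hmac('sha256', $body, $key, true);
    if (!hash_equals($tag, substr($raw, 0, 32))) {
        return null; // unauthenticated content never reaches a decoder
    }
    $data = json_decode($body, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

$key = random_bytes(32);
$untrusted = serialize(new Marker()); // constructed stand-in for request data

unserialize($untrusted); // weak: builds a Marker, so __wakeup() runs
$inert = unserialize($untrusted, ['allowed_classes' => false]);
$forged = base64_encode(str_repeat("\0", 32) . '{"site":"x"}'); // bad tag

var_dump(Marker::$woken);                           // object instantiations
var_dump($inert instanceof __PHP_Incomplete_Class); // class was not loaded
var_dump(open_sealed(seal(['site' => 'x'], $key), $key));
var_dump(open_sealed($forged, $key));
```

The allowed_classes option is a stopgap for code that must still read
serialized data; the JSON path removes object instantiation from the
parser altogether.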


Solution:

Install the latest version:

    If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.14
    If you use the DRD Agent module for Drupal 8.x, upgrade to DRD Agent
     8.x-3.7
    If you use the DRD Agent module for Drupal 7.x, upgrade to DRD Agent
     7.x-3.5

Reported By:

    David Snopek of the Drupal Security Team

Fixed By:

    David Snopek of the Drupal Security Team
    Jürgen Haas

Coordinated By:

    David Snopek of the Drupal Security Team
____________________________________________________________________

Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020
Project: Media
Version: 7.x-2.18
Date: 2018-April-25
Security risk:
Critical 18∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution


Description:

The Media module provides an extensible framework for managing files and
multimedia assets, regardless of whether they are hosted on your own
site or a third party site.

The module contained a vulnerability similar to SA-CORE-2018-004,
leading to a possible remote code execution (RCE) attack.


Solution:

Install the latest version:

    If you use the Media module for Drupal 7.x-2.x, upgrade to Media
    7.x-2.19

Coordinated By:

    Dave Reid the module maintainer and member of the Drupal Security
    Team

____________________________________________________________________

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019
Project: Display Suite
Version: 7.x-2.14
         7.x-1.9
Date: 2018-April-18
Security risk:
Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting (XSS)


Description:

Display Suite allows you to take full control over how your content is
displayed using a drag and drop interface.

The module doesn't sufficiently validate view modes provided dynamically
via URLs, leading to a reflected cross site scripting (XSS) attack.

This vulnerability is mitigated only by the fact that most modern
browsers protect against reflected XSS via the URL.


Solution:

    If you use the Display Suite module for Drupal 7.x-1.x, upgrade to
     Display Suite 7.x-1.10
    If you use the Display Suite module for Drupal 7.x-2.x, upgrade to
     Display Suite 7.x-2.15

Reported By:

    Liz Pringi

Fixed By:

    Kristof De Jaeger the module maintainer

Coordinated By:

    Rick Manelius of the Drupal Security Team
    Greg Knaddison of the Drupal Security Team

____________________________________________________________________

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018
Project: Menu Import and Export
Version: 8.x-1.0
Date: 2018-April-18
Security risk:
Critical 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon
Vulnerability: Access bypass


Description:

This module helps in exporting and importing Menu Items via the
administrative interface.

The module does not properly restrict access to administrative pages,
allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.


Solution:

Update to Menu Import and Export 8.x-1.2.

Reported By:

    Nathan Dentzau

Fixed By:

    Sandeep Reddy

Coordinated By:

    Samuel Mortenson of the Drupal Security Team
    Michael Hess of the Drupal Security Team
____________________________________________________________________

Exif - Critical - Access bypass - SA-CONTRIB-2018-017
Project: Exif
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk:
Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass


Description:

This module enables you to retrieve image metadata and use them in
fields or title.

The module doesn't sufficiently restrict access to module settings pages,
thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must have
permission to create entities of certain content entity types.


Solution:

Install the latest version:

    If you use the Exif module for Drupal 8.x, upgrade to Exif 8.x-1.1

Reported By:

    Jean-Francois Hovinne

Fixed By:

    jphautin
    Jean-Francois Hovinne

Coordinated By:

    Damien McKenna


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================


