
====================================================================


                             CERT-Renater

                 Information Note No. 2018/VULN008
_____________________________________________________________________

DATE                : 16/01/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Phone Field for Drupal versions
                        prior to 7.x-1.1,
                     Provision for Drupal versions prior to 7.x-3.170,
                     Aegir HTTPS for Drupal versions prior to 7.x-3.170.

=====================================================================
https://www.drupal.org/sa-contrib-2019-001
https://www.drupal.org/sa-contrib-2019-002
https://www.drupal.org/sa-contrib-2019-003
_____________________________________________________________________

Phone Field - Critical - SQL Injection - SA-CONTRIB-2019-001

Project: Phone Field
Date: 2019-January-09
Security risk: Critical 16∕25
               AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: SQL Injection


Description:

This module provides a phone field for Drupal 7 that supports the HTML5
tel:-schema.

In an API function that is not used by the module, the name for the
phone field is not sufficiently sanitised when using it in database
queries.

This vulnerability is mitigated by the fact that it affects an unused
function. A site is only vulnerable if it has custom code that uses the
phonefield_get_entity_id() function and exposes control over the $field
parameter to visitors to the site.
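
To check whether a site meets the condition above, its custom code can be searched for callers of phonefield_get_entity_id(). The scanner below is an added example, not part of the advisory or of the Phone Field project; the file suffixes, the sample PHP and its argument lists are assumptions, since the advisory names only the $field parameter.

```python
import re
from pathlib import Path

# Function named in SA-CONTRIB-2019-001; suffixes are the usual Drupal 7 ones (assumption).
CALL = re.compile(r"\bphonefield_get_entity_id\s*\(")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
PHP_SUFFIXES = {".php", ".module", ".inc", ".install"}

# Return the text between the '(' at open_idx and its matching ')'.
def call_args(src, open_idx):
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i].strip()
    return src[open_idx + 1:].strip()  # unbalanced source: keep the remainder

def classify(args):
    if SUPERGLOBAL.search(args):
        return "request"   # request data passed straight in: review first
    if "$" in args:
        return "variable"  # must be traced back to its source by hand
    return "literal"       # hard-coded arguments only

def scan_source(src, name="<string>"):
    findings = []
    for m in CALL.finditer(src):
        if re.search(r"\bfunction\s+$", src[max(0, m.start() - 40):m.start()]):
            continue  # the module's own definition, not a caller
        args = call_args(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        findings.append((name, line, args, classify(args)))
    return findings

def scan_tree(root):
    out = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in PHP_SUFFIXES:
            out += scan_source(path.read_text(errors="replace"), str(path))
    return out

# Constructed sample; the argument lists are illustrative, not the real signature.
SAMPLE = """<?php
function phonefield_get_entity_id($field) { /* constructed stub */ }
$a = phonefield_get_entity_id('field_phone');
$b = phonefield_get_entity_id($_GET['field']);
$c = phonefield_get_entity_id(mymodule_pick($node));
"""
```

Run scan_tree() over the directory holding the site's custom modules; "request" and "variable" findings are the callers to review against the condition described above.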


Solution:

Install the latest version:

    If you use the phonefield module for Drupal 7.x, upgrade to
    phonefield 7.x-1.1

Also see the Phone Field project page.


Reported By:

    Drew Webber Provisional Security Team Member


Fixed By:

    Drew Webber Provisional Security Team Member
    Gisle Hannemyr


Coordinated By:

    Greg Knaddison of the Drupal Security Team
    Drew Webber Provisional Security Team Member

_____________________________________________________________________


Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002

Project: Provision
Version: 7.x-3.170
Date: 2019-January-09
Security risk: Moderately critical 12∕25
               AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass


Description:

Aegir is a Web hosting control panel program that provides a
Drupal-based graphical interface designed to simplify deploying,
managing and upgrading an entire network of Drupal, WordPress and
CiviCRM Web sites. The Provision module is a core piece of the Aegir
platform.

This module doesn't sufficiently shield multi-site installations or the
PHP source code.

This vulnerability is mitigated by the fact that the server must be
using Apache. For multi-site installations, the server must host
multiple sites on a common platform. Additionally, an attacker must
have knowledge of the filenames in use and of the server.


Solution:

Install the latest version:

    If you use the Aegir hosting system, upgrade to Provision 7.x-3.170

Also see the Provision project page.


Reported By:

    Cristian Segarra


Fixed By:

    Cristian Segarra
    Jon Pugh
    anarcat
    Herman van Rink
    Colan Schwartz


Coordinated By:

    Greg Knaddison of the Drupal Security Team
    Michael Hess of the Drupal Security Team
    Cash Williams of the Drupal Security Team

_____________________________________________________________________


Aegir HTTPS - Moderately critical - Access bypass - SA-CONTRIB-2019-003

Project: Aegir HTTPS
Version: 7.x-3.170
Date: 2019-January-09
Security risk: Moderately critical 12∕25
               AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass


Description:

Aegir is a Web hosting control panel program that provides a
Drupal-based graphical interface designed to simplify deploying,
managing and upgrading an entire network of Drupal, WordPress and
CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of
the Aegir platform.

This module doesn't sufficiently shield multi-site installations.

This vulnerability is mitigated by the fact that the server must be
using Apache and must host multiple sites on a common platform. An
attacker must have knowledge of the filenames in use and of the server.


Solution:

Install the latest version:

    If you use the Aegir hosting system, upgrade to Aegir HTTPS 7.x-3.170

Also see the Aegir HTTPS project page.


Reported By:

    Cristian Segarra


Fixed By:

    Cristian Segarra
    Jon Pugh
    anarcat
    Herman van Rink
    Colan Schwartz


Coordinated By:

    Greg Knaddison of the Drupal Security Team
    Michael Hess of the Drupal Security Team
    Cash Williams of the Drupal Security Team



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



