Security advisories: Drupal Core – Multiple Vulnerabilities – SA-CORE-2020-006

Advisory ID: DRUPAL-SA-CONTRIB-2020-006
Project: Drupal core
Version: 7.x, 8.x
Date: 2020-October-17
Description
Content moderation – Moderately critical – Access bypass – Drupal 8
In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.
In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:
ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.
Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions
Previously, users who did not have access to use any content moderation transitions were granted implicit access to update content, provided the state of the content did not change. Now access to an associated transition is validated for all users, including in scenarios where the state of the content does not change between revisions.
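The following toy model, added here as an illustration and not taken from Drupal's code, shows the difference the paragraph above describes: a "self" transition such as draft to draft is still a transition, so a save that leaves the state unchanged needs permission for it. The workflow, permission strings and function names are constructed for the example.

```php
<?php
// Constructed toy model of a moderation workflow; not Drupal's API.
// Each transition lists the states it may start from, its target state
// and the permission needed to use it. A "self" transition such as
// draft -> draft (create_new_draft) is still a transition.
$transitions = [
  'create_new_draft' => [
    'from' => ['draft', 'published'], 'to' => 'draft',
    'permission' => 'use editorial transition create_new_draft',
  ],
  'publish' => [
    'from' => ['draft', 'published'], 'to' => 'published',
    'permission' => 'use editorial transition publish',
  ],
];

// True if some transition leads from $from to $to and $perms grants it.
function canUseTransition(array $perms, string $from, string $to, array $transitions): bool {
  foreach ($transitions as $t) {
    if ($t['to'] === $to && in_array($from, $t['from'], TRUE)) {
      return in_array($t['permission'], $perms, TRUE);
    }
  }
  return FALSE; // no such transition in the workflow
}

// The behaviour the advisory describes as the bug: a save that keeps the
// current state is allowed without consulting any transition at all.
function canSaveBeforeFix(array $perms, string $from, string $to, array $transitions): bool {
  if ($from === $to) {
    return TRUE; // implicit access, no transition checked
  }
  return canUseTransition($perms, $from, $to, $transitions);
}

// Fixed behaviour: every save, state change or not, must match a
// transition the user is allowed to use.
function canSaveAfterFix(array $perms, string $from, string $to, array $transitions): bool {
  return canUseTransition($perms, $from, $to, $transitions);
}

// A user who can edit content but holds no transition permission.
$editorPerms = ['edit any article content'];
foreach (['BeforeFix', 'AfterFix'] as $variant) {
  $fn = 'canSave' . $variant;
  printf("%-9s draft -> draft without transition permission: %s\n",
    $variant, $fn($editorPerms, 'draft', 'draft', $transitions) ? 'allowed' : 'denied');
}
```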
Reported by
Roland Kovacsics
attilatilman
Fixed by
Jess of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Wim Leers
Daniel Wehner
Sam Becker
Drupal Update
Alex Pott of the Drupal Security Team
External URL injection through URL aliases – Moderately Critical – Open Redirect – Drupal 7 and Drupal 8
The path module allows users with the ‘administer paths’ permission to create pretty URLs for content.
In certain circumstances, such a user can enter a particular path that triggers an open redirect to a malicious URL.
The issue is mitigated by the fact that the user needs the ‘administer paths’ permission to exploit it.
Reported by
dyates
Fixed by
Dave Reid of the Drupal Security Team
David Rothstein of the Drupal Security Team
Peter Wolanin of the Drupal Security Team
Jess of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Nathaniel Catchpole of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Ted Bowman, Provisional member of the Drupal Security Team
Anonymous Open Redirect – Moderately Critical – Open Redirect – Drupal maintenance support plans 8
Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing them to potential social engineering attacks.
This vulnerability has been publicly documented.
RedirectResponseSubscriber event handler removal
As part of the fix, Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed. Although this is a public method, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The method has been removed outright to prevent a false sense of security.
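Both open redirect issues above (the path alias one and the “destination” one) come down to the same question: does a user-supplied value stay on this site? The check below is an added example, not Drupal's own code, and all names in it are constructed. It is deliberately stricter than a host comparison would be: it rejects every absolute URL, including ones to the site itself, which is a reasonable default for a “destination” parameter.

```php
<?php
// Added example, not Drupal's code: accept a user-supplied "destination"
// (or any path meant to stay on this site) only if it cannot take the
// browser to another host. Everything else falls back to a safe default.
function isLocalDestination(string $destination): bool {
  // Browsers treat a backslash like a forward slash in this position,
  // so "/\evil.example" must be handled like "//evil.example".
  $candidate = str_replace('\\', '/', $destination);

  // Anything with a scheme ("http:", "javascript:", "data:", ...) is out.
  if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
    return FALSE;
  }
  // Protocol-relative URLs ("//evil.example/...") are out.
  if (strpos($candidate, '//') === 0) {
    return FALSE;
  }
  // Require an absolute site path, so "evil.example/node/1" is not
  // accepted as a relative reference either.
  if ($candidate === '' || $candidate[0] !== '/') {
    return FALSE;
  }
  // Let the URL parser have the last word: a host means it is not local.
  $parts = parse_url($candidate);
  return $parts !== FALSE && !isset($parts['host']) && !isset($parts['scheme']);
}

// Never redirect to the raw parameter; use it only once it has passed.
function safeRedirectTarget(?string $destination, string $fallback = '/'): string {
  return ($destination !== NULL && isLocalDestination($destination)) ? $destination : $fallback;
}

// Constructed sample values as they might arrive in ?destination=...
$samples = [
  '/node/1?foo=bar',
  '/user/login',
  '//evil.example/phish',
  'https://evil.example/',
  '/\\evil.example',
  'evil.example/node/1',
  'javascript:alert(1)',
];
foreach ($samples as $s) {
  printf("%-24s -> %s\n", $s, safeRedirectTarget($s));
}
```

The same test applies to a path alias: an alias that begins with a scheme or a double slash points off-site and should be refused at save time rather than at redirect time.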
Reported by
Brian Osborne
Fixed by
Michael Hess of the Drupal Security Team
Wim Leers
Alex Pott of the Drupal Security Team
Grant Gaudet
Lee Rowlands of the Drupal Security Team
Nathaniel Catchpole of the Drupal Security Team
Jess of the Drupal Security Team
Injection in DefaultMailSystem::mail() – Critical – Remote Code Execution – Drupal 7 and Drupal 8
When sending email, some variables were not sanitized for use as shell arguments, which could lead to remote code execution.
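An added example of the defensive pattern (not Drupal's fix): the advisory does not say which variable reached the shell, so a sendmail `-f` parameter built from a Return-Path header is used here as a representative case, and the function name and inputs are constructed. The value is validated first and then escaped, because neither step alone is enough.

```php
<?php
// Added example, not Drupal's fix. The advisory does not say which
// variable reached the shell; a sendmail "-f" parameter built from a
// Return-Path header is used here as a representative case of a value
// that ends up on a command line run through a shell.
function sendmailReturnPathParam(string $returnPath): string {
  // Allow the common "<user@example.com>" form.
  $address = trim($returnPath, " \t<>");
  // Validate first: FILTER_VALIDATE_EMAIL rejects spaces and most junk,
  // but not every character a shell cares about, so do not stop here.
  if (filter_var($address, FILTER_VALIDATE_EMAIL) === FALSE) {
    throw new InvalidArgumentException('Return-Path is not a valid address');
  }
  // Then escape: the value becomes one single-quoted shell word, so it
  // cannot be split into extra options or commands.
  return '-f' . escapeshellarg($address);
}

// Constructed inputs: an ordinary address, an address containing a quote
// character (which a valid address may), and two values that must not
// reach the shell at all.
$inputs = [
  '<bounces@example.com>',
  "o'brien@example.com",
  'bounces@example.com extra words',
  "bounces@example.com\nbcc: someone@example.net",
];
foreach ($inputs as $input) {
  try {
    printf("%s => %s\n", json_encode($input), sendmailReturnPathParam($input));
  } catch (InvalidArgumentException $e) {
    printf("%s => rejected (%s)\n", json_encode($input), $e->getMessage());
  }
}
```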
Reported by
Damien Tournoud
Fixed by
Lee Rowlands of the Drupal Security Team
Sascha Grossenbacher
Daniel Wehner
Klaus Purer
Damien Tournoud
Stefan Ruijsenaars of the Drupal Security Team
David Rothstein of the Drupal Security Team
David Snopek of the Drupal Security Team
Jess of the Drupal Security Team
Wim Leers
Peter Wolanin of the Drupal Security Team
Ted Bowman, Provisional member of the Drupal Security Team
Contextual Links validation – Critical – Remote Code Execution – Drupal 8
The Contextual Links module does not sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.
Reported by
Nick Booher
Fixed by
Lee Rowlands of the Drupal Security Team
Nick Booher
Samuel Mortenson of the Drupal Security Team
Wim Leers
Alex Pott of the Drupal Security Team
Solution
Upgrade to the most recent version of Drupal 7 or 8 core.
If you are running 7.x, upgrade to Drupal 7.60.
If you are running 8.6.x, upgrade to Drupal 8.6.2.
If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8.
Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2021.
This article was republished from its original source.