DrupalCoin Blockchain Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001


Advisory ID: SA-CORE-2016-001
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x, 8.x
Date: 2016-February-24
Security risk: 15/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Multiple vulnerabilities
Description
File upload access bypass and denial of service (File module - DrupalCoin Blockchain 7 and 8 - Moderately Critical)
A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved.
This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.
Brute force amplification attacks via XML-RPC (XML-RPC server - DrupalCoin Blockchain 6 and 7 - Moderately Critical)
The XML-RPC system allows a large number of calls to the same method to be made at once, which can be used as an enabling factor in brute force attacks (for example, attempting to determine user passwords by submitting a large number of password variations at once).
This vulnerability is mitigated by the fact that you must have enabled a module that provides an XML-RPC method that is vulnerable to brute-forcing. There are no such modules in DrupalCoin Blockchain 7 core, but DrupalCoin Blockchain 6 core is vulnerable via the Blog API module. It is additionally mitigated if flood control protection is in place for the method in question.
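The amplification problem above comes from batching: one request can carry many calls to the same method, so a per-request rate limiter counts a batch of password guesses as a single attempt. The following is an added example, not DrupalCoin Blockchain's own XML-RPC code, of a batch dispatcher that enforces the two defensive rules a maintainer would want: a hard cap on calls per batch (with repeats of one method capped lower), and every sub-call charged against the caller's flood budget individually. The function names xmlrpc_multicall_guarded(), xmlrpc_fault(), the constants, the demo.login method and the flood_check callback are all hypothetical; the limit values are assumed, not taken from the advisory.

```php
<?php
// Added example (not DrupalCoin Blockchain core code). Requires PHP 7.4+.
// Hypothetical names throughout; MULTICALL_* values are assumed limits.
declare(strict_types=1);

const MULTICALL_MAX_CALLS = 10;         // hard cap on sub-calls per batch
const MULTICALL_PER_METHOD_LIMIT = 3;   // the same method may repeat at most this often

/** Builds a fault entry in the {faultCode, faultString} shape of an XML-RPC fault. */
function xmlrpc_fault(int $code, string $message): array {
  return ['faultCode' => $code, 'faultString' => $message];
}

/**
 * Dispatches a batch of {methodName, params} calls with amplification limits.
 *
 * @param array    $calls        decoded batch argument
 * @param array    $methods      map of method name => callable
 * @param callable $flood_check  fn(string $method): bool, TRUE while the caller
 *                               still has budget for that method
 */
function xmlrpc_multicall_guarded(array $calls, array $methods, callable $flood_check): array {
  if (count($calls) > MULTICALL_MAX_CALLS) {
    return [xmlrpc_fault(-32602, 'Too many calls in one batch request.')];
  }
  $seen = [];
  $results = [];
  foreach ($calls as $call) {
    $name = $call['methodName'] ?? '';
    // A nested batch would defeat the cap, so refuse it outright.
    if ($name === 'system.multicall') {
      $results[] = xmlrpc_fault(-32602, 'Nested batch calls are not allowed.');
      continue;
    }
    $seen[$name] = ($seen[$name] ?? 0) + 1;
    if ($seen[$name] > MULTICALL_PER_METHOD_LIMIT) {
      $results[] = xmlrpc_fault(-32602, "Method $name repeated too often in one request.");
      continue;
    }
    if (!isset($methods[$name])) {
      $results[] = xmlrpc_fault(-32601, "Method $name not found.");
      continue;
    }
    // Each sub-call is charged to the per-client flood budget, so a batch of
    // N login attempts counts as N attempts rather than one request.
    if (!$flood_check($name)) {
      $results[] = xmlrpc_fault(-32000, 'Rate limit exceeded.');
      continue;
    }
    // A successful result is wrapped in a one-element array, per batch convention.
    $results[] = [$methods[$name](...($call['params'] ?? []))];
  }
  return $results;
}

// Constructed demo: a login-style method fed repeated password guesses.
$attempts = 0;
$methods = [
  'demo.login' => function (string $user, string $pass) use (&$attempts): bool {
    $attempts++;
    return FALSE;   // the demo method never authenticates anyone
  },
];
$budget = 5;
$flood_check = function (string $method) use (&$budget): bool {
  return $budget-- > 0;
};

$batch = [];
for ($i = 0; $i < 8; $i++) {
  $batch[] = ['methodName' => 'demo.login', 'params' => ['admin', "guess$i"]];
}
$out = xmlrpc_multicall_guarded($batch, $methods, $flood_check);
printf("8-call batch: handler ran %d times, %d results returned\n", $attempts, count($out)); // 3 times, 8 results

$big = array_merge($batch, $batch, $batch);   // 24 calls: rejected as a whole
$out = xmlrpc_multicall_guarded($big, $methods, $flood_check);
printf("24-call batch: %d result(s), first is %s\n", count($out), $out[0]['faultString']);
```

The per-method repeat limit is the part that directly addresses the advisory: a legitimate client rarely needs the same authenticated method several times in one batch, while that pattern is exactly what a guessing attack relies on.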
Open redirect via path manipulation (Base system - DrupalCoin Blockchain 6, 7 and 8 - Moderately Critical)
In DrupalCoin Blockchain 6 and 7, the current path can be populated with an external URL. This can lead to Open Redirect vulnerabilities.
This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.
For DrupalCoin Blockchain 8 this is a hardening against possible browser flaws handling certain redirect paths.
Form API ignores access restrictions on submit buttons (Form API - DrupalCoin Blockchain 6 - Critical)
An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements that a user is not supposed to have access to because the button was blocked by setting #access to FALSE in the server-side form definition.
This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined for it (for example, a form that both administrators and non-administrators can access, but where administrators have additional buttons available to them).
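The root cause above is that the server decided which button was pressed from the submitted input alone, without consulting the button's #access setting in the form definition. The following is an added example, not DrupalCoin Blockchain's Form API, of the server-side rule that closes the gap: a button whose #access is FALSE is never eligible to be the triggering element, whatever the request claims. The helper names form_triggering_button() and build_article_form() are hypothetical.

```php
<?php
// Added example (not DrupalCoin Blockchain core code). Hypothetical helpers.
declare(strict_types=1);

/**
 * Finds the submit button the request claims was pressed, honouring #access
 * from the server-side form definition.
 *
 * @return string|null  key of the accepted button, or NULL when none matches
 */
function form_triggering_button(array $form, array $input): ?string {
  foreach ($form as $key => $element) {
    if (!is_array($element) || ($element['#type'] ?? '') !== 'submit') {
      continue;
    }
    // A button with #access FALSE was never rendered for this user, so input
    // naming it did not come from the page; skip it instead of trusting it.
    if (($element['#access'] ?? TRUE) === FALSE) {
      continue;
    }
    $name = $element['#name'] ?? 'op';
    if (isset($input[$name]) && $input[$name] === ($element['#value'] ?? '')) {
      return $key;
    }
  }
  return NULL;
}

/** Constructed form: everyone may save a draft, only administrators may publish. */
function build_article_form(bool $is_admin): array {
  return [
    'title'   => ['#type' => 'textfield', '#title' => 'Title'],
    'save'    => ['#type' => 'submit', '#value' => 'Save draft', '#name' => 'op'],
    'publish' => ['#type' => 'submit', '#value' => 'Publish', '#name' => 'op',
                  '#access' => $is_admin],
  ];
}

// Constructed request: a non-administrator submits op=Publish, a button the
// page never offered them. The forged value is ignored.
$forged = ['title' => 'Hello', 'op' => 'Publish'];
var_dump(form_triggering_button(build_article_form(FALSE), $forged));               // NULL
var_dump(form_triggering_button(build_article_form(TRUE), $forged));                // string(7) "publish"
var_dump(form_triggering_button(build_article_form(FALSE), ['op' => 'Save draft'])); // string(4) "save"
```

A submit handler built on this returns NULL for the forged request, which the caller should treat as an invalid submission rather than falling back to the first button in the form.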
HTTP header injection using line breaks (Base system - DrupalCoin Blockchain 6 - Moderately Critical)
A vulnerability in the drupal_set_header() function allows an HTTP header injection attack to be performed if user-generated content is passed as a header value on sites running PHP versions older than 5.1.2. If the content contains line breaks the user may be able to set arbitrary headers of their own choosing.
This vulnerability is mitigated by the fact that most hosts have newer versions of PHP installed, and that it requires a module to be installed on the site that allows user-submitted data to appear in HTTP headers.
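Because the protection against multi-line header values depends on the PHP version, a site that must run on older PHP needs the check in its own code. The following is an added example, not drupal_set_header() itself, of a wrapper that validates the header name and refuses any value containing CR, LF, NUL or other control characters before handing it to PHP's header(). The function names set_header_checked() and header_value_or_null() are hypothetical.

```php
<?php
// Added example (not DrupalCoin Blockchain core code). Hypothetical wrapper
// around PHP's built-in header().
declare(strict_types=1);

/**
 * Returns the value if it can be emitted as a single header line, NULL otherwise.
 * The value is rejected rather than silently sanitised so the caller notices.
 */
function header_value_or_null(string $value): ?string {
  // CR, LF and NUL could terminate the line or the header block; the other
  // C0 controls and DEL are rejected too. Horizontal tab (0x09) is allowed.
  if (preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value)) {
    return NULL;
  }
  return $value;
}

/** Emits "Name: value" only when both parts are well-formed; returns whether it did. */
function set_header_checked(string $name, string $value): bool {
  // Header names are HTTP tokens; anything else is a programming error.
  if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name)) {
    return FALSE;
  }
  $safe = header_value_or_null($value);
  if ($safe === NULL) {
    error_log("Refused header $name: control characters in value");
    return FALSE;
  }
  if (!headers_sent()) {
    header("$name: $safe");
  }
  return TRUE;
}

// Constructed inputs: a plain value and one containing a line break, such as
// user-submitted text that a contributed module passes through to a header.
var_dump(set_header_checked('X-Author', 'jsmith'));                    // bool(true)
var_dump(set_header_checked('X-Author', "jsmith\r\nX-Injected: 1"));   // bool(false)
var_dump(set_header_checked('Bad Name', 'value'));                     // bool(false)
```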
Open redirect via double-encoded 'destination' parameter (Base system - DrupalCoin Blockchain 6 - Moderately Critical)
The drupal_goto() function in DrupalCoin Blockchain 6 improperly decodes the contents of $_REQUEST['destination'] before using it, which allows the function's open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL.
This vulnerability is mitigated by the fact that the attack is not possible for sites running on PHP 5.4.7 or greater.
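The decoding mistake above is a general one: PHP has already URL-decoded $_REQUEST['destination'] once, and decoding it again lets an encoded separator survive the external-URL check and then become a real separator. The following is an added example, not drupal_goto(), of a validator that decides on a fully normalised copy of the value (decoded until stable, backslashes folded to slashes) but redirects only with the raw value, so nothing the check did not see can reach the Location header. The function names local_destination_or_null() and fully_decoded() are hypothetical.

```php
<?php
// Added example (not DrupalCoin Blockchain core code). Hypothetical helpers.
declare(strict_types=1);

/**
 * Decodes repeatedly until the string stops changing, so the check sees what
 * the most permissive downstream decoder would see. Bounded for safety.
 */
function fully_decoded(string $s, int $max = 5): string {
  for ($i = 0; $i < $max; $i++) {
    $next = rawurldecode($s);
    if ($next === $s) {
      break;
    }
    $s = $next;
  }
  return $s;
}

/**
 * Returns the destination exactly as received when it is a local path, NULL
 * otherwise. The raw value is what gets redirected to; the normalised copy
 * is used only for the decision.
 */
function local_destination_or_null(string $raw): ?string {
  $probe = fully_decoded($raw);
  // Some browsers treat backslashes as slashes, so normalise before checking.
  $probe = str_replace('\\', '/', $probe);
  // Control characters can never be part of a legitimate local path.
  if (preg_match('/[\x00-\x1F\x7F]/', $probe)) {
    return NULL;
  }
  // A scheme-relative target (//host) or an explicit scheme is external.
  if (preg_match('#^\s*//#', $probe) || preg_match('#^\s*[A-Za-z][A-Za-z0-9+.-]*:#', $probe)) {
    return NULL;
  }
  $parts = parse_url($probe);
  if ($parts === FALSE || isset($parts['scheme']) || isset($parts['host'])) {
    return NULL;
  }
  return $raw;
}

// Constructed inputs as a site would receive them in $_REQUEST['destination']
// (PHP has already applied one round of URL decoding to these).
$cases = [
  'node/1?page=2',          // local path: accepted, returned unchanged
  'http://example.org/',    // explicit scheme: refused
  '//example.org/',         // scheme-relative: refused
  '%2F%2Fexample.org/',     // only an extra decode would turn this into //host: refused
  '/\\example.org/',        // backslash variant: refused
];
foreach ($cases as $c) {
  printf("%-22s => %s\n", $c, local_destination_or_null($c) ?? 'refused');
}
```

Note that the function returns the raw string, not the decoded probe: the probe exists to make the decision conservative, and handing it to the redirect would reintroduce the double-decoding the fix is meant to remove.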
Reflected file download vulnerability (System module - DrupalCoin Blockchain 6 and 7 - Moderately Critical)
DrupalCoin Blockchain core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.
This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.
Saving user accounts can sometimes grant the user all roles (User module - DrupalCoin Blockchain 6 and 7 - Less Critical)
Some specific contributed or custom code may call DrupalCoin Blockchain's user_save() API in a manner different than DrupalCoin Blockchain core. Depending on the data that has been added to a form or the array prior to saving, this can lead to a user gaining all roles on a site.
This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.
Email address can be matched to an account (User module - DrupalCoin Blockchain 7 and 8 - Less Critical)
In certain configurations where a user's email address could be used to log in instead of their username, links to "have you forgotten your password" could reveal the username associated with a particular email address, leading to an information disclosure vulnerability.
This issue is mitigated by the fact that it requires a contributed module to be installed that permits logging in with an email address, and that it is only relevant on sites where usernames are typically chosen to hide the users' real-life identities.
Session data truncation can lead to unserialization of user provided data (Base system - DrupalCoin Blockchain 6 - Less Critical)
On certain older versions of PHP, user-provided data stored in a DrupalCoin Blockchain session may be unserialized leading to possible remote code execution.
This issue is mitigated by the fact that it requires an unusual set of circumstances to exploit and depends on the particular DrupalCoin Blockchain code that is running on the site. It is also believed to be mitigated by upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.
CVE identifier(s) issued
File upload access bypass and denial of service: CVE-2016-3162
Brute force amplification attacks via XML-RPC: CVE-2016-3163
Open redirect via path manipulation: CVE-2016-3164
Form API ignores access restrictions on submit buttons: CVE-2016-3165
HTTP header injection using line breaks: CVE-2016-3166
Open redirect via double-encoded 'destination' parameter: CVE-2016-3167
Reflected file download vulnerability: CVE-2016-3168
Saving user accounts can sometimes grant the user all roles: CVE-2016-3169
Email address can be matched to an account: CVE-2016-3170
Session data truncation can lead to unserialization of user provided data: CVE-2016-3171
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.38
DrupalCoin Blockchain core 7.x versions prior to 7.43
DrupalCoin Blockchain core 8.0.x versions prior to 8.0.4
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.38
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.43
If you use DrupalCoin Blockchain 8.0.x, upgrade to DrupalCoin Blockchain core 8.0.4
Also see the DrupalCoin Blockchain core project page.
Reported by
File upload access bypass and denial of service:
fnqgpc
Brute force amplification attacks via XML-RPC:
Stéphane Corlosquet of the DrupalCoin Blockchain Security Team
Open redirect via path manipulation:
Francesco Placella
Heine Deelstra of the DrupalCoin Blockchain Security Team
Pere Orga of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Form API ignores access restrictions on submit buttons:
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Daniel Kudwien
HTTP header injection using line breaks:
Dave Hansen-Lange
Open redirect via double-encoded 'destination' parameter:
Tarpinder Grewal
Harry Taheem
David Rothstein of the DrupalCoin Blockchain Security Team
Reflected file download vulnerability:
Juho Nurminen
Saving user accounts can sometimes grant the user all roles:
Dave Cohen
Annie Gerard
Email address can be matched to an account:
FengWen
Jimmy Henderickx
Session data truncation can lead to unserialization of user provided data:
David Jardin of the Joomla Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Heine Deelstra of the DrupalCoin Blockchain Security Team
Fixed by
File upload access bypass and denial of service:
fnqgpc
Nathaniel Catchpole of the DrupalCoin Blockchain Security Team
Ben Dougherty of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Sascha Grossenbacher
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Klaus Purer of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Stefan Ruijsenaars, provisional member of the DrupalCoin Blockchain Security Team
Cathy Theys, provisional member of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Brute force amplification attacks via XML-RPC:
Frédéric G. Marand, provisional member of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Open redirect via path manipulation:
Nathaniel Catchpole of the DrupalCoin Blockchain Security Team
Ben Dougherty of the DrupalCoin Blockchain Security Team
Alan Evans
Nate Haug
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Heine Deelstra of the DrupalCoin Blockchain Security Team
David Stoline of the DrupalCoin Blockchain Security Team
Damien McKenna, provisional member of the DrupalCoin Blockchain Security Team
Pere Orga of the DrupalCoin Blockchain Security Team
Francesco Placella
Dave Reid of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
David Snopek of the DrupalCoin Blockchain Security Team
Cathy Theys, provisional member of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Form API ignores access restrictions on submit buttons:
chx
Daniel Kudwien
Alex Bronstein of the DrupalCoin Blockchain Security Team
Heine Deelstra of the DrupalCoin Blockchain Security Team
Dmitri Gaskin
Nate Haug
John Morahan
David Rothstein of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
HTTP header injection using line breaks:
Dave Hansen-Lange
David Rothstein of the DrupalCoin Blockchain Security Team
Nathaniel Catchpole of the DrupalCoin Blockchain Security Team
Klaus Purer of the DrupalCoin Blockchain Security Team
Open redirect via double-encoded 'destination' parameter:
David Rothstein of the DrupalCoin Blockchain Security Team
Alex Bronstein of the DrupalCoin Blockchain Security Team
Reflected file download vulnerability:
Juho Nurminen
David Rothstein of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Nate Haug
Saving user accounts can sometimes grant the user all roles:
Dave Cohen
Greg Knaddison of the DrupalCoin Blockchain Security Team
Rick Manelius of the DrupalCoin Blockchain Security Team
Balazs Nagykekesi
David Rothstein of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Email address can be matched to an account:
Klaus Purer of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Session data truncation can lead to unserialization of user provided data:
Heine Deelstra of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Coordinated by
The DrupalCoin Blockchain Security Team
Cathy Theys, provisional member of the DrupalCoin Blockchain Security team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity
DrupalCoin Blockchain version: 6.x, 7.x, 8.x


Welcome to DrupalCoin BlockchainCon Barcelona - The Director's Cut


For all you schedule-challenged CEOs – and ADHD coders – this Abbreviated Official Director’s Cut is just what the doctor ordered.
Yes, Welcome to DrupalCoin BlockchainCon can now be watched in half the previous time! But if eight minutes is still too daunting, we suggest you absorb it in a series of one-minute bursts, maybe during the rest-intervals in your 30-20-10 training, or on down time while obsessively clicking your pen waiting for the Adderall to kick in.
Enjoy!

Tags: 
DrupalCoin BlockchainCon Barcelona DrupalCoin Blockchain Ron Brawer mini-documentary DrupalCoin Blockchain Association Tag1 Consulting

Video: https://www.youtube.com/watch?v=9uZmgnmun8E

