oss-sec mailing list archives
Re: CVE requests for Drupal contributed modules (from 2016-009 to 2016-014)
From: cve-assign () mitre org
Date: Thu, 17 Mar 2016 11:23:01 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Prepopulate - Access Bypass - SA-CONTRIB-2016-009 https://www.drupal.org/node/2679503
The Prepopulate module does not adequately prevent a user from overwriting arbitrary parts of $_REQUEST. It also does not prevent pre-populating certain fields that are not displayed or manipulating markup fields to alter elements of the user interface.
Versions affected
Prepopulate 7.x-2.x versions prior to 7.x-2.1.
http://cgit.drupalcode.org/prepopulate/commit/prepopulate.module?id=16cdb63cc3b256dd785e029ec17f92ddf80cc443
Use CVE-2016-3187 for the issue associated with deleting the "parse_str(base64_decode($_REQUEST['pp']), $_REQUEST);" lines, and use CVE-2016-3188 for the issue associated with changing the value of $limited_types. (The 16cdb63cc3b256dd785e029ec17f92ddf80cc443 commit message does not seem closely related to the 16cdb63cc3b256dd785e029ec17f92ddf80cc443 code changes.) Our understanding is that the Prepopulate module was packaged in, for example, Fedora 23. The prepopulate-6.x-2.2.tar.gz file shipped in drupal6-prepopulate-2.2-4.fc23.src.rpm apparently does not have the 16cdb63cc3b256dd785e029ec17f92ddf80cc443 changes. Thus, we feel that the best available information is that CVE-2016-3187 and CVE-2016-3188 affects or affected, at least, Fedora 23. (For example, see the http://fedora.mirror.lstn.net/releases/23/Everything/source/SRPMS/d/drupal6-prepopulate-2.2-4.fc23.src.rpm package file.) (We understand that Drupal 6 end-of-life was last month according to the https://www.drupal.org/drupal-6-eol post. We also understand that http://pkgs.fedoraproject.org/cgit/rpms/drupal6-prepopulate.git/commit?id=d77963c300289b6be29b5dc08d0662fc698068f4 exists. However, drupal6-prepopulate-2.2-4.fc23 may still be in use on many Fedora 23 systems.) We may be sending a separate reply about the USASearch, Google Analytics Counter, Hubspot CTA, Node Notify, and Fieldable Panels Panes issues. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJW6srrAAoJEL54rhJi8gl5J/4P/0g7s1pjL7lsg4sc3vN41r6v +1i0ucO28tfGhM13QxqNfR1RqUZ3W40dlWz2Lum6NvudbkGZaY+Jzph4BT9RW1n2 80ruiuamYF3escBnWvssSdIjwl2ibwsKFzzjyrvArdcZpnI6pwGFWPKLbN4pGyoz WSi+Ow067aqeSJVonW98AlxF4udVTrQJQi1wmhiW0jOE+7zk1rAwkVUgLlWCDJLB dVnopSr/FN2ewTkkJrAfBSfqQBGe7XNrnYCzefdBv7JgAARzkPc1jJzdC8oy3AIL TiyDVo6O/fi4j4pd01TVUc8Yh7kGilDdk7BPyptH4KPrGG8yS8SmLY2WSoR3gpa8 iBvw6o9X0HuXFo9IGrSBsd6LUt/+dYkqOH4JN2dxj9rxKlqv+4zlGHqM8mP/xGaw 4tCy7ekDTpEEQNSSzZDLtrDtaYbtHztC2EQ+fUp8iTmh1OKayWPGHNj/+unChR+q 0QqQt483QarClETgwUtVQCwqUBT90nS0RFvG5FKCAGRurfWXR0b0jXtQPmECZj6k wlJinmq4yAPfHVEjm1/5pGANAcihuLUxVdvpw8ZbsAJRSg2wEvxSCILb4Av+OaxF o5q0Nlekcn3FxKNz4hpr+ra5CWy7i/KDhjAuH6rarNMWA2sDLOM18TjyL9Pax0xy etw4zEaMsg3o2WgpI6qS =huG5 -----END PGP SIGNATURE-----
Current thread:
- CVE requests for Drupal contributed modules (from 2016-009 to 2016-014) Pere Orga (Mar 04)
- Re: CVE requests for Drupal contributed modules (from 2016-009 to 2016-014) cve-assign (Mar 17)