Re: CVE requests for Drupal core (SA-CORE-2016-001)

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://www.drupal.org/SA-CORE-2016-001

> File upload access bypass and denial of service (File module - Drupal
> 7 and 8 - Moderately Critical)
>
> A vulnerability exists in the File module that allows a malicious user
> to view, delete or substitute a link to a file that the victim has
> uploaded to a form while the form has not yet been submitted and
> processed. If an attacker carries out this attack continuously, all
> file uploads to a site could be blocked by deleting all temporary
> files before they can be saved.
>
> This vulnerability is mitigated by the fact that the attacker must
> have permission to create content or comment and upload files as part
> of that process.

Use CVE-2016-3162.


> Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal
> 6 and 7 - Moderately Critical)
>
> The XML-RPC system allows a large number of calls to the same method
> to be made at once, which can be used as an enabling factor in brute
> force attacks (for example, attempting to determine user passwords by
> submitting a large number of password variations at once).
>
> This vulnerability is mitigated by the fact that you must have enabled
> a module that provides an XML-RPC method that is vulnerable to
> brute-forcing. There are no such modules in Drupal 7 core, but Drupal
> 6 core is vulnerable via the Blog API module. It is additionally
> mitigated if flood control protection is in place for the method in
> question.

Use CVE-2016-3163.


> Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 -
> Moderately Critical)
>
> In Drupal 6 and 7, the current path can be populated with an external
> URL. This can lead to Open Redirect vulnerabilities.
>
> This vulnerability is mitigated by the fact that it would only occur
> in combination with custom code, or in certain cases if a user submits
> a form shown on a 404 page with a specially crafted URL.
>
> For Drupal 8 this is a hardening against possible browser flaws
> handling certain redirect paths.

Use CVE-2016-3164.


> Form API ignores access restrictions on submit buttons (Form API -
> Drupal 6 - Critical)
>
> An access bypass vulnerability was found that allows input to be
> submitted, for example using JavaScript, for form button elements that
> a user is not supposed to have access to because the button was
> blocked by setting #access to FALSE in the server-side form
> definition.
>
> This vulnerability is mitigated by the fact that the attacker must
> have access to submit a form that has such buttons defined for it (for
> example, a form that both administrators and non-administrators can
> access, but where administrators have additional buttons available to
> them).

Use CVE-2016-3165.


> HTTP header injection using line breaks (Base system - Drupal 6 -
> Moderately Critical)
>
> A vulnerability in the drupal_set_header() function allows an HTTP
> header injection attack to be performed if user-generated content is
> passed as a header value on sites running PHP versions older than
> 5.1.2. If the content contains line breaks the user may be able to set
> arbitrary headers of their own choosing.
>
> This vulnerability is mitigated by the fact that most hosts have newer
> versions of PHP installed, and that it requires a module to be
> installed on the site that allows user-submitted data to appear in
> HTTP headers.

Use CVE-2016-3166. (This issue has a CVE ID because the Drupal vendor
has issued a security advisory. A different vendor, in response to
a similar report, could choose to take the position that PHP 5.1.x
is obsolete, and the product offers no expectation of correct
behavior with 5.1.x.)


> Open redirect via double-encoded 'destination' parameter (Base system
> - Drupal 6 - Moderately Critical)
>
> The drupal_goto() function in Drupal 6 improperly decodes the contents
> of $_REQUEST['destination'] before using it, which allows the
> function's open redirect protection to be bypassed and allows an
> attacker to initiate a redirect to an arbitrary external URL.
>
> This vulnerability is mitigated by that fact that the attack is not
> possible for sites running on PHP 5.4.7 or greater.

Use CVE-2016-3167. (This issue has a CVE ID because the Drupal vendor
has issued a security advisory. A different vendor, in response to
a similar report, could choose to take the position that PHP 5.4.x
is obsolete, and the product offers no expectation of correct
behavior with 5.4.x.)


> Reflected file download vulnerability (System module - Drupal 6 and 7
> - Moderately Critical)
>
> Drupal core has a reflected file download vulnerability that could
> allow an attacker to trick a user into downloading and running a file
> with arbitrary JSON-encoded content.
>
> This vulnerability is mitigated by the fact that the victim must be a
> site administrator and that the full version of the attack only works
> with certain web browsers.

Use CVE-2016-3168.


> Saving user accounts can sometimes grant the user all roles (User
> module - Drupal 6 and 7 - Less Critical)
>
> Some specific contributed or custom code may call Drupal's user_save()
> API in a manner different than Drupal core. Depending on the data that
> has been added to a form or the array prior to saving, this can lead
> to a user gaining all roles on a site.
>
> This issue is mitigated by the fact that it requires contributed or
> custom code that calls user_save() with an explicit category and code
> that loads all roles into the array.

Use CVE-2016-3169.


> Email address can be matched to an account (User module - Drupal 7 and
> 8 - Less Critical)
>
> In certain configurations where a user's email addresses could be used
> to log in instead of their username, links to "have you forgotten your
> password" could reveal the username associated with a particular email
> address, leading to an information disclosure vulnerability.
>
> This issue is mitigated by the fact that it requires a contributed
> module to be installed that permits logging in with an email address,
> and that it is only relevant on sites where usernames are typically
> chosen to hide the users' real-life identities.

Use CVE-2016-3170.


> Session data truncation can lead to unserialization of user provided
> data (Base system - Drupal 6 - Less Critical)
>
> On certain older versions of PHP, user-provided data stored in a
> Drupal session may be unserialized leading to possible remote code
> execution.
>
> This issue is mitigated by the fact that it requires an unusual set of
> circumstances to exploit and depends on the particular Drupal code
> that is running on the site. It is also believed to be mitigated by
> upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.

Use CVE-2016-3171.


We may be sending a separate reply about the "And also for the
FileField contributed module" part.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW6JQLAAoJEL54rhJi8gl5ySQQAI4bneFzYhM+2x9p8M9zDwF0
qZbMerp4yXeB+w4ejBBUv73k03xXveRwOabDiT0N4Rub/njlUUhmqtOLHuOZ21WU
wYPGYxZHEVLmsiDCYu6W55aE114CywC+uWEay6o6Nk55y5EGRrZzwQjYPwSJdbl+
/D4ArePHQkw5+mclilaFVKvhd8t01AVaH8x5cyfGYTZVJRjL6O6032fEbTgGcz6c
mEZ2cpHZYsOAvn5I0i0SKq5xTK3UK+mzt23n8toP2k2E9bFOjqIej49hQMsIKF0O
ixZn1J08J5stumLUDPMcu1L1kwr5/6+C24f5Um67q0zlL5W6jshpUUzXXe4nxBom
vr9cC2hqMk1tkjBmKvylS7BLk5VblL8rSsUjZ6UxbL+gvusdblPnTpzvw1ldlG61
fgp5e27yOFYKuOrd6/OO79zmJFGWo+mRweumJOZpKdP8H4x58IMF5eZSzFhVSuzS
EVKFKOHVwPVF1nQ3j81KyDxe4vNtCCjIy6eKJyctkHMn8Q21VlkTGjvDVcO8qfOA
oUV/JKn2ad/Pl4TN4LDT6KDss6zHCM+EvlX+mLdy4Oa13rs+N29Ek5VxLGjaEe9p
77yXCYPIO64dxUqlU+/bKH3f/fRBDv0fjLt3nWUol0e26RTmAbIn/T6xRdFCB2Qb
infW+eF3l8hqc0Y9K27J
=f4nY
-----END PGP SIGNATURE-----