ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

Project: ACL
Date: 2023-August-23
Security risk: Critical 17∕25
Vulnerability: Arbitrary PHP code execution
Affected versions: <1.0.0

Description

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

  • Forum Access
  • Flexi Access
  • Content Access

Coordinated Security Advisories are being released for those client modules that have Security coverage.

Solution

Install the latest version:

  • If you use the ACL module for Drupal 7.x, upgrade to ACL 7.x-1.4
  • If you use the ACL module 8.x-1.0-beta3 or below, upgrade to ACL 8.x-1.0

Any client modules that depend on ACL should also be updated.

Forum Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-035

Project: Forum Access
Date: 2023-August-23
Security risk: Critical 17∕25 
Vulnerability: Arbitrary PHP code execution
Affected versions: <1.0.0

Description

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Forum Access depends.

Solution

Install the latest version:

The ACL module (a dependency) must also be updated.

Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036

Project: Flexi Access
Date: 2023-August-23
Security risk: Critical 17∕25
Vulnerability: Arbitrary PHP code execution

Description

The Flexi Access module will provide a simple and flexible interface to the ACL (Access Control List) module. It will let you set up and mange ACLs naming individual users that are allowed access to a particular node.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that known exploit paths require an attacker to have a combination of permissions provided by the module; for example "access flexiaccess" and "flexiaccess view". See _flexiaccess_node_access() for details. The "administer flexiaccess" permission alone does not grant access to the vulnerable functionality.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Flexi Access depends.

Solution

Install the latest version:

The ACL module (a dependency) must also be updated.

We value your opinion. Please add your feedback.