View online: https://www.drupal.org/SA-CORE-2016-004

——– DESCRIPTION
———————————————————

Users who have rights to edit a node, can set the visibility on comments for
that node.

* Advisory ID: DRUPAL-SA-CORE-2016-004
* Project: Drupal core [1]
* Version:li 8.x
* Date: 2016-September-21
* Security risk: 18/25 ( Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
* Vulnerability:

——– DESCRIPTION
———————————————————

*Users without “Administer comments” can set comment visibility on nodes they
can edit. (Less critical)*
Users who have rights to edit a node, can set the visibility on comments for
that node. This should be restricted to those who have the administer
comments permission.

*Cross-site Scripting in http exceptions (critical) *
An attacker could create a specially crafted url, which could execute
arbitrary code in the victim’s browser if loaded. Drupal was not properly
sanitizing an exception

*Full config export can be downloaded without administrative permissions
(critical) *
The system.temporary route would allow the download of a full config export.
The full config export should be limited to those with Export configuration
permission.
——– CVE IDENTIFIER(S) ISSUED
——————————————–

* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

——– VERSIONS AFFECTED
—————————————————

8.x

——– SOLUTION
————————————————————

Upgrade to Drupal 8.1.10

——– REPORTED BY
———————————————————

*Users without “Administer comments” can set comment visibility on nodes they
can edit.*
* Quintus Maximus [4]
* Kier Heyl [5]

*XSS in http exceptions*
* Ivan [6]

*Full config export can be downloaded without administrative permissions *
* Anton Shubkin [7]

——– FIXED BY
————————————————————

*Users without “Administer comments” can set comment visibility on nodes they
can edit.*
* Lee Rowlands of the Drupal Security Team [8]
* Stefan Ruijsenaars of the Drupal Security Team [9]
* Andrey Postnikov [10]
* Daniel Wehner [11]

*XSS in http exceptions*
* xjm of the Drupal Security Team [12]
* Daniel Wehner [13]
* Alex Pott of the Drupal Security Team [14]
* Cash Williams of the Drupal Security Team [15]
* Pere Orga of the Drupal Security Team [16]
* David Snopek of the Drupal Security Team [17]
* Heine Deelstra of the Drupal Security Team

*Full config export can be downloaded without administrative permissions *
* Nathaniel Catchpole of the Drupal Security Team [18]
* Alex Pott of the Drupal Security Team [19]
* Anton Shubkin [20]
* xjm of the Drupal Security Team [21]
* Peter Wolanin of the Drupal Security Team [22]

——– COORDINATED BY
——————————————————

The Drupal Security Team [23]

——– CONTACT AND MORE INFORMATION
—————————————-

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [24].

Learn more about the Drupal Security team and their policies [25], writing
secure code for Drupal [26], and securing your site [27].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [28]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://www.drupal.org/u/q2u
[5] https://www.drupal.org/u/kierheyl
[6] https://www.drupal.org/user/556138
[7] https://www.drupal.org/user/1060446
[8] http://www.drupal.org/u/larowlan
[9] https://www.drupal.org/u/stefanr-0
[10] https://www.drupal.org/user/118908
[11] https://www.drupal.org/user/99340
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/99340
[14] https://www.drupal.org/user/157725
[15] https://www.drupal.org/user/421070
[16] https://www.drupal.org/u/pere-orga
[17] https://www.drupal.org/u/dsnopek
[18] https://www.drupal.org/u/catch
[19] https://www.drupal.org/user/157725
[20] https://www.drupal.org/user/1060446
[21] https://www.drupal.org/user/65776
[22] https://www.drupal.org/user/49851
[23] https://www.drupal.org/security-team
[24] https://www.drupal.org/contact
[25] https://www.drupal.org/security-team
[26] https://www.drupal.org/writing-secure-code
[27] https://www.drupal.org/security/secure-configuration
[28] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news