See https://www.drupal.org/sa-contrib-2018-063

This vulnerability has a lower risk in Drupal 6 than in Drupal 7. This is because, in Drupal 6, you can't pass shell commands to execute via the HTTP Basic Auth username/password. An attacker needs to either (1) have an admin permission that lets them put those commands into Drupal variables, or (2) have permission to put <script> in nodes while also using the dompdf generation tool.
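The bug class the summary describes (attacker-influenced strings, such as Basic Auth credentials or a tool path stored in a Drupal variable, being interpolated into a shell command line) is shown below as an added example. It is not code from the Print module, this patch, or Drupal core; the function names, flags and sample values are hypothetical and chosen only to illustrate the vulnerable pattern beside its hardened form.

```php
<?php
// Added example (not code from the Print module, this patch, or Drupal core).
// Function names and command-line flags here are hypothetical; they only
// illustrate attacker-controlled strings reaching a shell command line.

// Vulnerable pattern: credentials and the URL are interpolated into a
// double-quoted command string. Anything the shell treats specially in
// $user or $pass ($(...), backticks, ;, |) is interpreted, not passed along.
function build_pdf_command_unsafe($tool, $user, $pass, $url, $output) {
  return "$tool --username $user --password $pass $url $output";
}

// Hardened pattern: every value an attacker (or a privileged user editing a
// variable) could influence is wrapped in escapeshellarg(), which single-quotes
// it and escapes embedded quotes, so the shell sees one literal argument each.
function build_pdf_command_safe($tool, $user, $pass, $url, $output) {
  return escapeshellarg($tool)
    . ' --username ' . escapeshellarg($user)
    . ' --password ' . escapeshellarg($pass)
    . ' ' . escapeshellarg($url)
    . ' ' . escapeshellarg($output);
}

// Constructed demonstration input (not from a real site). In a real module
// $user/$pass would come from $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'],
// and $tool from a site variable that only an administrator can set.
$tool = '/usr/local/bin/pdftool';            // hypothetical tool path
$user = 'bob';
$pass = '$(id > /tmp/injected)';             // command substitution payload
$url  = 'http://example.com/node/1';
$out  = '/tmp/node-1.pdf';

echo "UNSAFE: " . build_pdf_command_unsafe($tool, $user, $pass, $url, $out) . "\n";
// If this string were handed to exec()/shell_exec(), the shell would run
// `id > /tmp/injected` before the PDF tool even starts.

echo "SAFE:   " . build_pdf_command_safe($tool, $user, $pass, $url, $out) . "\n";
// Here --password '$(id > /tmp/injected)' is a single inert string argument.
```

escapeshellarg() stops the shell from interpreting the value, which is the whole of the Drupal 7 vector described above and also neutralises a command hidden in an admin-set tool path (the Drupal 6 variant). It does not stop option injection: a value beginning with `--` is still parsed by the invoked tool as a flag, so credentials and paths should additionally be validated (for example, rejected when they start with `-`) before being placed on a command line.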


Comments

dsnopek created an issue. See original summary.

dsnopek

Status: Active » Needs review

Updated the issue summary about risk.

And patch is attached for review!

dsnopek

Status: Needs review » Fixed

Committed to d6lts repo

dsnopek

Status: Fixed » Needs review

An error was found in this patch, which actually fails to prevent part of the security issue. Here's an updated patch and interdiff.

FYI, this part of the security issue (and really the D6 variant of the issue in general) is only exploitable by folks who have the 'administer print' permission, which should only be trusted users anyway.

dsnopek

Status: Needs review » Fixed

Committed to repo!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.