  • Advisory ID: DRUPAL-SA-CONTRIB-2014-023
  • Project: Project Issue File Review (third-party module)
  • Version: 6.x
  • Date: 2014-February-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

The Project Issue File Review (PIFR) module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development.

Two scenarios were identified where the module does not sufficiently sanitize user-provided input, exposing the 'server' component of the module to cross-site scripting vulnerabilities.

The first scenario is mitigated by the fact that an attacker must have a role with the 'manage PIFR environments' administrative permission.

The second scenario is mitigated by the fact that an attacker must be able to submit for testing a patch specially crafted to exploit the vulnerability on the PIFR testing environment, have that test run successfully on a PIFR client, and have the client report the test results back to the PIFR server component.

As one common purpose of this module is to provide validation and testing of user-supplied patches, users of the PIFR module should always consider the 'PIFR client' component of this module as insecure and untrusted, by design. The 'PIFR client' component should always be maintained in a separate network environment, isolated from the 'PIFR server' component or other critical infrastructure.

There have been no known exploits of this vulnerability observed or reported on any servers running the PIFR module, including those within Drupal.org's automated testing environment.

CVE identifier(s) issued

  • CVE-2014-8765

Versions affected

  • Project_Issue_File_Review 6.x-2.x versions prior to 6.x-2.17.

Drupal core is not affected. If you do not use the contributed Project Issue File Review module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the PIFR module for Drupal 6.x, upgrade to Project Issue File Review 6.x-2.17. Be sure to review and consider the associated release notes for all intermediate releases when upgrading.

Also see the Project Issue File Review project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity