Aegir - Moderately Critical - Code Execution Prevention - SA-CONTRIB-2015-113

By Drupal Security Team on 20 May 2015 at 19:02 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2014-113
Project: Hostmaster (Aegir) (third-party module)
Version: 6.x, 7.x
Date: 2015-May-20
Security risk: 13/25 ( Moderately Critical) AC:Complex/A:Admin/CI:All/II:Some/E:Theoretical/TD:Default
Vulnerability: Arbitrary PHP code execution

Description

The Aegir Hosting System enables you to deploy and manage Drupal sites.

When writing Apache vhost files for hosted sites on a common platform (multi-site), Aegir doesn't block execution of code uploaded to another site on the same platform.

This vulnerability is mitigated by the fact that an attacker must already have compromised another site, on the same multi-site install, sufficiently to upload executable code to its files directory.

CVE identifier(s) issued

CVE-2015-5501

Versions affected

Aegir Hosting System 6.x-2.x versions prior to 6.x-2.4.
Aegir Hosting System 7.x-3.x versions prior to 7.x-3.0-beta2.

Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) distribution,
there is nothing you need to do.

Solution

Install the latest version:

If you use the Aegir Hosting System for Drupal 6.x, upgrade to Aegir 6.x-2.4
If you use the Aegir Hosting System for Drupal 7.x, upgrade to Aegir 7.x-3.0-beta2

After installation you need to run a verify task on all hosted sites. The easiest method is to use the Views Bulk Operations on the hosting/sites page.

Also see the Hostmaster (Aegir) project page.