The files in hybridauth/examples/ are vulnerable to a variety of security attacks that could compromise a Drupal site.

It would be ideal if this module had a hook_requirements implementation to look for those files and create a warning if they are found.

For example, see plupload.install line 47.
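As an added illustration of the check the issue asks for (this is not the hybridauth module's own code, nor the plupload.install code it references), the following Drupal 7 `hook_requirements()` implementation looks for the library's `examples/` directory and raises a warning on the status report when it exists. It assumes the library is installed under `sites/all/libraries/hybridauth`, using `libraries_get_path()` when the Libraries API module is available; the requirement key and message text are ours.

```php
<?php
/**
 * @file
 * Added example: a hook_requirements() implementation (Drupal 7) that warns
 * when the HybridAuth library's examples/ directory is present. Not the
 * hybridauth module's own code. Assumes the library lives in
 * sites/all/libraries/hybridauth unless Libraries API reports otherwise.
 */

/**
 * Implements hook_requirements().
 *
 * Placed in hybridauth.install, the Drupal naming convention makes this
 * MODULENAME_requirements(); the body is illustrative.
 */
function hybridauth_requirements($phase) {
  $requirements = array();
  // get_t() returns a working translation function even during install,
  // when t() may not yet be available.
  $t = get_t();

  // The library may not be in place at install time, so only check at
  // runtime (the status report page).
  if ($phase != 'runtime') {
    return $requirements;
  }

  // Assumed default location; Libraries API overrides it when present.
  $library_path = 'sites/all/libraries/hybridauth';
  if (function_exists('libraries_get_path')) {
    $detected = libraries_get_path('hybridauth');
    if ($detected) {
      $library_path = $detected;
    }
  }
  $examples_dir = DRUPAL_ROOT . '/' . $library_path . '/examples';

  if (is_dir($examples_dir)) {
    // Warning severity is enough to surface it on the status report and in
    // update notices without blocking the install.
    $requirements['hybridauth_examples'] = array(
      'title' => $t('HybridAuth examples directory'),
      'value' => $t('Present'),
      'severity' => REQUIREMENT_WARNING,
      'description' => $t('The HybridAuth library examples directory (%dir) exists. Its sample scripts are not needed by the module and should be deleted from the web root.', array('%dir' => $examples_dir)),
    );
  }
  else {
    $requirements['hybridauth_examples'] = array(
      'title' => $t('HybridAuth examples directory'),
      'value' => $t('Not present'),
      'severity' => REQUIREMENT_OK,
    );
  }

  return $requirements;
}
```

Because `hook_requirements()` runs on every status report load, the check is a single `is_dir()` call rather than a recursive scan; a site that relocates the library via Libraries API still gets the right path because `libraries_get_path()` is consulted first.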

Comments

greggles created an issue.

greggles:

BTW, I didn't find this issue, so don't give any credit to me for it. I've asked the hybridauth team if there is a CVE about this issue so that can be referenced in the hook_requirements message.

Also, I suggest creating a new release after adding this feature and making that new release a "security update" so that people are motivated to update to it. That way they will quickly find the examples folder and remove it to secure their site.

duozersk:

Greg,

Thank you for the report, will definitely do a patch... but what about a security release - shouldn't it then be first reported as a security issue? Because when you try to mark a release as a security update, it explicitly states that you should do so only if the Security Team is involved.

AndyB

duozersk:

Greg,

I have just checked - there is no examples directory in the HybridAuth library downloads anymore... looks like they have removed it from the releases.

For reference - https://github.com/hybridauth/hybridauth/issues/302

AndyB

greggles:

Since this code is not hosted on drupal.org we don't do a security advisory and it's OK to publish this issue in the public.

But it would be good to mark it as a 'security update' on the release node so that update.module can alert people to take action.

That's a compromise we can make to achieve as few "security advisory" emails as possible while still alerting interested users of this module about a release that can help them be more secure.

lyonyang:

Would like to be credited. :)

greggles:

Great, thanks lyon.yang.s! BTW, not sure if it's intentional but your username visible to the world is currently your full email address. That can be changed to something shorter if you like ;)