Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-January-09
Vulnerability:
Access bypass
Description:
Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform.
This module doesn't sufficiently shield multi-site installations or the PHP source code.
This vulnerability is mitigated by the fact that the server must be using Apache. For multi-site installations, the server must host multiple sites on a common platform. Additionally an attacker must have a knowledge about used filenames and the server.
Solution:
Install the latest version:
- If you use Aegir hosting system, upgrade to Provision 7.x-3.170
Also see the Provision project page.
Reported By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Cash Williams of the Drupal Security Team
