Bug 1020777 - (CVE-2013-4445, CVE-2013-4446) CVE-2013-4445 CVE-2013-4446 drupal-context: multiple vulnerabilities
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
impact=important,public=20131016,repo...
: Security
Depends On: 1020780 1020781 1020783 1020784 1020785
Reported: 2013-10-18 05:25 EDT by Ratul Gupta
Modified: 2015-08-06 13:32 EDT

Doc Type: Bug Fix
Last Closed: 2014-03-06 23:19:48 EST
Description Ratul Gupta 2013-10-18 05:25:49 EDT
Context, a Drupal module that allows you to manage contextual conditions and reactions for different portions of your site, was found to have two severe security issues.

The first issue is that the module allows execution of PHP code via manipulation of a URL argument in a path used for AJAX operations when running in a configuration without a json_decode function provided by PHP or the PECL JSON library. The vulnerability is

This vulnerability is only exploitable on a server running a PHP version prior to 5.2 that does not have the json library installed.

The second issue is that the module uses Drupal's token scheme to restrict access to the JSON rendering of a block. This control mechanism is insufficient, as Drupal's token scheme is designed to provide security between two different sessions (or a session and a non-authenticated user) and is not designed to provide security within a session. The vulnerability is mitigated by needing blocks that have sensitive information.

The suggested fix is to update Drupal6-context to 6.x-3.2 and Drupal7-context to 7.x-3.0.

References:
http://seclists.org/fulldisclosure/2013/Oct/118
https://drupal.org/node/2113317
Comment 2 Ratul Gupta 2013-10-18 05:28:53 EDT
Created drupal6-context tracking bugs for this issue:

Affects: fedora-all [bug 1020780]
Affects: epel-6 [bug 1020783]
Comment 3 Ratul Gupta 2013-10-18 05:29:03 EDT
Created drupal7-context tracking bugs for this issue:

Affects: fedora-all [bug 1020781]
Affects: epel-all [bug 1020784]
Comment 4 Fedora Update System 2013-11-12 21:01:19 EST
drupal7-context-3.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-11-20 23:38:44 EST
drupal7-context-3.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-11-20 23:41:08 EST
drupal7-context-3.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-11-30 21:51:00 EST
drupal7-context-3.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-11-30 21:51:56 EST
drupal7-context-3.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Peter Borsa 2013-12-02 05:14:21 EST
It has been updated, but one issue is left. However, I cannot see it because I get "access denied".

https://bugzilla.redhat.com/show_bug.cgi?id=1020785

Should I do anything else?
Comment 11 Shawn Iwinski 2014-03-06 16:07:29 EST
All dependent bugs are closed.  Should the owners of the packages close this bug or should you close it?
