SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Multiple vulnerabilities

This module provides a set of APIs and tools to improve the developer experience.

Access bypass in autocomplete (Drupal 7 only)

Among other many other things, CTools provides an autocomplete callback for finding entities by their titles or ID.

In CTools version 1.5, additional checks were created to defend against leaking titles for entities that the user doesn’t have access to. However, certain edge cases were found to leak this private data.

This vulnerability is mitigated by the fact that you must perform the autocomplete search on custom entities that don’t include an access query tag, or you must know the ID of the entity whose title you are trying to get.

Open redirect in confirmation pages (Drupal 6 and 7)

Also, CTools did not sanitize user provided URLs when processing confirmation delete pages, thereby exposing an open redirect attack vector.

This vulnerability is mitigated by the fact that a module using CTools must allow for users to insert a malicious external URL that is sent to the confirmation page.

CVE identifier(s) issued

• Access bypass: CVE-2015-4375 * Open redirect:CVE-2015-4398

Versions affected

• CTools 6.x-1.x versions prior to 6.x-1.12.
• CTools 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the CTools module for Drupal 6.x, upgrade to CTools 6.x-1.12
• If you use the CTools module for Drupal 7.x, upgrade to CTools 7.x-1.7

Also see the Chaos tool suite (ctools) project page.

Reported by

• Richard Thomas
• Pere Orga of the Drupal Security Team

Fixed by

• Jakob Perry, the module maintainer
• Richard Thomas

Coordinated by

• David Snopek of the Drupal Security Team
• Pere Orga of the Drupal Security Team