- Issue created by @tedbow
The name of the temporary staging directory and of the Composer home directory can be anticipated, since it is built only from the permanent site ID (the site UUID) of the Drupal instance. This allows adversaries with access to the temporary filesystem to create a directory with the same name, owned by the attacker, before the module creates it. Because the attacker owns that directory, they hold full file permissions on it and can delete and overwrite the stage directories and their contents with malicious code. This could be abused to execute code as the OS user running the PHP binary, which is often www-data on Apache and nginx installations, in order to backdoor the application.
Affected file:
automatic_updates/package_manager/src/PathLocator.php
Affected code:
  public function getStagingRoot(): string {
    // The directory name is derived solely from the site UUID, which never
    // changes, so the resulting path is predictable for a local attacker.
    $site_id = $this->configFactory->get('system.site')->get('uuid');
    return $this->fileSystem->getTempDirectory() . DIRECTORY_SEPARATOR . '.package_manager' . $site_id;
  }
Additionally affected:
automatic_updates/package_manager/src/ProcessFactory.php::getComposerHomePath
To mitigate this issue, it is recommended to use a fresh name generated from a cryptographically secure random number generator with sufficient entropy when creating files within a temporary directory. While doing so, it is vital never to re-use an old name, which an attacker could have observed and logged beforehand. This prevents attackers from anticipating the generated directory name and from obtaining file permissions on any directory within the file path of the staging directory.
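The following is an added, standalone sketch of the recommended mitigation; it is not code from the automatic_updates module and has no Drupal dependencies. It assumes a hypothetical helper `createFreshStagingDir()` taking the temporary base directory, draws the name from PHP's CSPRNG (`random_bytes`), and relies on non-recursive `mkdir()` failing when the path already exists so that a directory planted by another local user is never adopted (the `posix` extension is assumed for the ownership check).

```php
<?php
// Added example of the mitigation described above (not the module's own code).
declare(strict_types=1);

/**
 * Creates a new, unpredictable staging directory below $tmpBase and returns
 * its path. A fresh name is drawn on every call, so old names are never reused.
 *
 * @throws RuntimeException if no fresh directory could be created safely.
 */
function createFreshStagingDir(string $tmpBase, int $attempts = 8): string {
  for ($i = 0; $i < $attempts; $i++) {
    // 16 random bytes (128 bits of entropy) -> 32 hex characters. The site
    // UUID is deliberately not part of the name.
    $name = '.package_manager-' . bin2hex(random_bytes(16));
    $path = $tmpBase . DIRECTORY_SEPARATOR . $name;

    // Non-recursive mkdir() fails if the path already exists, so a
    // pre-created directory is rejected rather than reused. Mode 0700 keeps
    // other local users out; the umask is cleared so the mode applies as is.
    $oldUmask = umask(0077);
    $created = @mkdir($path, 0700, false);
    umask($oldUmask);
    if (!$created) {
      continue; // Collision or race: draw another name.
    }

    // Belt and braces: what we just created must still be a real directory
    // owned by this process, not a symlink swapped in after mkdir().
    if (!is_link($path) && is_dir($path) && fileowner($path) === posix_geteuid()) {
      return $path;
    }
    throw new RuntimeException("Refusing to use suspicious path: $path");
  }
  throw new RuntimeException('Could not create a fresh staging directory');
}

// Usage: each call yields a different, attacker-unguessable directory.
$stage = createFreshStagingDir(sys_get_temp_dir());
```

The returned path should be kept only in memory for the duration of the operation, never written to configuration or state, since persisting it would make the name observable again.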
Status: Active
Version: 3.0
Component: Code