SECURITY UPDATE: Islandora Scholar - Moderately Critical


Daniel Lamb

Jun 14, 2017, 4:59:02 PM
to isla...@googlegroups.com, island...@googlegroups.com

SECURITY UPDATE: Islandora Scholar - Moderately Critical

  • Advisory ID: ISLANDORA-2017-01

  • Project: Islandora Scholar (core module)

  • Version: 7.x

  • Date: 2017-Jun-14

  • Security risk: 14/25 (Moderately critical)
    AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon

--- DESCRIPTION ---

Islandora Scholar is a solution pack providing (among other features) content models for Theses and Citations, and derivatives for attached PDF files.

The Islandora Scholar module provides an opportunity for arbitrary system code execution from the admin pages. The permission required to access these pages is ‘access administration pages’ which is not marked as a trusted permission with security implications. All other modules that provide comparable administration pages require the trusted permission ‘administer site configuration’.

--- VERSIONS AFFECTED ---

  • Islandora Scholar versions prior to 7.x-1.10

Islandora core is not affected. If you have not enabled the Islandora Scholar module, then there is nothing you need to do.

--- SOLUTION ---

  • All versions of Islandora Scholar, from 7.x-1.3 through 7.x-1.9, as well as the 7.x-dev branch, have been patched. Security patch releases have been tagged for each previous release. Sites implementing the Scholar module are urged to either download the appropriate security patch release from GitHub or pull the latest commit for their specific branch immediately.

    • To download the release from GitHub, visit the scholar release page and download the .zip or .tar.gz file for the patch release that corresponds to the release you are currently using.
    • To pull the latest commit, on a release branch or on head for islandora/islandora_scholar, execute the following command:

      • `git pull`

  • After doing so, sites will need to re-configure permissions so that users who need to be able to administer site-wide configuration for the Scholar module have the appropriate roles. Bear in mind the caveat for the “Administer Site Configuration” permission - it should only be given to trusted roles.

--- COORDINATED BY ---

Islandora Security Response Team

--- FIXED BY ---

  • Daniel Aitken

  • Rosie Le Faive

  • Daniel Lamb

  • Jordan Dukart

  • Don Richards

--- CONTACT AND MORE INFORMATION ---

Islandora security response team can be reached at security at islandora dot ca.
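The weakness the advisory describes is a Drupal 7 administration page whose router entry is gated by the untrusted ‘access administration pages’ permission rather than ‘administer site configuration’. The following stand-alone PHP script is an added example, not Islandora Scholar's own code: the module name, the admin path and the form callback are hypothetical, the router arrays follow Drupal 7's hook_menu() shape, and the permission names are Drupal 7 core's. It shows the weak entry beside the corrected one and a small audit function that flags any admin/ path not gated by a trusted permission, which is the check a site maintainer would want to run over their own modules' hook_menu() output after applying the patch.

```php
<?php
// Added example, not Islandora Scholar's code. Module name, path and callback
// names are hypothetical; permission names are Drupal 7 core's.
//
// In Drupal 7 a hook_menu() item is gated by its 'access arguments', which
// the default access callback user_access() checks as a permission name.
// Core flags 'administer site configuration' with 'restrict access' => TRUE
// (shown to admins as "give to trusted roles only"); 'access administration
// pages' carries no such flag, which is why it must not gate a page that can
// run code.

// Permissions this audit treats as trusted (a constructed subset of the
// permissions Drupal 7 core flags with 'restrict access' => TRUE).
const TRUSTED_PERMISSIONS = [
  'administer site configuration',
  'administer permissions',
  'administer modules',
];

/**
 * Hypothetical router entries mirroring the weakness: the admin page is
 * reachable with only 'access administration pages'.
 */
function example_scholar_menu_before() {
  return [
    'admin/islandora/solution_pack_config/example_scholar' => [
      'title' => 'Example Scholar settings',
      'page callback' => 'drupal_get_form',
      'page arguments' => ['example_scholar_admin_form'],
      'access arguments' => ['access administration pages'],
    ],
  ];
}

/**
 * The same entries after the fix: the trusted permission gates the page.
 */
function example_scholar_menu_after() {
  $items = example_scholar_menu_before();
  $items['admin/islandora/solution_pack_config/example_scholar']['access arguments']
    = ['administer site configuration'];
  return $items;
}

/**
 * Audit a hook_menu() array. Returns [path => reason] for every admin/ path
 * that is not demonstrably gated by at least one trusted permission.
 */
function audit_admin_menu_items(array $items, array $trusted = TRUSTED_PERMISSIONS) {
  $findings = [];
  foreach ($items as $path => $item) {
    if (strpos($path, 'admin/') !== 0) {
      continue;  // only administrative paths are in scope here
    }
    $callback = $item['access callback'] ?? 'user_access';
    if ($callback !== 'user_access') {
      // A custom access callback may or may not check a trusted permission;
      // the audit cannot decide, so it is flagged for manual review.
      $findings[$path] = 'non-default access callback, review manually';
      continue;
    }
    $perms = $item['access arguments'] ?? [];
    if (empty($perms)) {
      // No explicit permission: access is inherited from the parent item.
      $findings[$path] = 'no access arguments (inherits parent access), review manually';
      continue;
    }
    if (!array_intersect($perms, $trusted)) {
      $findings[$path] = 'gated only by: ' . implode(', ', $perms);
    }
  }
  return $findings;
}

// Run the audit over both router definitions.
echo "Before the fix:\n";
print_r(audit_admin_menu_items(example_scholar_menu_before()));
echo "After the fix:\n";
print_r(audit_admin_menu_items(example_scholar_menu_after()));
```

Run it with the PHP command-line interpreter; no Drupal installation is needed because the router arrays are constructed inline. The audit deliberately does not try to judge custom access callbacks or inherited access, since both need a human to read the code, and it treats the remediation in the advisory as two steps: the router entry must name the trusted permission, and that permission must then be granted only to trusted roles.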

Mark Jordan

Jun 14, 2017, 5:09:11 PM
to island...@googlegroups.com, isla...@googlegroups.com
Nice work, Security Response Team,

Mark