SECURITY UPDATE: Islandora Scholar - Moderately Critical
Advisory ID: ISLANDORA-2017-01
Project: Islandora Scholar (core module)
Version: 7.x
Date: 2017-Jun-14
Security risk: 14/25 (Moderately critical)
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
--- DESCRIPTION ---
Islandora Scholar is a solution pack that, among other features, provides content models for Theses and Citations and generates derivatives for attached PDF files.
The Islandora Scholar module's admin pages allow arbitrary system code execution. The permission required to reach these pages is ‘access administration pages’, which Drupal does not mark as a trusted permission with security implications. All other modules that provide comparable administration pages require the trusted permission ‘administer site configuration’.
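As an added illustration, not code from Islandora Scholar itself, the following hypothetical Drupal 7 module (the `example_scholar_admin` names and paths are invented) shows the weak and the hardened form of the menu entry that gates a settings page, and how a module-specific permission is flagged as trusted with 'restrict access' => TRUE.

```php
<?php
// Hypothetical Drupal 7 module (not Islandora Scholar's code) illustrating
// the permission gate described in the advisory. All names are invented.

// Implements hook_permission(). 'restrict access' => TRUE flags the
// permission as security-sensitive, so the permissions UI warns before
// it is granted to a role.
function example_scholar_admin_permission() {
  return array(
    'administer example scholar' => array(
      'title' => t('Administer Example Scholar settings'),
      'restrict access' => TRUE,
    ),
  );
}

// Implements hook_menu().
function example_scholar_admin_menu() {
  $items = array();

  // WEAK: 'access administration pages' is not a restricted permission; it
  // only lets a role see the admin index, yet here it is the sole check
  // between that role and a page whose settings can run system code.
  $items['admin/islandora/example-scholar/weak'] = array(
    'title' => 'Example Scholar (weak gate)',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_scholar_admin_settings_form'),
    'access arguments' => array('access administration pages'),
  );

  // HARDENED: gate on a restricted permission, either core's
  // 'administer site configuration' (what comparable admin pages use)
  // or the module-specific permission declared above.
  $items['admin/islandora/example-scholar'] = array(
    'title' => 'Example Scholar',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_scholar_admin_settings_form'),
    'access arguments' => array('administer site configuration'),
  );

  return $items;
}

// Settings form shared by both entries; only the menu access check differs.
function example_scholar_admin_settings_form($form, &$form_state) {
  return system_settings_form($form);
}
```

Auditing a site for this class of issue means listing every `admin/*` router entry whose only access argument is 'access administration pages' and checking which roles hold that permission.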
--- VERSIONS AFFECTED ---
Islandora Scholar versions prior to 7.x-1.10
Islandora core is not affected. If you have not enabled the Islandora Scholar module, then there is nothing you need to do.
--- SOLUTION ---
All versions of Islandora Scholar, from 7.x-1.3 through 7.x-1.9, as well as the 7.x-dev branch, have been patched. Security patch releases have been tagged for each previous release. Sites implementing the Scholar module are urged to either download the appropriate security patch release from GitHub or pull the latest commit for their specific branch immediately.
To pull the latest commit, on a release branch or on head for islandora/islandora_scholar, execute the following command:
`git pull`
After doing so, sites will need to re-configure permissions so that users who need to be able to administer site-wide configuration for the Scholar module have the appropriate roles. Bear in mind the caveat for the “Administer Site Configuration” permission - it should only be given to trusted roles.
--- COORDINATED BY ---
Islandora Security Response Team
--- FIXED BY ---
Daniel Aitken
Rosie Le Faive
Daniel Lamb
Jordan Dukart
Don Richards
--- CONTACT AND MORE INFORMATION ---
Islandora security response team can be reached at security at islandora dot ca.
You received this message because you are subscribed to the Google Groups "islandora-dev" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/islandora-dev/7bff0ba5-e99f-a6de-fb91-d0058bc36adf%40islandora.ca.