Aegir - Moderately Critical - Code Execution Prevention - SA-CONTRIB-2015-113

The Aegir Hosting System enables you to deploy and manage Drupal sites.

When writing Apache vhost files for hosted sites on a common platform (multi-site), Aegir doesn’t block execution of code uploaded to another site on the same platform.

This vulnerability is mitigated by the fact that an attacker must already have compromised another site, on the same multi-site install, sufficiently to upload executable code to its files directory.

CVE identifier(s) issued

• CVE-2015-5501

Versions affected

• Aegir Hosting System 6.x-2.x versions prior to 6.x-2.4.
• Aegir Hosting System 7.x-3.x versions prior to 7.x-3.0-beta2.

Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) distribution,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the Aegir Hosting System for Drupal 6.x, upgrade to Aegir 6.x-2.4
• If you use the Aegir Hosting System for Drupal 7.x, upgrade to Aegir 7.x-3.0-beta2

After installation you need to run a verify task on all hosted sites. The easiest method is to use the Views Bulk Operations on the hosting/sites page.

Also see the Hostmaster (Aegir) project page.

Reported by

• Gaël Gosset

Fixed by

• Herman van Rink, a maintainer of the Aegir Hosting System.

Coordinated by

• Michael Hess of the Drupal Security Team