Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072
Project: Localization update
Date: 2019-October-02
Security risk: Moderately critical 10∕25
Vulnerability: Insecure server configuration
Description
This module enables you to automatically download and update the site's interface translations by fetching them from localize.drupal.org or any other Localization server.
The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which may be writeable to be protected by a .htaccess file to prevent malicious PHP files placed within them being executed by the webserver. This vulnerability is mitigated by the fact that an attacker typically wouldn't be able to place a malicious file in the module's storage directory.
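A defender-side check for the condition described above, as an added example that is not part of the advisory or the module's code: it reports whether a directory carries a .htaccess that stops Apache from executing PHP placed in it. The directory path is supplied by the caller, the matched directives are the ones Drupal core writes into its own files directories, and Apache with AllowOverride enabled is assumed.

```shell
#!/bin/sh
# Added example: audit a web-writable directory for PHP-execution protection.
# Assumes Apache with AllowOverride enabled; .htaccess has no effect elsewhere.

# Returns 0 = protective .htaccess, 1 = no .htaccess, 2 = no protective directive.
check_htaccess() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    # Strip comments first so a commented-out directive does not count.
    sed 's/#.*//' "$ht" | grep -Eiq \
'^[[:space:]]*(SetHandler[[:space:]]+Drupal_Security_Do_Not_Remove|php_flag[[:space:]]+engine[[:space:]]+off|Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' \
        && return 0
    return 2
}

# Prints how many files with a PHP-handled extension sit under the directory.
count_scripts() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) |
        wc -l | tr -d ' '
}

audit_dir() {
    rc=0
    check_htaccess "$1" || rc=$?
    case $rc in
        0) echo "OK:   $1 has a protective .htaccess" ;;
        1) echo "FAIL: $1 has no .htaccess" ;;
        2) echo "FAIL: $1/.htaccess does not block PHP execution" ;;
    esac
    n=$(count_scripts "$1")
    [ "$n" -eq 0 ] || echo "WARN: $n PHP-type file(s) under $1"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    audit_dir "$1"                      # real use: pass the translations directory
else
    demo=$(mktemp -d)                   # constructed sample directory
    audit_dir "$demo" || true           # no .htaccess yet, reports FAIL
    printf '%s\n' 'Options None' \
        'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' > "$demo/.htaccess"
    audit_dir "$demo"                   # now reports OK
    rm -rf "$demo"
fi
```

Run it against the translation storage directory before and after upgrading; a non-zero exit status means the directory is still unprotected.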
Solution
Install the latest version:
If you use the Localization Update module for Drupal 7.x-1.x, upgrade to Localization Update 7.x-1.2
If you use the Localization Update module for Drupal 7.x-2.x, upgrade to Localization Update 7.x-2.3
Also see the Localization update project page.