Skip directly to content

Feed aggregator

SA-CONTRIB-2014-128 - Organic Groups Menu - Access bypass

Drupal Contrib Security Announcements - Wed, 12/17/2014 - 19:57
Description

This module enables you to associate menus with Organic Groups (OG). It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc.

The module doesn't sufficiently check the menu parameters passed in the path, creating an access bypass vulnerability allowing an attacker to edit or delete any menu link on the site. There is also an information disclosure vulnerability of menu info.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer og menu".

This handles the same issue as SA-CONTRIB-2014-125, but due to a mistake made in tagging the release, the fix did not get included.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.6
  • Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.4

Organic Groups Menu (OG Menu) 7.x-3.0 and later versions are not affected.

Drupal core is not affected. If you do not use the contributed OG Menu module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the OG Menu module for Drupal 6.x, upgrade to OG Menu 6.x-2.6
  • If you use the OG Menu module for Drupal 7.x and the OG module 7.x-1.x, upgrade to OG Menu 7.x-2.4
  • If you use the OG Menu module for Drupal 7.x and the OG module 7.x-2.x, no action is needed.

Also see the OG Menu project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/17/2014 - 18:57
Description

School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system.

The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with the permission to create or edit a class node.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • School Administration 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-126 - Open Atrium - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 12/17/2014 - 18:09
Description

This distribution enables you to create an intranet.

Several of the sub modules included do not prevent CSRF on several menu callbacks.

Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with "access content" to update and delete nodes.

Also, (alpha) module OG Subgroups contained a vulnerability that allowed access to child groups even if membership inheritance was disabled.

The vulnerabilities are mitigated by needing the sub modules enabled -- Open Atrium Sitemap, Open Atrium Discussion, and OpenA trium Admin Role and OA Teams, modules bundled with of Open Atrium Core.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Open Atrium 7.x-2.x versions prior to 7.x-2.26

Drupal core is not affected. If you do not use the contributed Open Atrium module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Atrium project page.

Reported by Fixed by
  • Hunter Fox of the Drupal Security Team & an Open Atrium maintainer
Coordinated by
  • Hunter Fox of the Drupal Security Team & an Open Atrium maintainer
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-125 - Organic Groups Menu - Access bypass

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 20:08
Description

This module enables you to associate menus with Organic Groups (OG). It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc.

The module doesn't sufficiently check the menu parameters passed in the path, creating an access bypass vulnerability allowing an attacker to edit or delete any menu link on the site. There is also an information disclosure vulnerability of menu info.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer og menu".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.5.
  • Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.3.
  • Organic Groups Menu (OG Menu) 7.x-3.x versions prior to 7.x-3.0

Drupal core is not affected. If you do not use the contributed OG Menu module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the OG Menu module for Drupal 6.x, upgrade to OG Menu 6.x-2.5
  • If you use the OG Menu module for Drupal 7.x and the OG module 7.x-1.x, upgrade to OG Menu 7.x-2.3
  • If you use the OG Menu module for Drupal 7.x, and the OG module 7.x-2.x upgrade to OG Menu 7.x-3.0

Also see the OG Menu project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-124 - Poll Chart - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 20:05
Description

This module enables users to have a block displaying the result of the last poll as a chart.

The module doesn't sufficiently sanitize poll node titles when displaying the block.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create polls and the poll chart block must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • poll_chart 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Poll Chart Block module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Poll Chart Block project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-123 - Postal Code - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 18:38
Description

The Postal Code module enables you to implement postal code validation for several countries.

The module doesn't sufficiently sanitize certain data in the admin thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with a permission that allows adding or editing fields to entity types such as "administer taxonomy terms" or "administer content types".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Postal Code 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Postal Code module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Postal Code project page.

Reported by
  • Matt Vance (provisional member of the Drupal Security Team)
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-122 - MoIP - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 18:28
Description

This module enables you to use Moip (a Brazilian payment method) with Drupal Commerce.

The module doesn't sufficiently filter the data passed by the automatic notifications, leaving the possibility for a malicious user to insert Cross Site Scripting (xss) attacks.

This vulnerability is mitigated by the fact that only sites running the dblog module are affected (this module is enabled by default).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Moip 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed MoIP module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Moip module for Drupal 7.x, upgrade to Moip 7.x-1.4

Also see the MoIP project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-121 - Godwin's Law - Cross-Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 18:20
Description

This module enables you to execute arbitrary Javascript by adding the script to the title of a node.

The module doesn't sufficiently sanitize Watchdog messages when viewing the detail view of a specific Watchdog notification. It improperly translated the message rather than using proper Watchdog message syntax.

This vulnerability is mitigated by the fact that an attacker must have a role allowing them to create nodes or edit the title of an existing node. It is further mitigated in that the script is only executed by admins when viewing a Watchdog notice when using dblog module (syslog users are not affected).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Godwin's Law 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Godwin's Law module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Godwin's Law project page.

Reported by Fixed by
  • tobby the module maintainer
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-120 - Piwik Web Analytics - Information disclosure

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 15:21
Description

This module enables you to integrate Drupal with Piwik Web Analytics.

The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on.

This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Piwik Web Analytics 7.x-2.6. Neither earlier nor later versions are affected.

Drupal core is not affected. If you do not use the contributed Piwik Web Analytics module,
there is nothing you need to do.

Solution

Install the latest version:

Affected sites are urged to generate a new hash salt and store it in settings.php.

Methods to generate a new hash salt
  • With drush:
    drush php-eval 'echo(drupal_random_key()) . "\n";'
  • With openssl:
    openssl rand -base64 32
How to replace the hash salt
  1. Open your settings.php file (e.g., sites/default/settings.php
  2. Locate the variable $drupal_hash_salt:
    <?php
    /**
     * Salt for one-time login links and cancel links, form tokens, etc.
     * [...]
     */
    $drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
    ?>
  3. Replace the value and safe the file
  4. Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing drush cache-clear all
Effects caused by replacing the hash salt
  • Passwort reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
  • Existing image style urls will stop working. A cache flush is necessary such that all <img> tags are updated.

If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.

Also see the Piwik Web Analytics project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-119 - Google Analytics - Information disclosure

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 15:09
Description

This module enables you to integrate Drupal with Google Analytics.

The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on.

This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Google Analytics 7.x-2.0. Neither earlier nor later versions are affected.

Drupal core is not affected. If you do not use the contributed Google Analytics module,
there is nothing you need to do.

Solution

Install the latest version:

Affected sites are urged to generate a new hash salt and store it in settings.php.

Methods to generate a new hash salt
  • With drush:
    drush php-eval 'echo(drupal_random_key()) . "\n";'
  • With openssl:
    openssl rand -base64 32
How to replace the hash salt
  1. Open your settings.php file (e.g., sites/default/settings.php
  2. Locate the variable $drupal_hash_salt:
    <?php
    /**
     * Salt for one-time login links and cancel links, form tokens, etc.
     * [...]
     */
    $drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
    ?>
  3. Replace the value and safe the file
  4. Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing drush cache-clear all
Effects caused by replacing the hash salt
  • Password reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
  • Existing image style urls will stop working. A cache flush is necessary such that all <img> tags are updated.

If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.

Also see the Google Analytics project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-118 - Administer Users by Role - Access Bypass - Unsupported

Drupal Contrib Security Announcements - Wed, 12/10/2014 - 15:03
Description

This module enables site builders to set up fine-grained permissions for allowing users to edit and delete other users.

The module doesn't sufficiently validate access permissions, enabling users who supposedly have limited permissions to grant themselves more permissions.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer users". While this is usually a permission only granted to trusted users the Administer Users by Role module intends to limit the permission so that users cannot elevate their own permissions, but it fails to do so in certain scenarios.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • administerusersbyrole 6.x - all versions

Drupal core is not affected. If you do not use the contributed Administer Users by Role module,
there is nothing you need to do.

Solution
  • If you use the administerusersbyrole module for Drupal 6.x, disable and uninstall the module

Also see the Administer Users by Role project page.

Reported by Fixed by

not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-117 - Hierarchical Select - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 12/03/2014 - 18:30
Description

The Hierarchical Select module provides a "hierarchical_select" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to two Cross Site Scripting (XSS) vulnerabilities that may lead to a malicious user gaining full administrative access.

The first vulnerability is mitigated by the fact that the attacker must have a role with the "administer taxonomy" permission; specifically the attacker must be able to create or modify taxonomy terms and then modify the term title. Only Hierarchical Select field instances with the "Save term lineage" option enabled in the widget settings are vulnerable.

The second vulnerability is mitigated by the fact that an attacker must have a permission to administer fields on an entity type, for example the "administer taxonomy" permission to manage fields on taxonomy terms, the "administer users" permission to manage fields on users or the "administer content type" permission to manage fields on comments or nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Hierarchical Select 6.x versions prior to 6.x-3.9.

Drupal core is not affected. If you do not use the contributed Hierarchical Select module,
there is nothing you need to do.

Solution

Install the latest version:

After installing the latest version, clear all caches so that no malicious code will linger in any cached data.

Also see the Hierarchical Select project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-116 -Webform Invitation - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 12/03/2014 - 14:18
Description

This module enables you to create custom invitation codes for Webforms.

The module failed to sanitize node titles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Webform: Create new content", "Webform: Edit own content" and/or "Webform: Edit any content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Webform Invitation 7.x-1.x versions prior to 7.x-1.3.
  • Webform Invitation 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Webform Invitation module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Invitation project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-115 - Form Builder - Cross-Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 20:34
Description

The Form Builder module enables users to build entire Form API structures through a graphical, AJAX-like interface.

The module doesn't sufficiently sanitize form titles in some cases.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create forms in another module that depends on Form Builder, such as Survey Builder, Webform, or others.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Form Builder 7.x-1.x versions prior to 7.x-1.6.
  • Form Builder 6.x-1.x versions prior to 6.x-1.6.

Drupal core is not affected. If you do not use the contributed Form Builder module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Form Builder project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Matt Vance provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 20:11
Description

This project allows you to create various types of tournaments (as nodes) and associated teams, tournaments, and matches.

There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user.

It is possible to create nodes or entities containing XSS or usernames could be imported with XSS in the strings or created via an add-on module like LDAP or similar.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "Create new teams" or "Tournament: Create new content" or "Match: Create new content" or the ability to create users with an XSS payload in the usernames (Drupal core's input validation prevents XSS payloads in usernames).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Tournament 7.x-1.x any version

Drupal core is not affected. If you do not use the contributed Tournament module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Tournament project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 19:54
Description

This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users

See also: https://www.drupal.org/SA-CORE-2014-006

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Secure Password Hashes 6.x-2.x versions prior to 6.x-2.1.

Drupal core is not affected. If you do not use the contributed Secure Password Hashes module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Secure Password Hashes project page.

Reported by Fixed by
  • Peter Wolanin the module maintainer and Drupal Security Team member
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Drupal Core Security Announcements - Wed, 11/19/2014 - 18:21
Description Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.34.
  • Drupal core 7.x versions prior to 7.34.
Solution

Install the latest version:

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113

Also see the Drupal core project page.

Reported by

Session hijacking:

Denial of service:

Fixed by

Session hijacking:

Denial of service:

Coordinated by
  • The Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 18:06
Description

Node Field module allows you to add custom extra fields to single Drupal nodes.

The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Node Field 7.x-2.x versions prior to 7.x-2.45.

Drupal core is not affected. If you do not use the contributed Node Field module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Node Field project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-111 - Protected Pages - Password Protection Bypass

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 17:56
Description

Protected Pages modules allows the administrator to secure any page in your website by password by configuring a add path and the associated password.

The module did not sufficiently protect variations on the protected path.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Protected Pages 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Protected Pages module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Protected Pages project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-109 - Freelinking - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 11/12/2014 - 15:14
Description

The Freelinking module implements a filter framework for easier creation of HTML links to other pages on the site or to external sites.

The module does not sanitize the node title when providing a link to the node, opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the person creating the content containing the link must have a role that allows use of an unsafe text format (e.g. "Full HTML"), or the Freelinking filter must be placed after all text sanitizion filters (e.g. "Limit allowed HTML tags") in an otherwise safe text format (e.g. "Filtered HTML").

Please note that this vulnerability also existed the freelinking_nodetitle.inc in versions prior to 6.x-3.4 and 7.x-3.4, but this was patched in releases 6.x-3.4 and 7.x-3.4.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Freelinking 6.x-x.x versions prior to 6.x-3.5.
  • Freelinking 7.x-x.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed Freelinking module,
there is nothing you need to do.

Solution

Install the latest version:

Please note that the plugin freelinking_path.inc contains multible vulnerabilities and was removed in the releases 6.x-3.3 and 7.x-3.3. You should check to see if this file is still present, and if it is: Remove it from the plugin sub-directory before you install the latest version.

Also see the Freelinking project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Pages