
Feed aggregator

Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129

Drupal Contrib Security Announcements - Wed, 06/24/2015 - 17:02
Description

Shibboleth authentication module allows users to log in and get permissions based on federated (SAML2) authentication.

The module didn't filter the text that is displayed as a login link.

This vulnerability was mitigated by the fact that an attacker must have a role with the "Administer blocks" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Shibboleth authentication 6.x-4.x versions prior to 6.x-4.2.
  • Shibboleth authentication 7.x-4.x versions prior to 7.x-4.2.

Drupal core is not affected. If you do not use the contributed Shibboleth authentication module, there is nothing you need to do.

Solution

Also see the Shibboleth authentication project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

me aliases - Moderately Critical - Access Bypass - SA-CONTRIB-2015-128

Drupal Contrib Security Announcements - Wed, 06/24/2015 - 15:06
Description

The 'me aliases' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

The view user argument handler for the 'me' module has an access bypass vulnerability where it does not check the supplied argument against the current user. This allows any user to access the content served by the view by substituting 'me' in the URL with a user id even when they don't have permission to access the content.

This only affects Views which use the Views 'me' user argument handler.
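The missing check described above, as an added example that is not the me aliases module's code: a constructed in-memory "tracker" view stands in for a Drupal View, and the records, uids and the `can_view_others` permission flag are made up. The unchecked resolver reproduces the advisory's behaviour (any literal uid substituted for 'me' is honoured); the checked resolver only honours a literal uid when it is the caller's own or the caller may view other users' content.

```python
"""Resolving the Views 'me' user argument: vulnerable vs. checked (added example)."""

from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class User:
    uid: int
    can_view_others: bool   # stands in for a "view other users' content" permission

# Constructed tracker records: (uid of owner, title)
RECORDS = [(7, "Alice's draft"), (7, "Alice's report"), (9, "Bob's notes")]

def resolve_user_argument_unchecked(arg: str, current: User) -> Optional[int]:
    """Vulnerable behaviour: 'me' becomes the current uid, but any literal uid
    is accepted as-is, so replacing 'me' in the URL widens the query."""
    if arg == "me":
        return current.uid
    return int(arg) if arg.isdigit() else None

def resolve_user_argument(arg: str, current: User) -> Optional[int]:
    """Checked behaviour: a literal uid is honoured only if it is the caller's
    own uid or the caller may view other users' content; otherwise None (denied)."""
    if arg == "me":
        return current.uid
    if not arg.isdigit():
        return None
    uid = int(arg)
    if uid == current.uid or current.can_view_others:
        return uid
    return None

def run_tracker_view(arg: str, current: User, checked: bool = True) -> Optional[List[str]]:
    """Filter RECORDS on the resolved uid. None means the argument was rejected."""
    resolve = resolve_user_argument if checked else resolve_user_argument_unchecked
    uid = resolve(arg, current)
    if uid is None:
        return None
    return [title for owner, title in RECORDS if owner == uid]

if __name__ == "__main__":
    bob = User(uid=9, can_view_others=False)
    print("tracker/me    ->", run_tracker_view("me", bob))
    print("tracker/7 old ->", run_tracker_view("7", bob, checked=False))  # other user's records
    print("tracker/7 new ->", run_tracker_view("7", bob))                  # None: denied
```

The point of the checked resolver is that the argument is validated against the current user before the query runs; the View's own query never sees a uid the caller is not entitled to filter on.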

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • me aliases 7.x-1.x versions prior to 7.x-1.2
  • me aliases 6.x-2.x versions prior to 6.x-2.10

Drupal core is not affected. If you do not use the contributed me aliases module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the 'me aliases' module for Drupal 7.x, upgrade to me 7.x-1.2
  • If you use the 'me aliases' module for Drupal 6.x, upgrade to me 6.x-2.10

Also see the me aliases project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127

Drupal Contrib Security Announcements - Wed, 06/24/2015 - 14:55
Description

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.

The module allows account creation through social login when the configuration is set to allow user registration by administrators only.

This vulnerability is mitigated by the fact that a site must be configured to allow user registration by administrators only and that authenticated user accounts can access sensitive data that would otherwise not be shown to anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.13.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Content Construction Kit (CCK) - Less Critical - Open Redirect - SA-CONTRIB-2015-126

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 18:50
Description

The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser.

CCK uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

See also: SA-CORE-2015-002

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Content Construction Kit (CCK) 6.x-2.x versions prior to 6.x-2.10.

Drupal core is not affected. If you do not use the contributed Content Construction Kit (CCK) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Content Construction Kit (CCK) project page.

Reported by

Fixed by
  • Pere Orga of the Drupal Security Team
  • Neil Drumm, module maintainer and member of the Drupal Security Team

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Acquia Cloud Site Factory Connector - Less Critical - Open Redirect - SA-CONTRIB-2015-125

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 18:41
Description

Acquia Cloud Site Factory provides an environment and a robust set of tools that simplify management of many Drupal sites, allowing you to quickly deliver and manage any number of websites.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002).

Only sites with the Overlay module enabled are vulnerable.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Acquia Cloud Site Factory 7.x-1.x versions prior to 7.x-1.14

Drupal core is not affected. If you do not use the contributed Acquia Cloud Site Factory Connector module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Acquia Cloud Site Factory Connector project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-124

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 18:36
Description

The LABjs module integrates LABjs with Drupal for web performance optimization.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002).

Only sites with the Overlay module enabled are vulnerable.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • LABjs 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed LABjs module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the LABjs module for Drupal 7.x, upgrade to LABjs 7.x-1.7.

Also see the LABjs project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 18:33
Description

The jQuery Update module enables you to update jQuery on your site.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002).

Only sites with the Overlay module enabled are vulnerable.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • jQuery Update 7.x-2.x versions prior to 7.x-2.6

Drupal core is not affected. If you do not use the contributed jQuery Update module, there is nothing you need to do.

Solution

Install the latest version:

Also see the jQuery Update project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002

Drupal Core Security Announcements - Wed, 06/17/2015 - 16:12
Description

Impersonation (OpenID module - Drupal 6 and 7 - Critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).

Open redirect (Field UI module - Drupal 7 - Less critical)

The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed CCK module: SA-CONTRIB-2015-126

Open redirect (Overlay module - Drupal 7 - Less critical)

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

Information disclosure (Render cache system - Drupal 7 - Less critical)

On sites utilizing Drupal 7's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users.

This vulnerability is mitigated by the fact that render caching is not used in Drupal 7 core itself (it requires custom code or the contributed Render Cache module to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Drupal core).
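How a per-role render cache ends up serving user 1's view of the site to ordinary users, and why the two mitigations named above work, as an added example that is not Drupal's render cache code. The users, roles and nodes are constructed; `node_access()` imitates only the one Drupal rule that matters here, namely that uid 1 bypasses every access check.

```python
"""Per-role render cache poisoned by user 1 (added example, constructed data)."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class User:
    uid: int
    roles: FrozenSet[str]

@dataclass(frozen=True)
class Node:
    title: str
    private: bool      # only the 'editor' role may see private nodes

NODES = [Node("Public post", False), Node("Board minutes", True)]

def node_access(user: User, node: Node) -> bool:
    if user.uid == 1:          # Drupal's user 1 bypasses access checks
        return True
    return not node.private or "editor" in user.roles

def render_listing(user: User) -> str:
    """Render the node listing the way an access-checked renderer would."""
    return "\n".join(n.title for n in NODES if node_access(user, n))

class RoleRenderCache:
    """Caches rendered output keyed only by the viewer's role set."""

    def __init__(self, skip_uid1: bool):
        self.store: Dict[Tuple[str, ...], str] = {}
        self.skip_uid1 = skip_uid1   # the fix: never populate the cache from user 1

    def listing(self, user: User) -> str:
        key = tuple(sorted(user.roles))
        if key in self.store:
            return self.store[key]
        html = render_listing(user)
        if not (self.skip_uid1 and user.uid == 1):
            self.store[key] = html
        return html

def simulate(skip_uid1: bool, uid1_has_admin_role: bool = False) -> str:
    """User 1 browses the live site first, then an ordinary authenticated user;
    return what the ordinary user is served from the cache."""
    cache = RoleRenderCache(skip_uid1)
    uid1_roles = {"authenticated"} | ({"administrator"} if uid1_has_admin_role else set())
    cache.listing(User(1, frozenset(uid1_roles)))
    return cache.listing(User(42, frozenset({"authenticated"})))

if __name__ == "__main__":
    print("vulnerable cache:", repr(simulate(skip_uid1=False)))
    print("user 1 excluded :", repr(simulate(skip_uid1=True)))
    print("user 1 has admin:", repr(simulate(skip_uid1=False, uid1_has_admin_role=True)))
```

With the role set as the only cache key, user 1 and a plain authenticated user collide on the same entry, so whichever of them renders first decides what the other sees. Excluding user 1 from populating the cache closes the hole; giving user 1 an administrative role merely moves it to a key no ordinary user shares, which is the "limited exposure" the advisory describes.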

CVE identifier(s) issued
  • Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234
  • Open redirect (Field UI module - Drupal 7): CVE-2015-3232
  • Open redirect (Overlay module - Drupal 7): CVE-2015-3233
  • Information disclosure (Render cache system - Drupal 7): CVE-2015-3231
Versions affected
  • Drupal core 6.x versions prior to 6.36
  • Drupal core 7.x versions prior to 7.38
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Impersonation in the OpenID module:

Open redirect in the Field UI module:

Open redirect in the Overlay module:

Information disclosure in the render cache system:

Fixed by

Impersonation in the OpenID module:

Open redirect in the Field UI module:

Open redirect in the Overlay module:

Information disclosure in the render cache system:

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

Administration Views - Moderately Critical - Access Bypass - SA-CONTRIB-2015-122

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 15:58
Description

This module replaces administrative overview/listing pages with Views for improved usability.

When combined with other contributed or custom modules, the Administration Views module improperly grants users access to administration pages including the permissions page.

This vulnerability is mitigated by the fact that it does not appear in the module itself, but only when combined with select other custom or contributed modules.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Administration Views 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Administration Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Administration Views project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

The eXtensible Catalog (XC) Drupal Toolkit - Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-121

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 15:27
Description

The eXtensible Catalog Drupal Toolkit is a set of Drupal modules to harvest records of the XC Schema format from a Metadata Services Toolkit (MST).

The XC NCIP Provider module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "administer ncip providers" permission to alter NCIP providers by getting their browser to make a request to a specially-crafted URL.

This vulnerability is mitigated by the fact that only sites that have the XC NCIP Provider module enabled are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of The eXtensible Catalog (XC) Drupal Toolkit

Drupal core is not affected. If you do not use the contributed eXtensible Catalog (XC) Drupal Toolkit module, there is nothing you need to do.

Solution

If you use The eXtensible Catalog (XC) Drupal Toolkit you should uninstall it.

Also see the eXtensible Catalog (XC) Drupal Toolkit project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

Inline Entity Form - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 15:13
Description

The Inline Entity Form module provides a field widget for inline management (creation, modification, removal) of referenced entities.

The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit fields.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Inline Entity Form 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Inline Entity Form module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Inline Entity Form project page.

Reported by
  • Matt Vance, provisional member of the Drupal Security Team
Fixed by
  • Matt Vance, provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 14:48
Description

This module allows content-changes to be committed to Apache Solr in real-time.

The module doesn't check the status of an entity being indexed which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search site content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Apache Solr Real-Time 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Apache Solr Real-Time module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Apache Solr Real-Time project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

HTTP Strict Transport Security - Moderately Critical - Logical Error - SA-CONTRIB-2015-118

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 14:18
Description

The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security (HSTS) by setting the Strict-Transport-Security header on each page generated by Drupal.

HSTS module provides a configuration UI for the HSTS "include subdomains" directive, which indicates that the browser should apply the HSTS policy to all subdomains on the site's domain.

HSTS module did not implement the "include subdomains" directive correctly (it is misspelled as include_subdomains rather than includeSubDomains). As a result, the HSTS policy was not applied to subdomains as site administrators had expected.

This vulnerability is mitigated by the fact that only subdomains where HSTS was expected to be enabled are affected and an attacker would still need to execute a man-in-the-middle attack to exploit the issue.
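A header-level check for exactly this defect, as an added example that is not the HSTS module's code: it parses a Strict-Transport-Security value along the directive grammar of RFC 6797 (semicolon-separated directives, case-insensitive names) and reports an `include_subdomains` token as what it is, an unknown directive that browsers ignore, leaving subdomains uncovered. The sample header values are constructed.

```python
"""Audit a Strict-Transport-Security header value (added example)."""

from typing import Dict, List, Optional

# Directive names RFC 6797 defines; 'preload' is not in the RFC but is widely
# honoured, so it is treated as known. Anything else is ignored by browsers.
_KNOWN = {"max-age", "includesubdomains", "preload"}

def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Return lowercased directive name -> value (None for a bare directive)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives

def audit_hsts(value: str) -> List[str]:
    """Return findings; an empty list means the policy says what it appears to say."""
    findings: List[str] = []
    d = parse_hsts(value)
    if "max-age" not in d:
        findings.append("missing max-age: header is not a valid HSTS policy")
    elif not (d["max-age"] or "").isdigit():
        findings.append("max-age is not a non-negative integer")
    for name in d:
        if name in _KNOWN:
            continue
        # The SA-CONTRIB-2015-118 case: a near-miss spelling of includeSubDomains.
        if name.replace("_", "").replace("-", "") == "includesubdomains":
            findings.append(
                f"'{name}' is not the includeSubDomains directive; subdomains are NOT covered")
        else:
            findings.append(f"unknown directive '{name}' (ignored by browsers)")
    return findings

def subdomains_covered(value: str) -> bool:
    """True only if the header actually carries includeSubDomains."""
    return "includesubdomains" in parse_hsts(value)

if __name__ == "__main__":
    # Constructed: what the unfixed module emitted vs. the corrected header.
    for header in ("max-age=31536000; include_subdomains",
                   "max-age=31536000; includeSubDomains"):
        print(header, "->", audit_hsts(header) or "ok")
```

Run against the response headers of each hostname you expect to be protected, since the advisory's point is that the misspelling fails silently: the header is present, the `max-age` policy is enforced, and only the subdomain coverage an administrator believed was in place is missing.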

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • HSTS 7.x-1.x versions prior to 7.x-1.2.
  • HSTS 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed HTTP Strict Transport Security module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the HSTS module for Drupal 7.x, upgrade to HSTS 7.x-1.2
  • If you use the HSTS module for Drupal 6.x, upgrade to HSTS 6.x-1.1

Also see the HTTP Strict Transport Security project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117

Drupal Contrib Security Announcements - Wed, 06/03/2015 - 16:24
Description

This module enables you to add the Novalnet payment service provider to Drupal Commerce.

The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL.

This vulnerability is mitigated by the fact that the malicious request must come from a specific Novalnet IP address.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Novalnet Payment Module Drupal Commerce module

Drupal core is not affected. If you do not use the contributed Novalnet Payment Module Drupal Commerce module, there is nothing you need to do.

Solution

If you use the Novalnet Payment Module Drupal Commerce module you should uninstall it.

Also see the Novalnet Payment Module Drupal Commerce project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Novalnet Payment Module Ubercart - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-116

Drupal Contrib Security Announcements - Wed, 06/03/2015 - 16:22
Description

This module enables you to add the Novalnet payment service provider to Ubercart.

The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL.

This vulnerability is mitigated by the fact that the malicious request must come from a specific Novalnet IP address.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Novalnet Payment Module Ubercart module

Drupal core is not affected. If you do not use the contributed Novalnet Payment Module Ubercart module, there is nothing you need to do.

Solution

If you use the Novalnet Payment Module Ubercart module you should uninstall it.

Also see the Novalnet Payment Module Ubercart project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

Chamilo integration - Less Critical - Open Redirect - SA-CONTRIB-2015-115

Drupal Contrib Security Announcements - Wed, 05/27/2015 - 17:51
Description

Chamilo integration module integrates Drupal with Chamilo LMS.

The module has an Open Redirect vulnerability: it doesn't sufficiently check parameters passed in the URL. An attacker could trick users into visiting malicious sites without realizing it.
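The check that each of the open-redirect advisories on this page amounts to (the Chamilo integration case here, and the "destination" query parameter cases in CCK, SA-CONTRIB-2015-126, and the Field UI and Overlay items of SA-CORE-2015-002), as an added example that is none of those modules' code: a redirect target taken from the request is only followed if it is a path on the current site. The `destination` parameter name is Drupal's convention; the `safe_redirect_target` helper, its default landing path and the sample inputs are constructed for the example.

```python
"""Validate a request-supplied redirect target as a same-site path (added example)."""

from typing import Dict
from urllib.parse import unquote, urlsplit

def is_local_destination(destination: str) -> bool:
    """True only if `destination` is a path on this site: no scheme, no host,
    no protocol-relative '//' or '/\\' prefix, no control characters."""
    if not destination:
        return False
    # Decode once, as the server does, so an encoded '//' cannot slip past;
    # strip surrounding whitespace so a leading space cannot mask a prefix.
    d = unquote(destination).strip()
    if not d or any(ord(c) < 0x20 for c in d):
        return False
    parts = urlsplit(d)
    if parts.scheme or parts.netloc:
        return False      # http://..., //host/..., javascript:..., mailto:...
    if d.startswith(("//", "/\\", "\\")):
        return False      # browsers treat a backslash here like a second slash
    return True

def safe_redirect_target(query: Dict[str, str], default: str = "admin") -> str:
    """Return the user-supplied destination if it is local, else a fixed default."""
    dest = query.get("destination", "")
    return dest if is_local_destination(dest) else default

if __name__ == "__main__":
    # Constructed query strings as a module's form handler might receive them.
    for q in ({"destination": "admin/structure/types"},
              {"destination": "//example.org/"},
              {"destination": "%2F%2Fexample.org"},
              {"destination": "javascript:alert(1)"}):
        print(q["destination"], "->", safe_redirect_target(q))
```

The design choice worth copying is the allow-list shape of the test: rather than enumerating bad prefixes, it accepts only what a relative path on the site can look like and treats anything with a scheme or authority component as foreign. Where a module already knows the page it should return to, passing that fixed path instead of echoing the request parameter removes the problem altogether.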

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Chamilo integration 7.x-1.x versions prior to 7.x-1.2

Drupal core is not affected. If you do not use the contributed Chamilo integration module, there is nothing you need to do.

Solution

Also see the Chamilo integration project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Storage API - Moderately Critical - Access Bypass - SA-CONTRIB-2015-114

Drupal Contrib Security Announcements - Wed, 05/27/2015 - 17:06
Description

The Storage API module creates an underlying agnostic storage layer for Drupal using many different underlying storage methods. Storage API can be used to create fields for entities to hold data.

The module failed to restrict access to the Storage API fields attached to entities that are not nodes.

This is mitigated by the fact that only entities with fields using storage classes that have access restrictions are affected (they do not by default).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Storage API 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Storage API module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Storage API project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Aegir - Moderately Critical - Code Execution Prevention - SA-CONTRIB-2015-113

Drupal Contrib Security Announcements - Wed, 05/20/2015 - 19:02
Description

The Aegir Hosting System enables you to deploy and manage Drupal sites.

When writing Apache vhost files for hosted sites on a common platform (multi-site), Aegir doesn't block execution of code uploaded to another site on the same platform.

This vulnerability is mitigated by the fact that an attacker must already have compromised another site, on the same multi-site install, sufficiently to upload executable code to its files directory.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Aegir Hosting System 6.x-2.x versions prior to 6.x-2.4.
  • Aegir Hosting System 7.x-3.x versions prior to 7.x-3.0-beta2.

Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) distribution, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Aegir Hosting System for Drupal 6.x, upgrade to Aegir 6.x-2.4
  • If you use the Aegir Hosting System for Drupal 7.x, upgrade to Aegir 7.x-3.0-beta2

After installation you need to run a verify task on all hosted sites. The easiest method is to use the Views Bulk Operations on the hosting/sites page.

Also see the Hostmaster (Aegir) project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

Navigate - Moderately Critical - Multiple Vulnerabilities - Unsupported - SA-CONTRIB-2015-112

Drupal Contrib Security Announcements - Wed, 05/20/2015 - 17:37
Description

Navigate is a customizable navigation tool for Drupal.

Access Bypass

In certain situations the module does not adequately check content permissions, allowing a malicious user with "navigate view" permission to modify custom widgets and create new widget database records.

Cross-site scripting

The module also doesn't sufficiently filter text, creating an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "navigate view", "navigate_custom use" and either "navigate customize" or "navigate administer".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Navigate module.

Drupal core is not affected. If you do not use the contributed Navigate module, there is nothing you need to do.

Solution

If you use the Navigate module you should uninstall it.

Also see the Navigate project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111

Drupal Contrib Security Announcements - Wed, 05/20/2015 - 17:24
Description

The Shipwire API module handles communication with the Shipwire shipping service.

The Shipwire module doesn't check view permission for the shipments overview page when installed (admin/shipwire/shipments). Limited non-public information is displayed on the page.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Shipwire 7.x-1.x versions prior to 7.x-1.03.

Drupal core is not affected. If you do not use the contributed Shipwire module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Shipwire module for Drupal 7.x, please upgrade to Shipwire 7.x-1.03 or greater.
  • Check that the settings have been updated by navigating to Structure -> Views -> Shipwire shipment. Under 'Page settings', make sure that 'Access' is set to 'Permission' -> 'View all Shipwire Shipments'.

Also see the Shipwire project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts
