Feed aggregator

SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/17/2014 - 15:07
Description

This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses.

Cross Site Scripting (XSS)

When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any potentially dangerous code in the survey titles is also rendered.

This vulnerability is mitigated by the fact that a user must have the "Create Survey" permission to be able to set the survey titles.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • survey_builder 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Survey Builder module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Survey Builder project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-090 - Speech recognition - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 09/17/2014 - 14:55
Description

This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface.

Cross Site Scripting (XSS)

The module incorrectly prints fields without proper sanitization thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer speech".

Cross Site Request Forgery (CSRF)

The module enables in-place configuration of form options via AJAX requests, but it does not sufficiently check the source of those requests, making it possible for an attacker to cause a user to unknowingly make changes to the field configurations.

This vulnerability is mitigated by the fact that the attacked administrator must have a role with the permission "administer speech".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of Speech recognition.

Drupal core is not affected. If you do not use the contributed Speech recognition module, there is nothing you need to do.

Solution

If you use the Speech recognition module you should uninstall it.

Also see the Speech recognition project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-089 - Geofield Yandex Maps - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/17/2014 - 14:40
Description

The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site.

The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker would need permission to create nodes or entities using the Geofield widget.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Geofield Yandex Maps 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Geofield Yandex Maps module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Geofield Yandex Maps project page.

Reported by
  • Matt V. (provisional member of the Drupal Security Team)
Fixed by
  • Matt V. (provisional member of the Drupal Security Team)
Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/17/2014 - 14:11
Description

Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites.

Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for "Flag as Inappropriate" within the Mollom advanced configuration settings (which is not the default setting).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
  • Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10

Drupal core is not affected. If you do not use the contributed Mollom module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Mollom project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure

Drupal Contrib Security Announcements - Wed, 09/10/2014 - 17:23
Description

Drupal Commerce is used to build eCommerce websites and applications of all sizes.

The commerce_order module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of email addresses.

This vulnerability is mitigated by the fact that the commerce_checkout module must be enabled with the default rule configuration enabled that creates new user accounts when an anonymous user completes the checkout process.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.

Solution

Drupal Commerce 1.10 includes an update function that will change all user names on the site that look like email addresses. This can be a disruptive process for some sites and therefore must be enabled explicitly by the update administrator. If you don't run the default update function you need to make sure yourself that user names are not valid email addresses.

To enable the username cleaning update function, you must set the commerce_checkout_run_update_7103 variable to TRUE before running update.php or drush updb: either add $conf['commerce_checkout_run_update_7103'] = TRUE; to settings.php, or run drush vset commerce_checkout_run_update_7103 1.

Then install the latest version:

In case you don't want to apply the default update function you can just run update.php without the variable and the update function will be skipped.

Also see the Drupal Commerce project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/10/2014 - 15:04
Description

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates.

User input is not properly sanitized in all use cases, opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability is only present when the custom breadcrumb is configured with the <none> special identifier so that some of the breadcrumb items are not links. A typical example is a last breadcrumb element that shows the current page title but is not a link. The XSS vulnerability is not triggered if all items of the breadcrumb are links and the special identifier <none> is not used.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
  • Custom Breadcrumbs 6.x-2.x versions are NOT affected
  • Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1

Drupal core is not affected. If you do not use the contributed Custom Breadcrumbs module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Breadcrumbs project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-085 - Ubercart - Information disclosure

Drupal Contrib Security Announcements - Wed, 09/10/2014 - 14:58
Description

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.

The per-user order history view is not properly protected.

This vulnerability is mitigated by the fact that an attacker must have an account with the "view own orders" permission and can only view order IDs, dates, statuses and totals with the default configuration.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Ubercart 7.x-3.x versions prior to 7.x-3.7.

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-084 - Avatar Uploader - Information Disclosure

Drupal Contrib Security Announcements - Wed, 09/03/2014 - 14:08
Description

The Avatar Uploader enables you to upload user pictures in a user-friendly way, like Quora and Facebook.

The module does not sufficiently check the picture path when a user crops the picture in the uploader panel, allowing a malicious user to make specially crafted requests that obtain sensitive server files readable by the webserver user.

This vulnerability is mitigated by the fact that an attacker must know or guess the relative path out of the temporary directory and to the sensitive files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Avatar_Uploader 6.x-1.x versions prior to 6.x-1.2
  • Avatar_Uploader 7.x-1.x versions prior to 7.x-1.0-beta5

Drupal core is not affected. If you do not use the contributed Avatar Uploader module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Avatar Uploader project page.

Reported by

Fixed by

Coordinated by
  • Greg Knaddison of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-083 - Rules Link - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 08/27/2014 - 14:17
Description

This module allows you to create links which trigger arbitrary functionality with the help of the Rules module.

The module doesn't sufficiently sanitize the question and description strings when confirmation forms are displayed for triggering Rules links.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer rules links".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Rules Link 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Rules Link module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Rules Link project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-082 - Marketo MA - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 08/20/2014 - 16:16
Description

The Marketo MA module adds Marketo marketing automation tracking capability to your website as well as the ability to capture lead data during user registration and via webform integration. It consists of a base module as well as Marketo MA User Webform and Marketo MA User sub-modules.

The Marketo MA Webform and Marketo MA User modules included with the Marketo MA module incorrectly print field titles without proper sanitization, thereby opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability in Marketo MA Webform is mitigated by the fact that an attacker must have permissions which allow them to create Webform fields, "create webform content", and manage their Marketo relationship, "administer marketo webform settings".

The vulnerability in Marketo MA User is mitigated by the fact that an attacker must have a permission which allows them to create fields (such as "administer users") and manage Marketo MA configuration, "administer marketo".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Marketo MA 7.x-1.3 and all earlier versions.

Drupal core is not affected. If you do not use the contributed Marketo MA module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Marketo MA project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2014-081 - Site Banner - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 08/20/2014 - 14:08
Description

The Site Banner module enables you to display a banner at the top and bottom of a Drupal site.

This module incorrectly prints existing context settings without proper sanitization, opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer contexts" from the Context UI module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Site Banner 7.x-4.x versions prior to 7.x-4.0.
  • Site Banner 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2013-080 - Social Stats - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 08/20/2014 - 14:02
Description

The Social Stats module enables you to collect statistics from various social networks and use that data with the Views module as field data, sort criteria, or filter criteria.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "[Content Type]: Create new content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Social Stats 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Social Stats module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Social Stats module for Drupal 7.x, upgrade to 7.x-1.5

Also see the Social Stats project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2013-079 - RedHen CRM - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 08/20/2014 - 13:58
Description

The RedHen CRM project contains the redhen_dedup module which enables you to find duplicate contacts in the CRM.

The redhen_dedup module does not sufficiently filter administrator-entered text when deduping contacts, which creates a Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker needs the permission "administer redhen contacts".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • RedHen CRM 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed RedHen CRM module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RedHen CRM project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-078 - Notify - Access bypass

Drupal Contrib Security Announcements - Wed, 08/13/2014 - 16:39
Description

The notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites.

The Notify module does not sufficiently check whether the user has access to recently added or updated nodes and all the fields within the node before including the nodes in notification emails to a given user. This will expose node titles and potentially node teasers and fields to users who should not see them.

This vulnerability is mitigated by the fact that a site must use some form of access control and must be configured to include nodes with protected content in notifications.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Notify 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Notify module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Notify module for Drupal 7.x, upgrade to Notify 7.x-1.1

Also see the Notify project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-077 - TableField - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 08/13/2014 - 13:40
Description

This module enables you to create a field attached to an entity which stores tabular data. The module does not sufficiently sanitize the field help text when it is presented to a privileged user.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer content types" or "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • TableField 7.x-2.x versions prior to 7.x-2.3.
  • TableField versions for Drupal 6 are NOT affected.

Drupal core is not affected. If you do not use the contributed TableField module, there is nothing you need to do.

Solution

Install the latest version:

Also see the TableField project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-076 - Fasttoggle - Access bypass

Drupal Contrib Security Announcements - Wed, 08/06/2014 - 20:16
Description

This module enables you to quickly toggle various user, node and field related settings via ajax links.

The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the access control which doesn't correctly implement support for the user status (allow/block) link.

This vulnerability is mitigated by the fact that the administrator must enable the link in the fasttoggle configuration and allow user profiles to be viewed by anonymous or logged in users. For user 1 to be affected, the administrator must also enable the fasttoggle setting that allows that account to be blocked via fasttoggle.

All uses of the Fasttoggle module are logged, so any invocations of the exploit will be recorded. Accounts can only be blocked or unblocked via the exploit.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Fasttoggle module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fasttoggle project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass

Drupal Contrib Security Announcements - Wed, 08/06/2014 - 19:42
Description

This module provides functionality for AJAX based auto-completion of fields in the Biblio node type (provided by the Biblio module) using previously entered values and third party services.

The submodule "Biblio self autocomplete" for previously entered values doesn't sufficiently sanitize user input as it is used in a database query.

Additionally, the AJAX autocompletion callback itself was not properly secured, thus potentially allowing any visitor access to the data, including the anonymous user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Biblio Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

Additionally there is a new permission "access biblio autocomplete" for accessing the search. You need to give this permission to users with write permissions on Biblio nodes.

Also see the Biblio Autocomplete project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CORE-2014-004 - Drupal core - Denial of service

Drupal Core Security Announcements - Wed, 08/06/2014 - 17:41
Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.
Solution

Install the latest version:

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.
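
An XML-RPC endpoint only ever needs to parse methodCall documents, which have no legitimate use for a DOCTYPE or entity declarations, so a front-end check can refuse any request body that declares one before the parser expands anything. The block below is an added example for this page, not Drupal's or WordPress's code: it rejects bodies carrying a DTD, enforces an assumed 64 KiB size limit, never fetches external parameter entities, and returns the method name only for well-formed, DTD-free calls; the request bodies in it are constructed samples.

```python
"""Pre-parse check for XML-RPC request bodies (added example, not Drupal code).

The defence is simple: XML-RPC never needs a DTD, so any <!DOCTYPE ...> or
<!ENTITY ...> declaration is refused outright, which rules out the entity
expansion class of payload before a single entity is expanded.
"""
import xml.parsers.expat
from xml.parsers.expat import ExpatError

# Assumption: XML-RPC calls against a CMS are small; anything larger is refused.
MAX_BODY_BYTES = 64 * 1024


class UnsafeXml(ValueError):
    """Raised from an expat handler when the body declares a DTD or entity."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Called by expat as soon as <!DOCTYPE is seen, before any subset is read.
    raise UnsafeXml("DOCTYPE declaration for <%s> not allowed" % doctype_name)


def _reject_entity(name, is_param, value, base, system_id, public_id, notation):
    # Defensive second line: refuse entity declarations individually as well.
    raise UnsafeXml("ENTITY declaration '%s' not allowed" % name)


def check_xmlrpc_body(body: bytes):
    """Return (accepted, detail) for a raw HTTP request body.

    On success, detail is the XML-RPC method name; on rejection it is the reason.
    """
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds %d bytes" % MAX_BODY_BYTES

    method_name = []
    state = {"in_method_name": False, "root": None}

    parser = xml.parsers.expat.ParserCreate()
    # Never let expat resolve external parameter entities (no network fetches).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity

    def start(name, attrs):
        if state["root"] is None:
            state["root"] = name
        if name == "methodName":
            state["in_method_name"] = True

    def end(name):
        if name == "methodName":
            state["in_method_name"] = False

    def chars(data):
        # Character data may arrive in several chunks; collect and join later.
        if state["in_method_name"]:
            method_name.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    try:
        parser.Parse(body, True)
    except UnsafeXml as exc:
        return False, str(exc)
    except ExpatError as exc:
        return False, "malformed XML: %s" % exc

    if state["root"] != "methodCall":
        return False, "root element is <%s>, expected <methodCall>" % state["root"]
    return True, "".join(method_name).strip()


# Constructed sample bodies for illustration.
BENIGN_CALL = (b'<?xml version="1.0"?>\n'
               b"<methodCall><methodName>system.listMethods</methodName>"
               b"<params/></methodCall>")

# Constructed: a body that declares an internal DTD, the shape every
# entity-expansion payload must take. It is refused at the DOCTYPE itself.
CALL_WITH_DTD = (b'<?xml version="1.0"?>\n'
                 b'<!DOCTYPE methodCall [ <!ENTITY a "aaaa"> ]>\n'
                 b"<methodCall><methodName>&a;</methodName></methodCall>")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_CALL), ("with DTD", CALL_WITH_DTD)):
        print(label, "->", check_xmlrpc_body(body))
```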

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-074 - Storage API - Code execution prevention

Drupal Contrib Security Announcements - Wed, 07/30/2014 - 19:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-074
  • Project: (third-party module)
  • Version: 7.x
  • Date: 2014-July-30
  • Security risk: (Less Critical)
  • Vulnerability: Arbitrary PHP code execution
Description

Storage API is a low-level framework for managed file storage and serving.

The module creates an .htaccess file in the files directory to prevent code execution, but it copied the Drupal core file and was not updated to include the improved file contents introduced after SA-CORE-2013-003.

This vulnerability is mitigated by the fact that it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads in a safe manner.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by

Reported publicly outside the Drupal Security Team reporting process.

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2014-073 - Date - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 07/30/2014 - 15:25
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-073
  • Project: Date (third-party module)
  • Version: 7.x
  • Date: 2014-July-30
  • Security risk: Moderately Critical
  • Vulnerability: Cross Site Scripting
Description

The Date module provides a flexible date/time field type (the Date field) and a Date API that other modules can use.

The module incorrectly prints date field titles without proper sanitization, thereby opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker must have a permission to create Date fields, such as "administer taxonomy" to add date fields on taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Date module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Date module for Drupal 7.x, upgrade to Date 7.x-2.8

Also see the Date project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts
