Feed aggregator

SA-CONTRIB-2014-043 - Custom Search - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 04/23/2014 - 15:41
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-043
  • Project: Custom Search (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-April-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Custom Search module alters the default search box to provide some options like in advanced search, but directly in the search box.

The module doesn't sanitize taxonomy vocabulary labels before display, leading to a persistent cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that it requires the attacker to have the permission "administer taxonomy."
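As an added illustration (not the Custom Search module's own code), the following stand-alone PHP script shows the defect class and the Drupal-side fix: an administrator-supplied vocabulary name is printed into markup verbatim in the first helper and run through `check_plain()` in the second. The helper names are hypothetical, the vocabulary rows are constructed, and the fallback definition of `check_plain()` mirrors Drupal 7's so the script runs outside a Drupal bootstrap.

```php
<?php
// Added example, not Custom Search code. Fallback so the script runs without
// Drupal: this is exactly how Drupal 7 defines check_plain().
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: vocabulary names as set by a user holding
// "administer taxonomy". Each object stands in for a vocabulary row.
$vocabularies = array(
  (object) array('vid' => 1, 'name' => 'Topics'),
  (object) array('vid' => 2, 'name' => 'Tags <script>alert("xss")</script>'),
);

// Vulnerable pattern (hypothetical helper): the label goes into markup as-is,
// so whatever the administrator typed is interpreted by every visitor's browser.
function example_vocab_options_unsafe(array $vocabularies) {
  $html = '';
  foreach ($vocabularies as $vocab) {
    $html .= '<option value="' . $vocab->vid . '">' . $vocab->name . '</option>';
  }
  return $html;
}

// Hardened pattern: escape at output time. The id is cast to int, the label is
// passed through check_plain(), so "<" becomes "&lt;" and the text stays text.
function example_vocab_options_safe(array $vocabularies) {
  $html = '';
  foreach ($vocabularies as $vocab) {
    $html .= '<option value="' . (int) $vocab->vid . '">'
      . check_plain($vocab->name) . '</option>';
  }
  return $html;
}

echo example_vocab_options_unsafe($vocabularies), PHP_EOL;
echo example_vocab_options_safe($vocabularies), PHP_EOL;
```

In Drupal 7 the Form API select element escapes its `#options` labels itself, but strings that reach `#markup`, `#prefix`/`#suffix` or a module's own theme output are not escaped automatically; those are the places where an "administer taxonomy" or "administer themes" user's input turns into a persistent XSS, as in this and the theme advisories further down the page.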

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Custom Search 6.x-1.x versions prior to 6.x-1.13.
  • Custom Search 7.x-1.x versions prior to 7.x-1.15.

Drupal core is not affected. If you do not use the contributed Custom Search module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Search project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-042 - Internationalization - Access Bypass

Drupal Contrib Security Announcements - Wed, 04/23/2014 - 15:39
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-042
  • Project: Internationalization (third-party module)
  • Version: 7.x
  • Date: 2014-April-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to build multilingual Drupal sites providing missing translation features for Drupal core.

The module doesn't sufficiently check content access permissions and under certain circumstances allows users with the "access content" permission to see path aliases from unpublished nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Internationalization 7.x-1.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed Internationalization module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Internationalization project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 7.x
Categories: Security posts

SA-CORE-2014-002 - Drupal core - Information Disclosure

Drupal Core Security Announcements - Wed, 04/16/2014 - 19:50
  • Advisory ID: DRUPAL-SA-CORE-2014-002
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-April-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.

When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.

This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.

Note: This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by Drupal or by an external system). See the Drupal 6.31 release notes and Drupal 7.27 release notes for more information.

CVE identifier(s) issued
  • CVE-2014-2983
Versions affected
  • Drupal core 6.x versions prior to 6.31.
  • Drupal core 7.x versions prior to 7.27.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-041 - Block Search - SQL Injection

Drupal Contrib Security Announcements - Wed, 04/16/2014 - 15:28
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-041
  • Project: Block Search (third-party module)
  • Version: 6.x
  • Date: 2014-April-16
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection
Description

The Block Search module provides an alternative way of managing blocks.

The module doesn't properly use Drupal's database API, resulting in user-provided strings being passed directly to the database and allowing SQL injection.

This vulnerability is mitigated by the fact that an attacker must either use a CSRF attack against a user with sufficient permissions or have a role with the permission "admin blocks" or "set region".
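As an added illustration (not Block Search's own code), here is the pattern the advisory describes beside the two idiomatic fixes: a region name that arrives from a form is concatenated into the query in the first function, while the Drupal 6 and Drupal 7 versions hand it to the database API as a placeholder and additionally check it against the theme's known regions. Function names are hypothetical; the `db_query()`, `db_fetch_object()`, `system_region_list()` and `{blocks}`/`{block}` table names are the real Drupal 6/7 APIs, and the code assumes a Drupal bootstrap.

```php
<?php
// Added example, not Block Search code. Assumes a Drupal 6 or 7 bootstrap.

// Vulnerable (either Drupal version): the user-provided region name is pasted
// into the SQL string, so a quote in the input changes the query's structure.
function example_blocks_in_region_unsafe($region) {
  return db_query("SELECT module, delta FROM {blocks} WHERE region = '" . $region . "'");
}

// Drupal 6: db_query() takes printf-style placeholders. %s is escaped and
// quoted by the database layer, %d is cast to an integer. The {blocks}
// braces let Drupal add its table prefix.
function example_blocks_in_region_d6($region, $theme) {
  // Allow-list first: regions are a fixed set defined by the theme.
  if (!array_key_exists($region, system_region_list($theme))) {
    return array();
  }
  $result = db_query(
    "SELECT module, delta FROM {blocks} WHERE region = '%s' AND theme = '%s'",
    $region, $theme
  );
  $blocks = array();
  while ($row = db_fetch_object($result)) {
    $blocks[] = $row;
  }
  return $blocks;
}

// Drupal 7: named placeholders are bound through PDO, so the value can never
// be parsed as SQL. (The table is {block} in Drupal 7.)
function example_blocks_in_region_d7($region, $theme) {
  if (!array_key_exists($region, system_region_list($theme))) {
    return array();
  }
  return db_query(
    "SELECT module, delta FROM {block} WHERE region = :region AND theme = :theme",
    array(':region' => $region, ':theme' => $theme)
  )->fetchAll();
}
```

The allow-list check is worth keeping even with placeholders: it turns a free-text field into a choice among values the site already trusts, which is the shape a "set region" action should have in the first place.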

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Block Search versions.

Drupal core is not affected. If you do not use the contributed Block Search module, there is nothing you need to do.

Solution

No patch or updated version is available.

Site administrators should disable the module.

Also see the Block Search project page.

Reported by

Fixed by

Not applicable.

Coordinated by


Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-040 - Skeleton theme - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:35
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-040
  • Project: Skeleton (third-party theme)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Skeleton theme is a responsive Drupal theme, built upon the Skeleton Boilerplate.

The Skeleton theme does not properly sanitize theme settings before they are used in the output of a page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • skeletontheme-7.x-1.2
  • skeletontheme-7.x-1.3

Drupal core is not affected. If you do not use the contributed Skeleton theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Skeleton project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-038 - SimpleCorp theme - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:27
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-038
  • Project: SimpleCorp (third-party theme)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

SimpleCorp theme is a free responsive Drupal theme.

The SimpleCorp theme does not properly sanitize theme settings before they are used in the output of a page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Simplecorp-7.x-1.0

Drupal core is not affected. If you do not use the contributed SimpleCorp theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the SimpleCorp project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-039 - Revisioning - Access Bypass

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:25
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-039
  • Project: Revisioning (third-party module)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to manage publication workflows whereby new, not publicly visible revisions of existing published content may be created by an author for review, while the current revision remains live to the public. The new revision does not go live until it is approved by a moderator with the necessary privileges to publish the new revision, replacing the old.

The module didn't properly invoke access grants introduced by other contributed modules. Instead, it grants "view" access to any published content and does not enforce the view access restrictions imposed by those modules.

This vulnerability is mitigated by the fact that this is only an issue when your site uses modules that introduce additional access grants over and above core's access permissions, such as Taxonomy Access or Content Access.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Revisioning version 7.x-1.7 only

Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Revisioning module 7.x-1.7, upgrade to 7.x-1.8.
    Revisioning 7.x-1.6 does not have the bug, but reverting to 7.x-1.6 naturally also means you miss out on any bug fixes and features of version 7.x-1.7.

Also see the Revisioning project page.

Reported by

Fixed by

Coordinated by
  • Mark Ferree provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:16
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-037
  • Project: BlueMasters (third-party module)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Bluemasters is a responsive layout theme for Drupal 7.

The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Bluemasters 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed BlueMasters theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the BlueMasters project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-036 - Print - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/02/2014 - 17:10
Description

This module provides printer-friendly versions of content, including send by e-mail and PDF versions.
The module does not sufficiently sanitize user provided input when generating the printed version of a node.
This is mitigated by the fact that an attacker must have permission to create a node which offers the print functionality.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.19.
  • Printer, email and PDF versions 7.x-1.x versions prior to 7.x-1.3.
  • Printer, email and PDF versions 7.x-2.x versions prior to 7.x-2.0.

Drupal core is not affected. If you do not use the contributed Printer, email and PDF versions module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Printer, email and PDF versions module for Drupal 6.x, upgrade to print 6.x-1.19
  • If you use the Printer, email and PDF versions module for Drupal 7.x, upgrade to print 7.x-1.3 or print 7.x-2.0

Also see the Printer, email and PDF versions project page.

Reported by

Fixed by

Coordinated by


Categories: Security posts

SA-CONTRIB-2014-035 - CAS Server - Access Bypass

Drupal Contrib Security Announcements - Wed, 04/02/2014 - 17:08
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-035
  • Project: CAS (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-April-02
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The cas_server module of the CAS project implements the CAS 1.0 and 2.0 specifications for providing single sign-on to relying-party web applications (the "service" in the CAS specs). The CAS server creates single-use tickets when serving a user's login request; a ticket is subsequently deleted when the relying party validates it.

However, this successful validation will be cached if the Drupal page cache is enabled, and subsequent identical validations can be processed even though the single-use ticket has been deleted.

A user's session on a relying party can therefore be re-initialized via a session replay attack involving the cas_server module, even when the user deletes cookies and server-side sessions for both sites.

This would require an attacker to sniff the service URL containing the ticket ID, such as with a non-SSL relying party, by protocol downgrade, or by accessing an earlier user's web activity on a public computer.
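As an added illustration (not cas_server code), the following Drupal 7 menu callback shows the two properties the advisory turns on: the validation response must never be served from the page cache, and the single-use ticket must be consumed in the same request that accepts it. The same call, `drupal_page_is_cacheable(FALSE)`, is also what a form builder can use when a multi-step or Ajax form is shown to anonymous users on cached pages, the situation described in SA-CORE-2014-002 above. The function name and the `{example_ticket}` table are hypothetical; `drupal_page_is_cacheable()`, `db_delete()`, `drupal_add_http_header()` and `REQUEST_TIME` are the real Drupal 7 APIs, and the code assumes a Drupal bootstrap.

```php
<?php
// Added example, not cas_server code. Assumes a Drupal 7 bootstrap and a
// hypothetical table {example_ticket} with columns ticket, service, created.

function example_ticket_validate_page() {
  // The relying party validating a ticket is an anonymous request, which is
  // exactly the traffic Drupal's page cache stores. Opt this request out so
  // neither Drupal nor an upstream cache honouring its headers keeps the reply;
  // otherwise a replayed URL gets the cached "yes" after the ticket is gone.
  drupal_page_is_cacheable(FALSE);

  $ticket  = isset($_GET['ticket']) ? $_GET['ticket'] : '';
  $service = isset($_GET['service']) ? $_GET['service'] : '';

  // Consume the ticket atomically. A DELETE whose affected-row count doubles
  // as the existence check avoids the SELECT-then-DELETE window in which two
  // concurrent validations of the same ticket could both succeed.
  $deleted = db_delete('example_ticket')
    ->condition('ticket', $ticket)
    ->condition('service', $service)
    ->condition('created', REQUEST_TIME - 300, '>')  // five-minute lifetime
    ->execute();

  if ($deleted !== 1) {
    // Unknown, expired, already used, or bound to a different service.
    drupal_add_http_header('Status', '403 Forbidden');
    return 'no';
  }
  return 'yes';
}
```

When a page is not cacheable, Drupal 7 sends its default no-cache headers for the response; a reverse proxy in front of the site must be configured to respect them, since the advisory notes the leak also occurs with external caches.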

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CAS Server 6.x-2.x versions prior to 6.x-3.3.
  • CAS Server 7.x-2.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed CAS module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CAS project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-034 - Custom Search - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/02/2014 - 17:05
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-034
  • Project: Custom Search (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-April-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Custom Search module alters the default search box to provide additional search filtering options and control.

Custom Search contains a persistent cross-site scripting (XSS) vulnerability due to the fact that it fails to sanitize filter labels before display.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom search."

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Custom Search 6.x-1.x versions prior to 6.x-1.12.
  • Custom Search 7.x-1.x versions prior to 7.x-1.14.

Drupal core is not affected. If you do not use the contributed Custom Search module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Search project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 03/19/2014 - 17:21
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-033
  • Project: Nivo Slider (third-party module)
  • Version: 7.x
  • Date: 2014-March-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Nivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system.

The module doesn't sufficiently sanitize the title of images in the slider.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer nivo slider".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Nivo Slider 7.x-2.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed Nivo Slider module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Nivo Slider project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-032 - Xapian integration - Access Bypass

Drupal Contrib Security Announcements - Wed, 03/19/2014 - 16:08
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-032
  • Project: Xapian integration (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-March-19
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to use the Xapian system to search a Xapian index from within Drupal.

The module doesn't verify node access rights when a node is loaded for display after the search happened in Xapian.

This vulnerability is mitigated by the fact that the system must be using a node access control module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Xapian integration 6.x-2.x versions prior to 6.x-2.2.
  • Xapian integration 7.x-2.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Xapian integration module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Xapian integration project page.

Reported by

Fixed by

Coordinated by


Categories: Security posts

SA-CONTRIB-2014-031 - Webform Template - Access Bypass

Drupal Contrib Security Announcements - Wed, 03/12/2014 - 20:30
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-031
  • Project: Webform Template (third-party module)
  • Version: 7.x
  • Date: 2014-March-12
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass
Description

This module enables you to copy webform config from one node to another.
The module doesn't respect node access when providing the list of possible nodes to copy from. As a result, the titles of nodes a user does not have view access to may be disclosed to that user, and they may be able to copy the webform configuration from otherwise hidden nodes.
This vulnerability is mitigated by the fact that the system must be using a node access control module and an attacker must have a role that has access to edit nodes of the "webform template destination" type.
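The Revisioning, Xapian integration and Webform Template advisories above share one root cause: a node's "published" flag was treated as the access decision, so grants added by node access modules such as Taxonomy Access or Content Access were never consulted. As an added illustration (not any of those modules' code), the two Drupal 7 helpers below show where the check belongs: once when node IDs come back from an external index, and once when a query builds a list of candidate nodes for a form. Function names are hypothetical; `node_load_multiple()`, `node_access()`, `db_select()` and the `node_access` query tag are the real Drupal 7 APIs, and the code assumes a Drupal bootstrap.

```php
<?php
// Added example, not module code. Assumes a Drupal 7 bootstrap.

// (a) Results from an external search engine carry no access information.
// Load the nodes and let node_access() decide: it consults every module's
// hook_node_access() and hook_node_grants() implementations, not just
// $node->status, so restrictions from Taxonomy Access, Content Access and
// similar modules are honoured for the acting user.
function example_filter_external_results(array $nids, $account = NULL) {
  $visible = array();
  foreach (node_load_multiple($nids) as $nid => $node) {
    if (node_access('view', $node, $account)) {
      $visible[$nid] = $node;
    }
  }
  return $visible;
}

// (b) A select list of nodes to copy from. Tagging the query with
// 'node_access' makes the node module's query alter add the grant joins for
// the current user, so titles the user may not view never reach the form.
function example_node_options($type) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', $type)
    ->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}
```

Pattern (a) is the one to reach for whenever the node list originates outside Drupal's query builder (an external index, a cached list, an API response); pattern (b) covers lists built with `db_select()`. Filtering by `status = 1` alone, which is what the Revisioning advisory describes, satisfies neither.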

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Webform Template 6.x-1.x versions.
  • Webform Template 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Webform Template module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Webform Template module for Drupal 7.x, upgrade to a newer version. The issue is fixed as from 7.x-1.3.
  • If using an older version, be aware of the risks and consequences.

Note: For some people, the previous behavior was actually exactly how they used this module. To restore the original functionality, go to the settings page (admin/config/content/webform_template) and check the "Defeat node access" checkbox.

Also see the Webform Template project page.

Reported by

Fixed by

Coordinated by


Categories: Security posts

SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure

Drupal Contrib Security Announcements - Wed, 03/12/2014 - 14:16
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-030
  • Project: SexyBookmarks (third-party module)
  • Version: 6.x
  • Date: 2014-March-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in. The module adds social bookmarking using the Shareaholic service.

The module discloses the private files location when Drupal 6 is configured to use private files.

This vulnerability is mitigated by the fact that only sites using private files are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All SexyBookmarks 6.x-2.x versions.

Drupal core is not affected. If you do not use the contributed SexyBookmarks module, there is nothing you need to do.

Solution
  • If you use the SexyBookmarks module for Drupal 6.x you should disable it.
  • Users can also consider using the Shareaholic module which provides similar features. However, the Shareaholic module is currently only available for Drupal 7 so affected users would have to upgrade to Drupal 7 first.

Also see the SexyBookmarks project page.

Reported by

Fixed by

Not applicable.

Coordinated by


Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-029 - Mime Mail - Access Bypass

Drupal Contrib Security Announcements - Wed, 03/05/2014 - 17:57
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-029
  • Project: Mime Mail (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-March-05
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The MIME Mail module allows sending MIME-encoded e-mail messages with embedded images and attachments.

By default the module only allows files to be embedded or attached that are located in the public files directory.

The module doesn't sufficiently check the file location: it treats similar paths under different roots as being located in the public files directory, possibly allowing arbitrary files to be sent as attachments without permission.

This vulnerability is mitigated by the fact that an attacker must be able to compose and send e-mail messages to an arbitrary address and the attached file's location must partly match with the system path of the public files directory.
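As an added illustration (not Mime Mail's code), the stand-alone PHP script below contrasts a substring-style "is this file under the public files directory?" check with one that canonicalises both paths and requires the directory to be a proper prefix. It builds a small constructed directory layout in the system temp directory so it runs on its own; the function names are hypothetical and the layout is not Mime Mail's.

```php
<?php
// Added example, not Mime Mail code. Runs stand-alone; creates and removes a
// constructed directory tree under sys_get_temp_dir().

// Weak check: succeeds whenever the public directory's path appears anywhere
// in the file path. A file under a different root that merely contains the
// same segments, a sibling directory sharing the prefix, or a "../" path all
// pass.
function in_public_dir_weak($file, $public_dir) {
  return strpos($file, $public_dir) !== FALSE;
}

// Stronger check: resolve symlinks and ".." on both sides, then require the
// file to sit below the directory boundary (trailing separator included, so
// "files-private" does not match "files").
function in_public_dir_strict($file, $public_dir) {
  $real_dir = realpath($public_dir);
  $real_file = realpath($file);
  if ($real_dir === FALSE || $real_file === FALSE) {
    return FALSE;  // nonexistent path: refuse rather than guess
  }
  $prefix = rtrim($real_dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  return strncmp($real_file, $prefix, strlen($prefix)) === 0;
}

function rmdir_recursive($dir) {
  foreach (scandir($dir) as $entry) {
    if ($entry === '.' || $entry === '..') {
      continue;
    }
    $p = $dir . DIRECTORY_SEPARATOR . $entry;
    is_dir($p) ? rmdir_recursive($p) : unlink($p);
  }
  rmdir($dir);
}

// Constructed layout:
//   <tmp>/site/sites/default/files/ok.txt          the public files directory
//   <tmp>/site/sites/default/files-private/s.txt   sibling dir sharing the prefix
//   <tmp>/other/sites/default/files/leak.txt       same segments, different root
$base   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mimemail_demo_' . getmypid();
$public = "$base/site/sites/default/files";
$layout = array(
  "$public/ok.txt",
  "$base/site/sites/default/files-private/s.txt",
  "$base/other/sites/default/files/leak.txt",
);
foreach ($layout as $path) {
  mkdir(dirname($path), 0700, TRUE);
  file_put_contents($path, 'x');
}
// A path that starts inside the public directory and climbs out of it.
$traversal = "$public/../files-private/s.txt";

foreach (array_merge($layout, array($traversal)) as $path) {
  printf("%-50s weak=%-3s strict=%s\n",
    substr($path, strlen($base)),
    // The weak check is fed the site-relative directory, as a module using
    // file_directory_path() would; the strict one the absolute directory.
    in_public_dir_weak($path, 'sites/default/files') ? 'yes' : 'no',
    in_public_dir_strict($path, $public) ? 'yes' : 'no');
}

rmdir_recursive($base);
```

Only `ok.txt` passes the strict check; the weak check accepts all four paths, including the sibling directory and the file under the other root, which is the "similar paths in different roots" condition the advisory describes.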

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mime Mail 6.x-1.x versions prior to 6.x-1.4.
  • Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta3.

Drupal core is not affected. If you do not use the contributed Mime Mail module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Mime Mail project page.

Reported by

Fixed by

Coordinated by


Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-028 - Masquerade - Access bypass

Drupal Contrib Security Announcements - Wed, 03/05/2014 - 17:39
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-028
  • Project: Masquerade (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-March-05
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module allows a user with the right permissions to switch users.

When a user has been limited to only masquerading as certain users via the "Enter the users this user is able to masquerade as" user profile field, they can still masquerade as any user on the site by using the "Enter the username to masquerade as." autocomplete field in the masquerade block.

This vulnerability is mitigated by the fact that an attacker must have access to masquerade as another user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Masquerade 6.x-2.x versions prior to 6.x-1.8.
  • Masquerade 7.x-2.x versions prior to 7.x-1.0-rc6.

Drupal core is not affected. If you do not use the contributed Masquerade module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Masquerade project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-027 - NewsFlash Theme - XSS

Drupal Contrib Security Announcements - Wed, 03/05/2014 - 17:11
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-027
  • Project: NewsFlash (third-party theme)
  • Version: 6.x, 7.x
  • Date: 2014-March-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Newsflash is a theme that features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, built-in IE transparent PNG fix, and lots more.

The theme does not sanitize the user-provided theme setting for the font-family CSS property, thereby exposing a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".
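The following is an added example, not code from the NewsFlash theme, showing one way a theme can handle a font-family setting safely: validate the value against an allow-list of characters a font stack legitimately needs, fall back to a default otherwise, and escape it on output regardless. The function names, the default font stack and the sample inputs are hypothetical and constructed for the demonstration.

```php
<?php
// Added example (hypothetical names, constructed inputs), not NewsFlash code.

/**
 * Accept only what a font stack needs: letters, digits, spaces, commas,
 * hyphens and straight quotes around family names. Anything else (angle
 * brackets, semicolons, braces, parentheses) falls back to the default.
 */
function sanitize_font_family($value, $default = 'Arial, Helvetica, sans-serif') {
  $value = trim($value);
  if ($value === '' || strlen($value) > 200) {
    return $default;
  }
  if (!preg_match('/^[A-Za-z0-9 ,\-\'"]+$/', $value)) {
    return $default;
  }
  return $value;
}

/**
 * Build the inline style block. The value is escaped for the HTML context on
 * top of the allow-list check, so the two defenses are independent.
 */
function render_font_style($setting) {
  $family = sanitize_font_family($setting);
  $escaped = htmlspecialchars($family, ENT_QUOTES, 'UTF-8');
  return "<style>body { font-family: $escaped; }</style>";
}

// Constructed sample settings: two legitimate stacks and two malformed ones.
$samples = array(
  'Georgia, "Times New Roman", serif',
  'Verdana, sans-serif',
  'Arial; } </style>',
  'Arial url(x)',
);

foreach ($samples as $setting) {
  printf("%-36s -> %s\n", $setting, render_font_style($setting));
}
```

The first two samples are emitted unchanged; the last two contain characters outside the allow-list and are replaced by the default stack before rendering. Keeping the allow-list narrow is the important part: a value that can close the `<style>` element or introduce a `url()` is what turns a theme setting into script injection.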

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • NewsFlash 6.x-1.x versions prior to 6.x-1.7.
  • NewsFlash 7.x-1.x versions prior to 7.x-2.5.

Drupal core is not affected. If you do not use the contributed NewsFlash theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the NewsFlash project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-026 - Mime Mail - Access bypass

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 19:13
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-026
  • Project: Mime Mail (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-February-26
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The MIME Mail module allows processing of incoming MIME-encoded e-mail messages with embedded images and attachments.

The default key for the authentication of incoming messages is generated from a random number. On some platforms (such as Windows) the maximum value of this number is only 32767 which makes the generated key particularly vulnerable to a brute force attack.

This vulnerability is mitigated by the fact that the processing of incoming messages needs to be enabled on the site, and the default key can be changed arbitrarily by the site administrator.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mime Mail 6.x-1.x versions prior to 6.x-1.3.
  • Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta2.

Drupal core is not affected. If you do not use the contributed Mime Mail module, there is nothing you need to do.

Solution

Install the latest version:

These releases include a stronger authentication process for incoming messages which is backward incompatible. If you are using this feature, make sure to use the HMAC method, with the new key generated during the update process, to authenticate your messages.
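The following is an added example, not the Mime Mail module's own code, contrasting a key derived from `rand()` with one drawn from a cryptographic source, and showing the HMAC pattern the solution refers to: the sender tags the raw message under the shared key, and the receiver recomputes the tag and compares it in constant time. Function names, the sample message and the tag handling are hypothetical; the module's actual header names and storage are not shown on this page.

```php
<?php
// Added example (hypothetical names, constructed message), not Mime Mail code.

/**
 * Weak: where getrandmax() is 32767 (the advisory names Windows) the key is
 * one of only 32768 values, so the whole key space can be tried quickly.
 */
function weak_incoming_key() {
  return md5(rand());
}

/** Strong: 32 bytes (256 bits) from a CSPRNG, hex-encoded for storage. */
function strong_incoming_key() {
  // random_bytes() exists from PHP 7; older versions would need
  // openssl_random_pseudo_bytes() or Drupal's own drupal_random_bytes().
  return bin2hex(random_bytes(32));
}

/** Sender side: tag the raw message with HMAC-SHA256 under the shared key. */
function sign_incoming_message($key, $raw_message) {
  return hash_hmac('sha256', $raw_message, $key);
}

/**
 * Receiver side: recompute the tag and compare in constant time, so the
 * comparison does not leak how many leading characters already matched.
 */
function verify_incoming_message($key, $raw_message, $tag) {
  $expected = hash_hmac('sha256', $raw_message, $key);
  return hash_equals($expected, $tag);
}

// Constructed sample message.
$key = strong_incoming_key();
$message = "From: editor@example.test\r\nSubject: Post\r\n\r\nBody text\r\n";
$tag = sign_incoming_message($key, $message);

$checks = array(
  'genuine message'  => verify_incoming_message($key, $message, $tag),
  'body altered'     => verify_incoming_message($key, $message . 'x', $tag),
  'tag altered'      => verify_incoming_message($key, $message, substr($tag, 0, -1) . '0'),
  'different key'    => verify_incoming_message(strong_incoming_key(), $message, $tag),
);
foreach ($checks as $label => $ok) {
  printf("%-16s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
printf("rand() key space on this platform: %d values\n", getrandmax() + 1);
printf("random_bytes(32) key space: 2^256 values\n");
```

Only the genuine message is accepted. The last line reports the platform's `getrandmax()`, which is what bounds the old scheme; on a platform where it is 32767 the weak key has roughly 15 bits of entropy regardless of how it is hashed afterwards, since hashing does not add entropy.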

Also see the Mime Mail project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts
