Feed aggregator

SA-CONTRIB-2013-062 - RESTful Web Services (RESTWS) - Access Bypass

Drupal Contrib Security Announcements - Wed, 08/07/2013 - 15:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-062
  • Project: RESTful Web Services (third-party module)
  • Version: 7.x
  • Date: 2013-August-07
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.

The module doesn't sufficiently check field-level access when performing entity write operations on POST and PUT requests. It also does not check which text formats the user is allowed to use on formatted text fields, thereby allowing an attacker to exploit XSS with a format that permits full HTML, or even to achieve PHP code execution with a PHP code format.

This vulnerability is mitigated by the fact that an attacker must have a role with a RESTWS permission such as "access resource node" and a permission to write entities such as "create page content". PHP code execution is only possible if the PHP module is enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTWS 7.x-1.x versions prior to 7.x-1.4.
  • RESTWS 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.4
  • If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS 7.x-2.1

Also see the RESTful Web Services project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-061 - Flippy - Access Bypass

Drupal Contrib Security Announcements - Wed, 07/31/2013 - 15:02
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-061
  • Project: Flippy (third-party module)
  • Version: 7.x
  • Date: 2013-July-31
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to generate previous/next links for content types.

The module doesn't sufficiently enforce node access when generating previous/next links. A user may be presented with a link (including alias if one is set) but will not be able to view the node content.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to access content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Flippy 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Flippy module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Flippy module for Drupal 7.x, upgrade to Flippy 7.x-1.2

Also see the Flippy project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-060 - Scald - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 07/24/2013 - 15:25
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-060
  • Project: Scald (third-party module)
  • Version: 6.x, 7.x
  • Date: 2013-July-24
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module enables you to handle media assets (atoms) in Drupal with a Views-based library and a drag-and-drop interface, and to manage content attribution, licensing and distribution.

The module doesn't sufficiently filter atom properties such as the atom title when outputting atoms, thereby exposing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create atoms and the Scald Flash module or the resource management feature (in the MEE submodule) must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Scald 6.x-1.x versions prior to 6.x-1.0-beta3.
  • Scald 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Scald module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Scald project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-059 - Hostmaster (Aegir) - Access Bypass

Drupal Contrib Security Announcements - Wed, 07/17/2013 - 18:56
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-059
  • Project: Hostmaster (Aegir) (third-party module)
  • Version: 6.x
  • Date: 2013-July-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This install profile and accompanying suite of modules enables you to install, upgrade, deploy, and back up Drupal sites (among other things).

The module doesn't sufficiently control access to running tasks on sites in the scenario where a user successfully guesses a site's path in the Aegir front-end.

This vulnerability is mitigated by the fact that an attacker must be authenticated and have a role with one or more permissions that allow the creation of tasks.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hostmaster 6.x-1.x versions prior to 6.x-1.10.

Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Hostmaster (Aegir) project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-058 - MRBS - Abandoned - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 07/17/2013 - 15:57
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-058
  • Project: MRBS (third-party module)
  • Version: 6.x, 7.x
  • Date: 2013-July-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery, SQL Injection
Description

MRBS is a free, GPL, web application using PHP and MySQL/pgsql for booking meeting rooms or other resources.

The module doesn't sufficiently filter user supplied data when creating queries which leads to a SQL injection vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • MRBS module all versions.

Drupal core is not affected. If you do not use the contributed MRBS module, there is nothing you need to do.

Solution

Remove the module and all code from your site.

  • There is no upgraded version available. The module should be disabled and all related code removed from the server.

Also see the MRBS project page.

Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 07/10/2013 - 14:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-057
  • Project: TinyBox (Simple Splash) (third-party module)
  • Version: 7.x
  • Date: 2013-July-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

TinyBox module uses TinyBox, a lightweight and standalone modal window script. The main purpose of this module is to provide Splash Screen/Window as simple as possible.

The module doesn't filter user-supplied text prior to display. The vulnerability is mitigated by the fact that an attacker must have the permission "administer tinybox."

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • TinyBox 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed TinyBox (Simple Splash) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the TinyBox (Simple Splash) project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-056 - Stage File Proxy - Denial of Service

Drupal Contrib Security Announcements - Wed, 07/10/2013 - 14:16
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-056
  • Project: Stage File Proxy (third-party module)
  • Version: 7.x
  • Date: 2013-July-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

This module saves time and disk space by redirecting requests for files in your development environment's files directory to the production environment and storing a copy of the production file in your development site.

An attacker could make repeated requests to the server, even over a long period, which would degrade the performance of all file handling and potentially prevent certain file operations.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Stage File Proxy 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Stage File Proxy module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Stage File Proxy project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-055 - Hatch - Cross Site Scripting

Drupal Contrib Security Announcements - Tue, 07/09/2013 - 21:21
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-055
  • Project: Hatch (third-party theme)
  • Version: 7.x
  • Date: 2013-July-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Hatch theme is a simple and minimal portfolio theme for photographers, illustrators, designers, or photobloggers.

The theme didn't sufficiently escape user-supplied text prior to printing it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer content", "Create new article", or "Edit any article type content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hatch theme 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Hatch theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Hatch theme for Drupal 7.x, upgrade to Hatch 7.x-1.4

Also see the Hatch project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass

Drupal Contrib Security Announcements - Wed, 06/26/2013 - 15:41
Description

The Fast Permissions Administration module enables you to use inline filters on the permissions page, as well as loading the permissions form through a modal dialog.

The module doesn't sufficiently check user access for the modal content callback, allowing unauthorized access to the permissions edit form.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fast Permissions Administration 6.x-2.x versions prior to 6.x-2.5.
  • Fast Permissions Administration 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Fast Permissions Administration module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fast Permissions Administration project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-053 - Login Security - Multiple Vulnerabilities

Drupal Contrib Security Announcements - Wed, 06/19/2013 - 17:54
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-053
  • Project: Login Security (third-party module)
  • Version: 6.x, 7.x
  • Date: 2013-June-19
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Login Security module adds additional access controls to the login form of Drupal.

When Login Security is configured to use the delay feature, frequent or concurrent failed attempts to log in can consume all the web serving processes, causing a denial of service.

It is possible to bypass Login Security features when soft blocking is disabled. This is due to the incorrect use of string filtering in the module which can cause the module to skip all checks.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Login Security 6.x-1.x versions prior to 6.x-1.2.
  • Login Security 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Login Security module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Login Security project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-052 - Display Suite - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 06/12/2013 - 15:34
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-052
  • Project: Display Suite (third-party module)
  • Version: 7.x
  • Date: 2013-June-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

In certain situations, Display Suite does not properly sanitize entity bundle labels, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker has to be able to create entity bundle labels of some sort, which usually needs a higher level permission such as administer taxonomy.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Display Suite 7.x-1.x versions prior to 7.x-1.7.
  • Display Suite 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Display Suite module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Display Suite project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 06/05/2013 - 18:54
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-051
  • Project: Services (third-party module)
  • Version: 6.x, 7.x
  • Date: 2013-June-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.

The module doesn't sufficiently verify write requests (POST, PUT, DELETE) made with session cookie authentication, thereby exposing a Cross Site Request Forgery vulnerability.

This vulnerability is mitigated by the fact that session based authentication must be enabled for an endpoint.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Services 6.x-3.x versions.
  • Services 7.x-3.x versions prior to 7.x-3.4.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install the latest version or uninstall the module.

  • If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.4
  • If you use the Services module for Drupal 6.x, uninstall the module.

Note that Services clients using session authentication now need to supply a special X-CSRF-Token header with a token that can be retrieved from http://example.com/services/session/token. This is required for calls using the write HTTP methods (POST, PUT, DELETE).
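The token exchange the note above describes, as an added example that is not code from the Services module: a small in-memory Python stand-in for a session-authenticated endpoint that hands out a token at /services/session/token and rejects POST, PUT and DELETE calls whose X-CSRF-Token header does not match, while leaving GET reads untouched. The HMAC-over-session-id token derivation, the private key and the `require_csrf_token` switch (off models the pre-7.x-3.4 behaviour) are assumptions made for the simulation.

```python
"""Simulation of the Services session-auth CSRF token check (constructed example)."""
import hashlib
import hmac
import secrets

WRITE_METHODS = {"POST", "PUT", "DELETE"}
TOKEN_PATH = "/services/session/token"


class SessionAuthEndpoint:
    """Minimal stand-in for a Services endpoint using session cookie authentication."""

    def __init__(self, private_key: bytes, require_csrf_token: bool = True):
        # Assumption: the token is an HMAC over the session id keyed with a
        # site-private key, so it is bound to the session and unguessable
        # by a cross-site page that cannot read the response body.
        self._private_key = private_key
        self._require_csrf_token = require_csrf_token
        self._sessions = {}  # session id -> user name

    def login(self, username: str) -> str:
        """Return a fresh session id, as the login resource would set in a cookie."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = username
        return sid

    def _csrf_token(self, sid: str) -> str:
        return hmac.new(self._private_key, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, method: str, path: str, cookies: dict, headers: dict):
        """Dispatch one request; returns (status, body)."""
        user = self._sessions.get(cookies.get("SESS", ""))
        if user is None:
            return 401, "not authenticated"
        # The token resource itself is a read and is bound to the caller's session.
        if method == "GET" and path == TOKEN_PATH:
            return 200, self._csrf_token(cookies["SESS"])
        # Write methods must carry a header a cross-site form cannot set.
        if self._require_csrf_token and method in WRITE_METHODS:
            supplied = headers.get("X-CSRF-Token", "").encode()
            expected = self._csrf_token(cookies["SESS"]).encode()
            if not hmac.compare_digest(supplied, expected):
                return 401, "CSRF validation failed"
        return 200, f"{method} {path} as {user}"


def exchange(require_csrf_token: bool):
    """Replay the client flow and return the status codes of three requests:
    a legitimate POST carrying the token, a forged POST that only has the
    cookie the browser attaches automatically, and a plain GET read."""
    endpoint = SessionAuthEndpoint(b"constructed-private-key", require_csrf_token)
    cookies = {"SESS": endpoint.login("alice")}

    # Legitimate client: fetch the token first, then send it on every write.
    _, token = endpoint.handle("GET", TOKEN_PATH, cookies, {})
    legit, _ = endpoint.handle("POST", "/api/node", cookies, {"X-CSRF-Token": token})

    # Forged request: the cookie rides along, but the header is absent.
    forged, _ = endpoint.handle("POST", "/api/node", cookies, {})

    # Reads are unaffected by the check.
    read, _ = endpoint.handle("GET", "/api/node/1", cookies, {})
    return legit, forged, read


def token_is_session_bound() -> bool:
    """A token issued to one session is rejected when replayed from another."""
    endpoint = SessionAuthEndpoint(b"constructed-private-key")
    alice = {"SESS": endpoint.login("alice")}
    mallory = {"SESS": endpoint.login("mallory")}
    _, alice_token = endpoint.handle("GET", TOKEN_PATH, alice, {})
    status, _ = endpoint.handle("DELETE", "/api/node/1", mallory, {"X-CSRF-Token": alice_token})
    return status == 401


if __name__ == "__main__":
    print("fixed   (7.x-3.4):", exchange(True))   # (200, 401, 200)
    print("unfixed (pre-3.4):", exchange(False))  # (200, 200, 200)
```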

Also see the Services project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 05/29/2013 - 22:36
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-050
  • Project: Webform (third-party module)
  • Version: 6.x
  • Date: 2013-May-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Webform module allows the creation of custom webforms and surveys.
Webform module does not sanitize the labels of created components (fields) when displaying a list of components to be used in e-mails or downloaded CSV files.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit own webform content" or "edit all webform content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform 6.x-3.x versions prior to 6.x-3.19.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

If you use the Webform module for Drupal 6, install the latest version, Webform 6.x-3.19. Drupal 7 versions of this module are not affected.

Also see the Webform project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-049 - Node access user reference - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/29/2013 - 15:22
Description

This module allows different access permissions to be given to authors, referenced users and non-referenced users.

When an author has created content containing a user reference field (with author update/delete grants enabled) and the author's user account is later deleted, content created by them can be edited by anonymous users.

CVE identifier(s) issued
  • CVE-2013-2123
Versions affected
  • nodeaccess_userreference 6.x-3.x versions prior to 6.x-3.5.
  • nodeaccess_userreference 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Node access user reference module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Node access user reference project page.

Coordinated by
  • Dan Smith, provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-048 - Edit Limit - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/29/2013 - 14:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-048
  • Project: Edit Limit (third-party module)
  • Version: 7.x
  • Date: 2013-May-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Edit Limit enables you to set time and count-based limits on how and when a user can edit nodes or comments.

The module doesn't sufficiently check user access when editing comments to see if the user has the necessary permissions to edit a comment outside of the limits applied by this module. This makes it possible for a user who can edit their own comments to edit the comments of any other user.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit comments".

CVE identifier(s) issued
  • CVE-2013-2122
Versions affected
  • Edit Limit 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Edit Limit module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Edit Limit project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/15/2013 - 18:10
Description

This module allows you to add Time-based One-time Password Algorithm (also called "Two Step Authentication" or "Multi-Factor Authentication") support to user logins. It works with Google's Authenticator app and supports most (if not all) OATH-based HOTP/TOTP systems.

Accidental removal of account configuration

In certain scenarios, Google Authenticator login incorrectly determines the user's account name. The change in account name could cause the two-factor authentication for existing accounts to be lost, allowing users to log in using just username and password.

This vulnerability is mitigated by the fact that, while Google Authenticator login's additional verification is bypassed, a username and password are still required to log in.

One Time Password (OTP) replay

If an attacker can intercept a login request with a username, password and OTP, the attacker could use this same data again to log in to the website.

This vulnerability is mitigated by the fact that an attacker who can intercept a login request with this level of detail can usually also intercept the ongoing session identifying token.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Google Authenticator login 6.x-1.x versions prior to 6.x-1.2.
  • Google Authenticator login 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Google Authenticator login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Google Authenticator login project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts

SA-CONTRIB-2013-046 - Filebrowser - Reflected Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 05/01/2013 - 15:09
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-046
  • Project: Filebrowser (third-party module)
  • Version: 6.x
  • Date: 2013-May-1
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Filebrowser module allows site administrators to expose a particular file system folder and all of its subfolders with an FTP-like interface to site visitors.

The module doesn't sufficiently sanitize user input when presenting lists of files.

Because the vulnerability is Reflected Cross Site Scripting, the only mitigating factor is that an authenticated user must be tricked into visiting a specially crafted malicious URL.

CVE identifier(s) issued
  • CVE-2013-2036
Versions affected
  • Filebrowser 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Filebrowser module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Filebrowser project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Security posts