Feed aggregator

SA-CONTRIB-2014-062 - Password Policy - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 06/18/2014 - 12:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-062
  • Project: Password policy (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.

Access bypass and information disclosure (7.x only)

The module has a history constraint, which when enabled, disallows a user's password from being changed to match a specified number of their previous passwords. For this to work, the module stores a history of all previous user password hashes from the time the module is enabled (regardless of whether the history constraint is enabled).

Upon upgrading from 6.x to 7.x, the module does not convert these hashes from the Drupal 6 format to the Drupal 7 format. This has two consequences:
1. Users can change their passwords to old passwords used in Drupal 6 in violation of the history constraint.
2. Previous user passwords from Drupal 6 are kept indefinitely in Drupal 7 as weak MD5 hashes. If a site is compromised, past user passwords are at high risk of exposure.

This vulnerability is mitigated by the fact that only sites using 7.x that have previously used 6.x are affected.
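The upgrade gap described above can be closed the same way Drupal 7 core migrates its own users table: the legacy MD5 digest is itself hashed with the Drupal 7 algorithm and prefixed with "U", and core's user_check_password() recognises that prefix and applies md5() to the candidate before comparing. The block below is an added illustration written for this page, not code from the Password Policy module; it assumes a hypothetical history table password_policy_history with columns uid and pass.

```php
<?php
// Added illustration (not the Password Policy module's own code): migrating
// Drupal 6 MD5 password-history hashes to the Drupal 7 format and checking a
// candidate password against the history. Hypothetical table:
// password_policy_history(uid, pass).

/**
 * Re-hashes every legacy 32-character MD5 history entry in place.
 *
 * Safe to re-run: entries already in "$S$..." or "U$S$..." form are skipped.
 * Returns the number of rows updated.
 */
function example_password_history_rehash_md5() {
  require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
  $updated = 0;
  $result = db_query('SELECT uid, pass FROM {password_policy_history}');
  foreach ($result as $row) {
    // Drupal 6 stored md5($password) as bare lowercase hex.
    if (!preg_match('/^[0-9a-f]{32}$/', $row->pass)) {
      continue;
    }
    // Same trick as core's user_update_7000(): hash the MD5 digest with the
    // Drupal 7 algorithm and mark it with a leading 'U'.
    $new_hash = user_hash_password($row->pass);
    if ($new_hash) {
      db_update('password_policy_history')
        ->fields(array('pass' => 'U' . $new_hash))
        ->condition('uid', $row->uid)
        ->condition('pass', $row->pass)
        ->execute();
      $updated++;
    }
  }
  return $updated;
}

/**
 * Returns TRUE if $candidate matches any stored history hash for $uid.
 *
 * Works before and after migration: bare MD5 rows are compared directly,
 * "U$S$" and native "$S$" rows go through user_check_password().
 */
function example_password_history_matches($uid, $candidate) {
  require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
  $result = db_query('SELECT pass FROM {password_policy_history} WHERE uid = :uid',
    array(':uid' => $uid));
  foreach ($result as $row) {
    if (preg_match('/^[0-9a-f]{32}$/', $row->pass)) {
      // Not yet migrated: legacy Drupal 6 comparison.
      if (md5($candidate) === $row->pass) {
        return TRUE;
      }
      continue;
    }
    // user_check_password() only needs an object with a ->pass property.
    $account = (object) array('pass' => $row->pass);
    if (user_check_password($candidate, $account)) {
      return TRUE;
    }
  }
  return FALSE;
}
```

Running the re-hash once (for example from an update hook) removes the long-lived weak MD5 digests from the database while keeping the history constraint enforceable, since no user has to re-enter an old password for the comparison to work.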

Access bypass (6.x)

The module has a feature that lets an administrator force a password change for one or more users at their next login. These users are unable to access the website beyond their account page until changing their password.

A bug exists in 6.x where a password change will not be enforced when a user_save() is performed between the time when the administrator forces the password change and the time the affected user logs in. This can lead to users retaining insecure passwords.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password Policy 6.x-1.x versions prior to 6.x-1.7.
  • Password Policy 7.x-1.x versions prior to 7.x-1.7.
  • Password Policy 7.x-2.x versions prior to 7.x-2.0-alpha2.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Warning: If you are using 7.x, and have used 6.x in the past on the same site, you are advised to back up your database prior to upgrading to the latest version to reduce the risk of an unforeseen upgrade problem causing permanent loss of password history.

Install the latest version:

  • If you use the Password Policy module for Drupal 6.x, upgrade to 6.x-1.7
  • If you use the Password Policy 1.x module for Drupal 7.x, upgrade to 7.x-1.7
  • If you use the Password Policy 2.x module for Drupal 7.x, upgrade to 7.x-2.0-alpha2

Also see the Password policy project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-061 - VideoWhisper Webcam Plugins - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 06/18/2014 - 12:54
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-061
  • Project: VideoWhisper Webcam Plugins (third-party module)
  • Version: 7.x
  • Date: 2014-June-18
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The project includes multiple modules for video communications, including room listing and pay-per-view access control.

The module doesn't sufficiently filter user-supplied text from the URL (reflected cross-site scripting). No special permissions are required to exploit this issue.

There are no mitigating factors for this vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of VideoWhisper Webcam Plugins.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

If you use the VideoWhisper Webcam Plugins module you should uninstall it.

Also see the VideoWhisper Webcam Plugins project page.

Reported by

This issue was publicly disclosed as CVE-2014-2715 outside of the process to report security issues in Drupal. Issues reported via the Drupal Security Team process normally include the original reporter.

Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-060 - Petitions - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 06/11/2014 - 18:41
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-060
  • Project: Petitions (third-party distribution)
  • Version: 7.x
  • Date: 2014-June-11
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

This distribution enables you to build an application that lets users create and sign petitions.

The contained wh_petitions module doesn't sufficiently verify the intent of the user when signing a petition. A malicious user could trick another user into signing a petition they did not intend to sign by getting them to visit a specially-crafted URL while logged in.
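The standard Drupal 7 defence for a state-changing link is to bind a token to the session and the action with drupal_get_token() and check it with drupal_valid_token() before acting. The block below is an added illustration of that pattern, not code from the Petitions distribution; the paths, function names, permission and signatures table are hypothetical.

```php
<?php
// Added illustration (not wh_petitions code): a sign-petition link that
// carries a CSRF token, and a callback that refuses to act without it.
// Hypothetical names throughout; example_petition_signatures is an assumed
// table with columns uid, petition_id, signed.

/**
 * Implements hook_menu().
 */
function example_petitions_menu() {
  $items['petition/%/sign'] = array(
    'title' => 'Sign petition',
    'page callback' => 'example_petitions_sign',
    'page arguments' => array(1),
    // Signing is only meaningful for authenticated users.
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the sign link. The token is derived from the current session id and
 * the site's private key, so a page on another origin cannot forge it.
 */
function example_petitions_sign_url($petition_id) {
  return url('petition/' . $petition_id . '/sign', array(
    'query' => array('token' => drupal_get_token('example_petitions_sign_' . $petition_id)),
  ));
}

/**
 * Page callback: records a signature only when the token proves user intent.
 */
function example_petitions_sign($petition_id) {
  global $user;
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_petitions_sign_' . $petition_id)) {
    // Missing or foreign token: treat exactly like a permission failure.
    return MENU_ACCESS_DENIED;
  }
  db_merge('example_petition_signatures')
    ->key(array('uid' => $user->uid, 'petition_id' => $petition_id))
    ->fields(array('signed' => REQUEST_TIME))
    ->execute();
  drupal_set_message(t('Thank you for signing.'));
  drupal_goto('petition/' . $petition_id);
}
```

If the signing action is moved into a Form API form with a submit button instead of a GET link, the same protection comes for free: every Drupal 7 form carries a form_token that drupal_validate_form() checks before any submit handler runs.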

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • petitions 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Petitions distribution, there is nothing you need to do.

Solution

Install the latest version:

Note that petitions 7.x-1.2 is the last release for the first version of petitions. petitions 7.x-1.x is no longer maintained, and you are strongly encouraged to upgrade to the latest version, petitions 7.x-2.0-beta19. Also see the Petitions project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 06/11/2014 - 15:31
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-059
  • Project: Touch (third-party module)
  • Version: 7.x
  • Date: 2014-June-11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Touch Theme is a lightweight theme with a modern look and feel.

The theme does not sufficiently sanitize the Twitter and Facebook username values entered in its theme settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Touch 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Touch module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Touch theme for Drupal 7.x, upgrade to Touch 7.x-1.9

Also see the Touch project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-058 - Webserver Auth - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/28/2014 - 14:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-058
  • Project: Webserver authentication (third-party module)
  • Version: 7.x
  • Date: 2014-May-28
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module allows you to delegate user authentication to the web server. The module can be configured to automatically create users that have been authenticated by the web server.

A configuration variable did not have consistent default values in the code, meaning that on a new install users would be created by default even though the configuration screen suggested otherwise.

This vulnerability is mitigated by the fact that the issue is only present if the site owner has not saved the configuration page, and it is very common to configure a module after installing it.
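The defect class here is two variable_get() calls that disagree about the default for the same variable, so what the settings form displays and what the code does diverge until the form is saved. The block below is an added illustration, not the Webserver authentication module's own code; the variable and function names are hypothetical.

```php
<?php
// Added illustration (not the Webserver authentication module's code) of a
// configuration default that disagrees with itself, beside the fixed shape.
// Variable/function names are hypothetical.

// --- Vulnerable shape -------------------------------------------------------
// The settings form shows the box unchecked on a fresh install...
function vulnerable_settings_form($form, &$form_state) {
  $form['example_wsauth_create_users'] = array(
    '#type' => 'checkbox',
    '#title' => t('Automatically create users authenticated by the web server'),
    '#default_value' => variable_get('example_wsauth_create_users', FALSE),
  );
  return system_settings_form($form);
}

// ...but the login path uses a different default, so until the admin presses
// Save every web-server-authenticated name silently becomes an account.
function vulnerable_should_create_user() {
  return (bool) variable_get('example_wsauth_create_users', TRUE);
}

// --- Fixed shape ------------------------------------------------------------
// One constant is the single source of truth for the default, and the default
// fails closed.
define('EXAMPLE_WSAUTH_CREATE_USERS_DEFAULT', FALSE);

function example_wsauth_create_users_enabled() {
  return (bool) variable_get('example_wsauth_create_users', EXAMPLE_WSAUTH_CREATE_USERS_DEFAULT);
}

function fixed_settings_form($form, &$form_state) {
  $form['example_wsauth_create_users'] = array(
    '#type' => 'checkbox',
    '#title' => t('Automatically create users authenticated by the web server'),
    // Form and runtime now read the same helper, so they cannot diverge.
    '#default_value' => example_wsauth_create_users_enabled(),
  );
  return system_settings_form($form);
}

/**
 * Implements hook_install(): persist the default at install time so the
 * stored value exists even before the settings page is ever visited.
 */
function example_wsauth_install() {
  variable_set('example_wsauth_create_users', EXAMPLE_WSAUTH_CREATE_USERS_DEFAULT);
}

/**
 * Implements hook_uninstall().
 */
function example_wsauth_uninstall() {
  variable_del('example_wsauth_create_users');
}
```

Persisting the default in hook_install() is the belt-and-braces step: even if a later code path is written with its own inline default, variable_get() will return the stored value rather than the inline one.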

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webserver authentication before version 7.x-1.4

Drupal core is not affected. If you do not use the contributed Webserver authentication module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webserver authentication project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-057 - Password policy - General logic error

Drupal Contrib Security Announcements - Wed, 05/21/2014 - 15:15
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-057
  • Project: Password policy (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: General logic error
Description

This module enables you to define password policies with various constraints on allowable user passwords. The history constraint, when enabled, disallows a user's password from being changed to match a specified number of their previous passwords.

Beginning with Password Policy 7.x-1.4, the history constraint had no effect when enabled, and user passwords could be changed to match any previous passwords beyond the most recent. Therefore, passwords of users that were changed since Password Policy 7.x-1.4 or later was installed may match previous passwords in violation of the history constraint.

This vulnerability is mitigated by the fact that it only affects users covered by a password policy with the history constraint enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password policy 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution
  1. Install the latest version:
  2. Force a password change for all users covered by a password policy with the history constraint enabled.

Also see the Password policy project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-056 - Commerce Moneris - Information Disclosure

Drupal Contrib Security Announcements - Wed, 05/21/2014 - 15:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-056
  • Project: Commerce Moneris (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

Commerce Moneris is a payment module that integrates the Moneris payment system with Drupal Commerce.

The module stores credit card data in a commerce order object unnecessarily for the purpose of passing the credit card information to the payment gateway. The credit card information is never removed from the order object and is later saved in the clear as serialized data in the database.

This vulnerability is mitigated by the fact that an attacker must have access to the database or the ability to execute PHP to output the raw or unserialized data from the commerce order.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Moneris 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Commerce Moneris module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Moneris project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-055 - Require Login - Access bypass

Drupal Contrib Security Announcements - Wed, 05/21/2014 - 15:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-055
  • Project: Require Login (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to restrict access to a site for all non-authenticated users.

The module does not protect the front page, thereby exposing any sensitive information on the front page to anonymous users.

This vulnerability is mitigated by the fact that private/sensitive information must be on the site's front page.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Login Redirect 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Require Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Require Login project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-054 - Views - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/21/2014 - 14:38
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-054
  • Project: Views (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module doesn't sufficiently check handler access when returning the list of handlers from view_plugin_display::get_handlers(). The most critical code (access plugins and field output) is unaffected - only area handlers, the get_field_labels() method, token replacement, and some relationship handling are susceptible.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views 7.x-3.x versions prior to 7.x-3.8.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.8

Also see the Views project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-053 - Field API Tab Editor (FATE) - Access bypass

Drupal Contrib Security Announcements - Wed, 05/14/2014 - 16:44
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-053
  • Project: Field API Tab Editor (third-party module)
  • Version: 7.x
  • Date: 2014-May-14
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module allows each entity field to be individually edited via its own custom page, accessible via a tab on the entity's page.

The module returns an incorrect value to hook_menu if the current user does not have access to edit the entity. This allows users who would not normally have access to edit the entity to edit any fields that are enabled via this module.

The problem is mitigated by the fact that a site builder must enable the custom edit page for the fields. That configuration is not the default nor automatic.
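A per-field edit tab is only as safe as the access callback hook_menu() routes through; that callback must return a strict boolean derived from the same update check the full edit form uses. The block below is an added illustration for node entities using only Drupal 7 core APIs, not code from the Field API Tab Editor module; the path, function names and the example_fate_enabled_fields variable are hypothetical.

```php
<?php
// Added illustration (not FATE's code): a single-field edit tab on node pages
// whose access callback returns TRUE only when the user may update the node
// and edit that field. Hypothetical names; uses Drupal 7 core APIs only.

/**
 * Implements hook_menu().
 */
function example_fate_menu() {
  $items['node/%node/edit-field/%'] = array(
    'title' => 'Edit field',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_fate_field_form', 1, 3),
    'access callback' => 'example_fate_field_access',
    'access arguments' => array(1, 3),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Access callback. Returning anything but a boolean (a router array, a field
 * definition, an unchecked TRUE) hands the tab to anyone who can view the
 * node; this one fails closed at every step.
 */
function example_fate_field_access($node, $field_name) {
  // Hypothetical site-builder switch: only explicitly enabled fields get a tab.
  $enabled = variable_get('example_fate_enabled_fields', array());
  if (empty($enabled['node'][$field_name])) {
    return FALSE;
  }
  // The decisive check: the same 'update' access the normal edit form uses.
  if (!node_access('update', $node)) {
    return FALSE;
  }
  $field = field_info_field($field_name);
  if (!$field) {
    return FALSE;
  }
  // Field-level edit access on top of entity-level access.
  return (bool) field_access('edit', $field, 'node', $node);
}

/**
 * Form callback: reuses the Field API widgets but exposes only one field.
 */
function example_fate_field_form($form, &$form_state, $node, $field_name) {
  $form['#node'] = $node;
  field_attach_form('node', $node, $form, $form_state);
  foreach (field_info_instances('node', $node->type) as $name => $instance) {
    if ($name != $field_name && isset($form[$name])) {
      $form[$name]['#access'] = FALSE;
    }
  }
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function example_fate_field_form_validate($form, &$form_state) {
  field_attach_form_validate('node', $form['#node'], $form, $form_state);
}

function example_fate_field_form_submit($form, &$form_state) {
  $node = $form['#node'];
  field_attach_submit('node', $node, $form, $form_state);
  node_save($node);
  $form_state['redirect'] = 'node/' . $node->nid;
}
```

Because drupal_get_form() runs only after the router has evaluated the access callback, the boolean returned by example_fate_field_access() is the sole gate on the tab; any non-boolean return or missing branch there becomes an access bypass of exactly the kind this advisory describes.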

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Field API Tab Editor (FATE) 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Field API Tab Editor module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Field API Tab Editor project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-052 - AddressField Tokens - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 05/14/2014 - 15:34
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-052
  • Project: Addressfield Tokens (third-party module)
  • Version: 7.x
  • Date: 2014-May-14
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The AddressField Tokens module extends the addressfield module by adding token support. It also adds some convenient addressfield formatters and provides Webform addressfield integration.

The module does not properly filter address field values, resulting in a Cross Site Scripting (XSS) vulnerability which can be leveraged by any user that can edit an addressfield on a site displaying that field using the "address components" field formatter.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an AddressField field (e.g. create or edit a node).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • AddressField Tokens 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Addressfield Tokens module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Addressfield Tokens project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-051 - Realname Registration - Information Disclosure

Drupal Contrib Security Announcements - Wed, 05/14/2014 - 15:28
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-051
  • Project: Realname registration (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-May-14
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

This module enables you to generate usernames based on fields filled out by the user during registration. The module doesn't sufficiently restrict access to the settings for determining which user fields are incorporated into usernames, and doesn't properly validate generated user names.

Any user with the "access administration pages" permission can change which fields are used to generate this name. This may publicly expose user profile fields intended to be kept private. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages".

In addition, generated user names are not passed through the core function user_validate_name(). This vulnerability is mitigated by the fact that it only impacts custom modules or themes which do not properly filter usernames through check_plain() before displaying them.
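Both points above in code, as an added example (not the Realname Registration module's code): the settings route is placed behind a stronger permission than "access administration pages", and every generated username is checked the way core's user_validate_name() would check it before it is accepted. The validator is a simplified local re-implementation of core's rules so the file runs without a Drupal bootstrap; the hook_menu() entry, its path and the profile fields are hypothetical.

```php
<?php
// Added example, not the Realname Registration module's code.

define('USERNAME_MAX_LENGTH', 60);

// Simplified re-implementation of the checks in core's user_validate_name().
// Returns NULL when the name is acceptable, otherwise an error message.
function validate_name_local($name) {
  if (!strlen($name)) {
    return 'You must enter a username.';
  }
  if (substr($name, 0, 1) == ' ') {
    return 'The username cannot begin with a space.';
  }
  if (substr($name, -1) == ' ') {
    return 'The username cannot end with a space.';
  }
  if (strpos($name, '  ') !== FALSE) {
    return 'The username cannot contain multiple spaces in a row.';
  }
  // Only letters, digits, space, @ _ . ' - and non-ASCII characters are
  // allowed, and control / invisible characters are rejected. Note that
  // < > " & never pass, which is why a validated name is also safe to print
  // once it has gone through check_plain().
  if (preg_match('/[^\x{80}-\x{10FFFF} a-z0-9@_.\'-]/iu', $name)
    || preg_match('/[\x{80}-\x{A0}\x{AD}\x{2000}-\x{200F}\x{2028}-\x{202F}\x{FEFF}\x{0}-\x{1F}]/u', $name)) {
    return 'The username contains an illegal character.';
  }
  if (strlen($name) > USERNAME_MAX_LENGTH) {
    return 'The username is too long.';
  }
  return NULL;
}

// Build a username from the configured profile fields, then refuse any result
// core would refuse instead of saving it blindly.
function generate_username(array $account_fields, array $pattern_fields) {
  $parts = array();
  foreach ($pattern_fields as $field) {
    if (isset($account_fields[$field]) && $account_fields[$field] !== '') {
      $parts[] = trim($account_fields[$field]);
    }
  }
  $name = implode(' ', $parts);
  $error = validate_name_local($name);
  return array('name' => $error === NULL ? $name : NULL, 'error' => $error);
}

// Hypothetical hook_menu() entry. "access administration pages" is handed to
// many roles; the setting that decides which profile fields are published as
// part of a username belongs behind "administer users" (or a permission the
// module defines itself).
function realname_example_menu() {
  $items['admin/config/people/realname-example'] = array(
    'title' => 'Realname settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('realname_example_settings_form'),
    'access arguments' => array('administer users'),
  );
  return $items;
}

// Constructed registration data, including a private field an attacker with
// access to the settings could try to pull into public usernames.
$fields = array(
  'first_name' => 'Ada',
  'last_name' => 'Lovelace',
  'private_note' => '<img src=x onerror=alert(1)>',
);
var_dump(generate_username($fields, array('first_name', 'last_name')));
var_dump(generate_username($fields, array('first_name', 'private_note')));
```

The second call fails validation on the illegal characters rather than producing a username that a theme printing names without check_plain() would render as markup. Validation and output escaping are separate layers; the advisory's point is that the module skipped the first, so the second became the only defence.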

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Realname Registration 6.x-2.x versions 6.x-2.0-rc5 and prior.
  • Realname Registration 7.x-1.x and 7.x-2.x versions 7.x-2.0-rc2 and prior.

Drupal core is not affected. If you do not use the contributed Realname registration module, there is nothing you need to do.

Solution

Also see the Realname registration project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/14/2014 - 13:47
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-050
  • Project: Commerce Postfinance ePayment (third-party module)
  • Version: 7.x
  • Date: 2014-May-14
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider.

The module doesn't sufficiently validate incoming payment notification (IPN) messages. Sending a specifically crafted IPN message to an affected site allows an attacker to create transactions and manipulate the status of an order. This has the potential to allow an attacker to complete the purchase of items without actually paying for them.

This vulnerability is partially mitigated by the fact that an attack is identifiable by comparing the transaction log from the payment service provider with commerce orders on an affected site.
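What a notification handler has to establish before it touches an order, as an added example (not the Commerce Postfinance ePayment module's code and not its patched logic): that the message carries an authentic signature, and that what the message claims matches the order the site stored. The signature is modeled on the SHA-OUT scheme used by Postfinance/Ogone e-Payment as I understand it (parameters sorted by upper-cased name, each non-empty one appended as NAME=value followed by the secret passphrase, the whole string hashed and compared to the SHASIGN parameter); the exact parameter names, hash algorithm and status codes are assumptions and must follow what the provider's back office is configured for. The notification, passphrase and order below are constructed.

```php
<?php
// Added example, not the Commerce Postfinance ePayment module's code.

// SHA-OUT style signature over the notification (assumed layout, see lead-in).
function compute_sha_out(array $params, $passphrase, $algo = 'sha256') {
  $upper = array();
  foreach ($params as $key => $value) {
    $key = strtoupper($key);
    // SHASIGN itself and empty parameters are never part of the signed string.
    if ($key === 'SHASIGN' || $value === '' || $value === NULL) {
      continue;
    }
    $upper[$key] = $value;
  }
  ksort($upper, SORT_STRING);
  $string = '';
  foreach ($upper as $key => $value) {
    $string .= $key . '=' . $value . $passphrase;
  }
  return strtoupper(hash($algo, $string));
}

// Returns NULL when the notification may be trusted for $expected_order,
// otherwise the reason for rejecting it. $expected_order is what the site
// stored when the customer was sent to the payment page.
function verify_ipn(array $params, $passphrase, array $expected_order) {
  foreach (array('orderID', 'amount', 'currency', 'STATUS', 'SHASIGN') as $required) {
    if (!isset($params[$required]) || $params[$required] === '') {
      return 'missing parameter ' . $required;
    }
  }
  // hash_equals() (PHP >= 5.6) avoids leaking the comparison through timing.
  if (!hash_equals(compute_sha_out($params, $passphrase), strtoupper($params['SHASIGN']))) {
    return 'bad signature';
  }
  // A valid signature proves the provider sent it, not that it is the payment
  // this order is waiting for. Pin every field the order state depends on.
  if ($params['orderID'] !== $expected_order['order_id']) {
    return 'order mismatch';
  }
  if ((string) $params['amount'] !== (string) $expected_order['amount']
    || strtoupper($params['currency']) !== $expected_order['currency']) {
    return 'amount or currency mismatch';
  }
  // Only an accepted-payment status may complete an order; declined,
  // cancelled and pending codes must not. The codes are assumptions.
  $accepted = array('5', '9');
  if (!in_array((string) $params['STATUS'], $accepted, TRUE)) {
    return 'status ' . $params['STATUS'] . ' is not a completed payment';
  }
  return NULL;
}

// Constructed data: the stored order, a genuine notification signed with the
// shared passphrase, and a forgery that changes the amount and cannot sign.
$passphrase = 'example-sha-out-passphrase';
$order = array('order_id' => 'ORDER-1001', 'amount' => '4999', 'currency' => 'CHF');

$genuine = array('orderID' => 'ORDER-1001', 'amount' => '4999', 'currency' => 'CHF',
  'STATUS' => '9', 'PAYID' => '123456');
$genuine['SHASIGN'] = compute_sha_out($genuine, $passphrase);

$forged = $genuine;
$forged['amount'] = '1';
unset($forged['SHASIGN']);
$forged['SHASIGN'] = compute_sha_out($forged, 'attacker-guess');

var_dump(verify_ipn($genuine, $passphrase, $order));
var_dump(verify_ipn($forged, $passphrase, $order));
```

Without the passphrase an attacker can only replay a notification that was genuinely issued, and the order, amount and currency checks stop that replay from completing a different or cheaper order. The reconciliation the advisory mentions (comparing the provider's transaction log against the site's orders) remains worthwhile as a detective control even once the handler validates properly.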

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Postfinance ePayment 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Commerce Postfinance ePayment module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Postfinance ePayment project page.

Reported by
Fixed by
  • Rémy, the module maintainer
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-049 - Organic Groups (OG) - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/07/2014 - 18:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-049
  • Project: Organic groups (third-party module)
  • Version: 7.x
  • Date: 2014-May-07
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Organic groups (OG) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves.

OG doesn't sufficiently check permissions when a group member whose membership is in the pending or blocked state tries to access group information on the site.

This vulnerability only affects sites using the "Organic groups access control" sub-module available within the Organic Groups package. It's further mitigated by the fact that an attacker must be a group member with pending or blocked status within the group.
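The access decision as an added example (not Organic groups' code and not its patched logic): a grant must depend on the membership's state, not merely on a membership record existing. The OG_STATE_* names follow OG's constants, but their numeric values, the membership table and the node-grants shape of the check are assumptions constructed for the example.

```php
<?php
// Added example, not Organic groups' code.

define('OG_STATE_ACTIVE', 1);
define('OG_STATE_PENDING', 2);
define('OG_STATE_BLOCKED', 3);

// Constructed membership records: gid => uid => state.
$memberships = array(
  10 => array(2 => OG_STATE_ACTIVE, 3 => OG_STATE_PENDING, 4 => OG_STATE_BLOCKED),
  11 => array(2 => OG_STATE_PENDING, 3 => OG_STATE_ACTIVE),
);

// Vulnerable pattern: any membership row, whatever its state, yields a grant.
function user_group_grants_vulnerable(array $memberships, $uid) {
  $gids = array();
  foreach ($memberships as $gid => $members) {
    if (isset($members[$uid])) {
      $gids[] = $gid;
    }
  }
  return $gids;
}

// Hardened: only memberships in an allowed state (by default just active)
// yield a grant. Pending members are still awaiting approval and blocked
// members were deliberately excluded; neither may see group content.
function user_group_grants(array $memberships, $uid, array $states = array(OG_STATE_ACTIVE)) {
  $gids = array();
  foreach ($memberships as $gid => $members) {
    if (isset($members[$uid]) && in_array($members[$uid], $states, TRUE)) {
      $gids[] = $gid;
    }
  }
  return $gids;
}

// Access to one piece of group content: the user needs a grant for at least
// one of the groups the content belongs to (the shape of a node-grants check).
function group_content_access(array $memberships, $uid, array $content_gids) {
  $granted = user_group_grants($memberships, $uid);
  return count(array_intersect($content_gids, $granted)) > 0;
}

foreach (array(2, 3, 4, 5) as $uid) {
  printf("uid %d: vulnerable grants=[%s] hardened grants=[%s] group 10 content: %s\n",
    $uid,
    implode(',', user_group_grants_vulnerable($memberships, $uid)),
    implode(',', user_group_grants($memberships, $uid)),
    group_content_access($memberships, $uid, array(10)) ? 'allow' : 'deny');
}
```

The loop makes the difference visible: uids 3 and 4 receive a grant for group 10 from the vulnerable version and none from the hardened one. When reviewing a group or membership system, look for every place that tests "is a member" and confirm it also tests the state; a membership table with a state column invites exactly this omission.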

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Organic Groups 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed Organic groups module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Organic groups project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts
