Feed aggregator

SA-CONTRIB-2014-052 - AddressField Tokens - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 05/14/2014 - 15:34
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-052
  • Project: Addressfield Tokens (third-party module)
  • Version: 7.x
  • Date: 2014-May-14
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The AddressField Tokens module extends the addressfield module by adding token support. It also adds some convenient addressfield formatters and provides Webform addressfield integration.

The module does not properly filter address field values, resulting in a Cross Site Scripting (XSS) vulnerability which can be leveraged by any user that can edit an addressfield on a site displaying that field using the "address components" field formatter.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an AddressField field (e.g. create or edit a node).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • AddressField Tokens 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Addressfield Tokens module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Addressfield Tokens project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-51 - Realname Registration - Information Disclosure

Drupal Contrib Security Announcements - Wed, 05/14/2014 - 15:28
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-051
  • Project: Realname registration (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-05-14
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

This module enables you to generate usernames based on fields filled out by the user during registration. The module doesn't sufficiently restrict access to the settings for determining which user fields are incorporated into usernames, and doesn't properly validate generated user names.

Any user with the "access administration pages" permission can change which fields are used to generate this name. This may publicly expose user profile fields intended to be kept private. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages".

In addition, generated user names are not passed through the core function user_validate_name(). This vulnerability is mitigated by the fact that it only impacts custom modules or themes which do not properly filter usernames through check_plain() before displaying them.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Realname Registration 6.x-2.x versions 6.x-2.0-rc5 and prior.
  • Realname Registration 7.x-1.x and 7.x-2.x versions 7.x-2.0-rc2 and prior.

Drupal core is not affected. If you do not use the contributed Realname registration module, there is nothing you need to do.

Solution

Also see the Realname registration project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/14/2014 - 13:47
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-050
  • Project: Commerce Postfinance ePayment (third-party module)
  • Version: 7.x
  • Date: 2014-May-14
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider.

The module doesn't sufficiently validate incoming payment notification (IPN) messages. Sending a specifically crafted IPN message to an affected site allows an attacker to create transactions and manipulate the status of an order. This has the potential to allow an attacker to complete the purchase of items without actually paying for them.

This vulnerability is partially mitigated by the fact that an attack is identifiable by comparing the transaction log from the payment service provider with commerce orders on an affected site.
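The mitigation described above, reconciling the payment provider's transaction log against the site's orders, as an added example that is not part of the advisory or of the Commerce Postfinance ePayment module. The CSV log layout, the order array and the status names ('captured', 'completed') are constructed for the example; a real Postfinance export and a Drupal Commerce order load would take their place.

```php
<?php
// Added example: flag orders the site treats as paid that the payment
// service provider (PSP) has no successful, amount-matching transaction for.
// Log format and order structure are constructed, not the module's own.

/**
 * Parse a constructed PSP transaction log: one CSV line per transaction with
 * columns transaction_id, order_id, amount (minor units), currency, status.
 */
function parse_psp_log($csv) {
  $transactions = array();
  foreach (explode("\n", trim($csv)) as $line) {
    $line = trim($line);
    if ($line === '' || $line[0] === '#') {
      continue; // skip blank and comment lines
    }
    list($tid, $order_id, $amount, $currency, $status) = str_getcsv($line);
    $transactions[] = array(
      'tid'      => $tid,
      'order_id' => (int) $order_id,
      'amount'   => (int) $amount,
      'currency' => $currency,
      'status'   => $status,
    );
  }
  return $transactions;
}

/**
 * Return order_id => reason for every completed order that is not fully
 * backed by captured PSP transactions in the same currency. A forged IPN
 * shows up here as a completed order with no (or an insufficient) PSP record.
 */
function find_unbacked_orders(array $orders, array $transactions) {
  $by_order = array();
  foreach ($transactions as $t) {
    $by_order[$t['order_id']][] = $t;
  }
  $findings = array();
  foreach ($orders as $order) {
    if ($order['status'] !== 'completed') {
      continue; // only orders the site already considers paid matter here
    }
    $oid = $order['order_id'];
    if (empty($by_order[$oid])) {
      $findings[$oid] = 'no provider transaction at all';
      continue;
    }
    $settled = 0;
    foreach ($by_order[$oid] as $t) {
      if ($t['status'] === 'captured' && $t['currency'] === $order['currency']) {
        $settled += $t['amount'];
      }
    }
    if ($settled < $order['total']) {
      $findings[$oid] = sprintf('provider captured %d of %d', $settled, $order['total']);
    }
  }
  return $findings;
}

// Constructed sample data: PSP export on one side, site orders on the other.
$psp_log = <<<CSV
# tid,order_id,amount,currency,status
T1001,41,2500,CHF,captured
T1002,42,1200,CHF,declined
T1003,44,5000,CHF,captured
CSV;

$orders = array(
  array('order_id' => 41, 'status' => 'completed', 'total' => 2500, 'currency' => 'CHF'), // genuine
  array('order_id' => 42, 'status' => 'completed', 'total' => 1200, 'currency' => 'CHF'), // declined at PSP
  array('order_id' => 43, 'status' => 'completed', 'total' => 9900, 'currency' => 'CHF'), // no PSP record
  array('order_id' => 44, 'status' => 'completed', 'total' => 8000, 'currency' => 'CHF'), // underpaid
  array('order_id' => 45, 'status' => 'pending',   'total' => 1000, 'currency' => 'CHF'), // not yet paid
);

foreach (find_unbacked_orders($orders, parse_psp_log($psp_log)) as $oid => $reason) {
  printf("order %d is marked completed but: %s\n", $oid, $reason);
}
```

Orders 42, 43 and 44 are reported; 41 and 45 are silent. Run this against the full export for the affected period, since an attacker-created transaction leaves a completed order with no counterpart on the provider side.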

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Postfinance ePayment 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Commerce Postfinance ePayment module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Postfinance ePayment project page.

Reported by Fixed by
  • Rémy, the module maintainer
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-049 - Organic Groups (OG) - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/07/2014 - 18:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-049
  • Project: Organic groups (third-party module)
  • Version: 7.x
  • Date: 2014-May-07
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Organic groups (OG) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves.

OG doesn't sufficiently check permissions when a group member with pending or blocked status within the group tries to access information on a site.

This vulnerability only affects sites using the "Organic groups access control" sub-module available within the Organic Groups package. It's further mitigated by the fact that an attacker must be a group member with pending or blocked status within the group.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Organic Groups 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed Organic groups module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Organic groups project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass

Drupal Contrib Security Announcements - Wed, 04/30/2014 - 15:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-048
  • Project: Field API Pane Editor (FAPE) (third-party module)
  • Version: 7.x
  • Date: 2014-April-30
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module.

The module doesn't sufficiently verify the user has access to modify the entity the field is attached to. Unless another module was installed which restricted access to edit the fields, any user can edit any field on any entity on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Field API Pane Editor (FAPE) 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Field API Pane Editor (FAPE) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Field API Pane Editor (FAPE) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-047 - Zen - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/30/2014 - 15:14
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-047
  • Project: Zen (third-party theme)
  • Version: 7.x
  • Date: 2014-April-30
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design.

The theme does not properly sanitize theme settings before they are used in the output of a page. Custom themes that have copied Zen's template files (e.g. subthemes) may suffer from this same issue. If your theme creates variables in a preprocess using text from a custom theme setting, like this:

$variables['skip_link_text'] = theme_get_setting('skip_link_text');

you can prevent malicious XSS attacks by modifying the code to look like this:

$variables['skip_link_text'] = check_plain(theme_get_setting('skip_link_text'));

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer theme".
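The preprocess pattern above, as an added example that is not the Zen theme's own code: a Drupal 7 subtheme `template.php` hook in the unsanitized form the advisory describes beside the `check_plain()` form, with stand-ins for `theme_get_setting()` and `check_plain()` so the file also runs from the command line outside a Drupal site. The subtheme name `mysubtheme` and the extra `footer_tagline` setting are assumed; `skip_link_text` is the setting named in the advisory.

```php
<?php
// Added example (not from Zen): unsanitized vs. sanitized theme settings in a
// Drupal 7 subtheme preprocess hook.

// Outside Drupal, provide minimal stand-ins so the file executes stand-alone.
// Drupal 7's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('theme_get_setting')) {
  // Constructed settings standing in for what a user with "administer themes"
  // could have saved through the theme settings form.
  function theme_get_setting($name, $theme = NULL) {
    $constructed = array(
      'skip_link_text' => 'Skip to main content<script>alert(1)</script>',
      'footer_tagline' => 'Tom & Jerry <em>Ltd</em>',
    );
    return isset($constructed[$name]) ? $constructed[$name] : NULL;
  }
}

/**
 * The pattern from the advisory: the raw setting is copied into $variables
 * and html.tpl.php prints it unescaped. Named so Drupal never invokes it as a
 * real preprocess hook; it exists only for the comparison below.
 */
function mysubtheme_unsanitized_preprocess(&$variables) {
  $variables['skip_link_text'] = theme_get_setting('skip_link_text');
}

/**
 * The fixed form: every text setting destined for HTML output is passed
 * through check_plain() in preprocess, so templates can print it directly.
 */
function mysubtheme_preprocess_html(&$variables) {
  $variables['skip_link_text'] = check_plain(theme_get_setting('skip_link_text'));
  // Apply the same treatment to every custom text setting, not just one.
  $variables['footer_tagline'] = check_plain(theme_get_setting('footer_tagline'));
}

// Self-check when run from the CLI outside a Drupal bootstrap.
if (PHP_SAPI === 'cli' && !defined('DRUPAL_ROOT')) {
  $raw = array();
  mysubtheme_unsanitized_preprocess($raw);
  $safe = array();
  mysubtheme_preprocess_html($safe);
  echo "unsanitized: {$raw['skip_link_text']}\n";
  echo "sanitized:   {$safe['skip_link_text']}\n";
  echo "tagline:     {$safe['footer_tagline']}\n";
  // After check_plain() no markup-significant characters survive unescaped.
  if (strpbrk($safe['skip_link_text'], '<>"\'') !== FALSE) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
  }
}
```

The same check applies to any subtheme that copied Zen's template.php: grep its preprocess functions for `theme_get_setting(` calls whose result is assigned without `check_plain()` or `filter_xss()`.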

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Zen 7.x-5.x versions prior to 7.x-5.5.
  • Zen 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Zen theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Zen project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-046 - Context Form Alteration - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 04/30/2014 - 13:52
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-046
  • Project: Context Form Alteration (third-party module)
  • Version: 7.x
  • Date: 2014-April-30
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Context Form Alteration module enables admins to alter forms via Context reactions.

The module doesn't sufficiently sanitize user input entered within the Context configuration UI.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer contexts".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Context Form Alteration 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Context Form Alteration module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Context Form Alteration project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-045 - Drupal Commons - Multiple Vulnerabilities

Drupal Contrib Security Announcements - Wed, 04/23/2014 - 18:14
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-045
  • Project: Drupal Commons (third-party module)
  • Version: 7.x
  • Date: 2014-April-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This SA contains two patches against Drupal Commons.

Views Bulk Operations Access Bypass

Drupal commons comes with a view to moderate reported content, which is intended for authenticated users to view which content has been reported.

Since it has hard coded VBO operations within the view, and Drupal Commons doesn't come with the VBO 'access_permissions' submodule enabled, all views bulk operations can be performed by anyone with access to the view. In its default setting, this allows users to delete content from other users and potentially ban other users from the site.

Anonymous Users can view Wiki revisions regardless of group privacy

Commons allows users of a group to edit a wiki created by anyone, regardless of edit permissions. It is supposed to refer back to the group permissions when creating this edit permission. However, the revisions permission hook allows anyone (anonymous or authenticated) to view revisions and diffs between revisions. This can potentially leak hidden data from groups a user does not otherwise have access to.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commons 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Drupal Commons module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commons project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-044 - Professional Theme - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 04/23/2014 - 17:19
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-044
  • Project: Professional Theme (third-party module)
  • Version: 7.x
  • Date: 2014-April-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Professional Theme is a modern and professional Drupal theme.

The theme does not sufficiently sanitize theme settings input for custom copyright information.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Professional Theme for 7.x prior to 7.x-2.04.

Drupal core is not affected. If you do not use the contributed Professional Theme module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Professional Theme for Drupal 7.x, upgrade to 7.x-2.04

Also see the Professional Theme project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-043 - Custom Search - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 04/23/2014 - 15:41
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-043
  • Project: Custom Search (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-April-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Custom Search module alters the default search box to provide some options like in advanced search, but directly in the search box.

The module doesn't sanitize taxonomy vocabulary labels before display leading to a persistent cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that it requires the attacker to have the permission "administer taxonomy."

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Custom Search 6.x-1.x versions prior to 6.x-1.13.
  • Custom Search 7.x-1.x versions prior to 7.x-1.15.

Drupal core is not affected. If you do not use the contributed Custom Search module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Search project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-042 - Internationalization - Access Bypass

Drupal Contrib Security Announcements - Wed, 04/23/2014 - 15:39
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-042
  • Project: Internationalization (third-party module)
  • Version: 7.x
  • Date: 2014-April-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to build multilingual Drupal sites providing missing translation features for Drupal core.

The module doesn't sufficiently check content access permissions and under certain circumstances allows users with the "access content" permission to see path aliases from unpublished nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Internationalization 7.x-1.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed Internationalization module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Internationalization project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CORE-2014-002 - Drupal core - Information Disclosure

Drupal Core Security Announcements - Wed, 04/16/2014 - 19:50
  • Advisory ID: DRUPAL-SA-CORE-2014-002
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-April-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.

When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.

This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.

Note: This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by Drupal or by an external system). See the Drupal 6.31 release notes and Drupal 7.27 release notes for more information.

CVE identifier(s) issued
  • CVE-2014-2983
Versions affected
  • Drupal core 6.x versions prior to 6.31.
  • Drupal core 7.x versions prior to 7.27.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-041 - Block Search - SQL Injection

Drupal Contrib Security Announcements - Wed, 04/16/2014 - 15:28
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-041
  • Project: Block Search (third-party module)
  • Version: 6.x
  • Date: 2014-April-16
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection
Description

Block Search module provides an alternative way of managing blocks.

The module doesn't properly use Drupal's database API, resulting in user-provided strings being passed directly to the database and allowing SQL Injection.

This vulnerability is mitigated by the fact that an attacker must either use a CSRF attack against a user with sufficient permissions or have a role with the permission "admin blocks" or "set region".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Block Search All versions.

Drupal core is not affected. If you do not use the contributed Block Search module, there is nothing you need to do.

Solution

No patch nor updated version is available.

Site administrators should disable the module.

Also see the Block Search project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-040 - Skeleton theme - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:35
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-040
  • Project: Skeleton (third-party theme)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Skeleton theme is a responsive Drupal theme, built upon the Skeleton Boilerplate.

The Skeleton theme does not properly sanitize theme settings before they are used in the output of a page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • skeletontheme-7.x-1.2
  • skeletontheme-7.x-1.3

Drupal core is not affected. If you do not use the contributed Skeleton theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Skeleton project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-038 - SimpleCorp theme - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:27
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-038
  • Project: SimpleCorp (third-party theme)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

SimpleCorp theme is a free responsive Drupal theme.

The SimpleCorp theme does not properly sanitize theme settings before they are used in the output of a page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Simplecorp-7.x-1.0

Drupal core is not affected. If you do not use the contributed SimpleCorp theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the SimpleCorp project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-039 - Revisioning - Access Bypass

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:25
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-039
  • Project: Revisioning (third-party module)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to manage publication workflows whereby new, not publicly visible revisions of existing published content may be created by an author for review, while the current revision remains live to the public. The new revision does not go live until it is approved by a moderator with the necessary privileges to publish the new revision, replacing the old.

The module didn't properly invoke access grants introduced by other contributed modules. Instead it gives "view" access to published content and does not enforce view access restrictions imposed by other modules.

This vulnerability is mitigated by the fact that this is only an issue when your site uses modules that introduce additional access grants over and above core's access permissions, such as Taxonomy Access or Content Access.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Revisioning version 7.x-1.7 only

Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Revisioning module 7.x-1.7, upgrade to 7.x-1.8.
    Revisioning 7.x-1.6 does not have the bug, but reverting to 7.x-1.6 naturally also means you miss out on any bug-fixes and features of version 7.x-1.7

Also see the Revisioning project page.

Reported by Fixed by Coordinated by
  • Mark Ferree, provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:16
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-037
  • Project: BlueMasters (third-party module)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Bluemasters is a responsive layout theme for Drupal 7.

The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Bluemasters 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed BlueMasters theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the BlueMasters project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-036 - Print - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/02/2014 - 17:10
Description

This module provides printer-friendly versions of content, including send-by-e-mail and PDF versions.

The module does not sufficiently sanitize user-provided input when generating the printed version of a node.

This is mitigated by the fact that an attacker must have permission to create a node which offers the print functionality.
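Both this advisory and SA-CONTRIB-2014-037 (BlueMasters) above come down to the same Drupal 7 rule: escape or filter a value at the point it is placed into HTML, whether it came from a theme setting or from node content. The following is an added example, not code from the Print module or the BlueMasters theme; the "example_" names and the footer settings are hypothetical, while theme_get_setting(), check_plain(), filter_xss_admin(), check_markup(), field_get_items() and filter_default_format() are real Drupal 7 APIs.

```php
<?php
// Added example, not code from the Print module or the BlueMasters theme.
// Drupal 7 API calls used: theme_get_setting(), check_plain(),
// filter_xss_admin(), check_markup(), field_get_items(),
// filter_default_format(). Names prefixed "example_" are hypothetical.

/**
 * Vulnerable pattern: a free-text theme setting (editable by anyone with
 * "administer themes") is copied into a template variable unescaped and
 * later printed with <?php print $footer_text; ?> in page.tpl.php.
 */
function example_preprocess_page_vulnerable(&$variables) {
  $variables['footer_text'] = theme_get_setting('example_footer_text');
}

/**
 * Hardened pattern: plain-text settings go through check_plain(); a setting
 * that is meant to hold limited HTML goes through filter_xss_admin() (or
 * check_markup() with an explicit text format) instead of being trusted.
 */
function example_preprocess_page_fixed(&$variables) {
  $variables['footer_text'] = check_plain(theme_get_setting('example_footer_text'));
  $variables['footer_html'] = filter_xss_admin(theme_get_setting('example_footer_html'));
}

/**
 * Same rule for node content rendered into an alternate output such as a
 * printer-friendly page or an e-mail body: render the body through its own
 * text format so the format's filters (filter_html for non-admin formats)
 * apply, instead of echoing the stored value.
 */
function example_print_node_body($node) {
  $items = field_get_items('node', $node, 'body');
  if (empty($items)) {
    return '';
  }
  $item = $items[0];
  // Fall back to the site default format if the item carries none.
  $format = !empty($item['format']) ? $item['format'] : filter_default_format();
  return check_markup($item['value'], $format, $node->language);
}

/**
 * Titles and other plain-text node properties are escaped, never printed raw.
 */
function example_print_node_title($node) {
  return check_plain($node->title);
}
```

The check a reviewer applies to either component is the same: follow every theme_get_setting() or node property from where it is read to where it is printed, and confirm that exactly one escaping or filtering step sits in between.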

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.19.
  • Printer, email and PDF versions 7.x-1.x versions prior to 7.x-1.3.
  • Printer, email and PDF versions 7.x-2.x versions prior to 7.x-2.0.

Drupal core is not affected. If you do not use the contributed Printer, email and PDF versions module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Printer, email and PDF versions module for Drupal 6.x, upgrade to print 6.x-1.19
  • If you use the Printer, email and PDF versions module for Drupal 7.x, upgrade to print 7.x-1.3 or print 7.x-2.0

Also see the Printer, email and PDF versions project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-035 - CAS Server - Access Bypass

Drupal Contrib Security Announcements - Wed, 04/02/2014 - 17:08
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-035
  • Project: CAS (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-April-02
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The cas_server module of the CAS project implements the CAS 1.0 and 2.0 specifications, providing single sign-on to relying-party web applications (the "service" in the CAS specifications). The CAS server creates single-use tickets when serving a user's login request; a ticket is subsequently deleted when the relying party validates it.

However, this successful validation will be cached if the Drupal page cache is enabled, and subsequent identical validations can be processed even though the single-use ticket has been deleted.

A user's session on a relying party can therefore be re-initialized via a session replay attack involving the cas_server module, even after the user deletes cookies and server-side sessions for both sites.

This would require an attacker to sniff the service URL containing the ticket ID, such as with a non-SSL relying party, by protocol downgrade, or by accessing an earlier user's web activity on a public computer.
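The failure mode here is specific to how Drupal 7's page cache works: the relying party's validation request carries no session cookie, so it is an anonymous request and its response is eligible for caching unless the callback opts out. The following added example (not code from the CAS module) shows a minimal CAS 1.0 style validation callback that opts out of the page cache and consumes the ticket atomically. The {example_cas_ticket} table and the "example_" function names are hypothetical; drupal_page_is_cacheable(), drupal_add_http_header(), db_query(), db_delete(), user_load() and drupal_exit() are real Drupal 7 APIs.

```php
<?php
// Added example, not code from the CAS module. Drupal 7 API calls used:
// drupal_page_is_cacheable(), drupal_add_http_header(), db_query(),
// db_delete(), user_load(), drupal_exit(). The {example_cas_ticket} table
// (columns: ticket, uid, service, created) and the function names are
// hypothetical.

/**
 * Menu callback for a CAS 1.0 style validate endpoint
 * (?service=...&ticket=ST-...). Responds "yes\n<user>\n" or "no\n".
 *
 * Without the drupal_page_is_cacheable(FALSE) call, a "yes" response would be
 * stored by the page cache and replayed for every later anonymous request with
 * the same service and ticket, even after the ticket row has been deleted.
 */
function example_cas_validate_page() {
  // 1. Never store or serve this response from the page cache.
  drupal_page_is_cacheable(FALSE);
  drupal_add_http_header('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
  drupal_add_http_header('Content-Type', 'text/plain; charset=utf-8');

  $ticket  = isset($_GET['ticket']) ? $_GET['ticket'] : '';
  $service = isset($_GET['service']) ? $_GET['service'] : '';
  $name    = example_cas_consume_ticket($ticket, $service);

  // 2. Emit the protocol response and stop; drupal_exit() still runs the
  //    page footer, which respects the cacheable flag set above.
  print $name === FALSE ? "no\n" : "yes\n" . $name . "\n";
  drupal_exit();
}

/**
 * Looks up and atomically consumes a single-use ticket. Returns the account
 * name on success, FALSE otherwise. The DELETE's affected-row count, not the
 * preceding SELECT, decides success, so two concurrent validations of the
 * same ticket cannot both succeed.
 */
function example_cas_consume_ticket($ticket, $service, $lifetime = 300) {
  if ($ticket === '' || $service === '') {
    return FALSE;
  }
  $row = db_query('SELECT uid, service, created FROM {example_cas_ticket} WHERE ticket = :ticket',
    array(':ticket' => $ticket))->fetchObject();
  // The ticket must exist, be bound to the same service URL, and still be fresh.
  if (!$row || $row->service !== $service || $row->created < REQUEST_TIME - $lifetime) {
    return FALSE;
  }
  $deleted = db_delete('example_cas_ticket')
    ->condition('ticket', $ticket)
    ->execute();
  if ($deleted != 1) {
    return FALSE;
  }
  $account = user_load($row->uid);
  return $account ? $account->name : FALSE;
}
```

A useful regression check for a deployed site is to validate one ticket twice with the page cache enabled and confirm the second response is "no"; a reverse proxy or CDN in front of Drupal also needs the Cache-Control header above, since drupal_page_is_cacheable() only governs Drupal's own cache.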

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CAS Server 6.x-2.x versions prior to 6.x-3.3.
  • CAS Server 7.x-2.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed CAS module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CAS project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts
