[Full-disclosure] [Security-news] SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure

2014-03-12 Thread security-news
View online: https://drupal.org/node/2216269

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-030
   * Project: SexyBookmarks [1] (third-party module)
   * Version: 6.x
   * Date: 2014-March-12
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Information Disclosure

 DESCRIPTION
-

The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in.
The module adds social bookmarking using the Shareaholic service.

The module discloses the private files location when Drupal 6 is configured
to use private files.

This vulnerability is mitigated by the fact that only sites using private
files are affected.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * All SexyBookmarks 6.x-2.x versions.

Drupal core is not affected. If you do not use the contributed SexyBookmarks
[4] module, there is nothing you need to do.

 SOLUTION


   * If you use the SexyBookmarks module for Drupal 6.x you should disable it.
   * Users can also consider using the Shareaholic [5] module which provides
 similar features. However, the Shareaholic module is currently only
 available for Drupal 7, so affected users would have to upgrade to Drupal 7
 first.

Also see the SexyBookmarks [6] project page.

 REPORTED BY
-

   * Don Morris [7]

 FIXED BY


Not applicable.

 COORDINATED BY
--

   * Greg Knaddison [8] of the Drupal Security Team
   * Cash Williams [9] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] http://drupal.org/project/sexybookmarks
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/sexybookmarks
[5] http://drupal.org/project/shareaholic
[6] http://drupal.org/project/sexybookmarks
[7] http://drupal.org/user/79398
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/421070
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [Security-news] SA-CONTRIB-2014-031 - Webform Template - Access Bypass

2014-03-12 Thread security-news
View online: https://drupal.org/node/2216607

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-031
   * Project: Webform Template [1] (third-party module)
   * Version: 7.x
   * Date: 2014-March-12
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access Bypass

 DESCRIPTION
-

This module enables you to copy webform config from one node to another.
The module doesn't respect node access when providing possible nodes to copy
from. As a result, the titles of nodes a user does not have view access to
may be disclosed to him, and as such he may be able to copy the webform
configuration from otherwise hidden nodes.
This vulnerability is mitigated by the fact that the system must be using a
node access control module and an attacker must have a role that has access
to edit nodes of the webform template destination type.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * All Webform Template 6.x-1.x versions.
   * Webform Template 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Webform
Template [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Webform Template module for Drupal 7.x, upgrade to a newer
 version. The issue is fixed as from 7.x-1.3 [5].
   * If using an older version, be aware of the risks and consequences.

*Note:* For some people, the previous behavior was actually exactly how they
used this module. To restore the original functionality, go to the settings (
admin/config/content/webform_template ) and check the "Defeat node access"
checkbox.

Also see the Webform Template [6] project page.

 REPORTED BY
-

   * theunraveler [7]

 FIXED BY


   * rv0 [8] the module maintainer

 COORDINATED BY
--

   * Rick Manelius [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] http://drupal.org/project/webform_template
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/webform_template
[5] https://drupal.org/node/2216447
[6] http://drupal.org/project/webform_template
[7] https://drupal.org/user/71548
[8] https://drupal.org/user/655596
[9] https://drupal.org/user/680072
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-029 - Mime Mail - Access Bypass

2014-03-05 Thread security-news
View online: https://drupal.org/node/2211419

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-029
   * Project: Mime Mail [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-March-05
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

The MIME Mail module allows sending MIME-encoded e-mail messages with
embedded images and attachments.

By default the module only allows files to be embedded or attached that are
located in the public files directory.

The module doesn't sufficiently check the file location, considering similar
paths in different roots as being located in the public files directory,
possibly allowing arbitrary files to be sent as attachments without permission.

This vulnerability is mitigated by the fact that an attacker must be able to
compose and send e-mail messages to an arbitrary address and the attached
file's location must partly match with the system path of the public files
directory.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Mime Mail 6.x-1.x versions prior to 6.x-1.4.
   * Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta3.

Drupal core is not affected. If you do not use the contributed Mime Mail [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Mime Mail module for Drupal 6.x, upgrade to Mime Mail
 6.x-1.4 [5]
   * If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail
 7.x-1.0-beta3 [6]

Also see the Mime Mail [7] project page.

 REPORTED BY
-

   * Heine Deelstra [8] of the Drupal Security Team

 FIXED BY


   * Gabor Seljan [9] the module maintainer
   * Rick Manelius [10] of the Drupal Security Team

 COORDINATED BY
--

   * Rick Manelius [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/mimemail
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mimemail
[5] https://drupal.org/node/221
[6] https://drupal.org/node/2211109
[7] http://drupal.org/project/mimemail
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/232117
[10] http://drupal.org/user/680072
[11] http://drupal.org/user/680072
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

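The flawed location check in SA-CONTRIB-2014-029 above is a generic path-containment bug, so here is an added, stand-alone illustration in Python. It is not Mime Mail's own code; the directory layout, the file names and the substring form of the naive check are this example's assumptions. It shows why a textual prefix or substring test accepts a same-named directory under another root, a sibling directory sharing the prefix, a '..' segment and a symlink, and how resolving both paths and comparing whole path components closes all four.

```python
import os
import shutil
import tempfile

# Hypothetical public files path, as a Drupal site might configure it.
PUBLIC_DIR_NAME = "sites/default/files"


def naive_is_public(path: str) -> bool:
    """Vulnerable pattern: a textual substring test. Any path that merely
    contains the public directory name is accepted, including the same
    relative path under a different root and a sibling directory that
    shares the prefix ('files_private')."""
    return PUBLIC_DIR_NAME in path.replace(os.sep, "/")


def is_inside_public(path: str, public_root: str) -> bool:
    """Hardened check: resolve both sides (symlinks, '..', duplicate
    separators) and require that the candidate equals the root or lies below
    it as whole path components. commonpath compares components, never
    partial strings, so 'files_private' is not 'under' 'files'."""
    root = os.path.realpath(public_root)
    target = os.path.realpath(path)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows, or mixed abs/relative
        return False


def demo() -> dict:
    """Build a constructed layout in a temp dir and compare both checks.

    <tmp>/web/sites/default/files/            public files (trusted)
    <tmp>/web/sites/default/files_private/    sibling sharing the text prefix
    <tmp>/private/sites/default/files/        same relative path, other root
    <tmp>/web/sites/default/files/link -> <tmp>/private   symlink escape
    Returns {case: (naive_result, hardened_result)}.
    """
    base = tempfile.mkdtemp()
    public = os.path.join(base, "web", "sites", "default", "files")
    sibling = os.path.join(base, "web", "sites", "default", "files_private")
    other_root = os.path.join(base, "private", "sites", "default", "files")
    for d in (public, sibling, other_root):
        os.makedirs(d)

    cases = {
        "public": os.path.join(public, "logo.png"),
        "sibling": os.path.join(sibling, "key.pem"),
        "other_root": os.path.join(other_root, "secret.txt"),
        "dotdot": os.path.join(public, "..", "files_private", "key.pem"),
    }
    link = os.path.join(public, "link")
    try:
        os.symlink(os.path.join(base, "private"), link)
        cases["symlink"] = os.path.join(link, "sites", "default", "files", "secret.txt")
    except OSError:
        pass  # symlinks unavailable (e.g. unprivileged Windows): skip that case

    results = {name: (naive_is_public(p), is_inside_public(p, public))
               for name, p in cases.items()}
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:11s} naive={naive!s:5s} hardened={hardened}")
```

The same test ports directly to PHP with realpath() and a component-wise comparison; the property that matters is that the decision is made on resolved paths and on whole components, never on the raw string the caller supplied.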


[Full-disclosure] [Security-news] SA-CONTRIB-2014-028 - Masquerade - Access bypass

2014-03-05 Thread security-news
View online: https://drupal.org/node/2211401

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-028
   * Project: Masquerade [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-March-05
   * Security risk: Highly critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

This module allows a user with the right permissions to switch users.

When a user has been limited to only masquerading as certain users via the
"Enter the users this user is able to masquerade as" user profile field, they
can still masquerade as any user on the site by using the "Enter the username
to masquerade as." autocomplete field in the masquerade block.

This vulnerability is mitigated by the fact that an attacker must have access
to masquerade as another user.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Masquerade 6.x-2.x versions prior to 6.x-1.8.
   * Masquerade 7.x-2.x versions prior to 7.x-1.0-rc6.

Drupal core is not affected. If you do not use the contributed Masquerade [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Masquerade module for Drupal 6.x, upgrade to Masquerade
 6.x-1.8 [5]
   * If you use the Masquerade module for Drupal 7.x, upgrade to Masquerade
 7.x-1.0-rc6 [6]

Also see the Masquerade [7] project page.

 REPORTED BY
-

   * Jeff H [8]

 FIXED BY


   * Laurence Liss [9], provisional member of the Drupal Security Team
   * Mark Shropshire [10], one of the Masquerade module maintainers

 COORDINATED BY
--

   * Laurence Liss [11], provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/masquerade
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/masquerade
[5] https://drupal.org/node/2210877
[6] https://drupal.org/node/2210879
[7] http://drupal.org/project/masquerade
[8] http://drupal.org/user/37837
[9] http://drupal.org/user/724750
[10] http://drupal.org/user/14767
[11] http://drupal.org/user/724750
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

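The Masquerade flaw in SA-CONTRIB-2014-028 above is a classic case of an authorization rule enforced in one user-interface path and forgotten in another. The following Python is an added illustration, not the Masquerade module's code; the account model, the permission strings and the two entry-point names are assumptions. In the vulnerable version only the profile-list path consults the per-user target list, while the autocomplete path checks just the coarse permission; in the hardened version both paths go through one decision function that denies by default. The same principle (decide at the action, not only when building a list) applies to the other access-bypass advisories in this digest.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Account:
    name: str
    permissions: Set[str] = field(default_factory=set)
    # Hypothetical model of the per-user "users this user is able to
    # masquerade as" profile field.
    masquerade_targets: Set[str] = field(default_factory=set)


class VulnerableMasquerade:
    """Two entry points to the same privileged action. The profile-list path
    enforces the per-user restriction; the autocomplete path only checks the
    coarse permission and that the typed target exists."""

    def __init__(self, users: Dict[str, Account]) -> None:
        self.users = users
        self.acting_as = None

    def switch_via_profile_list(self, actor: Account, target: str) -> str:
        if target not in actor.masquerade_targets:
            raise PermissionError(f"{actor.name} may not masquerade as {target}")
        self.acting_as = target
        return target

    def switch_via_autocomplete(self, actor: Account, typed_name: str) -> str:
        if "masquerade as user" not in actor.permissions:
            raise PermissionError("missing permission")
        if typed_name not in self.users:
            raise KeyError(typed_name)
        self.acting_as = typed_name  # the per-user restriction is never consulted
        return typed_name


def can_masquerade_as(actor: Account, target: str, users: Dict[str, Account]) -> bool:
    """Single authorization decision, deny by default. Permission names are
    illustrative, not necessarily the module's."""
    if target not in users or target == actor.name:
        return False
    if "masquerade as any user" in actor.permissions:
        return True
    if "masquerade as user" in actor.permissions:
        return target in actor.masquerade_targets
    return False


class HardenedMasquerade:
    """Every entry point funnels into one switch() that calls the decision
    function, so a new UI (block, autocomplete, API) cannot skip it."""

    def __init__(self, users: Dict[str, Account]) -> None:
        self.users = users
        self.acting_as = None

    def switch(self, actor: Account, target: str) -> str:
        if not can_masquerade_as(actor, target, self.users):
            raise PermissionError(f"{actor.name} may not masquerade as {target}")
        self.acting_as = target
        return target

    switch_via_profile_list = switch
    switch_via_autocomplete = switch


def demo() -> dict:
    users = {  # constructed accounts
        "admin": Account("admin", {"masquerade as any user"}),
        "editor": Account("editor", {"masquerade as user"}, {"author"}),
        "author": Account("author"),
    }
    editor = users["editor"]
    results = {}

    vuln = VulnerableMasquerade(users)
    try:
        vuln.switch_via_profile_list(editor, "admin")
        results["vuln_profile_to_admin"] = "allowed"
    except PermissionError:
        results["vuln_profile_to_admin"] = "denied"
    results["vuln_autocomplete_to_admin"] = vuln.switch_via_autocomplete(editor, "admin")

    hard = HardenedMasquerade(users)
    results["hard_profile_to_author"] = hard.switch_via_profile_list(editor, "author")
    try:
        hard.switch_via_autocomplete(editor, "admin")
        results["hard_autocomplete_to_admin"] = "allowed"
    except PermissionError:
        results["hard_autocomplete_to_admin"] = "denied"
    results["hard_admin_any"] = hard.switch(users["admin"], "author")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v}")
```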


[Full-disclosure] [Security-news] SA-CONTRIB-2014-027 - NewsFlash Theme - XSS

2014-03-05 Thread security-news
View online: https://drupal.org/node/2211381

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-027
   * Project: NewsFlash [1] (third-party theme)
   * Version: 6.x, 7.x
   * Date: 2014-March-05
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

Newsflash is a theme that features 7 color styles, 12 collapsible regions,
suckerfish menus, fluid or fixed widths, built-in IE transparent PNG fix, and
lots more.

The theme does not sanitize the user provided theme setting for the font
family CSS property, thereby exposing a cross-site scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission administer themes.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * NewsFlash 6.x-1.x versions prior to 6.x-1.7.
   * NewsFlash 7.x-1.x versions prior to 7.x-2.5.

Drupal core is not affected. If you do not use the contributed NewsFlash [4]
theme, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the theme NewsFlash for Drupal 7.x, upgrade to NewsFlash
 7.x-2.5 [5]
   * If you use the theme NewsFlash for Drupal 6.x, upgrade to NewsFlash
 6.x-1.7 [6]

Also see the NewsFlash [7] project page.

 REPORTED BY
-

   * Dennis Walgaard [8]

 FIXED BY


   * Alyx Vance [9] the theme maintainer

 COORDINATED BY
--

   * Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] http://drupal.org/project/newsflash
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/newsflash
[5] https://drupal.org/node/2210621
[6] https://drupal.org/node/2210619
[7] http://drupal.org/project/newsflash
[8] https://drupal.org/user/883702
[9] https://drupal.org/user/1284976
[10] https://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-023 - Project Issue File Review - XSS

2014-02-26 Thread security-news
View online: https://drupal.org/node/2205767

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-023
   * Project: Project Issue File Review [1] (third-party module)
   * Version: 6.x
   * Date: 2014-February-26
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

The Project Issue File Review (PIFR) module provides an abstracted
client-server model and plugin API for performing distributed operations such
as code review and testing, with a focus on supporting Drupal development.

Two scenarios were identified where the module does not sufficiently sanitize
user provided input, exposing the 'server' component of the module to
cross-site scripting vulnerabilities.

The first scenario is mitigated by the fact that an attacker must have a role
with the 'manage PIFR environments' administrative permission.

The second scenario is mitigated by the fact that an attacker must be able to
initiate testing of a patch specially crafted to exploit the vulnerability on
the PIFR testing environment, have the testing execute successfully on a PIFR
client, and have the client provide the testing results back to the PIFR
server component.

As one common purpose of this module is to provide validation and testing of
user-supplied patches, users of the PIFR module should always consider the
'PIFR client' component of this module as insecure and untrusted, by design.
The 'PIFR client' component should always be maintained in a separate network
environment, isolated from the 'PIFR server' component or other critical
infrastructure.

There have been no known exploits of this vulnerability observed or reported
on any servers running the PIFR module, including those within Drupal.org's
automated testing environment.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Project_Issue_File_Review 6.x-2.x versions prior to 6.x-2.17.

Drupal core is not affected. If you do not use the contributed Project Issue
File Review [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the PIFR module for Drupal 6.x, upgrade to Project Issue File
 Review 6.x-2.17 [5].  Be sure to review and consider the associated
 release notes for all intermediary releases when upgrading.

Also see the Project Issue File Review [6] project page.

 REPORTED BY
-

   * Wim Leers [7]
   * Jeremy Thorson [8] the module maintainer

 FIXED BY


   * Neil Drumm [9] of the Drupal Security Team
   * Michael Hess [10] of the Drupal Security Team
   * Jeremy Thorson [11] the module maintainer

 COORDINATED BY
--

   * Michael Hess [12] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]


[1] http://drupal.org/project/project_issue_file_review
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/project_issue_file_review
[5] https://drupal.org/node/2205755
[6] http://drupal.org/project/project_issue_file_review
[7] http://drupal.org/user/99777
[8] http://drupal.org/user/148199
[9] http://drupal.org/user/3064
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/148199
[12] http://drupal.org/user/102818
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-025 - Open Omega - Access Bypass

2014-02-26 Thread security-news
View online: https://drupal.org/node/2205877

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-025
   * Project: Open Omega [1] (third-party theme)
   * Version: 7.x
   * Date: 2014-February-26
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

This theme is a sub theme of Omega used as a sample theme for the OpenPublic
distribution.

The theme doesn't sufficiently check the users menu access when building the
header and footer menus, so that it can expose the title and path of
restricted items in the menu.

This vulnerability is mitigated by the fact that it is only present when
this menu has items with restricted access that differ by role.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * openomega 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Open Omega [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use this theme for Drupal 7.x, upgrade to Open Omega 7.x-1.1 [5]

Also see the Open Omega [6] project page.

 REPORTED BY
-

   * Peter Taylor [7]

 FIXED BY


   * Erik Summerfield [8], the theme maintainer

 COORDINATED BY
--

   * Hunter Fox [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] http://drupal.org/project/openomega
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/openomega
[5] https://drupal.org/node/2205859
[6] http://drupal.org/project/openomega
[7] http://drupal.org/user/2674141
[8] http://drupal.org/user/189123
[9] http://drupal.org/user/426416
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-024 - Content Lock - CSRF

2014-02-26 Thread security-news
View online: https://drupal.org/node/2205807

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-024
   * Project: Content locking (anti-concurrent editing) [1] (third-party
 module)
   * Version: 6.x, 7.x
   * Date: 2014-February-26
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Request Forgery

 DESCRIPTION
-

This module prevents people from editing the same content at the same time.
It adds a locking layer to nodes.  It does not protect from CSRF.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * All 6.x Versions
   * All 7.x Versions

Drupal core is not affected. If you do not use the contributed Content
locking (anti-concurrent editing) [4] module, there is nothing you need to
do.

 SOLUTION


Uninstall the module; it is no longer maintained.

Also see the Content locking (anti-concurrent editing) [5] project page.

 REPORTED BY
-

   * Eugen Mayer [6]

 FIXED BY


There is no fix for this issue.

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].

Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [11]


[1] http://drupal.org/project/content_lock
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/content_lock
[5] http://drupal.org/project/content_lock
[6] https://drupal.org/user/108406
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
[11] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-026 - Mime Mail - Access bypass

2014-02-26 Thread security-news
View online: https://drupal.org/node/2205991

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-026
   * Project: Mime Mail [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-February-26
   * Security risk: Not critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

The MIME Mail module allows processing of incoming MIME-encoded e-mail
messages with embedded images and attachments.

The default key for the authentication of incoming messages is generated from
a random number. On some platforms (such as Windows) the maximum value of
this number is only 32767 which makes the generated key particularly
vulnerable to a brute force attack.

This vulnerability is mitigated by the fact that the processing of incoming
messages needs to be enabled on the site and the default key can be
arbitrarily changed by the site administrator.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Mime Mail 6.x-1.x versions prior to 6.x-1.3.
   * Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta2.

Drupal core is not affected. If you do not use the contributed Mime Mail [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Mime Mail module for Drupal 6.x, upgrade to Mime Mail
 6.x-1.3 [5]
   * If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail
 7.x-1.0-beta2 [6]

These releases include a stronger authentication process for incoming
messages which is backward incompatible. If you are using this feature, make
sure to use the HMAC method with the new key generated during the update
process to authenticate your messages.

Also see the Mime Mail [7] project page.

 REPORTED BY
-

   * Heine Deelstra [8] of the Drupal Security Team

 FIXED BY


   * Gabor Seljan [9] the module maintainer
   * Rick Manelius [10], provisional Drupal Security Team member

 COORDINATED BY
--

   * Hunter Fox [11] of the Drupal Security Team
   * Rick Manelius [12], provisional Drupal Security Team member

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]


[1] http://drupal.org/project/mimemail
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mimemail
[5] https://drupal.org/node/2205939
[6] https://drupal.org/node/2205949
[7] http://drupal.org/project/mimemail
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/232117
[10] http://drupal.org/user/680072
[11] http://drupal.org/user/426416
[12] https://drupal.org/user/680072
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity

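SA-CONTRIB-2014-026 above comes down to key size: a key derived from a rand() value with a 32767 ceiling has about 15 bits of entropy, so every candidate can be tried offline in a fraction of a second, whereas the fixed releases move to an HMAC with a freshly generated key. The Python below is an added illustration, not Mime Mail's code; the exact form of the legacy authenticator (a digest over the small key and the message), the message sample and the key length of the replacement are this example's assumptions. It recovers the weak key from a single observed token, forges a token for a new message with it, and then shows the HMAC-SHA256 verification that the upgrade notes point to.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

RAND_MAX_WIN32 = 32767  # upper bound of PHP's rand() on Windows, the figure the advisory cites


def legacy_token(key_int: int, message: bytes) -> str:
    """Hypothetical model of the weak scheme: the authenticator is a plain
    digest over a key that is just a rand() value, so the whole key space is
    RAND_MAX_WIN32 + 1 = 32768 candidates (15 bits)."""
    return hashlib.sha256(str(key_int).encode() + message).hexdigest()


def brute_force_legacy(message: bytes, observed: str) -> Optional[int]:
    """Offline recovery of the key from one observed (message, token) pair."""
    for guess in range(RAND_MAX_WIN32 + 1):
        if legacy_token(guess, message) == observed:
            return guess
    return None


def new_key() -> bytes:
    """256-bit key from the OS CSPRNG; the search space is 2**256, not 2**15."""
    return secrets.token_bytes(32)


def hmac_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so the check does not leak matching prefixes."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def demo() -> dict:
    # Constructed sample: an incoming message as the site might receive it.
    message = b"From: user@example.org\r\nSubject: incoming post\r\n\r\nhello"
    secret = secrets.randbelow(RAND_MAX_WIN32 + 1)  # what the weak generator yields
    observed = legacy_token(secret, message)        # one captured authenticator

    t0 = time.perf_counter()
    recovered = brute_force_legacy(message, observed)
    elapsed = time.perf_counter() - t0
    # With the key recovered the attacker mints a valid token for any message.
    forged = None
    if recovered is not None:
        forged = legacy_token(recovered, b"Subject: attacker controlled\r\n\r\nx")

    key = new_key()
    tag = hmac_tag(key, message)
    return {
        "recovered": recovered == secret,
        "seconds": elapsed,
        "forged_token": forged,
        "hmac_ok": verify(key, message, tag),
        "hmac_tampered": verify(key, message + b"!", tag),
        "hmac_wrong_key": verify(new_key(), message, tag),
    }


if __name__ == "__main__":
    r = demo()
    print(f"15-bit key recovered: {r['recovered']} in {r['seconds']:.3f}s")
    print(f"HMAC: genuine={r['hmac_ok']} tampered={r['hmac_tampered']} "
          f"wrong key={r['hmac_wrong_key']}")
```

Two things carry over regardless of language: the key must come from a cryptographic generator with enough bits that enumeration is infeasible, and the tag must bind the whole message so a recovered or guessed tag for one message is useless for another.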


[Full-disclosure] [Security-news] SA-CONTRIB-2014-021 - Maestro - Cross Site Scripting (XSS)

2014-02-19 Thread security-news
View online: https://drupal.org/node/2200453

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-021
   * Project: Maestro [1] (third-party module)
   * Version: 7.x
   * Date: 2014-February-19
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

The Maestro module enables you to create complex workflows, automating
business processes.
The module doesn't sufficiently filter Role or Organic Group names when
displaying them in the workflow details.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create Drupal Roles or Organic Groups.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Maestro 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Maestro [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Maestro module for Drupal 7.x, upgrade to Maestro 7.x-1.4
 [5]

Also see the Maestro [6] project page.

 REPORTED BY
-

   * Aron Novak [7]

 FIXED BY


   * Aron Novak [8], the reporter
   * Randy Kolenko [9] the module maintainer

 COORDINATED BY
--

   * Greg Knaddison [10] of the Drupal Security Team
   * Michael Hess [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/maestro
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/maestro
[5] https://drupal.org/node/2013653
[6] http://drupal.org/project/maestro
[7] http://drupal.org/user/61864
[8] http://drupal.org/user/61864
[9] http://drupal.org/user/704970
[10] https://drupal.org/user/36762
[11] https://drupal.org/user/102818/
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

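SA-CONTRIB-2014-027 (NewsFlash, the font-family theme setting) and SA-CONTRIB-2014-021 (Maestro, role and Organic Group names) above are both missing output filtering, but in different output contexts, and the correct fix differs. The Python below is an added example and belongs to neither project; the two templates, the allowlist pattern and the payloads are constructed for the illustration. Inside a <style> element the browser does not decode entities, so HTML-escaping cannot neutralise '</style' and would corrupt quoted font names; a strict allowlist with a safe fallback is the robust option there. In an ordinary HTML element context, escaping (Drupal's check_plain, html.escape here) is the right tool.

```python
import html
import re

# Allowlist for a font-family value: font names, quotes, commas, spaces,
# hyphens. It deliberately excludes ; { } < > / ( ) \ so no CSS or HTML
# structure can be introduced. The pattern is this example's own.
FONT_FAMILY_RE = re.compile(r"^[A-Za-z0-9 ,'\"\-]{1,200}$")
DEFAULT_FONT = "Arial, Helvetica, sans-serif"

STYLE_TEMPLATE = "<style>body {{ font-family: {}; }}</style>"
ROW_TEMPLATE = "<tr><td>Assigned role</td><td>{}</td></tr>"


def render_font_vulnerable(font_family: str) -> str:
    """Raw-text (<style>) context, value inserted verbatim: CSS injection and,
    via '</style>', a full HTML break-out."""
    return STYLE_TEMPLATE.format(font_family)


def render_font_hardened(font_family: str) -> str:
    """Allowlist, then fall back to a known-good default on any mismatch.
    No escaping step: entities are not decoded inside <style>, so escaping
    would neither help nor preserve legitimate quoted names."""
    value = font_family.strip()
    if not FONT_FAMILY_RE.match(value):
        value = DEFAULT_FONT
    return STYLE_TEMPLATE.format(value)


def render_role_vulnerable(role_name: str) -> str:
    """HTML element context, value inserted verbatim (the Maestro pattern:
    a name chosen by a privileged user is displayed unfiltered)."""
    return ROW_TEMPLATE.format(role_name)


def render_role_hardened(role_name: str) -> str:
    """HTML element context: escape the five significant characters."""
    return ROW_TEMPLATE.format(html.escape(role_name, quote=True))


# Constructed payloads a privileged attacker could save as a setting or name.
FONT_PAYLOAD = 'Arial; } </style><script>alert(document.cookie)</script><style>body {'
ROLE_PAYLOAD = 'editor<img src=x onerror="alert(1)">'
GOOD_FONT = '"Times New Roman", Georgia, serif'


def demo() -> dict:
    return {
        "font_vuln_has_script": "<script>" in render_font_vulnerable(FONT_PAYLOAD),
        "font_hard_output": render_font_hardened(FONT_PAYLOAD),
        "font_hard_keeps_good": render_font_hardened(GOOD_FONT),
        "role_vuln_has_tag": "<img" in render_role_vulnerable(ROLE_PAYLOAD),
        "role_hard_output": render_role_hardened(ROLE_PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The mitigating factor in both advisories (the attacker needs 'administer themes', or the ability to create roles or groups) lowers the severity but does not change the fix: any value that reaches a page is filtered for the context it lands in, whoever stored it.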


[Full-disclosure] [Security-news] SA-CONTRIB-2014-022 - Slickgrid - Access bypass

2014-02-19 Thread security-news
View online: https://drupal.org/node/2200491

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-022
   * Project: Slickgrid [1] (third-party module)
   * Version: 7.x
   * Date: 2014-February-22
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

The Slickgrid module is an implementation of the jQuery slickgrid plugin, a
lightning-fast JavaScript grid/spreadsheet. It defines a slickgrid view
style, so all data can be output as an editable grid.

The module doesn't check access sufficiently, allowing users to edit and
change field values of nodes they should not have access to change.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Slickgrid 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Slickgrid [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Slickgrid module for Drupal 7.x, upgrade to Slickgrid
 7.x-2.0 [5]

Also see the Slickgrid [6] project page.

 REPORTED BY
-

   * Tim Wood [7]

 FIXED BY


   * Ben Scott [8]
   * Simon Rycroft [9] the module maintainer

 COORDINATED BY
--

   * Greg Knaddison [10] of the Drupal Security Team
   * Michael Hess [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/slickgrid
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/slickgrid
[5] https://drupal.org/node/2200475
[6] http://drupal.org/project/slickgrid
[7] http://drupal.org/user/23373
[8] http://drupal.org/user/149339
[9] http://drupal.org/user/151544
[10] https://drupal.org/user/36762
[11] https://drupal.org/user/102818/
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-014 - Webform Validation - Cross Site Scripting (XSS)

2014-02-12 Thread security-news
View online: https://drupal.org/node/2194621

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-014
   * Project: Webform Validation [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-February-12
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

The Webform Validation module enables you to add additional form validation
rules to Webforms created by the Webform module.
The module doesn't sufficiently filter component name text before display,
opening up the possibility of cross site scripting.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit Webform content.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Webform Validation 6.x-1.x versions prior to 6.x-1.6.
   * Webform Validation 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Webform
Validation [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Webform Validation module for Drupal 6.x, upgrade to
 Webform Validation 6.x-1.6 [5].
   * If you use the Webform Validation module for Drupal 7.x, upgrade to
 Webform Validation 7.x-1.4 [6].

The only changes in these new versions are the fixes for this issue.

Also see the Webform Validation [7] project page.

 REPORTED BY
-

   * Maurits Lawende [8]

 FIXED BY


   * Maurits Lawende [9]
   * Liam Morland [10] the module maintainer

 COORDINATED BY
--

   * Stella Power [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/webform_validation
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/webform_validation
[5] https://drupal.org/node/2194011
[6] https://drupal.org/node/2194013
[7] http://drupal.org/project/webform_validation
[8] https://drupal.org/user/243897
[9] https://drupal.org/user/243897
[10] https://drupal.org/user/493050
[11] https://drupal.org/user/66894
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-013 - Chaos tool suite (ctools) - Access Bypass

2014-02-12 Thread security-news
View online: https://drupal.org/node/2194589

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-013
   * Project: Chaos tool suite (ctools) [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-02-12
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

This module provides content editors with an autocomplete callback for entity
titles, as well as an ability to embed content within the Chaos tool suite
(ctools) framework.

Prior to this version, ctools did not sufficiently check access grants for
various types of content other than nodes. It also didn't sufficiently check
access before displaying content with the relationship plugin.

These vulnerabilities are mitigated by the fact that you must be using
entities other than node or users for the autocomplete callback, or you must
be using the relationship plugin and displaying the content (e.g. in panels).
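The Slickgrid and ctools issues are the same class of bug: a callback that reads or writes entity data without asking the access system first. What follows is an added example written for this page (it is not Slickgrid or ctools code) of how a Drupal 7 module would gate both an entity-title autocomplete and an inline field update. The module name gridsafe, its menu paths, the token name and the assumption that the edited field is a single-value text field are all illustrative; the functions called are Drupal 7 core APIs, plus entity_access() from the contrib Entity API module when it is present.

```php
<?php
// Added example for this page, not Slickgrid or ctools code. Hypothetical
// Drupal 7 module "gridsafe": an entity-title autocomplete and an inline
// field update that both consult the access system before touching data.

/**
 * Implements hook_menu().
 */
function gridsafe_menu() {
  $items['gridsafe/autocomplete/%/%'] = array(
    'page callback' => 'gridsafe_autocomplete',
    'page arguments' => array(2, 3),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  $items['gridsafe/update/%node/%'] = array(
    'page callback' => 'gridsafe_update_field',
    'page arguments' => array(2, 3),
    // First gate: node_access('update', $node) for the current user.
    'access callback' => 'node_access',
    'access arguments' => array('update', 2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Per-type "view" check. Core has no generic entity_access(); the ctools bug
 * was treating non-node entities as always viewable, so unknown types here
 * fail closed unless the contrib Entity API can answer for them.
 */
function gridsafe_entity_view_access($entity_type, $entity) {
  global $user;
  switch ($entity_type) {
    case 'node':
      return node_access('view', $entity);
    case 'user':
      return $user->uid == $entity->uid || user_access('access user profiles');
    case 'comment':
      $node = node_load($entity->nid);
      return $node && user_access('access comments') && node_access('view', $node);
    case 'taxonomy_term':
      return user_access('access content');
    default:
      return module_exists('entity') && entity_access('view', $entity_type, $entity);
  }
}

/**
 * Autocomplete callback: only labels of entities the user may view come back.
 */
function gridsafe_autocomplete($entity_type, $string = '') {
  $matches = array();
  $info = entity_get_info($entity_type);
  if ($info && !empty($info['entity keys']['label']) && $string !== '') {
    $query = new EntityFieldQuery();
    $query->entityCondition('entity_type', $entity_type)
      ->propertyCondition($info['entity keys']['label'], db_like($string) . '%', 'LIKE')
      ->range(0, 10);
    $result = $query->execute();
    if (!empty($result[$entity_type])) {
      $entities = entity_load($entity_type, array_keys($result[$entity_type]));
      foreach ($entities as $id => $entity) {
        if (gridsafe_entity_view_access($entity_type, $entity)) {
          $label = entity_label($entity_type, $entity);
          // Labels are user-supplied text headed for the DOM: escape them.
          $matches[$label . " [id:$id]"] = check_plain($label);
        }
      }
    }
  }
  drupal_json_output($matches);
}

/**
 * Inline update of one field value. node_access() at the menu level is not
 * enough on its own: per-field edit access and a CSRF token are checked too.
 */
function gridsafe_update_field($node, $field_name) {
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  $value = isset($_POST['value']) ? (string) $_POST['value'] : '';
  if (!drupal_valid_token($token, 'gridsafe-' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  $field = field_info_field($field_name);
  $instance = field_info_instance('node', $field_name, $node->type);
  if (!$field || !$instance || !field_access('edit', $field, 'node', $node)) {
    return MENU_ACCESS_DENIED;
  }
  // Single-value text field for brevity; other types need their own columns.
  $node->{$field_name}[LANGUAGE_NONE] = array(array('value' => $value));
  node_save($node);
  drupal_json_output(array('status' => 'saved', 'nid' => $node->nid));
}
```

The two checks in the update path are deliberately layered: the menu router refuses the request before the callback runs if node_access('update') fails, and field_access('edit') then catches fields that a module such as Field Permissions has locked even though the node as a whole is editable. The token is generated client-side from drupal_get_token('gridsafe-' . nid) when the grid is rendered.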


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Chaos tool suite (ctools) 6.x-1.x versions prior to 6.x-1.11.
   * Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Chaos tool suite module for Drupal 6.x, upgrade to ctools
 6.x-1.11 [5]
   * If you use the Chaos tool suite module for Drupal 7.x, upgrade to ctools
 7.x-1.4 [6]

Also see the Chaos tool suite (ctools) [7] project page.

 REPORTED BY
-

   * Tim Wood [8]
   * Heine Deelstra [9] of the Drupal Security Team

 FIXED BY


   * Jakob Perry [10] the module maintainer
   * David Snopek [11]

 COORDINATED BY
--

   * Peter Wolanin [12] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]


[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ctools
[5] https://drupal.org/node/2194547
[6] https://drupal.org/node/2194551
[7] http://drupal.org/project/ctools
[8] https://drupal.org/user/457434
[9] https://drupal.org/user/17943
[10] https://drupal.org/user/45640
[11] https://drupal.org/user/266527
[12] http://drupal.org/user/49851
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-015 - FileField - Access Bypass

2014-02-12 Thread security-news
View online: https://drupal.org/node/2194639

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-015
   * Project: FileField [1] (third-party module)
   * Version: 6.x
   * Date: 2014-02-12
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

The FileField module allows users to upload files, in conjunction with the
Content Construction Kit (CCK) module, in Drupal 6.

The module doesn't sufficiently check permissions on revisions when
determining if a user should have access to a particular file attached to
that revision. A user could gain access to private files attached to
revisions when they don't have access to the corresponding revision.

This vulnerability is mitigated by the fact that an attacker must have access
to upload files through FileField module while creating content, and the site
must be using a non-core workflow module that allows users to create
unpublished revisions of content.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * FileField 6.x-3.x versions prior to 6.x-3.12.

Drupal core is not affected. If you do not use the contributed FileField [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the FileField module for Drupal 6.x, upgrade to FileField
 6.x-3.12 [5]

Also see the FileField [6] project page.

 REPORTED BY
-

   * Stella Power [7] of the Drupal Security Team

 FIXED BY


   * Nate Haug [8] the module maintainer
   * Stella Power [9] of the Drupal Security Team

 COORDINATED BY
--

   * Lee Rowlands [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] http://drupal.org/project/filefield
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/filefield
[5] https://drupal.org/node/2194103
[6] http://drupal.org/project/filefield
[7] https://drupal.org/user/66894
[8] https://drupal.org/user/35821
[9] https://drupal.org/user/66894
[10] https://drupal.org/user/395439
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-016 - Mayo Theme - XSS Vulnerability

2014-02-12 Thread security-news
View online: https://drupal.org/node/2194135

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-016
   * Project: MAYO [1] (third-party theme)
   * Version: 7.x
   * Date: 2014-02-12
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

The theme settings allow you to link to a header background file.
A URL could be entered that was not properly sanitized, leading to an XSS
vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission administer themes.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * MAYO Theme 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed MAYO [4]
theme, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the theme MAYO for Drupal 7.x, upgrade to MAYO 7.x-1.3 [5]

Also see the MAYO [6] project page.

 REPORTED BY
-

   * Dennis Walgaard [7]

 FIXED BY


   * Dennis Walgaard [8]
   * John Powell [9] the theme maintainer

 COORDINATED BY
--

   * Rick Manelius [10] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] http://drupal.org/project/mayo
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mayo
[5] https://drupal.org/node/2193987
[6] http://drupal.org/project/mayo
[7] http://drupal.org/user/883702
[8] http://drupal.org/user/883702
[9] http://drupal.org/user/797068
[10] http://drupal.org/user/680072
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-017 - Image Resize Filter - Denial of Service (DOS)

2014-02-12 Thread security-news
View online: https://drupal.org/node/2194655

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-017
   * Project: Image Resize Filter [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-February-12
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Denial of Service (DOS)

 DESCRIPTION
-

This module enables you to resize images based on the HTML contents of a
post. Images with specified height and width properties that differ from the
original image result in a resized image being created.

The module doesn't limit the number of resized images per post or user, which
could allow a user to post a large number of images that need to be resized
within a single piece of content. This could cause the server to become
overwhelmed by requests to resize images.

This vulnerability is mitigated by the fact that an attacker must have a role
that allows them to post content that utilizes the image resize filter.
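The fix for this class of problem is to put a budget on the work one piece of content can trigger, not just on who can post it. Below is an added example written for this page, not Image Resize Filter code: a Drupal 7 filter process callback that rewrites <img> tags with explicit width/height to point at a resized copy, but caps the number of derivatives generated per filter run, refuses dimensions above a pixel budget, only touches files under public:// and never fetches remote images. The module name capresize, the settings keys max_images and max_pixels, and the public://resized directory are assumptions; everything else is Drupal 7 core image and file API.

```php
<?php
// Added example for this page, not Image Resize Filter code. Hypothetical
// module "capresize": a Drupal 7 filter process callback that resizes inline
// images but bounds the work a single post can trigger. The settings keys,
// derivative directory and pixel cap are assumptions.

/**
 * Filter process callback (Drupal 7 filter API signature).
 */
function capresize_filter_process($text, $filter, $format, $langcode, $cache, $cache_id) {
  $max_images = isset($filter->settings['max_images']) ? (int) $filter->settings['max_images'] : 10;
  $max_pixels = isset($filter->settings['max_pixels']) ? (int) $filter->settings['max_pixels'] : 4000000;
  if (!preg_match_all('/<img\s[^>]*>/i', $text, $matches, PREG_OFFSET_CAPTURE)) {
    return $text;
  }
  $public_url = file_create_url('public://');
  $public_path = parse_url($public_url, PHP_URL_PATH);
  $public_real = drupal_realpath('public://');
  $resized = 0;
  $replacements = array();
  foreach ($matches[0] as $match) {
    list($tag, $pos) = $match;
    $src = capresize_attr($tag, 'src');
    $width = (int) capresize_attr($tag, 'width');
    $height = (int) capresize_attr($tag, 'height');
    // Only explicit, sane dimensions are honoured: one 20000x20000 request is
    // as much of a resource problem as two hundred small ones.
    if ($src === '' || $width <= 0 || $height <= 0 || $width * $height > $max_pixels) {
      continue;
    }
    // Only files in the public file system are resized; remote images are not fetched.
    if (strpos($src, $public_url) === 0) {
      $rel = substr($src, strlen($public_url));
    }
    elseif ($public_path && strpos($src, $public_path) === 0) {
      $rel = substr($src, strlen($public_path));
    }
    else {
      continue;
    }
    $uri = 'public://' . rawurldecode($rel);
    $real = drupal_realpath($uri);
    if (!$real || strpos($real, $public_real . DIRECTORY_SEPARATOR) !== 0) {
      continue;   // missing file, or a "../" that escapes public://
    }
    $info = image_get_info($uri);
    if (!$info || ($info['width'] == $width && $info['height'] == $height)) {
      continue;
    }
    $dest = 'public://resized/' . md5($uri) . "-{$width}x{$height}." . $info['extension'];
    if (!file_exists($dest)) {
      // Budget: past the cap, remaining images are left for the browser to
      // scale instead of generating more derivatives in this request.
      if ($resized >= $max_images) {
        continue;
      }
      $dir = drupal_dirname($dest);
      $image = image_load($uri);
      if (!$image || !file_prepare_directory($dir, FILE_CREATE_DIRECTORY)
          || !image_resize($image, $width, $height) || !image_save($image, $dest)) {
        continue;
      }
      $resized++;
    }
    if (preg_match('/\bsrc\s*=\s*(["\']).*?\1/i', $tag, $srcm)) {
      $new_tag = str_replace($srcm[0], 'src="' . check_plain(file_create_url($dest)) . '"', $tag);
      $replacements[] = array($pos, strlen($tag), $new_tag);
    }
  }
  // Splice from the end so earlier offsets stay valid.
  foreach (array_reverse($replacements) as $r) {
    $text = substr_replace($text, $r[2], $r[0], $r[1]);
  }
  return $text;
}

/**
 * Returns one quoted attribute value from a tag, or '' when absent.
 */
function capresize_attr($tag, $name) {
  if (preg_match('/\b' . preg_quote($name, '/') . '\s*=\s*(["\'])(.*?)\1/i', $tag, $m)) {
    return html_entity_decode($m[2], ENT_QUOTES);
  }
  return '';
}
```

Derivatives that already exist are reused without counting against the budget, so a post that has been rendered once costs nothing afterwards; the cap only limits how many new resizes a single uncached render may perform. Because the filter output is cached per text format, an attacker also cannot re-trigger the work simply by reloading the page.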


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Image Resize Filter 6.x-1.x versions prior to 6.x-1.14.
   * Image Resize Filter 7.x-1.x versions prior to 7.x-1.14.

Drupal core is not affected. If you do not use the contributed Image Resize
Filter [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Image Resize Filter module for Drupal 6.x, upgrade to Image
 Resize Filter 6.x-1.14 [5]
   * If you use the Image Resize Filter module for Drupal 7.x, upgrade to Image
 Resize Filter 7.x-1.14 [6]

Also see the Image Resize Filter [7] project page.

 REPORTED BY
-

   * Dave Hansen-Lange [8]

 FIXED BY


   * Dave Hansen-Lange [9]
   * Nate Haug [10] the module maintainer

 COORDINATED BY
--

   * Greg Knaddison [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/image_resize_filter
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/image_resize_filter
[5] https://drupal.org/node/2194063
[6] https://drupal.org/node/2194065
[7] http://drupal.org/project/image_resize_filter
[8] https://drupal.org/user/18981
[9] https://drupal.org/user/18981
[10] https://drupal.org/user/35821
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-020 - Drupal Commons - Cross Site Scripting (XSS)

2014-02-12 Thread security-news
View online: https://drupal.org/node/2194877

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-020
   * Project: Drupal Commons [1] (third-party distribution)
   * Version: 7.x
   * Date: 2014-02-12
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

Drupal Commons is a ready-to-use solution for building either internal or
external communities. It provides a complete social business software
solution for organizations. Drupal Commons displays an activity stream
containing messages about actions users take on the site.

In some cases, messages about content creation are not properly sanitized,
leading to cross site scripting in those messages.

The vulnerability is mitigated in that only certain kinds of activity stream
messages are affected, and not all arbitrary script can be executed.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Drupal Commons 7.x-3.x versions prior to 7.x-3.9.

Drupal core is not affected. If you do not use the contributed Drupal Commons
[4] distribution, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Drupal 7 Commons distribution, upgrade to Commons 7.x-3.9
 [5]

Also see the Drupal Commons [6] project page.

 REPORTED BY
-

   * Grant Gaudet [7]
   * Jakob Perry [8]

 FIXED BY


   * Jakob Perry [9] the project maintainer
   * Ezra Gildesgame [10]

 COORDINATED BY
--

   * Peter Wolanin [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/commons
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/commons
[5] https://drupal.org/node/2194777
[6] http://drupal.org/project/commons
[7] http://drupal.org/user/360002
[8] http://drupal.org/user/45640
[9] http://drupal.org/user/45640
[10] http://drupal.org/user/69959
[11] https://drupal.org/user/49851
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-018 - Webform - Cross Site Scripting (XSS)

2014-02-12 Thread security-news
View online: https://drupal.org/node/2194671

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-018
   * Project: Webform [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-February-12
   * Security risk: Critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

The Webform module enables you to create forms which can be used for surveys,
contact forms or other data collection throughout your site.

The module doesn't sufficiently sanitize field label titles when two fields
have the same form_key, a state that can only be reached by carefully crafting
the webform structure under a specific set of circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission create webform content.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Webform 6.x-3.x versions prior to 6.x-3.19.
   * Webform 7.x-3.x versions prior to 7.x-3.19.
   * Webform 7.x-4.x versions prior to 7.x-4.0-beta2.

Drupal core is not affected. If you do not use the contributed Webform [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.20
 [5]
   * If you use the webform module for Drupal 7.x-3.x, upgrade to webform
 7.x-3.20 [6]
   * If you use the webform module for Drupal 7.x-4.x, upgrade to webform
 7.x-4.0-beta2 [7]

Also see the Webform [8] project page.

 REPORTED BY
-

   * Maurits Lawende [9]

 FIXED BY


   * Nate Haug [10] the module maintainer

 COORDINATED BY
--

   * Dan Smith [11] and Lee Rowlands [12] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]


[1] http://drupal.org/project/webform
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/webform
[5] http://drupal.org/node/2194181
[6] http://drupal.org/node/2194183
[7] http://drupal.org/node/2194175
[8] http://drupal.org/project/webform
[9] http://drupal.org/user/243897
[10] http://drupal.org/user/35821
[11] http://drupal.org/user/241220
[12] https://drupal.org/user/395439
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-019 - Easy Social - Cross Site Scripting (XSS)

2014-02-12 Thread security-news
View online: https://drupal.org/node/2194809

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-019
   * Project: Easy Social [1] (third-party module)
   * Version: 7.x
   * Date: 2014-February-12
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

This module enables you to add social sharing widgets to your content and
pages.
The module doesn't sufficiently validate block titles when a user creates a
custom block from within the module's admin interface.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission administer easy social.
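Webform Validation, MAYO, Drupal Commons, Webform and Easy Social above all fail the same way: a string an editor typed (a component name, a block title, a header image URL, a message built from a node title) is placed in output without escaping for the context it lands in. The following is an added example, not code from any of those projects, showing the contexts that matter in Drupal 7 and the core call for each. The module name ctxsafe, the variable and theme-setting names, and the block delta are assumptions.

```php
<?php
// Added example for this page, not code from Webform Validation, MAYO, Drupal
// Commons, Webform or Easy Social. Hypothetical module "ctxsafe": the same
// admin-entered strings, escaped for the context they land in.

/**
 * Implements hook_block_view(). The title is stored raw and escaped on output.
 */
function ctxsafe_block_view($delta = '') {
  $block = array();
  if ($delta == 'share') {
    // HTML text context: check_plain() encodes < > & " ' so markup is inert.
    $block['subject'] = check_plain(variable_get('ctxsafe_share_title', 'Share this'));
    $block['content'] = ctxsafe_activity_message();
  }
  return $block;
}

/**
 * An activity-stream style message. With t(), "@" and "%" placeholders are
 * run through check_plain(); "!" placeholders are inserted raw and are the
 * usual way a node title or user name ends up executing as script.
 */
function ctxsafe_activity_message() {
  $node = node_load(variable_get('ctxsafe_demo_nid', 1));
  if (!$node) {
    return '';
  }
  $account = user_load($node->uid);
  return t('@user created %type !link', array(
    '@user' => format_username($account),             // escaped
    '%type' => node_type_get_name($node),              // escaped, <em>-wrapped
    '!link' => l($node->title, 'node/' . $node->nid),  // l() escapes text and href
  ));
}

/**
 * #element_validate for a theme-settings URL field (the MAYO case): accept
 * only a well-formed absolute or site-relative URL without a dangerous scheme.
 */
function ctxsafe_header_url_validate($element, &$form_state) {
  $url = trim($element['#value']);
  if ($url === '') {
    return;
  }
  if (drupal_strip_dangerous_protocols($url) !== $url
      || !(valid_url($url, TRUE) || valid_url($url, FALSE))) {
    form_error($element, t('Enter a plain http(s) or site-relative URL for the header image.'));
  }
}

/**
 * Implements hook_preprocess_page(): the same URL in two output contexts.
 */
function ctxsafe_preprocess_page(&$variables) {
  $url = theme_get_setting('header_background_url');
  if (!$url) {
    return;
  }
  // HTML attribute context: check_url() strips javascript:/vbscript: style
  // schemes and then check_plain()s the remainder.
  $variables['header_image'] = '<img src="' . check_url($url) . '" alt="" />';
  // Inline CSS context: browsers do not decode HTML entities inside <style>,
  // so entity-encoding is the wrong tool; strip the scheme, then percent-encode
  // the characters that could close url(""), the rule, or the style element.
  $css_safe = strtr(drupal_strip_dangerous_protocols($url),
    array('"' => '%22', ')' => '%29', '\\' => '%5C', '<' => '%3C', '>' => '%3E'));
  drupal_add_css('#header { background-image: url("' . $css_safe . '"); }',
    array('type' => 'inline'));
}
```

The rule the advisories keep restating is escape-on-output, chosen by destination: check_plain() for text nodes, check_url() or l() for href/src attributes, filter_xss() with an explicit tag list when limited HTML is genuinely wanted, and t() with @ or % placeholders whenever a message is assembled from names and titles. Validating on input, as in the URL validator, narrows what gets stored but is not a substitute.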


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Easy Social 7.x-2.x versions prior to 7.x-2.11.

Drupal core is not affected. If you do not use the contributed Easy Social
[4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Easy Social module for Drupal 7.x, upgrade to Easy Social
 7.x-2.11 [5]

Also see the Easy Social [6] project page.

 REPORTED BY
-

   * James Davis [7]

 FIXED BY


   * Alex Weber [8] the module maintainer

 COORDINATED BY
--

   * Lee Rowlands [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] http://drupal.org/project/easy_social
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/easy_social
[5] https://drupal.org/node/2194401
[6] http://drupal.org/project/easy_social
[7] http://drupal.org/user/2766355
[8] http://drupal.org/user/850856
[9] http://drupal.org/user/395439
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-009 - Tagadelic - Information Disclosure

2014-02-05 Thread security-news
View online: https://drupal.org/node/2187453

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-009
   * Project: Tagadelic [1] (third-party module)
   * Version: 6.x
   * Date: 2014-February-05
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Information Disclosure

 DESCRIPTION
-

This module provides an API and a few simple turnkey modules, which allow you
to easily create tag clouds, weighted lists, search clouds and the like.

The 6.x-1.x version does not account for node access modules, thus leading to
information being disclosed.

This vulnerability is mitigated by the fact that a site must be using a node
access module.
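The underlying bug is a tag-count query that joins {node} directly, so the per-node grants maintained by modules such as taxonomy_access or content_access are never consulted and the cloud reveals the existence and weight of restricted content. Below is an added example, not Tagadelic code, of the same query written to respect node access: the Drupal 6 form the advisory concerns, and, going beyond the advisory, the Drupal 7 equivalent. The function names are assumptions; db_rewrite_sql(), db_select() and the node_access query tag are core APIs.

```php
<?php
// Added example for this page, not Tagadelic code: term counts that respect
// node access grants, in both Drupal 6 and Drupal 7 form.

/**
 * Drupal 6: db_rewrite_sql() lets node access modules add their grants
 * (a join on {node_access}) to any query that selects from {node} as alias
 * "n". It also rewrites COUNT(n.nid) to COUNT(DISTINCT(n.nid)) when a node
 * access module is active, so the join cannot inflate the counts.
 */
function tagsafe_term_counts_d6($vid, $size = 60) {
  $sql = "SELECT t.tid, t.name, COUNT(n.nid) AS count
          FROM {term_data} t
          INNER JOIN {term_node} tn ON t.tid = tn.tid
          INNER JOIN {node} n ON tn.vid = n.vid
          WHERE n.status = 1 AND t.vid = %d
          GROUP BY t.tid, t.name
          ORDER BY count DESC";
  $tags = array();
  $result = db_query_range(db_rewrite_sql($sql), $vid, 0, $size);
  while ($term = db_fetch_object($result)) {
    $tags[$term->tid] = $term;
  }
  return $tags;
}

/**
 * Drupal 7: tag the query 'node_access' so node.module's
 * hook_query_node_access_alter() applies the grants of every node access
 * module; the base_table metadata tells it which alias is the node table.
 */
function tagsafe_term_counts_d7($vid, $size = 60) {
  $query = db_select('taxonomy_term_data', 't');
  $query->join('taxonomy_index', 'ti', 't.tid = ti.tid');
  $query->join('node', 'n', 'ti.nid = n.nid');
  $query->addExpression('COUNT(DISTINCT n.nid)', 'count');
  $query->fields('t', array('tid', 'name'))
    ->condition('n.status', 1)
    ->condition('t.vid', $vid)
    ->groupBy('t.tid')
    ->groupBy('t.name')
    ->orderBy('count', 'DESC')
    ->range(0, $size)
    ->addTag('node_access')
    ->addMetaData('base_table', 'node');
  return $query->execute()->fetchAllAssoc('tid');
}
```

A quick check on an existing site: grep the module for db_query calls that mention {node} and are not wrapped in db_rewrite_sql() (Drupal 6) or for db_select('node') / joins on 'node' with no addTag('node_access') (Drupal 7). Either pattern is an information disclosure on any site running a node access module, regardless of what the query is for.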


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Tagadelic 6.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Tagadelic [4]
module, there is nothing you need to do.

 SOLUTION


If you use the Tagadelic module for Drupal 6.x, upgrade to Tagadelic 6.x-1.5
[5] and then disable node access modules, such as taxonomy_access and
content_access.

Also see the Tagadelic [6] project page.

 REPORTED BY
-

   * Michael Hess [7] of the Drupal Security Team

 FIXED BY


   * Rick Manelius [8]
   * Sean T. Walsh [9]

 COORDINATED BY
--

   * Rick Manelius [10] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] http://drupal.org/project/tagadelic
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/tagadelic
[5] https://drupal.org/node/217
[6] http://drupal.org/project/tagadelic
[7] http://drupal.org/user/102818
[8] https://drupal.org/user/680072
[9] http://drupal.org/user/995722
[10] http://drupal.org/user/680072
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity



[Full-disclosure] [Security-news] SA-CONTRIB-2014-010 - Services - Access Bypass and Privilege Escalation

2014-02-05 Thread security-news
View online: https://drupal.org/node/2189509

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-010
   * Project: Services [1] (third-party module)
   * Version: 7.x
   * Date: 2014-February-05
   * Security risk: Highly critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

The Services module enables you to expose an API to third party systems using
REST, XML-RPC or other protocols.

 User update access bypass vulnerability

An authenticated user is able to assign additional roles to themselves, which
means they can escalate their privileges by assigning an administrative role.

This vulnerability is mitigated by the fact that the user must be able to log
in on the site, the update operation on the user resource configuration must
be enabled, and the site must have a role with more permissions than the
authenticated user role.

 Comment access bypass vulnerability

An authenticated attacker with the permission to post comments is able to
update other users' comments.

This vulnerability is mitigated by the fact that the update operation on the
comment resource configuration must be enabled.
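Both issues are the REST layer trusting the request body: the user update handler accepted a roles array from any caller, and the comment update handler never asked whether the caller may edit that particular comment. The following is an added example written for this page, not Services module code: hypothetical handlers (safeapi_*) for the two operations that drop privileged properties for non-administrators, whitelist what reaches user_save(), and gate comment edits on core's comment_access(). The field whitelists and the use of exceptions to signal HTTP status are assumptions; the access checks are Drupal 7 core.

```php
<?php
// Added example for this page, not Services module code. Hypothetical REST
// handlers for the two operations the advisory covers. Field whitelists and
// the exception-as-status convention are assumptions.

/**
 * Update a user account. The role escalation existed because the request body
 * was handed to user_save() whole, roles included; here privileged properties
 * are dropped for anyone who cannot administer users.
 */
function safeapi_user_update($uid, array $data) {
  global $user;
  $account = user_load($uid);
  if (!$account) {
    throw new Exception('User not found', 404);
  }
  $is_admin = user_access('administer users');
  // Only the account owner or an administrator may update this account.
  if ($user->uid != $account->uid && !$is_admin) {
    throw new Exception('Access denied', 403);
  }
  if (!$is_admin) {
    // Properties only an administrator may set through the API.
    foreach (array('roles', 'status', 'uid', 'init', 'access', 'login', 'data') as $key) {
      unset($data[$key]);
    }
    // An owner changing their own password must prove the current one.
    if (isset($data['pass'])) {
      require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
      if (empty($data['current_pass']) || !user_check_password($data['current_pass'], $account)) {
        throw new Exception('Current password required', 403);
      }
    }
  }
  // Whitelist what reaches user_save() rather than blacklisting what must not.
  $allowed = array('name', 'mail', 'pass', 'timezone', 'language', 'signature', 'roles', 'status');
  $edit = array_intersect_key($data, array_flip($allowed));
  if (isset($edit['mail']) && !valid_email_address($edit['mail'])) {
    throw new Exception('Invalid e-mail address', 400);
  }
  return user_save($account, $edit);
}

/**
 * Update a comment. comment_access('edit', $comment) is core's rule: the
 * author with "edit own comments" on a published comment, or anyone with
 * "administer comments". Possession of "post comments" is not enough.
 */
function safeapi_comment_update($cid, array $data) {
  $comment = comment_load($cid);
  if (!$comment) {
    throw new Exception('Comment not found', 404);
  }
  if (!comment_access('edit', $comment)) {
    throw new Exception('Access denied', 403);
  }
  // Authorship, target node and publication status never come from the body.
  $allowed = array('subject', 'comment_body');
  foreach (array_intersect_key($data, array_flip($allowed)) as $key => $value) {
    $comment->$key = $value;
  }
  if (isset($comment->subject)) {
    $comment->subject = truncate_utf8($comment->subject, 64);
  }
  comment_save($comment);
  return $comment->cid;
}
```

The two checks in the user handler are different questions: "may this caller touch this account at all" (owner or administer users) and "may this caller set this property" (roles, status and the login bookkeeping fields only for administrators). Conflating them is what lets an ordinary authenticated user write roles into their own account. The same split applies to the comment handler, where comment_access() answers the first question and the whitelist answers the second.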


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Services 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Services [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.7
 [5]

Also see the Services [6] project page.

 REPORTED BY
-

   * The User update access bypass vulnerability was reported by Fredrik Lassen
 [7].
   * The Comment access bypass vulnerability was reported by wedge [8].

 FIXED BY


   * The User update access bypass vulnerability was fixed by Fredrik Lassen
 [9].
   * The Comment access bypass vulnerability was fixed by Kyle Browning [10],
 the module maintainer.

 COORDINATED BY
--

   * Klaus Purer [11] of the Drupal Security Team
   * Balazs Dianiska [12] a provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]


[1] http://drupal.org/project/services
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/services
[5] https://drupal.org/node/2186581
[6] http://drupal.org/project/services
[7] https://drupal.org/user/243377
[8] https://drupal.org/user/11442
[9] https://drupal.org/user/243377
[10] https://drupal.org/user/211387
[11] http://drupal.org/user/262198
[12] http://drupal.org/user/58645
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [Security-news] SA-CONTRIB-2014-011 - Push Notifications - Information Disclosure

2014-02-05 Thread security-news
View online: https://drupal.org/node/2189643

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-011
   * Project: Push Notifications [1] (third-party module)
   * Version: 7.x
   * Date: 2014-February-05
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Information Disclosure

 DESCRIPTION
-

This module enables the delivery of push notifications to iOS and Android
devices.

The module doesn't sufficiently randomize the certificate filenames required
for Apple's Push Notification service or protect the files from being
publicly accessible, which could allow an attacker to acquire the
certificates and broadcast push notifications to the target's user base.

This vulnerability primarily affects sites that did not follow the general
security best practice of placing certificates into a directory outside of
the webroot and did not use password-protected certificate files.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * push_notifications 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Push
Notifications [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the push_notifications module for Drupal 7.x and your APNS
 certificate files are stored in the default directory, upgrade to
 push_notifications 7.x-1.1 [5]
   * Navigate to the configuration page for the push_notifications module
 (admin/config/services/push_notifications/configure) and click the
 Generate new certificate string button to generate a random filename.
 Then, rename your APNS certificates according to the instructions on the
 push notification configuration page.

Also see the Push Notifications [6] project page.

 REPORTED BY
-

   * Graham Bates [7] of the Drupal Security Team

 FIXED BY


   * Daniel Hanold [8] the module maintainer

 COORDINATED BY
--

   * Laurence Liss [9] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] http://drupal.org/project/push_notifications
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/push_notifications
[5] http://drupal.org/node/2188983
[6] http://drupal.org/project/push_notifications
[7] http://drupal.org/user/16029
[8] http://drupal.org/user/339733
[9] http://drupal.org/user/724750
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2014-012- Modal Frame API - Cross Site Scripting (XSS)

2014-02-05 Thread security-news
View online: https://drupal.org/node/2189751

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-012
   * Project: Modal Frame API [1] (third-party module)
   * Version: 6.x
   * Date: 2014-February-05
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

This module provides an API to render an iframe within a modal dialog based on
the jQuery UI Dialog plugin. You should not install this module unless another
module requires you to, or you wish to use it for your own custom modules.

The module doesn't sufficiently filter user supplied text.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * modalframe 6.x-1.8 and prior versions

Drupal core is not affected. If you do not use the contributed Modal Frame
API [4] module, there is nothing you need to do.

 SOLUTION


Uninstall the module. It is no longer maintained.

Also see the Modal Frame API [5] project page.

 REPORTED BY
-

   * Erich Beyrent

 FIXED BY


Not applicable.

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [6].

Learn more about the Drupal Security team and their policies [7], writing
secure code for Drupal [8], and securing your site [9].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [10]


[1] http://drupal.org/project/modalframe
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/modalframe
[5] http://drupal.org/project/modalframe
[6] http://drupal.org/contact
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration
[10] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities

2014-01-29 Thread security-news
View online: https://drupal.org/node/2184843

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-007
   * Project: Services [1] (third-party module)
   * Version: 7.x
   * Date: 2014-January-29
   * Security risk: Highly critical [2]
   * Exploitable from: Remote
   * Vulnerability: Multiple access bypass vulnerabilities

 DESCRIPTION
-

This module enables you to expose an API to third party systems using REST,
XML-RPC or other protocols.

The form API provides a method for developers to submit forms
programmatically using the function drupal_form_submit(). During programmatic
form submissions, all access checks are deliberately bypassed, and any form
element may be submitted regardless of the current user's access level.

To facilitate this, a new, optional
$form_state['programmed_bypass_access_check'] element has been added to the
Drupal 7 form API. If this is provided and set to FALSE, drupal_form_submit()
will perform the normal form access checks against the current user while
submitting the form, rather than bypassing them.

Services relies heavily on programmatic form submission and therefore needs
to use this new $form_state['programmed_bypass_access_check'] so that access
control parameters and hooks are performed for untrusted users.
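The following is an added example (not code from the Services module or Drupal
core) showing what the new flag changes when a Services-style resource saves a
node from an untrusted request body. It assumes a bootstrapped Drupal 7.26 or
later site; the function name, the 'page' content type and the request body
are constructed for the illustration.

```php
<?php
// Added example, not code from the Services module or Drupal core. It assumes
// a bootstrapped Drupal 7.26 or later site (the version that introduced
// $form_state['programmed_bypass_access_check']). The function name, the
// 'page' content type and the request body below are constructed for the
// example.

/**
 * Saves a node from an untrusted request body through the node form.
 *
 * @param array $untrusted_input
 *   Decoded request body from an authenticated, non-administrative user.
 * @param bool $bypass_access_checks
 *   TRUE reproduces the pre-fix behaviour, FALSE the fixed behaviour.
 *
 * @return array
 *   Either array('nid' => ...) or array('errors' => ...).
 */
function example_create_node_from_request(array $untrusted_input, $bypass_access_checks) {
  $node = (object) array(
    'type' => 'page',
    'uid' => $GLOBALS['user']->uid,
    'language' => LANGUAGE_NONE,
  );
  node_object_prepare($node);

  $form_state = array();
  $form_state['values'] = $untrusted_input;
  $form_state['values']['op'] = t('Save');

  // drupal_form_submit() marks the submission as programmed and, by default,
  // processes every element even when its #access is FALSE. Setting this key
  // to FALSE makes the form builder honour #access for the current user, so
  // elements such as 'status', 'promote' and 'sticky' (which the node form
  // restricts to users with 'administer nodes') fall back to their default
  // values instead of taking the attacker-supplied ones.
  $form_state['programmed_bypass_access_check'] = $bypass_access_checks;

  drupal_form_submit($node->type . '_node_form', $form_state, $node);

  $errors = form_get_errors();
  if ($errors) {
    return array('errors' => $errors);
  }
  return array('nid' => $form_state['nid']);
}

// Constructed request body: a plain authenticated user tries to publish and
// promote the node. Only 'administer nodes' permits setting these directly.
$untrusted_input = array(
  'title' => 'Hello from the REST endpoint',
  'status' => 1,
  'promote' => 1,
);

// Vulnerable behaviour (Services before 7.x-3.6): 'status' and 'promote' are
// saved as submitted, regardless of the requesting user's permissions.
$vulnerable = example_create_node_from_request($untrusted_input, TRUE);

// Fixed behaviour: the same request is saved with the content type's default
// publishing options, exactly as if the user had used the node/add form.
$fixed = example_create_node_from_request($untrusted_input, FALSE);
```

The same pattern applies to any module that feeds request data into
drupal_form_submit() on behalf of a user who is not trusted to see every form
element: leave the default bypass in place only for input the calling code
itself constructed.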


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Services 7.x-3.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed Services [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.6 [5]

Also see the Services [6] project page.

 REPORTED BY
-

   * wedge [7]
   * prjcarr [8]

 FIXED BY


   * David Rothstein [9] of the Drupal Security Team
   * Hunter Fox [10] of the Drupal Security Team
   * Kyle Browning [11], the module maintainer.

 COORDINATED BY
--

   * Hunter Fox [12] of the Drupal Security Team
   * Klaus Purer [13] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]


[1] http://drupal.org/project/services
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/services
[5] https://drupal.org/node/2180373
[6] http://drupal.org/project/services
[7] https://drupal.org/user/11442
[8] https://drupal.org/user/1223090
[9] https://drupal.org/user/124982
[10] https://drupal.org/user/426416
[11] https://drupal.org/user/211387
[12] http://drupal.org/user/426416
[13] http://drupal.org/user/262198
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS)

2014-01-29 Thread security-news
View online: https://drupal.org/node/2184845

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-008
   * Project: Tribune [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-January-29
   * Security risk: Highly critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

A tribune is a type of chatroom.

The module doesn't sufficiently filter user provided text from Tribune node
titles.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create a Tribune node.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Tribune 6.x-1.x versions.
   * Tribune 7.x-3.x versions.

Drupal core is not affected. If you do not use the contributed Tribune [4]
module, there is nothing you need to do.

 SOLUTION


Remove the module or otherwise mitigate the issue.

Also see the Tribune [5] project page.

 REPORTED BY
-

   * Raynald Mirville [6]

 FIXED BY


Not applicable.

 COORDINATED BY
--

   * Laurence Liss [7] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]


[1] http://drupal.org/project/tribune
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/tribune
[5] http://drupal.org/project/tribune
[6] http://drupal.org/user/2737379
[7] http://drupal.org/user/724750
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2014-004 - Secure Cookie Data - Faulty Hashing

2014-01-22 Thread security-news
View online: https://drupal.org/node/2179099

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-004
   * Project: Secure Cookie Data [1] (third-party module)
   * Version: 7.x
   * Date: 2014-January-22
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Information Disclosure, Multiple vulnerabilities

 DESCRIPTION
-

This module stores data securely in a cookie by implementing the Secure Cookie
Protocol [3].

 Ability to alter trusted data in the cookie

The module performed an incorrect comparison of the HMAC [4] value, allowing the
HMAC verification to be bypassed and the cookie value to be changed.

 Known encryption key value

The HMAC key had a hardcoded default. The module relied on extensions of the
base class to provide a site-specific key.
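The following is an added example, not the Secure Cookie Data module's code,
covering both issues above: it implements the Secure Cookie Protocol layout in
plain PHP 5.6+ (hash_equals(), openssl_encrypt()), contrasts a loose tag
comparison with a constant-time one, and takes the server key from a per-site
value rather than a hardcoded default. On a Drupal 7 site the server key would
come from drupal_get_private_key(); here it is passed in so the code runs
without Drupal. Function names and all inputs are constructed for the example.

```php
<?php
// Added example, not code from the Secure Cookie Data module. Plain PHP 5.6+
// (hash_equals(), openssl_encrypt()); it runs without Drupal. On a Drupal 7
// site the server key would come from drupal_get_private_key(); here it is
// passed in. Function names and all inputs are constructed for the example.

/**
 * Builds a cookie value with the Secure Cookie Protocol layout:
 *   user | expires | base64(iv . AES-CBC(data, k)) | HMAC(user|expires|payload, k)
 * where the per-cookie key k = HMAC(user | expires, server_key).
 */
function scp_build($user, $expires, $data, $server_key) {
  $k = hash_hmac('sha256', $user . '|' . $expires, $server_key, TRUE);
  $iv = openssl_random_pseudo_bytes(16);
  $ciphertext = openssl_encrypt($data, 'aes-256-cbc', $k, OPENSSL_RAW_DATA, $iv);
  $payload = base64_encode($iv . $ciphertext);
  $mac = hash_hmac('sha256', $user . '|' . $expires . '|' . $payload, $k);
  return implode('|', array($user, $expires, $payload, $mac));
}

/**
 * Verifies and decrypts a cookie value; returns the plaintext or FALSE.
 *
 * $compare is the tag comparison to use, so the weak and correct variants
 * can be contrasted below. The tag is checked before anything is decrypted.
 */
function scp_read($cookie, $server_key, $compare, $now = NULL) {
  $parts = explode('|', $cookie);
  if (count($parts) !== 4) {
    return FALSE;
  }
  list($user, $expires, $payload, $mac) = $parts;
  $now = ($now === NULL) ? time() : $now;
  if (!ctype_digit($expires) || (int) $expires < $now) {
    return FALSE;                       // malformed or expired
  }
  $k = hash_hmac('sha256', $user . '|' . $expires, $server_key, TRUE);
  $expected = hash_hmac('sha256', $user . '|' . $expires . '|' . $payload, $k);
  if (!$compare($expected, $mac)) {
    return FALSE;                       // tag mismatch: cookie was altered
  }
  $raw = base64_decode($payload, TRUE);
  if ($raw === FALSE || strlen($raw) < 16) {
    return FALSE;
  }
  return openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $k, OPENSSL_RAW_DATA, substr($raw, 0, 16));
}

// Incorrect comparison, shown for contrast (not the module's actual code):
// loose == treats two numeric-looking strings as numbers, so a genuine tag of
// the form "0e<digits>" equals "0" and any other "0e<digits>" string, and ==
// returns at the first differing byte, which leaks timing.
$weak_compare = function ($expected, $given) {
  return $expected == $given;
};

// Correct comparison: fixed-length, constant-time, byte-for-byte.
$safe_compare = function ($expected, $given) {
  return hash_equals($expected, $given);
};

// The second issue in the advisory: a default key shared by every install lets
// any one site forge cookies for all the others. Derive it per site instead.
$site_key = hash('sha256', 'secret taken from this site\'s settings.php', TRUE);

$cookie = scp_build('alice', time() + 3600, 'role=editor', $site_key);
var_dump(scp_read($cookie, $site_key, $safe_compare));     // string "role=editor"

// Tampering with the user name changes k, so the tag fails under either comparison.
var_dump(scp_read(preg_replace('/^alice/', 'admin', $cookie), $site_key, $safe_compare)); // FALSE

// Why == is wrong: a constructed tag that is all digits after "0e" compares
// equal to "0" under ==, but not under hash_equals().
var_dump($weak_compare('0e462097431906509019562988736854', '0'));   // TRUE
var_dump($safe_compare('0e462097431906509019562988736854', '0'));   // FALSE
```

Two design points carry over to any cookie-integrity scheme: verify the tag
before touching the ciphertext, and bind the tag to every field an attacker can
edit (here the user name, expiry and payload), so that changing any one of them
invalidates the whole cookie.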


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [5] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Secure Cookie Data 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed Secure Cookie
Data [6] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Secure Cookie Data module upgrade to Secure Cookie Data
 7.x-2.1 [7]

Also see the Secure Cookie Data [8] project page.

 REPORTED BY
-

   * Heine Deelstra [9] of the Drupal Security Team
   * Jonathan Kuma [10] module maintainer

 FIXED BY


   * Antonio Almeida [11] and Jonathan Kuma [12] the module maintainers.

 COORDINATED BY
--

   * Heine Deelstra [13] and Greg Knaddison [14] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [19]


[1] http://drupal.org/project/secure_cookie_data
[2] http://drupal.org/security-team/risk-levels
[3] http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
[4] http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
[5] http://cve.mitre.org/
[6] http://drupal.org/project/secure_cookie_data
[7] https://drupal.org/node/2178505
[8] http://drupal.org/project/secure_cookie_data
[9] https://drupal.org/user/17943
[10] https://drupal.org/user/1919440
[11] https://drupal.org/user/8859
[12] https://drupal.org/user/1919440
[13] https://drupal.org/user/17943
[14] https://drupal.org/user/36762
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration
[19] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2014-005 - Leaflet - Access bypass

2014-01-22 Thread security-news
View online: https://drupal.org/node/2179103

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-005
   * Project: Leaflet [1] (third-party module)
   * Version: 7.x
   * Date: 2014-January-22
   * Security risk: Critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

The Leaflet module enables you to display an interactive map using the
Leaflet library, with entities as map features.

The module exposes complete data from entities used as map features to any
site visitor with a JavaScript inspector (like Firebug).


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Leaflet 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Leaflet [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Leaflet module version for Drupal 7.x, upgrade to Leaflet
 7.x-1.1 [5]

Also see the Leaflet [6] project page.

 REPORTED BY
-

   * Interdruper [7]
   * Chris Hood [8]

 FIXED BY


   * Gabriel Carleton-Barnes [9], the module maintainer

 COORDINATED BY
--

   * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] http://drupal.org/project/leaflet
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/leaflet
[5] https://drupal.org/node/2178655
[6] http://drupal.org/project/leaflet
[7] http://drupal.org/user/2437374
[8] http://drupal.org/user/279264
[9] http://drupal.org/user/1682976
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2014-003 - Doubleclick for Publishers DFP - Cross Site Scripting (XSS)

2014-01-22 Thread security-news
View online: https://drupal.org/node/2179085

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-003
   * Project: Doubleclick for Publishers (DFP) [1] (third-party module)
   * Version: 7.x
   * Date: 2014-January-22
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

This module enables you to create blocks to place advertisements from the
Google Double Click for Publishers API (DFP).

The module doesn't sufficiently sanitize the slot names prior to output into
HTML.

This vulnerability is mitigated by the fact that an attacker must have a role
with the 'administer dfp' permission.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * DFP 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Doubleclick
for Publishers (DFP) [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the DFP module for Drupal 7.x, upgrade to Google DFP 7.x-1.2
 [5]

Also see the Doubleclick for Publishers (DFP) [6] project page.

 REPORTED BY
-

   * Matt Vance [7]

 FIXED BY


   * Matt Vance [8]
   * Beth Binkovitz [9], provisional member of the Drupal Security Team

 COORDINATED BY
--

   * Beth Binkovitz [10], provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] http://drupal.org/project/dfp
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/dfp
[5] https://drupal.org/node/2172167
[6] http://drupal.org/project/dfp
[7] https://drupal.org/user/88338
[8] http://drupal.org/user/88338
[9] https://drupal.org/user/161263
[10] https://drupal.org/user/161263
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2014-006 - Language Switcher Dropdown - Open Redirect

2014-01-22 Thread security-news
View online: https://drupal.org/node/2179123

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-006
   * Project: Language Switcher Dropdown [1] (third-party module)
   * Version: 7.x
   * Date: 2014-January-22
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Open Redirect

 DESCRIPTION
-

The Language Switcher Dropdown module enables you to place a block with a
convenient drop-down language switcher. After choosing a value, the user is
redirected to the URL for the relevant language.

The module doesn't check that the URL provided is a valid internal path prior
to redirecting.
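The following is an added example, not the Language Switcher Dropdown module's
code, of the check the advisory describes: only a routable internal Drupal path
is passed to drupal_goto(). It assumes a bootstrapped Drupal 7 site; the
function name and the 'path' and 'lang' request parameters are constructed for
the illustration.

```php
<?php
// Added example, not the Language Switcher Dropdown module's code. It assumes
// a bootstrapped Drupal 7 site; the function name and the 'path' and 'lang'
// request parameters are constructed for the example.

/**
 * Returns a redirect target that is guaranteed to be an internal Drupal path.
 *
 * @param string $target
 *   The path submitted with the language switcher (untrusted).
 * @param string $langcode
 *   The language code the user switched to.
 */
function example_safe_language_target($target, $langcode) {
  $target = trim((string) $target);
  // url_is_external() is what url() and drupal_goto() use to decide whether to
  // emit a path verbatim, so anything it flags ("http://evil.example",
  // "javascript:...") would become an off-site redirect. Also reject
  // protocol-relative forms, which url_is_external() does not treat as external.
  if ($target === '' || url_is_external($target) || strpos($target, '//') === 0) {
    return '<front>';
  }
  // Resolve aliases for the chosen language and require a routable path the
  // current user may access; otherwise fall back to the front page.
  $normal = drupal_get_normal_path($target, $langcode);
  if (!drupal_valid_path($normal)) {
    return '<front>';
  }
  return $normal;
}

// Switch handler: validate the language code against the enabled languages,
// then redirect to the validated internal path with that language's prefix.
$languages = language_list('enabled');
$languages = $languages[1];
$requested = isset($_POST['lang']) ? $_POST['lang'] : '';
$langcode = isset($languages[$requested]) ? $requested : $GLOBALS['language']->language;
$path = example_safe_language_target(isset($_POST['path']) ? $_POST['path'] : '', $langcode);
drupal_goto($path, array('language' => $languages[$langcode]));
```

Checking the language code against language_list() matters as much as
checking the path: drupal_goto() builds the final URL from both, so either one
taken verbatim from the request is an input to the redirect.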


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Language Switcher Dropdown 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Language
Switcher Dropdown [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Language switcher dropdown module for Drupal 7.x, upgrade
 to Language Switcher Dropdown 7.x-1.4 [5]

Also see the Language Switcher Dropdown [6] project page.

 REPORTED BY
-

   * Eric Peterson [7]

 FIXED BY


   * Mohammed J. Razem [8] the module maintainer

 COORDINATED BY
--

   * Lee Rowlands [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] http://drupal.org/project/lang_dropdown
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/lang_dropdown
[5] https://drupal.org/node/1614372
[6] http://drupal.org/project/lang_dropdown
[7] http://drupal.org/user/1467594
[8] https://drupal.org/user/255384
[9] http://drupal.org/user/395439
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities

2014-01-15 Thread security-news

[Full-disclosure] [Security-news] SA-CONTRIB-2014-002 - Anonymous Posting - Cross Site Scripting (XSS)

2014-01-15 Thread security-news
View online: https://drupal.org/node/2173321

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-002
   * Project: Anonymous Posting [1] (third-party module)
   * Version: 7.x
   * Date: 2014-01-15
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Scripting

 DESCRIPTION
-

This module allows anonymous users to fill in their contact information
(name, email and homepage) when posting any content type including Forum
Topics. This allows the submitted name to be shown instead of the usual
anonymous string provided by Drupal core.

The module doesn't properly sanitize the name submitted by the anonymous user
before it is output.

This vulnerability is mitigated only by the fact that use of anonymous
posting data must be enabled on a per content type basis by a user with
permission to do so, since it is not enabled by default. However, when
configured for its intended purpose, the vulnerability is not mitigated.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Anonymous Posting 7.x-1.x versions 7.x-1.2 and 7.x-1.3

Drupal core is not affected. If you do not use the contributed Anonymous
Posting [4] module, there is nothing you need to do.

 SOLUTION


   * Install the latest version: 7.x-1.4 [5]

Also see the Anonymous Posting [6] project page.

 REPORTED BY
-

   * drikc [7] the module maintainer

 FIXED BY


   * drikc [8] the module maintainer

 COORDINATED BY
--

   * Rick Manelius [9] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]


[1] http://drupal.org/project/anonymous_posting
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/anonymous_posting
[5] https://drupal.org/node/2173437
[6] http://drupal.org/project/anonymous_posting
[7] http://drupal.org/user/13299
[8] http://drupal.org/user/13299
[9] http://drupal.org/user/680072
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [Security-news] SA-CONTRIB-2014-001 - Entity API - Access Bypass

2014-01-08 Thread security-news

[Full-disclosure] [Security-news] PSA-2014-001 - Media - Access Bypass

2014-01-08 Thread security-news
View online: https://drupal.org/node/2169767

   * Advisory ID: PSA-2014-001
   * Project: Media [1] (third-party module)
   * Version: 7.x
   * Date: 2014-01-08
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access Bypass

 DESCRIPTION
-

This is a public service announcement regarding the 'import media'
permission, labeled as 'Import media files from the local file system',
provided by the Media module.

The Media module provides a method for Drupal administrators to import
existing files from an arbitrary location on the server. Users with the
'import media' permission can import any file from the server as local Drupal
files, even those outside the Drupal install directory, which could lead to
information disclosure.

As such, this permission should only be granted to trusted site administrators.
In the 7.x-2.x version of the module, you may disable the sub-module named
Media Bulk Upload to disable this functionality.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Media module for Drupal 7.x

Drupal core is not affected. If you do not use the contributed Media [4]
module, there is nothing you need to do.

 SOLUTION


Only grant trusted site administrators the import media permission.

This permission is not marked as a restricted permission in the following
versions:

   * Media module 7.x-1.x versions prior to 7.x-1.4 [5]
   * Media module 7.x-2.x versions prior to 7.x-2.0-alpha3+37-dev

Upgrading to the latest release is recommended, but not required.

Also see the Media [6] project page.

 REPORTED BY
-

   * robearls [7]
   * Dave Reid [8] of the Drupal Security Team

 FIXED BY


   * Dave Reid [9] the module maintainer and of the Drupal Security Team

 COORDINATED BY
--

   * Dave Reid [10] the module maintainer and of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] http://drupal.org/project/media
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/media
[5] https://drupal.org/node/2169795
[6] http://drupal.org/project/media
[7] https://drupal.org/user/2460638
[8] https://drupal.org/user/53892
[9] https://drupal.org/user/53892
[10] http://drupal.org/user/53892
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability

2013-12-18 Thread security-news
View online: https://drupal.org/node/2158651

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-098
   * Project: Ubercart [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2013-12-18
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Session Fixation

 DESCRIPTION
-

The Ubercart module for Drupal provides a shopping cart and e-commerce
features for Drupal.

The module doesn't sufficiently protect against session fixation attacks when
a user is automatically logged in to a newly created account during checkout.

This vulnerability is mitigated by the fact that an attacker must have access
to the original session ID of the victim, and that the Log in new customers
after checkout option must be enabled.
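The difference between a fixation-prone and a safe auto-login, as an added illustrative example that is not Ubercart's own code: it assumes Drupal 7 and an $account object returned by user_save(); the Drupal 6 equivalent is user_authenticate_finalize(), which calls sess_regenerate().

```php
<?php
/**
 * Added illustrative example (not Ubercart's code) of the two ways a checkout
 * flow can log a freshly created account in under Drupal 7. The security-
 * relevant difference is whether the session ID that existed before
 * authentication survives into the authenticated session.
 */

/**
 * VULNERABLE: swapping the global user keeps the pre-authentication session
 * ID. If an attacker had fixed that ID in the victim's browser earlier, the
 * attacker now holds an authenticated session for the new account.
 */
function example_checkout_autologin_vulnerable($account) {
  global $user;
  $user = $account;
  // Nothing rotates the session: session_id() before and after is identical.
}

/**
 * HARDENED: hand the login to core. user_login_finalize() records the login
 * time, invokes hook_user_login() and, crucially, calls
 * drupal_session_regenerate() so the old session ID stops identifying this
 * user.
 */
function example_checkout_autologin_hardened($account) {
  global $user;
  $user = $account;
  $edit = array();
  user_login_finalize($edit);
}

/**
 * Regression check for the above: TRUE when the session ID observed before
 * login differs from the one observed after login. Record session_id() (or
 * the SESS* cookie value) around the login call under test and compare.
 */
function example_session_was_rotated($sid_before, $sid_after) {
  return $sid_before !== '' && $sid_after !== '' && $sid_before !== $sid_after;
}
```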


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Ubercart 6.x-2.x versions prior to 6.x-2.13.
   * Ubercart 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Ubercart [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart
 6.x-2.13 [5]
   * If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart
 7.x-3.6 [6]

Also see the Ubercart [7] project page.

 REPORTED BY
-

   * mettasoul [8]

 FIXED BY


   * Dave Long [9] the module maintainer
   * Rick Manelius [10] provisional member of the Drupal Security Team

 COORDINATED BY
--

   * Rick Manelius [11] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] http://drupal.org/project/ubercart
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ubercart
[5] https://drupal.org/node/2158565
[6] https://drupal.org/node/2158567
[7] http://drupal.org/project/ubercart
[8] http://drupal.org/user/1227990
[9] http://drupal.org/user/246492
[10] http://drupal.org/user/680072
[11] http://drupal.org/user/680072
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity


[Full-disclosure] [Security-news] SA-CONTRIB-2013-097 - OG Features - Access bypass

2013-12-04 Thread security-news
View online: https://drupal.org/node/2149791

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-097
   * Project: OG Features [1] (third-party module)
   * Version: 6.x
   * Date: 2013-December-04
   * Security risk: Not Critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

This module enables you to enable and disable bundles of functionality for
individual Organic groups [3]. In order to provide this functionality, the
module overrides all menu callbacks available in the system so that it can
delegate access based on the Organic group you are currently in and the
settings of the features for that group.

The module doesn't sufficiently override pages that have an access callback
explicitly set to FALSE, which indicates that no user (even admins) is able
to access the page. Since this module does not handle that condition
correctly, users will have access to those pages.

This vulnerability is mitigated by the fact that it's extremely rare that a
page in Drupal has its access callback explicitly set to FALSE because that
would mean that no single user, including admins, would be able to access the
page.
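How a delegating hook_menu_alter() can lose an explicit FALSE, beside a variant that preserves it, as an added illustrative example that is not the OG Features module's own code. The function names are hypothetical, and the example does not resolve integer path positions inside 'access arguments', which a real implementation also has to handle.

```php
<?php
/**
 * Added illustrative example (not OG Features' code) of a Drupal 6
 * hook_menu_alter() that wraps every router item's access callback. Core
 * treats 'access callback' => FALSE as "no user at all, not even uid 1", and
 * any wrapper must preserve that meaning.
 */

/**
 * VULNERABLE variant: empty(FALSE) is TRUE, so an explicit FALSE is treated
 * as "not set" and replaced by the default user_access() check. A page that
 * core would deny to everyone becomes reachable by anyone who passes the
 * group-level check.
 */
function example_vulnerable_menu_alter(&$items) {
  foreach ($items as $path => &$item) {
    if (!isset($item['access arguments']) && !isset($item['access callback'])) {
      // Core inherits access from the parent item; leave those alone.
      continue;
    }
    $original = !empty($item['access callback']) ? $item['access callback'] : 'user_access';
    $args = isset($item['access arguments']) ? $item['access arguments'] : array();
    $item['access callback'] = 'example_group_access';
    $item['access arguments'] = array($original, $args);
  }
  unset($item);
}

/**
 * HARDENED variant: an explicit boolean FALSE is left untouched so core keeps
 * denying the page; only items with a real callback (or the implicit
 * user_access() default) are delegated to the group check.
 */
function example_hardened_menu_alter(&$items) {
  foreach ($items as $path => &$item) {
    if (!isset($item['access arguments']) && !isset($item['access callback'])) {
      continue;
    }
    if (array_key_exists('access callback', $item) && $item['access callback'] === FALSE) {
      // Explicit denial: nobody may reach this path, so do not wrap it.
      continue;
    }
    $original = isset($item['access callback']) ? $item['access callback'] : 'user_access';
    $args = isset($item['access arguments']) ? $item['access arguments'] : array();
    $item['access callback'] = 'example_group_access';
    $item['access arguments'] = array($original, $args);
  }
  unset($item);
}

/**
 * Delegating access callback: run the original core decision first, then the
 * group feature decision. A FALSE (or otherwise unusable) original always
 * wins, so the wrapper fails closed rather than open.
 */
function example_group_access($original, array $args) {
  if ($original === FALSE || $original === 0 || $original === '') {
    return FALSE;
  }
  if ($original === TRUE || $original === 1) {
    $core_allows = TRUE;
  }
  elseif (is_string($original) && function_exists($original)) {
    $core_allows = (bool) call_user_func_array($original, $args);
  }
  else {
    // Unknown callback shape: deny instead of guessing.
    return FALSE;
  }
  return $core_allows && example_group_feature_enabled();
}

/**
 * Hypothetical stand-in for the per-group feature check.
 */
function example_group_feature_enabled() {
  return TRUE;
}
```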


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [4] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * OG Features 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed OG Features
[5] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the OG Features module for Drupal 6.x, upgrade to OG Features
 6.x-1.4 [6]

Also see the OG Features [7] project page.

 REPORTED BY
-

   * Andrey Tretyakov [8]

 FIXED BY


   * Mike Stefanello [9] the module maintainer
   * Jess Straatmann [10]

 COORDINATED BY
--

   * Greg Knaddison [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/og_features
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og
[4] http://cve.mitre.org/
[5] http://drupal.org/project/og_features
[6] https://drupal.org/node/2149743
[7] http://drupal.org/project/og_features
[8] https://drupal.org/user/169459
[9] https://drupal.org/user/107190
[10] https://drupal.org/user/105111
[11] https://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-093 - Invitation - Access Bypass

2013-11-20 Thread security-news
View online: https://drupal.org/node/2140097

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-093
   * Project: Invitation [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-20
   * Security risk: Critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

The Invitation module restricts registration to users who have an invite code
(for running a private beta).
The module provides default views that don't check access to views prior to
displaying private information like usernames and email addresses.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Invitation 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Invitation [4]
module, there is nothing you need to do.

 SOLUTION


If you use the Invitation module for Drupal 7.x, you should disable the
module. There is no release with a fix.

Also see the Invitation [5] project page.

 REPORTED BY
-

   * j1ndustry [6]

 FIXED BY


Not applicable.

 COORDINATED BY
--

   * Greg Knaddison [7] and Lee Rowlands [8] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].


[1] http://drupal.org/project/invitation
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/invitation
[5] http://drupal.org/project/invitation
[6] http://drupal.org/user/2688277
[7] http://drupal.org/user/36762
[8] https://drupal.org/user/395439
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS)

2013-11-20 Thread security-news
View online: https://drupal.org/node/2140123

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-094
   * Project: EU Cookie Compliance [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-20
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Cross Site Request Forgery

 DESCRIPTION
-

This module enables you to display notifications so that visitors can give
their consent to your website setting cookies.
The module doesn't sufficiently filter and validate configuration values
entered by administrators. This vulnerability is mitigated by the fact that
an attacker must have a role with the permission Administer EU Cookie
Compliance popup.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * EU Cookie Compliance 7.x-1.x versions prior to 7.x-1.12.

Drupal core is not affected. If you do not use the contributed EU Cookie
Compliance [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the EU Cookie Compliance module for Drupal 7.x, upgrade to
 7.x-1.12 [5]

Also see the EU Cookie Compliance [6] project page.

 REPORTED BY
-

   * Lode Vanstechelman [7]

 FIXED BY


   * Marcin Pajdzik [8] - the module maintainer

 COORDINATED BY
--

   * Hunter Fox [9] and Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/eu-cookie-compliance
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/eu-cookie-compliance
[5] https://drupal.org/node/2139875
[6] http://drupal.org/project/eu-cookie-compliance
[7] http://drupal.org/user/657472
[8] http://drupal.org/user/160555
[9] http://drupal.org/user/426416
[10] https://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-096 - Entity reference - Access bypass

2013-11-20 Thread security-news
View online: https://drupal.org/node/2140237

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-096
   * Project: Entity reference [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-20
   * Security risk: Not critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

By default, with an autoselect or a select widget, a user cannot autocomplete
an entity title, nor can they select an entity that they have no access to.
This will correctly throw an 'invalid id' error and does not show the title of
the entity.

However, if a user (A) that has access to the referenced entity (Node 1),
makes that reference on a node (Node 2), and gives edit access to another
user (B), user B will be able to see the node title for the referenced node
(Node 2).

This vulnerability is mitigated by the fact that an attacker must get a user
with access to a private node to reference it via another node that attacker
has edit access to. No other node information is leaked other than the title.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Entityreference 7.x-1.x versions prior to 7.x-1.1-rc1

Drupal core is not affected. If you do not use the contributed Entity
reference [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Entityreference module for Drupal 7.x, upgrade to
 Entityreference 7.x-1.1 [5]

Also see the Entity reference [6] project page.

 REPORTED BY
-

   * Jakob Perry [7]

 FIXED BY


   * Damien Tournoud [8] the module maintainer
   * Jakob Perry [9]
   * Amitai Burstein [10]

 COORDINATED BY
--

   * David Stoline [11] and Greg Knaddison [12] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] http://drupal.org/project/entityreference
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/entityreference
[5] https://drupal.org/node/2140229
[6] http://drupal.org/project/entityreference
[7] https://drupal.org/user/45640
[8] http://drupal.org/user/22211
[9] http://drupal.org/user/45640
[10] http://drupal.org/user/57511
[11] https://drupal.org/user/329570
[12] https://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-095 - Organic Groups - Access bypass

2013-11-20 Thread security-news
View online: https://drupal.org/node/2140217

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-095
   * Project: Organic groups [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-20
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

Two issues exist within entity references and permissions relating to OG,
potentially allowing users to bypass access checks.

 Posting content into groups where a user is not a member

Organic Groups does not sufficiently prevent the group audience field (e.g.
og_group_ref) from being populated with invalid data. The autocomplete
reference field only needs a node id to validate.

An attacker could modify a group audience field in order to post within a
group they had no access to.

Any user with the ability to create content can use this vulnerability.

 Inconsistent access checking in posting content

Organic Groups manages its own group-based permissions. This allows users to
have escalated privilege sets in specific groups, but not site-wide. Organic
Groups assumes that the group field is populated; when it is not populated, a
user may have permission to create or edit content outside of a group even
though they shouldn't be allowed to do that.

This vulnerability is mitigated because the following must be true in order
for it to work:
1) The node in question must have all of its groups set as optional input
2) The user must not have site-wide access to post content of a certain type,
but must be a member of a group that does permit create/edit privileges for
the same type.
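A single validation hook that closes both gaps described above (an audience field pointing at a group the author may not post into, and a node with no group at all falling back to group-level privileges), as an added illustrative example that is not OG's own fix. It assumes Drupal 7, a group audience field named og_group_ref, the OG 7.x-2.x functions og_is_group() and og_user_access(), and covers creation only (editing would check the corresponding update permission).

```php
<?php
/**
 * Added illustrative hook_node_validate() (not OG's code). Called by node
 * validation after the submitted field values have been attached to $node.
 */
function example_og_node_validate($node, $form, &$form_state) {
  global $user;

  // Collect the group node ids the submitted audience field points at.
  $gids = array();
  $items = field_get_items('node', $node, 'og_group_ref');
  if ($items) {
    foreach ($items as $item) {
      if (!empty($item['target_id'])) {
        $gids[] = (int) $item['target_id'];
      }
    }
  }

  // Second issue: no group selected, so only the site-wide permission may
  // authorise the post. Group-level privileges must not apply here.
  if (empty($gids)) {
    if (!user_access("create $node->type content")) {
      form_set_error('og_group_ref', t('You may only post this content type inside a group you belong to.'));
    }
    return;
  }

  // First issue: a bare node id is not enough. Each referenced entity must
  // actually be a group, and the author must hold the create permission
  // inside that group (og_user_access() also honours group admins).
  foreach ($gids as $gid) {
    if (!og_is_group('node', $gid)) {
      form_set_error('og_group_ref', t('Node %gid is not a group.', array('%gid' => $gid)));
      continue;
    }
    if (!og_user_access('node', $gid, "create $node->type content", $user)) {
      form_set_error('og_group_ref', t('You may not post %type content into group %gid.', array(
        '%type' => $node->type,
        '%gid' => $gid,
      )));
    }
  }
}
```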


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * OG 7.x-2.x versions prior to 7.x-2.3

Drupal core is not affected. If you do not use the contributed Organic groups
[4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Organic Groups module for Drupal 7.x, upgrade to og
 7.x-2.4 [5]

Also see the Organic groups [6] project page.

 REPORTED BY
-

   * Jakob Perry [7]
   * Richard Goodrow [8]
   * Bruce Hoppe [9]

 FIXED BY


   * Amitai Burstein [10] the module maintainer
   * Roy Segall [11]
   * Jakob Perry [12]

 COORDINATED BY
--

   * David Stoline [13] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].


[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/og
[5] http://drupal.org/node/2140209
[6] http://drupal.org/project/og
[7] http://drupal.org/user/45640
[8] http://drupal.org/user/802140
[9] http://drupal.org/user/2470954
[10] https://drupal.org/user/57511
[11] https://drupal.org/user/1812910
[12] http://drupal.org/user/45640
[13] https://drupal.org/user/329570
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities

2013-11-20 Thread security-news
 Gervais [29], and Herman van Rink [30].
   * The token access bypass issue was fixed by Heine Deelstra [31], Klaus
 Purer [32], and David Rothstein [33], all of the Drupal Security Team.
   * The Image module cross-site scripting issue was fixed by Francisco José
 Cruz Romanos [34], and Peter Wolanin [35] of the Drupal Security Team.
   * The Color module cross-site scripting issue was fixed by David Rothstein
 [36] of the Drupal Security Team.
   * The open redirect in the Overlay module was fixed by Heine Deelstra [37]
 of the Drupal Security Team.

 COORDINATED BY
--

The Drupal Security Team [38]

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [39].

Learn more about the Drupal Security team and their policies [40], writing
secure code for Drupal [41], and securing your site [42].


[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/drupal-6.29-release-notes
[5] http://drupal.org/drupal-7.24-release-notes
[6] http://drupal.org/project/drupal
[7] https://drupal.org/user/17943
[8] https://drupal.org/user/329570
[9] https://drupal.org/user/395439
[10] https://drupal.org/user/153206
[11] https://drupal.org/user/1206300
[12] https://drupal.org/user/72475
[13] https://drupal.org/user/17943
[14] https://drupal.org/user/848238
[15] https://drupal.org/user/1862060
[16] https://drupal.org/user/52142
[17] https://drupal.org/user/395439
[18] https://drupal.org/user/262198
[19] https://drupal.org/user/19668
[20] https://drupal.org/user/329570
[21] https://drupal.org/user/17943
[22] https://drupal.org/user/22211
[23] https://drupal.org/user/49851
[24] https://drupal.org/user/124982
[25] https://drupal.org/user/9034
[26] https://drupal.org/user/45
[27] https://drupal.org/user/1274
[28] https://drupal.org/user/153206
[29] https://drupal.org/user/368613
[30] https://drupal.org/user/449000
[31] https://drupal.org/user/17943
[32] https://drupal.org/user/262198
[33] https://drupal.org/user/124982
[34] https://drupal.org/user/848238
[35] https://drupal.org/user/49851
[36] https://drupal.org/user/124982
[37] https://drupal.org/user/17943
[38] https://drupal.org/security-team
[39] http://drupal.org/contact
[40] http://drupal.org/security-team
[41] http://drupal.org/writing-secure-code
[42] http://drupal.org/security/secure-configuration

[Full-disclosure] [Security-news] SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass

2013-11-13 Thread security-news
View online: https://drupal.org/node/2135267

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-091
   * Project: Groups, Communities and Co (GCC) [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-13
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

This module enables you to manage groups and assign content and users to
groups.
The module doesn't sufficiently check permissions to some of the
configuration pages allowing unprivileged users to access the roles and
permissions pages of the GCC module.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * GCC 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Groups,
Communities and Co (GCC) [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the GCC module for Drupal 7.x, upgrade to GCC 7.x-1.1. [5]

Also see the Groups, Communities and Co (GCC) [6] project page.

 REPORTED BY
-

   * Jean Jacques Ancel [7]

 FIXED BY


   * Edouard Fajnzilberg [8] the module maintainer

 COORDINATED BY
--

   * Greg Knaddison [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/gcc
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/gcc
[5] https://drupal.org/node/2132747
[6] http://drupal.org/project/gcc
[7] https://drupal.org/user/361997
[8] https://drupal.org/user/815280
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-090 - Revisioning - Access Bypass

2013-11-13 Thread security-news
View online: https://drupal.org/node/2135257

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-090
   * Project: Revisioning [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-13
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

This module enables you to create content publication workflows whereby one
version of the content is live (publicly visible), while another is being
edited and moderated privately until found fit for publication.
The module doesn't sufficiently apply node access permissions when used in
combination with BOTH the Scheduler module AND a module that modifies the
node access permissions table.

As a result it is possible that content that was Scheduled to be unpublished
can still be viewed by authenticated users who, based on the node access
table, should no longer have permission to view this content.

This vulnerability is mitigated by the fact that this only occurs for
Authenticated users for Scheduled content on Drupal sites with the
combination of all three modules: Revisioning, Scheduler and a module that
modifies the node access table conditional on the publication status of the
content. In this report this was the Organic Groups Moderation module.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Revisioning 7.x-1.x versions prior to 7.x-1.6

Drupal core is not affected. If you do not use the contributed Revisioning
[4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Revisioning module, version 7.x-1.5 or older, upgrade to
 Revisioning 7.x-1.6 [5]

Also see the Revisioning [6] project page.

 REPORTED BY
-

   * Pete Gillis [7]

 FIXED BY


   * Rik de Boer [8], the module maintainer, with assistance from Pete Gillis
 [9]

 COORDINATED BY
--

   * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/revisioning
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/revisioning
[5] https://drupal.org/node/2133555
[6] http://drupal.org/project/revisioning
[7] http://drupal.org/user/373976
[8] http://drupal.org/user/404007
[9] http://drupal.org/user/373976
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-092 - Misery - Denial of Service (DOS) vulnerability.

2013-11-13 Thread security-news
View online: https://drupal.org/node/2135273

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-092
   * Project: Misery [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2013-November-13
   * Security risk: Not critical [2]
   * Exploitable from: Remote
   * Vulnerability: Multiple vulnerabilities

 DESCRIPTION
-

This module enables you to make life difficult for certain users, such as
trolls, as an alternative to banning or deleting them from a community. The
module provides means by which to punish members of your website. The aim of
Misery is to not be traceable by users on the misery list, so misery actions
should be sufficiently subtle to avoid suspicion.

The module doesn't sufficiently warn about issues that can arise if high
values are set on the delay misery configuration, which is active by
default. Users who are made to suffer delay misery can make multiple
requests to the site and consume all the web serving processes, causing a
denial of service.

This vulnerability is mitigated by the fact that an administrator can change
these configuration values on a per user basis within the interface. The
option can also be turned off.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Misery 6.x-2.x versions prior to 6.x-2.5.
   * Misery 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Misery [4]
module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Misery module for Drupal 6.x, upgrade to Misery 6.x-2.5 [5]
   * If you use the Misery module for Drupal 7.x, upgrade to Misery 7.x-2.2 [6]

And check your misery delay configuration.

Also see the Misery [7] project page.

 REPORTED BY
-

   * David Norman [8]

 FIXED BY


   * Jorge Tutor [9] the module maintainer

 COORDINATED BY
--

   * Greg Knaddison [10] of the Drupal Security Team
   * Laurence Liss [11] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/misery
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/misery
[5] https://drupal.org/node/2134409
[6] https://drupal.org/node/2134413
[7] http://drupal.org/project/misery
[8] http://drupal.org/user/972
[9] http://drupal.org/user/600158
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/724750
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass

2013-11-06 Thread security-news
View online: https://drupal.org/node/2129373

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-087
   * Project: Payment for Webform [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-06
   * Security risk: Not critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

This module enables you to ask for or require payments before users can
submit webforms. It previously allowed anonymous users to sometimes use other
anonymous users' payments when submitting a form. Payment for Webform never
supported anonymous users, but there was also nothing that prevented them
from using the Webform component.

This vulnerability is mitigated by the fact that an attacker must be
anonymous and that other anonymous users must have made payments that have
not been used for submitting a webform yet. It does not compromise sites'
security, nor does it allow anonymous users to do anything they would not
have been able to do, if they had made a payment themselves.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Payment for Webform 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Payment for
Webform [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Payment for Webform module for Drupal 7.x, upgrade to
 7.x-1.5 [5]

Additionally, if you have any forms that use the component and are accessible
to anonymous users, you may need to update those to prevent form validation
errors.

Also see the Payment for Webform [6] project page.

 REPORTED BY
-

   * Herman van Rink [7] (helmo)
   * Clemens Tolboom [8] (clemens.tolboom)
   * Greg Knaddison [9] (greggles) of the security team

 FIXED BY


   * Bart Feenstra [10] (Xano), the module maintainer

 COORDINATED BY
--

   * Greg Knaddison [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/payment_webform
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/payment_webform
[5] https://drupal.org/node/2128345
[6] http://drupal.org/project/payment_webform
[7] https://drupal.org/user/449000
[8] https://drupal.org/user/125814
[9] https://drupal.org/user/36762
[10] https://drupal.org/user/62965
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass

2013-11-06 Thread security-news
View online: https://drupal.org/node/2129379

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-089
   * Project: Node Access Keys [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-06
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-

Node Access Keys helps to grant users temporary view permissions to selected
content types on a per user role basis. However, it only implements
hook_node_access() and not hook_query_alter(), which means any listing of
nodes does not respect the node view access.
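Added illustration (not the Node Access Keys module's own code) of the gap the advisory describes, using a hypothetical Drupal 7 module named tempview with an assumed helper tempview_user_has_key(): hook_node_access() is only consulted when a single node is checked for viewing, so a module that restricts viewing there alone leaves node listings, which are filtered through the node_access query tag, unprotected. The hook_query_node_access_alter() implementation applies the same rule to those listings.

```php
<?php
/**
 * Added example, not the Node Access Keys module's code: a hypothetical
 * Drupal 7 module "tempview" that lets users view selected content types
 * only while they hold a temporary key. Storage in variable_get() is an
 * assumption made for the example.
 */

/**
 * Assumed helper: does $account hold an unexpired key for $type?
 */
function tempview_user_has_key($account, $type) {
  $keys = variable_get('tempview_keys', array());
  return !empty($keys[$account->uid][$type])
    && $keys[$account->uid][$type] > REQUEST_TIME;
}

/**
 * Implements hook_node_access().
 *
 * Only node_access() for a single node (node/123, node_view()) calls this.
 * Listings tagged 'node_access' (Views, node_load_multiple() with tags)
 * never do, so on its own this hook leaves listings unprotected.
 */
function tempview_node_access($node, $op, $account) {
  $protected = variable_get('tempview_types', array());
  // For $op == 'create' Drupal passes the type name instead of a node.
  $type = is_object($node) ? $node->type : $node;
  if ($op == 'view' && in_array($type, $protected)
      && !user_access('bypass node access', $account)) {
    return tempview_user_has_key($account, $type)
      ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
  }
  return NODE_ACCESS_IGNORE;
}

/**
 * Implements hook_query_TAG_alter() for the 'node_access' tag.
 *
 * This is the companion piece that makes listings agree with the
 * single-node check above: every node_access-tagged query is narrowed to
 * exclude protected types the account holds no key for.
 */
function tempview_query_node_access_alter(QueryAlterableInterface $query) {
  $account = $query->getMetaData('account');
  if (!$account) {
    global $user;
    $account = $user;
  }
  if (user_access('bypass node access', $account)) {
    return;
  }
  $denied = array();
  foreach (variable_get('tempview_types', array()) as $type) {
    if (!tempview_user_has_key($account, $type)) {
      $denied[] = $type;
    }
  }
  if (!$denied) {
    return;
  }
  // Locate the {node} table alias, as core's node_query_node_access_alter()
  // does; subqueries appear as objects here and are skipped.
  foreach ($query->getTables() as $alias => $info) {
    if (is_string($info['table']) && $info['table'] == 'node') {
      $query->condition($alias . '.type', $denied, 'NOT IN');
    }
  }
}
```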


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Node Access Keys 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Node Access
Keys [4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Node Access Keys module for Drupal 7.x, upgrade to Node
 Access Keys 7.x-1.1 [5]

Also see the Node Access Keys [6] project page.

 REPORTED BY
-

   * Daniel Korte [7] the module maintainer

 FIXED BY


   * Daniel Korte [8] the module maintainer

 COORDINATED BY
--

   * Greg Knaddison [9] of the Drupal Security Team
   * Ben Jeavons [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/nodeaccesskeys
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/nodeaccesskeys
[5] https://drupal.org/node/2125239
[6] http://drupal.org/project/nodeaccesskeys
[7] http://drupal.org/user/453668
[8] http://drupal.org/user/453668
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data

2013-11-06 Thread security-news
View online: https://drupal.org/node/2129381

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-088
   * Project: Secure Pages [1] (third-party module)
   * Version: 6.x
   * Date: 2013-November-06
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Missing Encryption of Sensitive Data

 DESCRIPTION
-

The Secure Pages module manages redirects between HTTP and HTTPS pages.

A flaw in the URL path matching could lead some pages and forms to be
transmitted via plain HTTP, even if the administrator intended those pages to
use HTTPS. This flaw may surface either due to a malicious user enticing a
user to land on a specially constructed page or through normal interactions
with the site.


 CVE IDENTIFIER(S) ISSUED


   * /A CVE identifier [3] will be requested, and added upon issuance, in
 accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
---

   * Secure Pages 6.x-2.x versions prior to 6.x-2.0.

Drupal core is not affected. If you do not use the contributed Secure Pages
[4] module, there is nothing you need to do.

 SOLUTION


Install the latest version:

   * If you use the Secure Pages module for Drupal 6.x, upgrade to Secure
 Pages 6.x-2.0 [5]

Also see the Secure Pages [6] project page.

 REPORTED BY
-

   * Balazs Nagykekesi [7]

 FIXED BY


   * Balazs Nagykekesi [8]
   * Dylan Tack [9] of the Drupal Security Team, module maintainer

 COORDINATED BY
--

   * Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/securepages
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/securepages
[5] https://drupal.org/node/2128739
[6] http://drupal.org/project/securepages
[7] http://drupal.org/user/21231
[8] http://drupal.org/user/21231
[9] http://drupal.org/user/96647
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-084 - FileField Sources - Access Bypass

2013-10-30 Thread security-news
View online: https://drupal.org/node/2124241

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-084
  * Project: FileField Sources [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-Oct-30
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

This module expands on the FileField module by allowing you to select new or
existing files through additional means, such as re-using files with an
auto-complete textfield, attaching server-side files uploaded via FTP,
transferring files from a remote server, pasting a file directly from
the clipboard, and selecting existing files through the IMCE file browser.

The module doesn't sufficiently check file access permissions when attaching
an existing file. Any existing file could be re-used and the user would then
be granted access to that file.

This vulnerability is mitigated by the fact that an attacker must have a
permission granting the ability to create content which has a file field
using the module.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Filefield Sources 6.x-1.x versions prior to 6.x-1.9.
  * Filefield Sources 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed FileField
Sources [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the FileField Sources module for Drupal 6.x, upgrade to
FileField Sources 6.x-1.9 [5]
  * If you use the FileField Sources module for Drupal 7.x, upgrade to
FileField Sources 7.x-1.9 [6]

Also see the FileField Sources [7] project page.

 REPORTED BY  
-

  * Joseph Lee [8]

 FIXED BY  


  * Nathan Haug [9] the module maintainer
  * Cash Williams [10] provisional member of the Drupal Security Team

 COORDINATED BY  
--

  * Cash Williams [11] provisional member of the Drupal Security Team
  * David Stoline [12] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/filefield_sources
[5] https://drupal.org/node/2124217
[6] https://drupal.org/node/2124219
[7] http://drupal.org/project/filefield_sources
[8] http://drupal.org/user/32743
[9] http://drupal.org/user/6399
[10] http://drupal.org/user/29938
[11] http://drupal.org/user/29938
[12] http://drupal.org/user/329570
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-083 - Quiz - Access Bypass

2013-10-30 Thread security-news
View online: https://drupal.org/node/2123995

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-083
  * Project: Quiz [1] (third-party module)
  * Version: 6.x
  * Date: 2013-October-30
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Information Disclosure, Multiple
vulnerabilities

 DESCRIPTION  
-

 Access bypass on deleting quiz results

The Quiz module provides tools for authoring and administering quizzes
through Drupal. A quiz is given as a series of questions, with only one
question appearing per page. Scores are then stored in the database.

The module doesn't sufficiently check the delete quiz results permission. All
users who have permission to view Quiz results can access the delete option
on the results page, irrespective of whether they hold the "delete any quiz
results" or "delete results for own quiz" permissions.

This vulnerability is mitigated by the fact that an attacker must have a role
with the "view any quiz results" or "view results for own quiz" permission.

 Access bypass in viewing quiz views

The Quiz module has Views integration including default Views. These default
views provided by the module do not have proper access control. If the Views
are enabled and the access controls are left unchanged then information about
users quiz results may be disclosed.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Quiz 6.x-4.x versions prior to 6.x-4.5.

Drupal core is not affected. If you do not use the contributed Quiz [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Quiz module for Drupal 6.x, upgrade to Quiz 6.x-4.5 [5]
  * For both versions: Review the Quiz results view and delete permissions and
ensure they work as expected for the intended users

Also see the Quiz [6] project page.

 REPORTED BY  
-

  * nirvanajyothi [7]
  * Cat Hirst [8]

 FIXED BY  


  * Wouter Admiraal [9]
  * Sivaji Ganesh [10] the module co-maintainer
  * Falcon [11] the module maintainer

 COORDINATED BY  
--

  * Dan Smith [12], Jakub Suchy [13], Ned McClain [14], Greg Knaddison [15] of
the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [16].

Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].


[1] http://drupal.org/project/quiz
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/quiz
[5] https://drupal.org/node/2123727
[6] http://drupal.org/project/quiz
[7] https://drupal.org/user/252387
[8] https://drupal.org/user/162748
[9] https://drupal.org/user/440510
[10] https://drupal.org/user/328724
[11] https://drupal.org/user/530912
[12] https://drupal.org/user/241220
[13] https://drupal.org/user/31977
[14] https://drupal.org/user/798324
[15] https://drupal.org/user/36762
[16] http://drupal.org/contact
[17] http://drupal.org/security-team
[18] http://drupal.org/writing-secure-code
[19] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-085 - Feed Element Mapper - Cross Site Scripting

2013-10-30 Thread security-news
View online: https://drupal.org/node/2124279

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-085
  * Project: Feed Element Mapper [1] (third-party module)
  * Version: 6.x
  * Date: 2013-October-30
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

Feed Element Mapper is an add-on module for FeedAPI that maps elements on a
feed item, such as tags or the author name, to taxonomy or CCK fields.

The module doesn't sufficiently filter text when displaying options to users.

This vulnerability is mitigated by the fact that an attacker must have a role
with the "administer taxonomy" permission.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

All versions of the module.

Drupal core is not affected. If you do not use the contributed Feed Element
Mapper [4] module, there is nothing you need to do.

 SOLUTION  


Users of the module are encouraged to evaluate the risks and mitigating
factors and remove the module. There is no release with a fix available. The
module is generally unsupported and users are encouraged to switch to the
FeedAPI suite of modules.

Also see the Feed Element Mapper [5] project page.

 REPORTED BY  
-

  * Justin Klein-Keane [6]

 FIXED BY  


Not applicable.

 COORDINATED BY  
--

  * Greg Knaddison [7] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].


[1] http://drupal.org/project/feedapi_mapper
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/feedapi_mapper
[5] http://drupal.org/project/feedapi_mapper
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-086 - Monster Menus - Access bypass

2013-10-30 Thread security-news
View online: https://drupal.org/node/2124289

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-086
  * Project: Monster Menus [1] (third-party module)
  * Version: 7.x
  * Date: 2013-October-30
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

Monster Menus includes the ability to protect the visibility of comments for
each node based on hierarchical permissions. However, a carefully-crafted URL
could be used to bypass these permissions, allowing an anonymous user to view
the comments associated with certain nodes.

In order for this flaw to be relevant and exploited, the node itself must be
readable by the attacker. Furthermore, the "Who can read comments" setting
for the node must be something other than "Everyone".


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * monster_menus 7.x-1.x versions prior to 7.x-1.15.

Drupal core is not affected. If you do not use the contributed Monster Menus
[4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the monster_menus module for Drupal 7.x, upgrade to
monster_menus 7.x-1.15 [5]

Also see the Monster Menus [6] project page.

 REPORTED BY  
-

  * Dan Wilga [7]

 FIXED BY  


  * Dan Wilga [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/monster_menus
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/monster_menus
[5] https://drupal.org/node/2123287
[6] http://drupal.org/project/monster_menus
[7] https://drupal.org/user/56892
[8] https://drupal.org/user/56892
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] PSA-2013-002: Direct download links available even during Drupal.org upgrade window

2013-10-30 Thread security-news
View online: https://drupal.org/node/2124407

This is a short addition to the security announcements released on October
30th. Due to Drupal.org's scheduled downtime on October 31, not all links in
those mails may be available when you need them. If you encounter this
situation, please use the following direct URLs to the archives containing
the updates.

 QUIZ: [1]  
---

  * http://ftp.drupal.org/files/projects/quiz-6.x-4.5.tar.gz
  * http://ftp.drupal.org/files/projects/quiz-6.x-4.5.zip

 FILEFIELD SOURCES: [2]  
--

  * http://ftp.drupal.org/files/projects/filefield_sources-6.x-1.9.tar.gz
  * http://ftp.drupal.org/files/projects/filefield_sources-6.x-1.9.zip

  * http://ftp.drupal.org/files/projects/filefield_sources-7.x-1.9.tar.gz
  * http://ftp.drupal.org/files/projects/filefield_sources-7.x-1.9.zip

 MONSTER MENUS: [3]  
--

  * http://ftp.drupal.org/files/projects/monster_menus-7.x-1.15.tar.gz
  * http://ftp.drupal.org/files/projects/monster_menus-7.x-1.15.zip


[1] https://drupal.org/node/2123995
[2] https://drupal.org/node/2124241
[3] https://drupal.org/node/2124289


[Full-disclosure] [Security-news] SA-CONTRIB-2013-074 - MediaFront - Cross Site Scripting (XSS)

2013-09-11 Thread security-news
View online: https://drupal.org/node/2087051

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-074
  * Project: MediaFront [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-September-11
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

The MediaFront module provides a front-end media presentation layer for
Drupal.

The module doesn't sufficiently filter user input from MediaFront preset
settings.

This vulnerability is mitigated by the fact that an attacker must have a role
with the "administer mediafront" permission to exploit this bug.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * MediaFront 6.x-1.x versions prior to 6.x-1.6.
  * MediaFront 7.x-1.x versions prior to 7.x-1.6.
  * MediaFront 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed MediaFront [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the MediaFront module for Drupal 6.x, upgrade to MediaFront
6.x-1.6 [5]
  * If you use the MediaFront module version 1.x for Drupal 7.x, upgrade to
MediaFront 7.x-1.6 [6]
  * If you use the MediaFront module version 2.x for Drupal 7.x, upgrade to
MediaFront 7.x-2.1 [7]

Also see the MediaFront [8] project page.

 REPORTED BY  
-

  * Justin KleinKeane [9]

 FIXED BY  


  * Justin KleinKeane [10]
  * Travis Tidwell [11] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [12] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] http://drupal.org/project/mediafront
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mediafront
[5] https://drupal.org/node/2086187
[6] https://drupal.org/node/2086189
[7] https://drupal.org/node/2086191
[8] http://drupal.org/project/mediafront
[9] https://drupal.org/user/302225
[10] https://drupal.org/user/302225
[11] http://drupal.org/user/98581
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-076 - jQuery Countdown - Cross Site Scripting (XSS)

2013-09-11 Thread security-news
View online: https://drupal.org/node/2087095

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-076
  * Project: jQuery Countdown [1] (third-party module)
  * Version: 7.x
  * Date: 2013-September-11
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

This jQuery Countdown Module enables you to display a countdown block based
upon date settings.

The jQuery Countdown Module does not properly sanitize the settings, allowing
a malicious user to embed scripts within a page, resulting in a Cross-site
Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have the
"access administration pages" permission.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * jquery_countdown 7.x-1.x versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed jQuery
Countdown [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the jQuery Countdown module, upgrade to jQuery Countdown
7.x-1.1 [5]

Also see the jQuery Countdown [6] project page.

 REPORTED BY  
-

  * Joachim Noreiko [7]

 FIXED BY  


  * Dennis Brücke [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] and Lee Rowlands [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/jquery_countdown
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/jquery_countdown
[5] https://drupal.org/node/2087089
[6] http://drupal.org/project/jquery_countdown
[7] https://drupal.org/user/107701
[8] https://drupal.org/user/413429
[9] http://drupal.org/user/36762
[10] https://drupal.org/user/395439
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-075 - Click2Sell - Multiple Vulnerabilities (XSS and CSRF)

2013-09-11 Thread security-news
View online: https://drupal.org/node/2087055

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-075
  * Project: Click2Sell Suite [1] (third-party module)
  * Version: 6.x
  * Date: 2013-September-11
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Cross Site Request Forgery

 DESCRIPTION  
-

Click2Sell is an Affiliate Marketing Network which lets you sell your
products through their marketplace or on your website with buy it now
buttons, and which also allows you to access hundreds of affiliates who want
to sell your product for you and earn commission.

 Reflected Cross Site Scripting (XSS)

The module doesn't sufficiently filter user supplied data when presenting a
confirmation form.

 Cross Site Request Forgery (CSRF)

The module doesn't properly use Drupal's Form API which allows a malicious
user to trick an admin into accidentally deleting information from
Click2Sell's database.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * All Click2Sell Suite 6.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Click2Sell
Suite [4] module, there is nothing you need to do.

 SOLUTION  


  * If you use the Click2Sell Suite module for Drupal 6.x you should disable
it.

Also see the Click2Sell Suite [5] project page.

 REPORTED BY  
-

  * Greg Knaddison [6] of the Drupal Security Team

 FIXED BY  


Not applicable.

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].

Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].


[1] http://drupal.org/project/click2sell
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/click2sell
[5] http://drupal.org/project/click2sell
[6] http://drupal.org/user/36762
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass

2013-09-04 Thread security-news
View online: https://drupal.org/node/2081637

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-073
  * Project: Make Meeting Scheduler [1] (third-party module)
  * Version: 6.x
  * Date: 2013-September-04
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

This module enables you to create polls accessible by a URL containing a hash
(e.g. example.com/makemeeting/sn9028xh3398) so that anonymous users can view
and vote on the poll.

The module didn't sufficiently check access when a poll is accessed directly
via its node URL (e.g. node/123). Note: a user with the hashed URL can still
access and vote on the poll, as that is the intention of the module.

 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Make Meeting Scheduler 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Make Meeting
Scheduler [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Make Meeting Scheduler module for Drupal 6.x, upgrade to
Make Meeting Scheduler module 6.x-1.3 [5]

Also see the Make Meeting Scheduler [6] project page.

 REPORTED BY  
-

  * rhatto [7]

 FIXED BY  


  * rhatto [8]
  * SebCorbin [9] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/makemeeting
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/makemeeting
[5] https://drupal.org/node/2081647
[6] http://drupal.org/project/makemeeting
[7] http://drupal.org/user/108738
[8] http://drupal.org/user/108738
[9] http://drupal.org/user/412171
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] PSA-2013-001: Drupal core - Users can insert hidden text and links

2013-09-04 Thread security-news
View online: https://drupal.org/node/2081887

  * Advisory ID: PSA-2013-001
  * Project: Drupal core [1]
  * Version: 6.x, 7.x
  * Date: 2013-September-04
  * Security risk: Not critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

 DESCRIPTION  
-

This is a public service announcement regarding possible insertion of hidden
links in comments using core CSS selectors within filtered HTML Text formats
(Input formats in Drupal 6). Drupal core provides several CSS selectors
that, by design, hide elements on the page. Using these selectors it is
possible to create links to third-party websites that are hidden within a
comment. This technique has been observed on live production websites.

Drupal core provides mechanisms that sanitize user submitted links by adding
a rel=nofollow attribute. This feature can be enabled for Drupal 7 sites at
admin/config/content/formats/filtered_html and for Drupal 6 sites at
admin/settings/filters/1/configure. Note that these paths are for the default
formats provided with core. Your site may define custom formats which should
be reviewed and updated as well.

Careful moderation of user submitted comments is always advised.
Additionally, automated comment moderation tools may help to mitigate and
flag these malicious comment submissions.


 SOLUTION  


Review user-submitted content on your site to see if untrusted users have
posted content that includes classes. Review those classes to see if they
will hide unwanted content.
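One way to do that review mechanically, as an added example written for this page (it is not code from the PSA or from Drupal core): walk each user-submitted body, and report every link that sits on, or under, an element carrying one of core's hiding classes. The class list (Drupal 7's element-hidden and element-invisible) is the default and should be extended with any hiding classes your theme defines; the sample comment bodies are constructed.

```php
<?php
/**
 * Added example (not from the PSA): scan user-submitted HTML for links that are
 * hidden through Drupal core's visually-hiding CSS classes. Stand-alone PHP
 * with no Drupal bootstrap; the class list covers the Drupal 7 core classes
 * (element-hidden, element-invisible) and can be extended with a theme's own,
 * and the sample comments are constructed.
 */

/**
 * Returns one entry per link that is hidden by a class on itself or on an
 * ancestor element: array('href' => ..., 'hidden_by' => ..., 'on' => tag).
 */
function hidden_link_report($html, array $hidden_classes = array('element-hidden', 'element-invisible')) {
  $doc = new DOMDocument();
  libxml_use_internal_errors(TRUE);
  // Wrap the fragment so DOMDocument has a single root to parse.
  $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
  libxml_clear_errors();

  $findings = array();
  foreach ($doc->getElementsByTagName('a') as $a) {
    // Walk from the link up to the document root; a hiding class anywhere on
    // the path hides the link.
    for ($el = $a; $el instanceof DOMElement; $el = $el->parentNode) {
      $classes = preg_split('/\s+/', trim($el->getAttribute('class')), -1, PREG_SPLIT_NO_EMPTY);
      $hit = array_intersect($classes, $hidden_classes);
      if ($hit) {
        $findings[] = array(
          'href' => $a->getAttribute('href'),
          'hidden_by' => implode(' ', $hit),
          'on' => $el->tagName,
        );
        break;
      }
    }
  }
  return $findings;
}

// Constructed sample comment bodies keyed by comment id.
$comments = array(
  42 => '<p>Great article, thanks!</p>',
  43 => '<p>Agreed. <a class="element-invisible" href="http://example.com/spam">cheap pills</a></p>',
  44 => '<ul class="element-hidden"><li><a href="http://example.com/seo">seo</a></li></ul>',
);
foreach ($comments as $cid => $body) {
  foreach (hidden_link_report($body) as $f) {
    printf("comment %d: hidden link to %s (class '%s' on <%s>)\n",
      $cid, $f['href'], $f['hidden_by'], $f['on']);
  }
}
```

On a Drupal 7 site the bodies to feed in come from the field_data_comment_body table (column comment_body_value); on Drupal 6 from the comment column of the comments table. The check is deliberately class-based because the filtered formats keep the class attribute; it does not catch links hidden by inline style, which those formats normally strip.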

 REPORTED BY  
-

  * Aaron Weiss [3]

 COORDINATED BY  
--

  * David Stoline [4] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [5].

Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].


[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/user/745366
[4] http://drupal.org/user/329570
[5] http://drupal.org/contact
[6] http://drupal.org/security-team
[7] http://drupal.org/writing-secure-code
[8] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass

2013-08-28 Thread security-news
View online: https://drupal.org/node/2076315

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-072
  * Project: Node View Permissions [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-28
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

The Node View Permissions module adds "View own content" and "View any
content" permissions for each content type on the permissions page. However,
it only implements hook_node_access() and not hook_query_alter(), so the
permission is enforced when a single node is viewed but not in listings of
nodes (for example Views), which still expose nodes the user may not view.
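As an added illustration (example code written for this page, not the Node View Permissions module's own), a Drupal 7 module that declares the same per-type permissions and enforces them in both places: hook_node_access() for single-node checks, and hook_query_TAG_alter() for the node_access tag, which is what node listings such as Views carry. The module name viewperm_example is hypothetical, and the code assumes a Drupal 7 bootstrap.

```php
<?php
/**
 * Illustrative Drupal 7 module (hypothetical name "viewperm_example"):
 * per-content-type "view own / view any" permissions enforced both for a
 * single node and for every query tagged 'node_access'.
 */

/**
 * Implements hook_permission().
 */
function viewperm_example_permission() {
  $perms = array();
  foreach (node_type_get_types() as $type) {
    $perms["view own $type->type content"] = array(
      'title' => t('%type: View own content', array('%type' => $type->name)),
    );
    $perms["view any $type->type content"] = array(
      'title' => t('%type: View any content', array('%type' => $type->name)),
    );
  }
  return $perms;
}

/**
 * Implements hook_node_access().
 *
 * Covers node_access('view', $node) on one node (node/%node pages etc.).
 * On its own this does NOT filter listings built from queries tagged
 * 'node_access'; that is the gap the advisory describes.
 */
function viewperm_example_node_access($node, $op, $account) {
  if ($op != 'view' || !is_object($node)) {
    return NODE_ACCESS_IGNORE;
  }
  if (user_access("view any $node->type content", $account)) {
    return NODE_ACCESS_ALLOW;
  }
  if ($node->uid == $account->uid && user_access("view own $node->type content", $account)) {
    return NODE_ACCESS_ALLOW;
  }
  return NODE_ACCESS_DENY;
}

/**
 * Implements hook_query_TAG_alter() for the 'node_access' tag.
 *
 * Applies the same rule to listings (Views, node/frontpage queries, anything
 * that calls ->addTag('node_access')).
 */
function viewperm_example_query_node_access_alter(QueryAlterableInterface $query) {
  // A query may carry an explicit account; otherwise use the current user.
  $account = $query->getMetaData('account');
  if (!$account) {
    global $user;
    $account = $user;
  }
  // Same bypass rule as core.
  if ($account->uid == 1 || user_access('bypass node access', $account)) {
    return;
  }
  // Find the alias of the {node} base table in this query.
  $alias = NULL;
  foreach ($query->getTables() as $table) {
    if ($table['table'] === 'node') {
      $alias = $table['alias'];
      break;
    }
  }
  if ($alias === NULL) {
    return;
  }
  // Allowed rows: (type T viewable by anyone) OR (type T own AND uid = me).
  $allowed = db_or();
  foreach (node_type_get_types() as $type) {
    if (user_access("view any $type->type content", $account)) {
      $allowed->condition("$alias.type", $type->type);
    }
    elseif (user_access("view own $type->type content", $account)) {
      $allowed->condition(db_and()
        ->condition("$alias.type", $type->type)
        ->condition("$alias.uid", $account->uid));
    }
  }
  // No viewable type at all: force an empty result rather than no filter.
  if (count($allowed) == 0) {
    $query->where('1 = 0');
    return;
  }
  $query->condition($allowed);
}
```

Core's own node_query_node_access_alter() still runs alongside this one, so grants-based restrictions from other modules are ANDed with it; a module could instead express the same rule through hook_node_grants()/hook_node_access_records(), which core applies to both single nodes and tagged queries, but the point of the pair above is that a view-permission module must cover the listing path explicitly if it takes the hook_node_access() route.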


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Node View Permissions 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Node View
Permissions [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Node View Permissions module for Drupal 7.x, upgrade to
Node View Permissions 7.x-1.2 [5]

Also see the Node View Permissions [6] project page.

 REPORTED BY  
-

  * Mark Theunissen [7]

 FIXED BY  


  * hoter [8] the module maintainer

 COORDINATED BY  
--

  * Michael Hess [9] of the Drupal Security Team
  * Mark Ferree [10] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/node_view_permissions
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/node_view_permissions
[5] https://drupal.org/node/2031621
[6] http://drupal.org/project/node_view_permissions
[7] https://drupal.org/user/108606
[8] http://drupal.org/user/1677790
[9] https://drupal.org/user/102818
[10] http://drupal.org/user/76245
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-071 - Flag - Cross Site Scripting

2013-08-28 Thread security-news
View online: https://drupal.org/node/2076221

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-071
  * Project: Flag [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-28
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

The Flag module allows creation of customizable flags on entities.

Flag does not properly sanitize the name of a flag on the main flag
administration page, allowing a malicious user to embed scripts within a
page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have the
'Administer flags' permission.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Flag 7.x-3.x versions prior to 7.x-3.0.

Drupal core is not affected. If you do not use the contributed Flag [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.1 [5]

Also see the Flag [6] project page.

 REPORTED BY  
-

  * Justin_KleinKeane [7]

 FIXED BY  


  * Justin_KleinKeane [8]
  * Joachim Noreiko [9] the module co-maintainer

 COORDINATED BY  
--

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/flag
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/flag
[5] https://drupal.org/node/2075287
[6] http://drupal.org/project/flag
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/302225
[9] http://drupal.org/user/107701
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-070 - Zen - Cross Site Scripting

2013-08-21 Thread security-news
View online: https://drupal.org/node/2071157

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-070
  * Project: Zen [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-21
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

The Zen theme is a very popular base/starter theme.

Zen doesn't sufficiently escape the breadcrumb separator field, allowing a
possible XSS exploit.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission administer themes.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Zen 7.x-3.x versions prior to 7.x-3.2.
  * Zen 7.x-5.x versions prior to 7.x-5.4.

Drupal core is not affected. If you do not use the contributed Zen [4]
theme, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Zen theme for Drupal 7.x, upgrade to Zen 7.x-3.2 [5] or Zen
7.x-5.4 [6].

Also see the Zen [7] project page.

 REPORTED BY  
-

  * Daniel Nitsche [8]

 FIXED BY  


  * John Albin Wilkins [9], the theme maintainer

 COORDINATED BY  
--

  * Greg Knaddison [10] of the Drupal Security Team
  * Klaus Purer [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/zen
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/zen
[5] https://drupal.org/node/2071065
[6] https://drupal.org/node/2071055
[7] http://drupal.org/project/zen
[8] http://drupal.org/user/1151108
[9] http://drupal.org/user/32095
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-067 - BOTCHA - Information Disclosure (potential Privilege Escalation)

2013-08-14 Thread security-news
View online: https://drupal.org/node/2065057

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-067
  * Project: BOTCHA Spam Prevention [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-14
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

 DESCRIPTION  
-

BOTCHA is a highly configurable non-CAPTCHA spam protection framework. The
module includes a debug mode which logs the content of submitted forms
including passwords and other sensitive information. An attacker who gains
access to the log (i.e. dblog or syslog depending on configuration) could get
access to usernames and passwords or other sensitive information. The
vulnerability is mitigated by the fact that the debugging level must be set
to level 5 or 6 (a high level) and the attacker must gain access to the logs
(i.e. access site reports permission or access to syslog).

If you have debug level 5 or 6 enabled on a production site, you should
consider expiring passwords and instructing users to change them.
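The underlying mistake is logging raw form values. As an added example (not BOTCHA's code), a form debug logger that redacts credentials before anything reaches watchdog() or syslog: password elements are found from the form definition itself ('#type' password or password_confirm), and a key denylist, an assumption here, covers values not declared that way. The redaction functions run stand-alone; only the submit handler needs a Drupal 7 bootstrap.

```php
<?php
/**
 * Added example (not BOTCHA's code): a debug logger for submitted forms that
 * redacts credentials before they are logged. Password elements are found
 * from the form definition ('#type' password / password_confirm); the key
 * denylist is an assumption for values not declared that way.
 */

/**
 * Returns the names of all password-type elements anywhere in a form tree.
 */
function debuglog_password_keys(array $element) {
  $keys = array();
  foreach ($element as $name => $child) {
    // Entries starting with '#' are properties, not child elements.
    if (!is_array($child) || (is_string($name) && substr($name, 0, 1) === '#')) {
      continue;
    }
    if (isset($child['#type']) && in_array($child['#type'], array('password', 'password_confirm'), TRUE)) {
      $keys[] = $name;
    }
    $keys = array_merge($keys, debuglog_password_keys($child));
  }
  return $keys;
}

/**
 * Returns $values with sensitive entries replaced by '[redacted]'.
 */
function debuglog_redact(array $values, array $sensitive,
                         array $denylist = array('pass', 'password', 'current_pass', 'form_token', 'secret')) {
  foreach ($values as $key => $value) {
    $key_lc = is_string($key) ? strtolower($key) : '';
    if (in_array($key, $sensitive, TRUE) || in_array($key_lc, $denylist, TRUE)) {
      $values[$key] = '[redacted]';
    }
    elseif (is_array($value)) {
      // Nested values (fieldsets with #tree, multi-value elements).
      $values[$key] = debuglog_redact($value, $sensitive, $denylist);
    }
  }
  return $values;
}

/**
 * Submit handler to attach from hook_form_alter() while debugging is on
 * (Drupal 7): only the redacted values are logged.
 */
function debuglog_form_submit($form, &$form_state) {
  $safe = debuglog_redact($form_state['values'], debuglog_password_keys($form));
  watchdog('debuglog', 'Form %id submitted: @values',
    array('%id' => $form['#form_id'], '@values' => json_encode($safe)), WATCHDOG_DEBUG);
}

// Constructed stand-alone demo: a login-like form and what the user typed.
$form = array(
  '#form_id' => 'user_login',
  'name' => array('#type' => 'textfield'),
  'pass' => array('#type' => 'password'),
  'account' => array(
    '#type' => 'fieldset',
    'new_pass' => array('#type' => 'password_confirm'),
  ),
  'form_token' => array('#type' => 'token'),
);
$values = array(
  'name' => 'alice',
  'pass' => 'hunter2',
  'new_pass' => 'correct horse',
  'form_token' => 'abc123',
  'op' => 'Log in',
);
echo json_encode(debuglog_redact($values, debuglog_password_keys($form))), "\n";
```

Redacting at the logging call is the only reliable place: dblog entries are readable by anyone with "access site reports", and syslog lines are often shipped to systems with a wider audience than the site's administrators.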

 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * BOTCHA 7.x-1.x versions prior to 7.x-1.6.
  * BOTCHA 7.x-2.x versions prior to 7.x-2.1.
  * BOTCHA 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed BOTCHA Spam
Prevention [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the 1.x branch of BOTCHA module for Drupal 7.x, upgrade to
BOTCHA 7.x-1.6 [5]
  * If you use the 2.x branch of BOTCHA module for Drupal 7.x, upgrade to
BOTCHA 7.x-2.1 [6]
  * If you use the 3.x branch of BOTCHA module for Drupal 7.x, upgrade to
BOTCHA 7.x-3.3 [7]

Also see the BOTCHA Spam Prevention [8] project page.

 REPORTED BY  
-

  * Rob Hess [9]

 FIXED BY  


  * Dmitry Danilson [10] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/botcha
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/botcha
[5] https://drupal.org/node/2064781
[6] https://drupal.org/node/2064783
[7] https://drupal.org/node/2064785
[8] http://drupal.org/project/botcha
[9] http://drupal.org/user/507864
[10] http://drupal.org/user/1209848
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-068 - Entity API - Access Bypass

2013-08-14 Thread security-news
View online: https://drupal.org/node/2065207

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-068
  * Project: Entity API [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-14
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

The Entity API module extends the entity API of Drupal core in order to
provide a unified way to deal with entities and their properties.

The module doesn't sufficiently enforce node access restrictions when
checking for a user's access to view a comment associated with a particular
node. The vulnerability is mitigated by the fact that it only applies to a
user's access to view a comment in a situation where access should be
restricted with entity access.

The Entity API also does not properly restrict access when displaying
selected entities using the Views field or area plugins, allowing users to
view entities that they do not have access to. The vulnerability is mitigated
by the fact that entities are only improperly exposed when a View has been
configured to display them in a field, header or footer of a View.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Entity API 7.x-1.x versions prior to 7.x-1.2

Drupal core is not affected. If you do not use the contributed Entity API [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Entity API module for Drupal 7.x, upgrade to Entity API
7.x-1.2 [5]

Also see the Entity API [6] project page.

 REPORTED BY  
-

The comment access bypass was reported by:
  * tanius [7]
  * Ezra Barnett Gildesgame [8]

The Views header/footer access bypass was reported by:
  * Derek Ahmedzai [9]
  * Daniel Wehner [10]

 FIXED BY  


  * Devin Carlson [11]
  * Jakob Perry [12]
  * Daniel Wehner [13]
  * Wolfgang Ziegler [14], the module maintainer

 COORDINATED BY  
--

  * Klaus Purer [15] of the Drupal Security Team
  * Greg Knaddison [16] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [17].

Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].


[1] http://drupal.org/project/entity
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/entity
[5] https://drupal.org/node/2065197
[6] http://drupal.org/project/entity
[7] https://drupal.org/user/2478456
[8] https://drupal.org/user/69959
[9] https://drupal.org/user/167927
[10] https://drupal.org/user/99340
[11] https://drupal.org/user/290182
[12] https://drupal.org/user/45640
[13] https://drupal.org/user/99340
[14] https://drupal.org/user/16747
[15] http://drupal.org/user/262198
[16] http://drupal.org/user/36762
[17] http://drupal.org/contact
[18] http://drupal.org/security-team
[19] http://drupal.org/writing-secure-code
[20] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-069 - Password Policy - XSS

2013-08-14 Thread security-news
View online: https://drupal.org/node/2065387

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-069
  * Project: Password policy [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-August-14
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

This module enables you to specify a certain level of password complexity
(aka. password hardening) for user passwords in Drupal by defining a
password policy.

When viewing and editing a password policy, the module doesn't sufficiently
filter the form text field input and display for the Password Expiration
Warning field.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission Administer policies to create and edit password
policies.
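The Flag, Zen and Password policy advisories above share one pattern: a string saved by an administrator is later echoed back on an admin page without escaping. As an added example (not the code of any of those three projects), a hypothetical Drupal 7 admin page that renders the same three kinds of value (a flag title, a breadcrumb separator, a password-expiration warning) with the escaping that each output context needs. It assumes a Drupal 7 bootstrap; the variable and function names are assumptions.

```php
<?php
/**
 * Added example (not the code of Flag, Zen or Password policy): admin-entered
 * strings echoed back on an admin page with escaping chosen per context.
 * Assumes a Drupal 7 bootstrap; names prefixed xss_example_ are hypothetical.
 */

/**
 * Page callback for a hypothetical admin/xss-example overview.
 */
function xss_example_admin_page() {
  // Constructed values, as an account holding the relevant admin permission
  // could have saved them.
  $flag_title = '<img src=x onerror="alert(document.cookie)">';
  $separator  = variable_get('xss_example_breadcrumb_separator', ' &raquo; ');
  $warning    = variable_get('xss_example_expiration_warning', 'Your password expires in @days days.');

  $build = array();
  $rows = array();

  // Table cell: theme_table() prints cell data as HTML, so the raw title is
  // an XSS; check_plain() makes it inert text. l() escapes its own link text,
  // so that argument needs no extra check_plain().
  // VULNERABLE: $rows[] = array($flag_title, l('edit', ...));
  $rows[] = array(check_plain($flag_title), l(t('edit'), 'admin/xss-example/flags/1/edit'));
  $build['flags'] = array(
    '#theme' => 'table',
    '#header' => array(t('Flag'), t('Operations')),
    '#rows' => $rows,
  );

  // Breadcrumb separator: the admin legitimately wants an entity or a little
  // markup here, so filter_xss_admin() rather than check_plain(); it keeps
  // harmless tags and entities but strips scripts, on* handlers and
  // javascript: URLs.
  $crumbs = array(l(t('Home'), '<front>'), t('Flags'));
  $build['crumbs'] = array(
    '#markup' => '<div class="breadcrumb">' . implode(filter_xss_admin($separator), $crumbs) . '</div>',
  );

  // Inside a t() string: @placeholder is escaped, !placeholder is not, so the
  // "vulnerable" line below would reintroduce the XSS.
  // VULNERABLE: drupal_set_message(t('Current warning: !w', array('!w' => $warning)));
  drupal_set_message(t('Current warning: @w', array('@w' => $warning)));

  return $build;
}

/**
 * Settings form. The Form API escapes a textfield's #default_value itself,
 * but #description is printed raw, so the same rule applies there.
 */
function xss_example_settings_form($form, &$form_state) {
  $current = variable_get('xss_example_breadcrumb_separator', ' &raquo; ');
  $form['xss_example_breadcrumb_separator'] = array(
    '#type' => 'textfield',
    '#title' => t('Breadcrumb separator'),
    '#default_value' => $current,
    // VULNERABLE: '#description' => 'Currently: ' . $current,
    '#description' => t('Currently: @sep', array('@sep' => $current)),
  );
  return system_settings_form($form);
}
```

The mitigation in all three advisories (an attacker needs an administrative permission) is real, but on shared-administration sites one admin can still use it against another; escaping at output time removes the issue regardless of who saved the value.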


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Password policy 6.x-1.x versions prior to 6.x-1.5.
  * Password policy 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Password
policy [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Password policy module for Drupal 6.x, upgrade to Password
policy 6.x-1.6 [5]
  * If you use the Password policy 1.x module for Drupal 7.x, upgrade to
Password policy 7.x-1.5 [6]

Also see the Password policy [7] project page.

 REPORTED BY  
-

  * Justin C. Klein Keane [8]

 FIXED BY  


  * Mark Shropshire [9]

 COORDINATED BY  
--

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/password_policy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/password_policy
[5] https://drupal.org/node/2065241
[6] https://drupal.org/node/2065247
[7] http://drupal.org/project/password_policy
[8] http://drupal.org/user/302225
[9] http://drupal.org/user/14767
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-062 - RESTful Web Services (RESTWS) - Access Bypass

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059603

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-062
  * Project: RESTful Web Services [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-07
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

This module enables you to expose Drupal entities as RESTful web services. It
provides a machine-readable interface to exchange resources in JSON, XML and
RDF.

The module doesn't sufficiently check field-level access when performing
entity write operations on POST and PUT requests. It also does not check
which text formats the user is allowed to use for formatted text fields,
thereby allowing an attacker to submit content in a format that renders full
HTML (Cross Site Scripting) or, with a PHP code format, to execute PHP code.

This vulnerability is mitigated by the fact that an attacker must have a role
with a RESTWS permission such as "access resource node" and a permission to
write entities such as "create page content". PHP code execution is only
possible if the PHP filter module is enabled.
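The two missing checks, as an added example written for this page (not the RESTWS module's code): validate a decoded write payload against field-level edit access and the account's permitted text formats before copying it onto the entity. It assumes a Drupal 7 bootstrap, where field_access(), filter_access(), filter_format_load() and entity_extract_ids() are core functions; the function names and the payload layout (field name to item or list of items, text items as arrays with value and format keys) are assumptions.

```php
<?php
/**
 * Added example (not the RESTWS module's code): the two checks the advisory
 * says were missing, applied to a decoded JSON write payload before it is
 * copied onto an entity. Assumes a Drupal 7 bootstrap. Function names and
 * the payload layout are assumptions.
 */

/**
 * Returns a list of error strings; an empty list means the write may proceed.
 */
function restws_example_check_write(array $payload, $entity_type, $entity, $account) {
  $errors = array();
  list(, , $bundle) = entity_extract_ids($entity_type, $entity);
  $instances = field_info_instances($entity_type, $bundle);

  foreach ($payload as $name => $value) {
    if (!isset($instances[$name])) {
      // Not a field (e.g. title, status): left to the entity's own
      // property-level access checks.
      continue;
    }
    $field = field_info_field($name);

    // Check 1: field-level access. The caller may be allowed to create the
    // node and still be barred from editing this particular field.
    if (!field_access('edit', $field, $entity_type, $entity, $account)) {
      $errors[] = "Access denied to field $name";
      continue;
    }

    // Check 2: text format, only for fields that carry a format at all.
    $formatted = in_array($field['type'], array('text', 'text_long', 'text_with_summary'), TRUE)
      && !empty($instances[$name]['settings']['text_processing']);
    if (!$formatted) {
      continue;
    }
    $single = is_string($value) || (is_array($value) && isset($value['value']));
    $items = $single ? array($value) : (array) $value;
    foreach ($items as $item) {
      // No explicit format: fall back to the account's default format, as
      // the field API does, rather than to whatever the field held before.
      $format_id = (is_array($item) && isset($item['format']))
        ? $item['format'] : filter_default_format($account);
      $format = filter_format_load($format_id);
      // filter_access() enforces the "use text format X" permission, so
      // full_html or php_code is rejected unless the account holds it.
      if (!$format || !filter_access($format, $account)) {
        $errors[] = "Account may not use text format '$format_id' on field $name";
      }
    }
  }
  return $errors;
}

/**
 * How a resource controller would use it (hypothetical).
 */
function restws_example_update($entity_type, $entity, array $payload) {
  global $user;
  $errors = restws_example_check_write($payload, $entity_type, $entity, $user);
  if ($errors) {
    // Refuse the whole request rather than silently dropping fields.
    throw new Exception(implode('; ', $errors), 403);
  }
  // ... copy $payload onto $entity (e.g. via entity_metadata_wrapper()) and save.
}
```

Rejecting the request outright matters for the format check in particular: quietly replacing an unauthorised format with the default would let a client keep probing until it finds one that is accepted, whereas a 403 surfaces the attempt in the logs.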


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * RESTWS 7.x-1.x versions prior to 7.x-1.4.
  * RESTWS 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed RESTful Web
Services [1] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.4
[4]
  * If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS 7.x-2.1
[5]

Also see the RESTful Web Services [6] project page.

 REPORTED BY  
-

  * Chris Oden [7]

 FIXED BY  


  * Klaus Purer [8] the module maintainer
  * Chris Oden [9]

 COORDINATED BY  
--

  * Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/restws
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://drupal.org/node/2059591
[5] https://drupal.org/node/2059593
[6] http://drupal.org/project/restws
[7] https://drupal.org/user/896508
[8] https://drupal.org/user/262198
[9] https://drupal.org/user/896508
[10] https://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059599

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-064
  * Project: Mozilla Persona [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-07
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Request Forgery

 DESCRIPTION  
-

This module enables users to sign into a Drupal website using Mozilla Persona
[3].

The module uses a security token to ensure that a sign-in request is made
from a web page that is participating in the current session. It was possible
for a security token that was not of type string to be accepted as correct
regardless of its value, thereby bypassing the protection against cross site
request forgery.

This vulnerability is mitigated by the fact that an attacker can only cause a
victim to become signed in to an account that the attacker already has the
ability to sign in to.
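Why a non-string token can pass, as an added example (not the Persona module's code): a sign-in request body is JSON, so the "token" a client sends may arrive from json_decode() as a boolean or an array rather than a string, and PHP's loose comparison (==) then behaves unexpectedly. In every PHP version, boolean true compares equal to any non-empty string, so a request carrying "token": true matches whatever the real token is. The token scheme, secret and session id below are constructed stand-ins; hash_equals() needs PHP 5.6 or later.

```php
<?php
/**
 * Added example (not the Persona module's code): loose versus strict
 * validation of a CSRF token taken from a JSON request body. The secret,
 * session id and token construction are constructed stand-ins.
 */

/** Derives the expected per-session token (constructed scheme). */
function make_token($session_id, $value, $secret) {
  return hash_hmac('sha256', $session_id . $value, $secret);
}

/** VULNERABLE: loose comparison, any type accepted. */
function token_valid_loose($supplied, $session_id, $value, $secret) {
  return $supplied == make_token($session_id, $value, $secret);
}

/** HARDENED: reject anything that is not a string, then compare in constant time. */
function token_valid_strict($supplied, $session_id, $value, $secret) {
  if (!is_string($supplied)) {
    return FALSE;
  }
  return hash_equals(make_token($session_id, $value, $secret), $supplied);
}

// Constructed inputs as json_decode() would deliver them from a POST body.
$secret = 'site-private-key-example';
$sid    = 'sess-1234';
$good   = make_token($sid, 'persona-signin', $secret);
$cases  = array(
  'real token'   => $good,
  'wrong token'  => 'not-the-token',
  '"token":true' => TRUE,
  '"token":[]'   => array(),
);
foreach ($cases as $label => $supplied) {
  printf("%-14s loose=%-5s strict=%s\n", $label,
    var_export(token_valid_loose($supplied, $sid, 'persona-signin', $secret), TRUE),
    var_export(token_valid_strict($supplied, $sid, 'persona-signin', $secret), TRUE));
}
```

The same type check belongs in front of drupal_valid_token() whenever the token comes from a decoded JSON body rather than from a query string or form field, since those always arrive as strings and JSON values do not.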


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Persona 7.x-1.x versions prior to 7.x-1.11

Drupal core is not affected. If you do not use the contributed Mozilla
Persona [5] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Mozilla Persona module for Drupal 7.x, upgrade to Persona
7.x-1.11 [6]

Also see the Mozilla Persona [7] project page.

 REPORTED BY  
-

  * Heine Deelstra [8] of the Drupal Security Team

 FIXED BY  


  * Jonathan Brown [9], the module maintainer

 COORDINATED BY  
--

  * Heine Deelstra [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/persona
[2] http://drupal.org/security-team/risk-levels
[3] https://www.mozilla.org/persona/
[4] http://cve.mitre.org/
[5] http://drupal.org/project/persona
[6] https://drupal.org/node/2058655
[7] http://drupal.org/project/persona
[8] https://drupal.org/user/17943
[9] https://drupal.org/user/46104
[10] https://drupal.org/user/17943
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059589

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-063
  * Project: Authenticated User Page Caching (Authcache) [1] (third-party
module)
  * Version: 7.x
  * Date: 2013-August-07
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

 DESCRIPTION  
-

This module enables page caching for authenticated users. A separate version
of each cacheable page is stored for each group of users with the same
combination of roles.

Users having exactly the same role combination as the superuser (uid 1) might
be served cached pages that were generated for the superuser. Information
intended only for the superuser might therefore be disclosed to those users.

This vulnerability is mitigated by the fact that an attacker must have exactly
the same role combination as the superuser.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * authcache 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Authenticated
User Page Caching (Authcache) [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the authcache module for Drupal 7.x, upgrade to authcache
7.x-1.5 [5]

Also see the Authenticated User Page Caching (Authcache) [6] project page.

 REPORTED BY  
-

  * Lorenz Schori [7] the module maintainer

 FIXED BY  


  * Lorenz Schori [8] the module maintainer

 COORDINATED BY  
--

  * Ben Jeavons [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/authcache
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/authcache
[5] http://drupal.org/node/2058165
[6] http://drupal.org/project/authcache
[7] http://drupal.org/user/63999
[8] http://drupal.org/user/63999
[9] http://drupal.org/user/91990
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-065 - Organic Groups - Access Bypass

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059765

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-065
  * Project: Organic groups [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-07
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Multiple vulnerabilities

 DESCRIPTION  
-

This module enables users to create and manage their own 'groups'. Each group
can have subscribers, and maintains a group home page where subscribers
communicate amongst themselves.

The module allows any authenticated user to guess the node ID of a private
group and subscribe to it without approval, thereby gaining access to its
content. This vulnerability is mitigated by the fact that it only applies
where group subscription is configured to allow joining without approval.

Furthermore, misconfiguration of the OG access fields (a.k.a. visibility
fields) could have led to nodes not being private even though a site admin
would expect them to be private, due to the group default setting. This
vulnerability is mitigated by requiring a non-default configuration where the
"Group visibility" field was not attached to the group node and only the
"Group content visibility" field was attached to the group-content node.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * OG 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Organic groups
[4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Organic groups module for Drupal 7.x, upgrade to OG 7.x-2.3
[5]

Also see the Organic groups [6] project page.

 REPORTED BY  
-

  * Nic Ivy [7]
  * Hunter Fox [8] of the Drupal Security Team

 FIXED BY  


  * Amitai Burstein [9] the module maintainer
  * Roy Segall [10] from Gizra
  * Hunter Fox [11] of the Drupal Security Team

 COORDINATED BY  
--

  * Hunter Fox [12] of the Drupal Security Team
  * David Stoline [13] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].


[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/og
[5] https://drupal.org/node/2059755
[6] http://drupal.org/project/og
[7] https://drupal.org/user/6194
[8] https://drupal.org/user/426416
[9] https://drupal.org/user/57511
[10] https://drupal.org/user/1812910
[11] https://drupal.org/user/426416
[12] https://drupal.org/user/426416
[13] https://drupal.org/user/329570
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [Security-news] SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities

2013-08-07 Thread security-news
View online: https://drupal.org/node/2059823

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-066
  * Project: Monster Menus [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-August-07
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

Monster Menus enables you to create granular page permissions, and apply them
to a hierarchical page structure. The mm_webform submodule enables you to
assign permissions derived from Monster Menus to webform forms.

The module doesn't sufficiently filter titles entered into page settings and
echoes the supplied title back to the next user editing the settings, thereby
allowing a Cross Site Scripting attack (XSS). This vulnerability is mitigated
by the fact that an attacker must have the ability to add pages to the
Monster Menus tree, and must also entice another user to edit the settings of
a maliciously-crafted page.

The mm_webform submodule doesn't correctly prohibit users with only the "Who
can read data submitted to this webform" permission from deleting webform
submissions, leading to an Access Bypass. This vulnerability is mitigated by
the fact that an attacker must have an active login which is permitted to
read a webform's submissions.

 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Monster Menus 6.x-6.x versions prior to 6.x-6.61.
  * Monster Menus 7.x-1.x versions prior to 7.x-1.13.

Drupal core is not affected. If you do not use the contributed Monster Menus
[4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Monster Menus module for Drupal 6.x, upgrade to Monster
Menus 6.x-6.61 [5]
  * If you use the Monster Menus module for Drupal 7.x, upgrade to Monster
Menus 7.x-1.13 [6]

Also see the Monster Menus [7] project page.

 REPORTED BY  
-

  * Five Colleges, Inc.

 FIXED BY  


  * Dan Wilga [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/monster_menus
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/monster_menus
[5] https://drupal.org/node/2059807
[6] https://drupal.org/node/2059805
[7] http://drupal.org/project/monster_menus
[8] http://drupal.org/user/56892
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-061 - Flippy - Access Bypass

2013-07-31 Thread security-news
View online: https://drupal.org/node/2054701

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-061
  * Project: Flippy [1] (third-party module)
  * Version: 7.x
  * Date: 2013-July-31
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

This module enables you to generate previous/next links for content types.

The module doesn't sufficiently enforce node access when generating
previous/next links. A user may be presented with a link (including alias if
one is set) but will not be able to view the node content.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to access content.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Flippy 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Flippy [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Flippy module for Drupal 7.x, upgrade to Flippy 7.x-1.2 [5]

Also see the Flippy [6] project page.

 REPORTED BY  
-

  * daviddr [7]

 FIXED BY  


  * Joshua Li [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/flippy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/flippy
[5] http://drupal.org/node/2050827
[6] http://drupal.org/project/flippy
[7] http://drupal.org/user/2471996
[8] http://drupal.org/user/633216
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration

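The access check the Flippy advisory above describes as missing, shown as an added Drupal 7 example (not the module's own code): the adjacent-node query carries the node_access tag and the result is re-checked with node_access() before a link is built. Function names are hypothetical.

```php
<?php
/**
 * Added example (not Flippy's code): previous/next links that honour
 * Drupal 7 node access, so a user is never shown a link (or alias) to a
 * node they cannot view. Function names are hypothetical.
 */

/**
 * Find the adjacent published node of the same type that the current
 * user may view.
 *
 * @param object $node
 *   The node the links are generated for.
 * @param string $direction
 *   'prev' or 'next'.
 *
 * @return object|null
 *   A viewable node object, or NULL if there is none.
 */
function example_flippy_adjacent_node($node, $direction) {
  global $user;

  $query = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.type', $node->type)
    ->condition('n.status', NODE_PUBLISHED)
    ->range(0, 1);

  if ($direction === 'next') {
    $query->condition('n.created', $node->created, '>')
      ->orderBy('n.created', 'ASC');
  }
  else {
    $query->condition('n.created', $node->created, '<')
      ->orderBy('n.created', 'DESC');
  }

  // The node_access tag makes the query builder apply the node_access
  // grant records for the current user, so nodes the user may not see
  // never come back from the database. Leaving this out is exactly the
  // failure mode the advisory describes: the link is built, the target
  // page is then denied.
  $query->addTag('node_access');

  $nid = $query->execute()->fetchField();
  if (!$nid) {
    return NULL;
  }

  $adjacent = node_load($nid);
  // Second check: node_access() also consults hook_node_access()
  // implementations, which the query-level grants cannot express. If a
  // module denies access here, no link is emitted rather than a broken one.
  if (!$adjacent || !node_access('view', $adjacent, $user)) {
    return NULL;
  }
  return $adjacent;
}

/**
 * Build the previous/next links, omitting any the user may not follow.
 *
 * l() escapes the link text with check_plain() unless 'html' => TRUE is
 * set, so the node title must not be pre-escaped here.
 */
function example_flippy_links($node) {
  $links = array();

  $prev = example_flippy_adjacent_node($node, 'prev');
  if ($prev) {
    $links['prev'] = l($prev->title, 'node/' . $prev->nid,
      array('attributes' => array('rel' => 'prev')));
  }

  $next = example_flippy_adjacent_node($node, 'next');
  if ($next) {
    $links['next'] = l($next->title, 'node/' . $next->nid,
      array('attributes' => array('rel' => 'next')));
  }

  return $links;
}
```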


[Full-disclosure] [Security-news] SA-CONTRIB-2013-060 - Scald - Cross Site Scripting (XSS)

2013-07-24 Thread security-news
View online: https://drupal.org/node/2049415

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-060
  * Project: Scald [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-July-24
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

This module enables you to handle media assets (atoms) in Drupal with a
Views-based library and a drag and drop interface, and to manage content
attribution, licensing and distribution.

The module doesn't sufficiently filter atom properties such as the atom title
when outputting atoms, thereby exposing a Cross Site Scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create atoms and the Scald Flash module or the
resource management feature (in the MEE submodule) must be enabled.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Scald 6.x-1.x versions prior to 6.x-1.0-beta3.
  * Scald 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Scald [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Scald module for Drupal 6.x, upgrade to Scald 6.x-1.0-beta3
[5]
  * If you use the Scald module for Drupal 7.x, upgrade to Scald 7.x-1.1 [6]

Also see the Scald [7] project page.

 REPORTED BY  
-

  * Klaus Purer [8] of the Drupal Security Team

 FIXED BY  


  * Franck Deroche [9] the module maintainer
  * Hai-Nam Nguyen [10] the module maintainer

 COORDINATED BY  
--

  * Klaus Purer [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/scald
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/scald
[5] https://drupal.org/node/2049239
[6] https://drupal.org/node/2049251
[7] http://drupal.org/project/scald
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/59710
[10] http://drupal.org/user/210762
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-058 - MRBS - Abandoned - Multiple vulnerabilities

2013-07-17 Thread security-news
View online: https://drupal.org/node/2044173

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-058
  * Project: MRBS [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-July-17
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Request Forgery, SQL Injection

 DESCRIPTION  
-

MRBS is a free, GPL, web application using PHP and MySQL/pgsql for booking
meeting rooms or other resources.

The module doesn't sufficiently filter user supplied data when creating
queries which leads to a SQL injection vulnerability.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * All versions of the MRBS module.

Drupal core is not affected. If you do not use the contributed MRBS [4]
module, there is nothing you need to do.

 SOLUTION  


Remove the module and all code from your site.

  * There is no upgraded version available. The module should be disabled and
all related code removed from the server.

Also see the MRBS [5] project page.

 REPORTED BY  
-

  * Michael Hess [6] of the Drupal Security Team

 FIXED BY  


Not applicable.

 COORDINATED BY  
--

  * Greg Knaddison [7] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].


[1] http://drupal.org/project/mrbs
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mrbs
[5] http://drupal.org/project/mrbs
[6] http://drupal.org/user/102818
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration

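The query-building mistake the MRBS advisory above names, shown as an added Drupal 7 example (not MRBS code) with the vulnerable form beside the hardened one. The table, column and function names are hypothetical; $room_id, $day and $term stand for request input.

```php
<?php
/**
 * Added example (not MRBS code): user input reaching SQL in Drupal 7.
 * The table {example_mrbs_entry} and all function names are hypothetical.
 */

/**
 * VULNERABLE: request values are concatenated into the SQL text, so any
 * value containing a quote or SQL keywords rewrites the statement.
 */
function example_mrbs_bookings_vulnerable($room_id, $day) {
  $sql = "SELECT id, start_time, end_time, name FROM {example_mrbs_entry} "
       . "WHERE room_id = " . $room_id . " AND day = '" . $day . "'";
  return db_query($sql)->fetchAll();
}

/**
 * HARDENED: values travel as named placeholders and are never part of the
 * SQL text. The numeric check rejects malformed ids before the database
 * sees them; the cast documents the expected type.
 */
function example_mrbs_bookings($room_id, $day) {
  if (!ctype_digit((string) $room_id)) {
    return array();
  }
  return db_query(
    'SELECT id, start_time, end_time, name FROM {example_mrbs_entry} '
    . 'WHERE room_id = :room AND day = :day ORDER BY start_time',
    array(':room' => (int) $room_id, ':day' => $day)
  )->fetchAll();
}

/**
 * Dynamic queries: the query builder quotes every condition value, and
 * db_like() escapes the % and _ wildcards in a user-typed search term so
 * the term cannot widen the match. Placeholders cannot carry identifiers,
 * so a sort column chosen by the user must be validated against a list.
 */
function example_mrbs_search($term, $sort = 'start_time', $limit = 50) {
  $allowed_sort = array('start_time', 'end_time', 'name');
  if (!in_array($sort, $allowed_sort, TRUE)) {
    $sort = 'start_time';
  }
  return db_select('example_mrbs_entry', 'e')
    ->fields('e', array('id', 'name', 'room_id', 'start_time'))
    ->condition('e.name', '%' . db_like($term) . '%', 'LIKE')
    ->orderBy('e.' . $sort)
    ->range(0, (int) $limit)
    ->execute()
    ->fetchAll();
}
```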


[Full-disclosure] [Security-news] SA-CONTRIB-2013-059 - Hostmaster (Aegir) - Access Bypass

2013-07-17 Thread security-news
View online: https://drupal.org/node/2044299

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-059
  * Project: Hostmaster (Aegir) [1] (third-party module)
  * Version: 6.x
  * Date: 2013-July-17
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

This install profile and accompanying suite of modules enables you to
install, upgrade, deploy, and back up Drupal sites (among other things).

The module doesn't sufficiently control access to running tasks on sites,
under the scenario where a user successfully guesses a site's path in the
Aegir front-end.

This vulnerability is mitigated by the fact that an attacker must be
authenticated and have a role with one or more permissions that allow the
creation of tasks.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Hostmaster 6.x-1.x versions prior to 6.x-1.10.

Drupal core is not affected. If you do not use the contributed Hostmaster
(Aegir) [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Hostmaster install profile for Drupal 6.x, upgrade to
Hostmaster 6.x-1.10 [5]

Also see the Hostmaster (Aegir) [6] project page.

 REPORTED BY  
-

  * Tim Lovelock [7]

 FIXED BY  


  * Antoine Beaupré [8], the module's lead maintainer; and
  * Christopher Gervais [9], another of the module's maintainers.

 COORDINATED BY  
--

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/hostmaster
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/hostmaster
[5] http://community.aegirproject.org/1.10
[6] http://drupal.org/project/hostmaster
[7] http://drupal.org/user/1013786
[8] http://drupal.org/user/1274
[9] http://drupal.org/user/368613
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-056 - Stage File Proxy - Denial of Service

2013-07-10 Thread security-news
View online: https://drupal.org/node/2038801

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-056
  * Project: Stage File Proxy [1] (third-party module)
  * Version: 7.x
  * Date: 2013-July-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

 DESCRIPTION  
-

This module saves time and disk space by redirecting requests for files in
your development environment's files directory to the production environment
and making a copy of the production file in your development site.

An attacker could make repeated requests to the server, even over a long
period, which would degrade the performance of all file handling and
potentially prevent certain file operations.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Stage File Proxy 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Stage File
Proxy [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Stage File Proxy module for Drupal 7.x, upgrade to Stage
File Proxy 7.x-1.4 [5]

Also see the Stage File Proxy [6] project page.

 REPORTED BY  
-

  * Mike Carper [7]

 FIXED BY  


  * Stefan M. Kudwien [8]
  * Greg Knaddison [9] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/stage_file_proxy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/stage_file_proxy
[5] https://drupal.org/node/2038799
[6] http://drupal.org/project/stage_file_proxy
[7] http://drupal.org/user/282446
[8] http://drupal.org/user/48898
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-055 - Hatch - Cross Site Scripting

2013-07-10 Thread security-news
View online: https://drupal.org/node/2038363

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-055
  * Project: Hatch [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-July-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

Hatch theme is a simple and minimal portfolio theme for photographers,
illustrators, designers, or photobloggers.

The theme didn't sufficiently escape user supplied text prior to printing
it.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer content", "Create new article", or "Edit any
article type content".


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Hatch theme 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Hatch [4]
theme, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Hatch theme for Drupal 7.x, upgrade to Hatch 7.x-1.4 [5]

Also see the Hatch [6] project page.

 REPORTED BY  
-

  * Daniel Nitsche [7]

 FIXED BY  


  * Daniel Nitsche [8]

 COORDINATED BY  
--

  * Lee Rowlands (larowlan) [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/hatch
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/hatch
[5] https://drupal.org/node/2038189
[6] http://drupal.org/project/hatch
[7] https://drupal.org/user/1151108
[8] https://drupal.org/user/1151108
[9] http://drupal.org/user/395439
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)

2013-07-10 Thread security-news
View online: https://drupal.org/node/2038807

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-057
  * Project: TinyBox (Simple Splash) [1] (third-party module)
  * Version: 7.x
  * Date: 2013-July-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

TinyBox module uses TinyBox, a lightweight and standalone modal window
script. The main purpose of this module is to provide a splash screen/window
as simply as possible.

The module doesn't filter user-supplied text prior to display. The
vulnerability is mitigated by the fact that an attacker must have the
permission "administer tinybox".


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * TinyBox 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed TinyBox
(Simple Splash) [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the TinyBox module for Drupal 7.x, upgrade to TinyBox 7.x-2.2
[5]

Also see the TinyBox (Simple Splash) [6] project page.

 REPORTED BY  
-

  * Daniel Nitscher [7]

 FIXED BY  


  * Wendy William, S.Kom [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] and Peter Wolanin [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/tinybox
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/tinybox
[5] https://drupal.org/node/2031575
[6] http://drupal.org/project/tinybox
[7] https://security.drupal.org/user/38183
[8] https://drupal.org/user/75798
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/49851
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

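The Monster Menus, Scald, Hatch and TinyBox advisories above all come down to user-supplied text printed without escaping; the following is an added Drupal 7 example of escaping at the output boundary, not code from any of those projects. Function names, the field name field_subtitle and the 'filtered_html' format id are assumptions.

```php
<?php
/**
 * Added example (not code from any project above): escaping user-supplied
 * strings where they become HTML in Drupal 7. Function names, the field
 * 'field_subtitle' and the 'filtered_html' format id are assumptions.
 */

/**
 * Render a user-supplied title (a page title, an atom title, a label).
 *
 * The render API never escapes '#markup', so the string is escaped here,
 * exactly once, at the point where it turns into HTML.
 */
function example_render_title($title) {
  return array(
    // Vulnerable form: '#markup' => '<h2>' . $title . '</h2>',
    '#markup' => '<h2>' . check_plain($title) . '</h2>',
  );
}

/**
 * Render user-supplied labels as links.
 *
 * l() runs check_plain() on its text argument unless 'html' => TRUE is
 * set, so labels must not be pre-escaped (that double-encodes) and 'html'
 * must stay FALSE for untrusted text.
 */
function example_render_link_list(array $items) {
  $links = array();
  foreach ($items as $path => $label) {
    $links[] = l($label, $path);
  }
  return array(
    '#theme' => 'item_list',
    '#items' => $links,
  );
}

/**
 * Echo a saved title back into a settings form (the Monster Menus case).
 *
 * Form API escapes a textfield's '#default_value' when it renders the
 * input, but '#description' is printed raw. User data placed there goes
 * through t() as an '@' placeholder (escaped), never a '!' placeholder
 * (inserted verbatim).
 */
function example_settings_form($form, &$form_state, $saved_title) {
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => t('Page title'),
    '#default_value' => $saved_title,
    // Vulnerable form: t('Currently: !t', array('!t' => $saved_title))
    '#description' => t('Currently: @title', array('@title' => $saved_title)),
  );
  return $form;
}

/**
 * Splash or body text that may legitimately contain some HTML (the
 * TinyBox case): run it through a text format so the format's filters
 * decide which tags and attributes survive, instead of printing it raw.
 */
function example_render_splash($splash, $format = 'filtered_html') {
  return array(
    '#markup' => check_markup($splash, $format),
  );
}

/**
 * The same rule in a theme's template.php (the Hatch case): any variable a
 * template prints with a bare print statement must already be safe.
 */
function example_preprocess_node(&$variables) {
  $node = $variables['node'];
  $raw = '';
  if (!empty($node->field_subtitle[LANGUAGE_NONE][0]['value'])) {
    $raw = $node->field_subtitle[LANGUAGE_NONE][0]['value'];
  }
  $variables['example_subtitle'] = check_plain($raw);
}
```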


[Full-disclosure] [Security-news] SA-CONTRIB-2012-136 - Apache Solr Search Autocomplete - Cross Site Scripting (XSS)

2013-06-26 Thread security-news
View online: https://drupal.org/node/1762734

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-136
  * Project: Apache Solr Autocomplete [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-August-29
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

Apache Solr Search Autocomplete module enables you to add autocomplete
capabilities to the search text field for the Apache Solr Search Integration
module.

The module doesn't sufficiently filter the autocomplete results sent back
from the Drupal site, so under the scenario where someone provided a URL with
a specially-crafted search string embedded in it, the attacker could have a
user execute arbitrary JavaScript when clicking or focusing on the
autocomplete text field.

This vulnerability is mitigated by the fact that the attacked user must click
or otherwise give focus to the text widget to have the JavaScript activate.

CVE: CVE-2012-6573

 VERSIONS AFFECTED  
---

  * Apache Solr Autocomplete 6.x-1.x versions prior to 6.x-1.4.
  * Apache Solr Autocomplete 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Apache Solr
Autocomplete [3] module, there is nothing you need to do.

 SOLUTION  


Install the latest version.

  * If you use the Apache Solr Autocomplete module for Drupal 6.x, upgrade to
Apache Solr Autocomplete 6.x-1.4 [4]
  * If you use the Apache Solr Autocomplete module for Drupal 7.x, upgrade to
Apache Solr Autocomplete 7.x-1.3 [5]

Also see the Apache Solr Autocomplete [6] project page.

 REPORTED BY  
-

  * drupaledmonk [7]

 FIXED BY  


  * Alejandro Garza [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/apachesolr_autocomplete
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/apachesolr_autocomplete
[4] https://drupal.org/node/1762684
[5] https://drupal.org/node/1762686
[6] http://drupal.org/project/apachesolr_autocomplete
[7] http://drupal.org/user/263391
[8] http://drupal.org/user/153120
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass

2013-06-26 Thread security-news
View online: https://drupal.org/node/2028813

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-054
  * Project: Fast Permissions Administration [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-June-26
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

The Fast Permissions Administration module enables you to use inline filters
on the permissions page, as well as loading the permissions form through a
modal dialog.

The module doesn't sufficiently check user access for the modal content
callback, allowing unauthorized access to the permissions edit form.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Fast Permissions Administration 6.x-2.x versions prior to 6.x-2.5.
  * Fast Permissions Administration 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Fast
Permissions Administration [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Fast Permissions Administration module for Drupal 6.x,
upgrade to Fast Permissions Administration 6.x-2.5 [5]
  * If you use the Fast Permissions Administration module for Drupal 7.x,
upgrade to Fast Permissions Administration 7.x-2.3 [6]

Also see the Fast Permissions Administration [7] project page.

 REPORTED BY  
-

  * Philip Boden [8]

 FIXED BY  


  * Corey Aufang [9] the module maintainer

 COORDINATED BY  
--

  * Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/fpa
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fpa
[5] https://drupal.org/node/2028417
[6] https://drupal.org/node/2028421
[7] http://drupal.org/project/fpa
[8] http://drupal.org/user/329794
[9] http://drupal.org/user/163737
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

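The router-level access check the Fast Permissions Administration advisory above describes as insufficient, as an added Drupal 7 example (not the module's code): the modal content callback is gated on the same permission as the permissions page itself and re-checks it on entry. The path and function names are hypothetical.

```php
<?php
/**
 * Added example (not Fast Permissions Administration code): a menu router
 * entry for a callback that serves the permissions form into a modal, with
 * the access check in place. Path and function names are hypothetical.
 */

/**
 * Implements hook_menu().
 */
function example_fpa_menu() {
  $items = array();

  // Vulnerable form: 'access callback' => TRUE, which lets any request,
  // anonymous included, reach the callback. Here the route is only
  // reachable by accounts holding the permission that protects
  // admin/people/permissions itself.
  $items['example-fpa/modal/%'] = array(
    'title' => 'Permissions',
    'page callback' => 'example_fpa_modal_content',
    'page arguments' => array(2),
    'access callback' => 'user_access',
    'access arguments' => array('administer permissions'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Page callback: return the permissions form for one role, for a modal.
 *
 * The router check above guards this path only. A callback that can be
 * reached through other routes (AJAX handlers, a custom front controller)
 * must not trust the route and re-checks access itself.
 */
function example_fpa_modal_content($rid) {
  if (!user_access('administer permissions')) {
    return MENU_ACCESS_DENIED;
  }

  $role = user_role_load((int) $rid);
  if (!$role) {
    return MENU_NOT_FOUND;
  }

  // user_admin_permissions() lives in user.admin.inc, which the router
  // only loads for its own paths.
  module_load_include('inc', 'user', 'user.admin');
  $form = drupal_get_form('user_admin_permissions', $role->rid);
  return drupal_render($form);
}
```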


[Full-disclosure] [Security-news] SA-CONTRIB-2013-053 - Login Security - Multiple Vulnerabilities

2013-06-19 Thread security-news
View online: https://drupal.org/node/2023585

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-053
  * Project: Login Security [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-June-19
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

 DESCRIPTION  
-

Login Security module adds additional access controls to the login form of
Drupal.

When Login Security is configured to use the delay feature, frequent or
concurrent failed attempts to log in can tie up all of the web server's
worker processes, causing a denial of service.

It is possible to bypass Login Security features when soft blocking is
disabled. This is due to the incorrect use of string filtering in the module,
which can cause the module to skip all checks.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Login Security 6.x-1.x versions prior to 6.x-1.2.
  * Login Security 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Login Security
[4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Login Security module for Drupal 6.x, upgrade to Login
Security 6.x-1.3 [5]
  * If you use the Login Security module for Drupal 7.x, upgrade to Login
Security 7.x-1.3 [6]

Also see the Login Security [7] project page.

 REPORTED BY  
-

  * David Stoline [8] and Heine Deelstra [9] of the Drupal Security Team

 FIXED BY  


  * David Norman [10] the module maintainer
  * Chris Yu [11]

 COORDINATED BY  
--

  * David Stoline [12] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] http://drupal.org/project/login_security
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/login_security
[5] https://drupal.org/node/2023503
[6] https://drupal.org/node/2023507
[7] http://drupal.org/project/login_security
[8] http://drupal.org/user/329570
[9] http://drupal.org/user/17943
[10] http://drupal.org/user/972
[11] http://drupal.org/user/202205
[12] http://drupal.org/user/329570
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-052 - Display Suite - Cross Site Scripting (XSS)

2013-06-12 Thread security-news
View online: https://drupal.org/node/2017933

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-052
  * Project: Display Suite [1] (third-party module)
  * Version: 7.x
  * Date: 2013-June-12
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

Display Suite allows you to take full control over how your content is
displayed using a drag and drop interface.

In certain situations, Display Suite does not properly sanitize entity bundle
labels, allowing a malicious user to embed scripts within a page, resulting
in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker has to be able
to create entity bundle labels of some sort, which usually needs a higher
level permission such as administer taxonomy.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * Display Suite 7.x-1.x versions prior to 7.x-1.7.
  * Display Suite 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Display Suite
[4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the first branch of Display Suite module for Drupal 7.x,
upgrade to Display Suite 7.x-1.8 [5]
  * If you use the second branch of Display Suite module for Drupal 7.x,
upgrade to Display Suite 7.x-2.4 [6]

Also see the Display Suite [7] project page.

 REPORTED BY  

  * Francisco José Cruz Romanos [8]

 FIXED BY  


  * Francisco José Cruz Romanos [9]
  * Kristof De Jaeger [10] the module maintainer

 COORDINATED BY  

  * Klaus Purer [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/ds
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ds
[5] https://drupal.org/node/2017639
[6] https://drupal.org/node/2017641
[7] http://drupal.org/project/ds
[8] http://drupal.org/user/848238
[9] http://drupal.org/user/848238
[10] http://drupal.org/user/107403
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)

2013-06-05 Thread security-news
View online: https://drupal.org/node/2012982

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-051
  * Project: Services [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-June-05
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Request Forgery

 DESCRIPTION  

This module enables you to expose an API to third party systems using REST,
XML-RPC or other protocols.

The module doesn't sufficiently verify write requests (POST, PUT, DELETE)
made with session cookie authentication, thereby exposing a Cross Site
Request Forgery vulnerability.

This vulnerability is mitigated by the fact that session based authentication
must be enabled for an endpoint.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * Services 6.x-3.x versions.
  * Services 7.x-3.x versions prior to 7.x-3.4.

Drupal core is not affected. If you do not use the contributed Services [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version or uninstall the module.

  * If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.4
[5]
  * If you use the Services module for Drupal 6.x, uninstall the module.

Note that Services clients using session authentication should now supply a
special X-CSRF-Token header with a token that can be retrieved from
http://example.com/services/session/token [6]. This is needed for calls using
the HTTP write methods (POST, PUT, DELETE).

Also see the Services [7] project page.

 REPORTED BY  

  * Klaus Purer [8] of the Drupal Security Team
  * Fredrik Lassen [9]

 FIXED BY  


  * Yuriy Gerasimov [10] the module maintainer

 COORDINATED BY  

  * Klaus Purer [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/services
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/services
[5] https://drupal.org/node/2012366
[6] http://example.com/services/session/token
[7] http://drupal.org/project/services
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/243377
[10] http://drupal.org/user/257311
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

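A model of the session-authentication check described in SA-CONTRIB-2013-051 above, written here as an added Python example and not the Services module's code: write methods authenticated by a session cookie must carry an X-CSRF-Token header whose value the client first fetched from /services/session/token. The `ServicesEndpoint` class, the HMAC token derivation and the sample session and node are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: one logged-in Drupal session and its cookie.
SESSION_ID = "constructedsessionid"
SESSIONS = {SESSION_ID: {"uid": 7, "name": "editor"}}
SESSION_COOKIE = "SESSd41d8cd9=" + SESSION_ID
PRIVATE_KEY = b"constructed-site-private-key"  # stands in for Drupal's private key
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def account_from_cookie(headers):
    """Resolve the session cookie to an account; returns (session_id, account) or (None, None)."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith("SESS") and value in SESSIONS:
            return value, SESSIONS[value]
    return None, None


def csrf_token(session_id):
    """Per-session token (assumed derivation; Drupal's drupal_get_token() is also an HMAC)."""
    return hmac.new(PRIVATE_KEY, b"services:" + session_id.encode(), hashlib.sha256).hexdigest()


class ServicesEndpoint:
    """Minimal model of a Services REST endpoint with session authentication enabled."""

    def __init__(self, enforce_csrf):
        self.enforce_csrf = enforce_csrf  # False models the behaviour before the fix
        self.nodes = {1: {"title": "Hello world", "uid": 7}}

    def handle(self, method, path, headers, body=None):
        sid, account = account_from_cookie(headers)
        if method == "GET" and path == "/services/session/token":
            # Token endpoint: only meaningful for a logged-in session.
            return (200, csrf_token(sid)) if account else (403, "Access denied")
        if account is None:
            return 401, "Unauthorized"
        if method in WRITE_METHODS and self.enforce_csrf:
            # A cross-site page cannot read the token, so a forged request lacks a valid header.
            supplied = headers.get("X-CSRF-Token", "")
            if not hmac.compare_digest(supplied, csrf_token(sid)):
                return 401, "CSRF validation failed"
        if method == "PUT" and path.startswith("/node/"):
            nid = int(path.rsplit("/", 1)[1])
            if nid not in self.nodes:
                return 404, "Not found"
            self.nodes[nid].update(body or {})
            return 200, "Updated"
        return 404, "Not found"


def forged_cross_site_update(endpoint):
    """A write request the victim's browser sends from another origin: the cookie rides
    along automatically, but the attacker's page can neither obtain the token nor add it."""
    headers = {"Cookie": SESSION_COOKIE}
    status, _ = endpoint.handle("PUT", "/node/1", headers, {"title": "changed"})
    return status


def legitimate_client_update(endpoint):
    """The documented client flow: fetch the token from the session endpoint, then send it."""
    headers = {"Cookie": SESSION_COOKIE}
    status, token = endpoint.handle("GET", "/services/session/token", headers)
    if status != 200:
        return status
    headers["X-CSRF-Token"] = token
    status, _ = endpoint.handle("PUT", "/node/1", headers, {"title": "Edited by owner"})
    return status
```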


[Full-disclosure] [Security-news] SA-CONTRIB-2013-048 - Edit Limit - Access Bypass

2013-05-29 Thread security-news
View online: http://drupal.org/node/2007048

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-048
  * Project: Edit Limit [1] (third-party module)
  * Version: 7.x
  * Date: 2013-May-29
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  

Edit Limit enables you to set time and count-based limits on how and when a
user can edit nodes or comments.

The module doesn't sufficiently check user access when editing comments to
see if the user has the necessary permissions to edit a comment outside of
the limits applied by this module. This makes it possible for a user who can
edit their own comments to edit the comments of any other user.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission edit comments.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * Edit Limit 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Edit Limit [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Edit Limit module for Drupal 7.x, upgrade to Edit Limit
7.x-1.3 [5]

Also see the Edit Limit [6] project page.

 REPORTED BY  

  * Morten Fangel [7]

 FIXED BY  


  * Quade [8] the module maintainer
  * Morten Fangel [9]

 COORDINATED BY  

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/edit_limit
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/edit_limit
[5] http://drupal.org/node/2006188
[6] http://drupal.org/project/edit_limit
[7] http://drupal.org/user/376055
[8] http://drupal.org/user/71791
[9] http://drupal.org/user/376055
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-049 - Node access user reference - Access Bypass

2013-05-29 Thread security-news
View online: http://drupal.org/node/2007122

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-049
  * Project: Node access user reference [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-May-29
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  

This module allows different access permissions to be given to authors,
referenced users and non-referenced users.

When an author has created content containing a user reference field (with
author update/delete grants enabled) and the author's user account is later
deleted, content created by them can be edited by anonymous users.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * nodeaccess_userreference 6.x-3.x versions prior to 6.x-3.5.
  * nodeaccess_userreference 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Node access
user reference [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the nodeaccess_userreference module for Drupal 6.x, upgrade to
nodeaccess_userreference 6.x-3.5 [5]
  * If you use the nodeaccess_userreference module for Drupal 7.x, upgrade to
nodeaccess_userreference 7.x-3.10 [6]

Also see the Node access user reference [7] project page.

 REPORTED BY  

  * Jamie Wiseman [8]

 FIXED BY  


  * Jamie Wiseman [9]
  * Dan Smith [10] provisional member of the Drupal Security Team
  * Chris Hales [11] and Greg Knaddison [12] of the Drupal Security Team

 COORDINATED BY  

  * Dan Smith [13] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].


[1] http://drupal.org/project/nodeaccess_userreference
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/nodeaccess_userreference
[5] http://drupal.org/node/2007072
[6] http://drupal.org/node/2007078
[7] http://drupal.org/project/nodeaccess_userreference
[8] http://drupal.org/user/16327
[9] http://drupal.org/user/16327
[10] http://drupal.org/user/241220
[11] http://drupal.org/user/347249
[12] http://drupal.org/user/36762
[13] http://drupal.org/user/241220
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration

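SA-CONTRIB-2013-049 above does not state the root cause, so the added Python model below (not the module's code) shows one mechanism that yields exactly the described symptom and should be read as an assumption: author grants keyed on the author's uid, combined with the Drupal account-cancel method that reassigns content to the Anonymous user (uid 0), make anonymous visitors match the author grant. The function names and the sample node are constructed.

```python
ANONYMOUS_UID = 0


def node_access_records(node):
    """hook_node_access_records()-style record: the author realm grants
    update/delete to the grant id equal to the node author's uid."""
    return [{"realm": "author", "gid": node["uid"],
             "grant_view": 1, "grant_update": 1, "grant_delete": 1}]


def author_grants_vulnerable(account_uid):
    """hook_node_grants()-style: every account, anonymous included, holds the
    author grant id equal to its own uid. Anonymous therefore holds gid 0."""
    return {"author": {account_uid}}


def author_grants_fixed(account_uid):
    """Hardened variant: never hand out an author grant for uid 0, because no
    real author has that uid; only reassigned orphaned content does."""
    if account_uid == ANONYMOUS_UID:
        return {}
    return {"author": {account_uid}}


def node_access(op, node, account_uid, grants_fn):
    """Grant resolution the way Drupal's node access system does it: access if any
    record's realm/gid is held by the account and that record allows the operation."""
    grants = grants_fn(account_uid)
    return any(
        rec["gid"] in grants.get(rec["realm"], set()) and bool(rec["grant_" + op])
        for rec in node_access_records(node)
    )


def cancel_account_reassign(nodes, uid):
    """Models the 'delete the account and make its content belong to the
    Anonymous user' account cancellation method."""
    for node in nodes:
        if node["uid"] == uid:
            node["uid"] = ANONYMOUS_UID


def anonymous_can_update_after_author_deleted(grants_fn):
    """Returns (anonymous_can_update_before, anonymous_can_update_after) the author
    account is deleted. Constructed sample: author uid 42 wrote a node with a
    user reference field pointing at uid 7."""
    nodes = [{"nid": 1, "uid": 42, "field_user_ref": [7]}]
    before = node_access("update", nodes[0], ANONYMOUS_UID, grants_fn)
    cancel_account_reassign(nodes, 42)
    after = node_access("update", nodes[0], ANONYMOUS_UID, grants_fn)
    return before, after
```

The author check still works with the hardened grants: a uid-42 account keeps update access to its own node, and only the uid-0 collision is closed.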


[Full-disclosure] [Security-news] SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)

2013-05-29 Thread security-news
View online: https://drupal.org/node/2007460

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-050
  * Project: Webform [1] (third-party module)
  * Version: 6.x
  * Date: 2013-May-29
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  

The Webform module allows the creation of custom webforms and surveys.

The Webform module does not sanitize the labels of created components (fields)
when displaying a list of components to be used in e-mails or downloaded CSV
files.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission edit own webform content or edit all webform content.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * Webform 6.x-3.x versions prior to 6.x-3.19.

Drupal core is not affected. If you do not use the contributed Webform [4]
module, there is nothing you need to do.

 SOLUTION  


If you use the Webform module for Drupal 6, install the latest version,
Webform 6.x-3.19 [5]. Drupal 7 versions of this module are not affected.

Also see the Webform [6] project page.

 REPORTED BY  

  * Justin C. Klein Keane [7]

 FIXED BY  


  * Nate Haug [8] the module maintainer
  * Justin C. Klein Keane [9]

 COORDINATED BY  

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/webform
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/webform
[5] http://drupal.org/node/2007390
[6] http://drupal.org/project/webform
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/35821
[9] http://drupal.org/user/302225
[10] https://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass

2013-05-15 Thread security-news
View online: http://drupal.org/node/1995706

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-047
  * Project: Google Authenticator login [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-May-15
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  

This module lets you add Time-based One-time Password Algorithm (TOTP)
support (also called Two Step Authentication or Multi-Factor Authentication)
to user logins. It works with Google's Authenticator app and supports most
(if not all) OATH-based HOTP/TOTP systems.

 Accidental removal of account configuration.

In certain scenarios, Google Authenticator login incorrectly determines the
user's account name. The change in account name could cause the two-factor
authentication for existing accounts to be lost, allowing users to log in
using just username and password.

This vulnerability is mitigated by the fact that, while Google Authenticator
login's additional verification is bypassed, a username and password are
still required to log in.

 One Time Password (OTP) replay

If an attacker can intercept a login request containing a username, password
and OTP, the attacker could reuse that same data to log in to the website.

This vulnerability is mitigated by the fact that an attacker who can
intercept a login request with this level of detail can usually also
intercept the ongoing session identifying token.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * Google Authenticator login 6.x-1.x versions prior to 6.x-1.2.
  * Google Authenticator login 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Google
Authenticator login [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Google Authenticator login module for Drupal 6.x, upgrade
to Google Authenticator login module 6.x-1.2 [5]
  * If you use the Google Authenticator login module for Drupal 7.x, upgrade
to Google Authenticator login module 7.x-1.4 [6]

Also see the Google Authenticator login [7] project page.

 REPORTED BY  

  * Ivo Van Geertruyen [8] of the Drupal Security Team
  * Lode Vanstechelman [9]

 FIXED BY  


  * Peter Droogmans [10] the module maintainer
  * Jelle Sebreghts [11] the module maintainer
  * Ivo Van Geertruyen [12] of the Drupal Security Team

 COORDINATED BY  

  * Ivo Van Geertruyen [13] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].


[1] http://drupal.org/project/ga_login
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ga_login
[5] http://drupal.org/node/1995634
[6] http://drupal.org/node/1995482
[7] http://drupal.org/project/ga_login
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/657472
[10] http://drupal.org/user/105002
[11] http://drupal.org/user/829198
[12] http://drupal.org/user/383424
[13] http://drupal.org/user/383424
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration

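The OTP replay issue in SA-CONTRIB-2013-047 above comes down to a verifier that accepts a valid code as many times as it is presented within the clock window. The added Python example below (not the module's code) implements RFC 4226/6238 HOTP/TOTP and the replay defence from RFC 6238 section 5.2: remember the last time step honoured per account and refuse any code for that step or an earlier one. The `TotpVerifier` class and the per-user secret table are assumptions; the secret is the RFC 6238 Appendix B test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Second-factor check with the replay defence of RFC 6238 section 5.2.

    A valid code only proves the submitter saw a code for the current window;
    the same code verifies again for up to a minute unless the verifier records
    the time step it already accepted for that account.
    """

    def __init__(self, secrets_by_user, step=30, window=1, prevent_replay=True):
        self.secrets = secrets_by_user
        self.step = step
        self.window = window                  # tolerate +/- one step of clock drift
        self.prevent_replay = prevent_replay  # False models the behaviour the advisory describes
        self.last_step = {}                   # username -> highest time step already accepted

    def verify(self, username, code, unix_time):
        secret = self.secrets.get(username)
        if secret is None:
            return False
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if not hmac.compare_digest(hotp(secret, candidate), code):
                continue
            used = self.last_step.get(username, -1)
            if self.prevent_replay and candidate <= used:
                # Same or older step already honoured: an intercepted code is being replayed.
                return False
            self.last_step[username] = max(candidate, used)
            return True
        return False


# Constructed example account using the RFC 6238 Appendix B test secret.
RFC6238_SECRET = b"12345678901234567890"


def replay_scenario(prevent_replay):
    """Legitimate login at t=59, then the intercepted code resubmitted 20 seconds later
    (still inside the drift window). Returns (first_attempt_ok, replay_ok)."""
    verifier = TotpVerifier({"alice": RFC6238_SECRET}, prevent_replay=prevent_replay)
    code = totp(RFC6238_SECRET, 59)
    first = verifier.verify("alice", code, 59)
    replay = verifier.verify("alice", code, 79)
    return first, replay
```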


[Full-disclosure] [Security-news] SA-CONTRIB-2013-046 - Filebrowser - Reflected Cross Site Scripting (XSS)

2013-05-01 Thread security-news
View online: http://drupal.org/node/1984212

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-046
  * Project: Filebrowser [1] (third-party module)
  * Version: 6.x
  * Date: 2013-May-1
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  

Filebrowser module allows site administrators to expose a particular file
system folder and all of its subfolders with an FTP-like interface to site
visitors.

The module doesn't sufficiently sanitize user input when presenting lists of
files.

Because the vulnerability is /Reflected/ Cross Site Scripting, the only
mitigating factor is that an authenticated user must be tricked into visiting
a specially crafted malicious URL.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * Filebrowser 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Filebrowser
[4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Filebrowser module for Drupal 6.x, upgrade to Filebrowser
6.x-2.2 [5]

Also see the Filebrowser [6] project page.

 REPORTED BY  

  * Paweł Krawczyk [7]

 FIXED BY  


  * Yoran Brault [8] the module maintainer

 COORDINATED BY  

  * Lee Rowlands [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/filebrowser
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/filebrowser
[5] http://drupal.org/node/1983356
[6] http://drupal.org/project/filebrowser
[7] http://drupal.org/user/243792
[8] http://drupal.org/user/46153
[9] http://drupal.org/user/395439
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)

2013-04-17 Thread security-news
View online: http://drupal.org/node/1972804

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-043
  * Project: MP3 Player [1] (third-party module)
  * Version: 6.x
  * Date: 2013-April-17
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  

This module lets you easily enable a Flash MP3 Player on a CCK FileField.

The module doesn't sufficiently filter user-supplied text from MP3 filenames.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create a node with an MP3 FileField with the MP3
player set as the display widget.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * All MP3 Player versions.

Drupal core is not affected. If you do not use the contributed MP3 Player [4]
module, there is nothing you need to do.

 SOLUTION  


Disable the module:

  * If you use the MP3 Player module for Drupal 6.x you should disable the
module.

Also see the MP3 Player [5] project page.

 REPORTED BY  

  * Kyle Small [6]

 FIXED BY  


Not applicable.

 COORDINATED BY  

  * Greg Knaddison [7] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].


[1] http://drupal.org/project/mp3player
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mp3player
[5] http://drupal.org/project/mp3player
[6] http://drupal.org/user/832278
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-044 - elFinder file manager - Cross Site Request Forgery (CSRF)

2013-04-17 Thread security-news
View online: http://drupal.org/node/1972942

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-044
  * Project: elFinder file manager [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-April-17
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Request Forgery

 DESCRIPTION  

The elfinder module provides an AJAX-based file manager based on the elFinder
JavaScript library.

The module doesn't sufficiently verify requests thereby exposing a Cross Site
Request Forgery (CSRF) vulnerability. This would enable an attacker to
create, modify, or delete files on the server.

There are no mitigating factors.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * elfinder 6.x-0.x versions prior to 6.x-0.8.
  * elfinder 7.x-0.x versions prior to 7.x-0.8.

Drupal core is not affected. If you do not use the contributed elFinder file
manager [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the elfinder module 0.x for Drupal 6.x, upgrade to elfinder
6.x-0.8 [5] (requires elFinder 1.2 [6] library)
  * If you use the elfinder module 0.x for Drupal 7.x, upgrade to elfinder
7.x-0.8 [7] (requires elFinder 1.2 [8] library)

Also see the elFinder file manager [9] project page.

 REPORTED BY  

  * Greg Knaddison [10] of the Drupal Security Team

 FIXED BY  


  * Alexey Sukhotin [11] the module maintainer
  * Greg Knaddison [12] of the Drupal Security Team
  * Fox [13] of the Drupal Security Team

 COORDINATED BY  

  * Fox [14] of the Drupal Security Team
  * David Stoline [15] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [16].

Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].


[1] http://drupal.org/project/elfinder
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/elfinder
[5] http://drupal.org/node/1972082
[6] http://sourceforge.net/projects/elfinder/files/
[7] http://drupal.org/node/1972084
[8] http://sourceforge.net/projects/elfinder/files/
[9] http://drupal.org/project/elfinder
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/771642
[12] http://drupal.org/user/36762
[13] http://drupal.org/user/426416
[14] http://drupal.org/user/426416
[15] http://drupal.org/user/329570
[16] http://drupal.org/contact
[17] http://drupal.org/security-team
[18] http://drupal.org/writing-secure-code
[19] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-045 - Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) - Access bypass

2013-04-17 Thread security-news
View online: http://drupal.org/node/1972976

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-045
  * Project: Autocomplete Widgets for Text and Number Fields [1] (third-party
module)
  * Version: 6.x, 7.x
  * Date: 2013-April-17
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  

Autocomplete Widgets module adds autocomplete widgets for Text and Number
fields.

The autocomplete callback implemented by this module does not honor node
permissions to access existing fields, allowing users to see field values
even though they are not authorized to access that information.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create or edit content.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * Autocomplete Widgets 6.x-1.x versions prior to 6.x-1.4.
  * Autocomplete Widgets 7.x-1.x versions prior to 7.x-1.0-rc1.

Drupal core is not affected. If you do not use the contributed Autocomplete
Widgets for Text and Number Fields [4] module, there is nothing you need to
do.

 SOLUTION  


Install the latest version:

  * If you use the Autocomplete Widgets module for Drupal 6.x, upgrade to
Autocomplete Widgets 6.x-1.4 [5]
  * If you use the Autocomplete Widgets module for Drupal 7.x, upgrade to
Autocomplete Widgets 7.x-1.0-rc1 [6]

Also see the Autocomplete Widgets for Text and Number Fields [7] project
page.

 REPORTED BY  

  * James [8]
  * Cash Williams [9]

 FIXED BY  


  * Alexander Ross [10] the module maintainer
  * Cash Williams [11]

 COORDINATED BY  

  * Stéphane Corlosquet [12] of the Drupal Security Team
  * David Rothstein [13] of the Drupal Security Team
  * Owen Barton [14] of the Drupal Security Team
  * Greg Knaddison [15] of the Drupal Security Team
  * Ben Jeavons [16] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [17].

Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].


[1] http://drupal.org/project/autocomplete_widgets
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/autocomplete_widgets
[5] http://drupal.org/node/1971848
[6] http://drupal.org/node/1971856
[7] http://drupal.org/project/autocomplete_widgets
[8] http://drupal.org/user/693536
[9] http://drupal.org/user/421070
[10] http://drupal.org/user/8274
[11] http://drupal.org/user/421070
[12] http://drupal.org/user/52142
[13] http://drupal.org/user/124982
[14] http://drupal.org/user/19668
[15] http://drupal.org/user/36762
[16] http://drupal.org/user/91990
[17] http://drupal.org/contact
[18] http://drupal.org/security-team
[19] http://drupal.org/writing-secure-code
[20] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service

2013-04-10 Thread security-news
View online: http://drupal.org/node/1966780

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-042
  * Project: RESTful Web Services [1] (third-party module)
  * Version: 7.x
  * Date: 2013-April-10
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Denial of Service

 DESCRIPTION  

This module enables you to expose Drupal entities as RESTful web services. It
provides a machine-readable interface to exchange resources in JSON, XML and
RDF.

The module interferes with Drupal's page cache and allows an attacker to
poison the cache with non-HTML page responses, thereby exposing a denial of
service vulnerability.

This vulnerability is mitigated by the fact that page caching must be enabled
and the anonymous user role must be assigned a RESTWS permission, for example
access resource node.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  

  * RESTWS 7.x-1.x versions prior to 7.x-1.3.
  * RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha5.

Drupal core is not affected. If you do not use the contributed RESTful Web
Services [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.3
[5]
  * If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS
7.x-2.0-alpha5 [6]

Also see the RESTful Web Services [7] project page.

 REPORTED BY  

  * Dylan Tack [8] of the Drupal Security Team

 FIXED BY  


  * Klaus Purer [9] the module maintainer
  * Stéphane Corlosquet [10] of the Drupal Security Team

 COORDINATED BY  

  * Klaus Purer [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/restws
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/restws
[5] http://drupal.org/node/1966752
[6] http://drupal.org/node/1966758
[7] http://drupal.org/project/restws
[8] http://drupal.org/user/96647
[9] http://drupal.org/user/262198
[10] http://drupal.org/user/52142
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [Security-news] SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass

2013-04-03 Thread security-news
View online: http://drupal.org/node/1960338

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-040
  * Project: Commerce Skrill (Formerly Moneybookers) [1] (third-party module)
  * Version: 7.x
  * Date: 2013-April-03
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION
-------------

This module integrates the Skrill online payment services [3] with Drupal
Commerce.

When processing Instant payment notifications (IPN), the Moneybookers
enterprise payment method provided by the Commerce Skrill contributed module
does not perform sufficient access checking, potentially allowing forged
notifications to be accepted as valid.

The vulnerability is mitigated by the fact that it only affects the
Moneybookers enterprise payment method.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

The Moneybookers enterprise payment method provided by the Commerce Skrill
[5] contributed module in all versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Commerce
Skrill (Formerly Moneybookers) [6] module, there is nothing you need to do.

 SOLUTION
----------

Install the latest version. The Moneybookers enterprise payment method now
requires the use of the hash security option.

  * Upgrade to Commerce Skrill 7.x-1.2 [7]
  * In the Skrill back office, enable the securityHash verification under
Administration > Processing > Processing Settings.
  * Get the security token and paste it into the Secret key field of the
payment method configuration form.
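
Added example, not the Commerce Skrill module's own code: an IPN handler that accepts any well-formed notification beside one that enforces the hash option the fix requires. It assumes Skrill's published md5sig scheme (MD5 over merchant_id, transaction_id, the upper-cased MD5 of the secret word, amount, currency and status, upper-cased) and the Skrill status code "2" for a processed payment; the merchant id, order table, secret word and notification fields are constructed.

```python
"""Skrill/Moneybookers IPN verification, vulnerable vs. hardened.

Constructed example: merchant id, order records and the secret word are made
up. The signature formula is the md5sig scheme from Skrill's public merchant
documentation (an assumption about the service, not text from the advisory).
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

STATUS_PROCESSED = "2"                     # Skrill status for a completed payment (assumed)
SECRET_WORD = "constructed-secret-word"    # the value the advisory calls the Secret key

# Orders awaiting payment: merchant transaction id -> (amount, currency)
PENDING_ORDERS: Dict[str, Tuple[str, str]] = {"order-1001": ("49.90", "EUR")}


def skrill_md5sig(fields: Dict[str, str], secret_word: str) -> str:
    """Signature Skrill attaches to the IPN when securityHash is enabled."""
    inner = hashlib.md5(secret_word.encode("utf-8")).hexdigest().upper()
    concat = (fields["merchant_id"] + fields["transaction_id"] + inner
              + fields["mb_amount"] + fields["mb_currency"] + fields["status"])
    return hashlib.md5(concat.encode("utf-8")).hexdigest().upper()


def handle_ipn_unverified(fields: Dict[str, str]) -> Optional[str]:
    """The failure mode fixed in 7.x-1.2: trust whatever the POST says.
    Returns the order id that would be marked paid, or None."""
    if (fields.get("status") == STATUS_PROCESSED
            and fields.get("transaction_id") in PENDING_ORDERS):
        return fields["transaction_id"]
    return None


def handle_ipn_verified(fields: Dict[str, str], secret_word: str) -> Optional[str]:
    """Hardened handler: require a valid md5sig, then check that amount and
    currency match the order before marking it paid."""
    order_id = fields.get("transaction_id")
    if order_id not in PENDING_ORDERS:
        return None
    provided = fields.get("md5sig")
    if not provided:                       # sender did not use the hash option: reject
        return None
    try:
        expected = skrill_md5sig(fields, secret_word)
    except KeyError:                       # a signed field is missing
        return None
    if not hmac.compare_digest(expected, provided.upper()):
        return None
    amount, currency = PENDING_ORDERS[order_id]
    if fields["mb_amount"] != amount or fields["mb_currency"] != currency:
        return None
    if fields["status"] != STATUS_PROCESSED:
        return None
    return order_id


def genuine_notification() -> Dict[str, str]:
    """What Skrill would post for order-1001 with the hash option enabled."""
    fields = {"merchant_id": "12345678", "transaction_id": "order-1001",
              "mb_amount": "49.90", "mb_currency": "EUR", "status": STATUS_PROCESSED}
    fields["md5sig"] = skrill_md5sig(fields, SECRET_WORD)
    return fields


def forged_notification() -> Dict[str, str]:
    """The same fields posted by a party that does not know the secret word."""
    fields = genuine_notification()
    fields["md5sig"] = skrill_md5sig(fields, "wrong-guess")
    return fields


if __name__ == "__main__":
    forged = forged_notification()
    print("unverified handler, forged IPN :", handle_ipn_unverified(forged))
    print("verified handler, forged IPN   :", handle_ipn_verified(forged, SECRET_WORD))
    print("verified handler, genuine IPN  :",
          handle_ipn_verified(genuine_notification(), SECRET_WORD))
```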

Also see the Commerce Skrill (Formerly Moneybookers) [8] project page.

 REPORTED BY
-------------

  * Julien Dubreuil [9] the module maintainer

 FIXED BY
----------

  * Julien Dubreuil [10] the module maintainer
  * Jonathan Sacksick [11] the module maintainer

 COORDINATED BY
----------------

  * Klaus Purer [12] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] http://drupal.org/project/commerce_moneybookers
[2] http://drupal.org/security-team/risk-levels
[3] https://www.moneybookers.com/ads/partners/?p=Drupalcommerce
[4] http://cve.mitre.org/
[5] http://drupal.org/project/commerce_moneybookers
[6] http://drupal.org/project/commerce_moneybookers
[7] http://drupal.org/node/1959998
[8] http://drupal.org/project/commerce_moneybookers
[9] http://drupal.org/user/519520
[10] http://drupal.org/user/519520
[11] http://drupal.org/user/972218
[12] http://drupal.org/user/262198
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass

2013-04-03 Thread security-news
View online: http://drupal.org/node/1960406

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-041
  * Project: Chaos tool suite (ctools) [1] (third-party module)
  * Version: 7.x
  * Date: 2013-April-03
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION
-------------

The CTools module provides a set of APIs and tools to improve the developer
experience.

The module does not sufficiently enforce node access when providing an
autocomplete list of suggested node titles, allowing users with the "access
content" permission to see the titles of nodes which they should not be able
to view.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [4] module, there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * If you use the Ctools module for Drupal 7.x, upgrade to Ctools 7.x-1.3 [5]

Also see the Chaos tool suite (ctools) [6] project page.

 REPORTED BY
-------------

  * Greg Knaddison [7] of the Drupal Security Team
  * Cash Williams [8]

 FIXED BY
----------

  * Daniel Wehner [9] the module maintainer.
  * Cash Williams [10]
  * Lee Rowlands [11] of the Drupal Security Team

 COORDINATED BY
----------------

  * Lee Rowlands [12] of the Drupal Security Team
  * Greg Knaddison [13] of the Drupal Security Team
  * Ben Jeavons [14] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].


[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ctools
[5] http://drupal.org/node/1960424
[6] http://drupal.org/project/ctools
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/421070
[9] http://drupal.org/user/99340
[10] http://drupal.org/user/421070
[11] http://drupal.org/user/395439
[12] http://drupal.org/user/395439
[13] http://drupal.org/user/36762
[14] http://drupal.org/user/91990
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-036 - Zero Point - Cross Site Scripting (XSS)

2013-03-27 Thread security-news
View online: http://drupal.org/node/1954588

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-036
  * Project: Zero Point [1] (third-party module)
  * Version: 7.x
  * Date: 2013-March-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION
-------------

Zero Point is a theme with many options, suitable for a wide range of sites.
The theme does not escape user-supplied text in URLs, which creates a
reflected cross-site scripting (XSS) vulnerability. There are no mitigating
factors.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * zeropoint 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Zero Point [4]
module, there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * If you use the Zero Point theme for Drupal 7.x, upgrade to zeropoint
7.x-1.9 [5]

Also see the Zero Point [6] project page.

 REPORTED BY
-------------

  * Dennis Walgaard [7]

 FIXED BY
----------

  * Florian Radut [8] the module maintainer
  * Dennis Walgaard [9]

 COORDINATED BY
----------------

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/zeropoint
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/zeropoint
[5] http://drupal.org/node/1953840
[6] http://drupal.org/project/zeropoint
[7] http://drupal.org/user/883702
[8] http://drupal.org/user/35316
[9] http://drupal.org/user/883702
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-038 - Commons Groups - Access bypass Privilege escalation

2013-03-27 Thread security-news
View online: http://drupal.org/node/1954764

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-038
  * Project: Commons Groups [1] (third-party module)
  * Version: 7.x
  * Date: 2013-March-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Multiple vulnerabilities

 DESCRIPTION
-------------

The Drupal Commons distribution is a tool for building social, group-based
collaboration communities. The Commons Groups module is used by the
distribution to provide specific Organic Groups customizations.

Versions 3.0 and earlier of the Commons Groups module are vulnerable to an
access bypass and privilege escalation vulnerability that allows anonymous
users to post content into groups.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * Drupal Commons distribution and Commons Groups versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Commons Groups
[4] module, there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * If you use the Commons Groups module, upgrade to Commons Groups 7.x-3.1 [5]
or install the latest version of the Drupal Commons distribution (7.x-3.1),
which includes the fix for Commons Groups.

Also see the Commons Groups [6] project page.

 REPORTED BY
-------------

Commons project maintainers:
  * Joseph Pontani [7]
  * Jakob Perry [8]
  * Ezra Gildesgame [9]

 FIXED BY
----------

Commons project maintainers:

  * Joseph Pontani [10]
  * Jakob Perry [11]
  * Ezra Gildesgame [12]

 COORDINATED BY
----------------

  * Greg Knaddison [13] of the Drupal Security Team
  * Ben Jeavons [14] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].


[1] http://drupal.org/project/commons_groups
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/commons_groups
[5] http://drupal.org/node/1954762
[6] http://drupal.org/project/commons_groups
[7] http://drupal.org/user/1014606
[8] http://drupal.org/user/45640
[9] http://drupal.org/user/69959/
[10] http://drupal.org/user/1014606
[11] http://drupal.org/user/45640
[12] http://drupal.org/user/69959/
[13] http://drupal.org/user/36762
[14] http://drupal.org/user/91990
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-037 - Rules - Cross Site Scripting (XSS)

2013-03-27 Thread security-news
View online: http://drupal.org/node/1954592

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-037
  * Project: Rules [1] (third-party module)
  * Version: 7.x
  * Date: 2013-March-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION
-------------

The Rules module allows site administrators to define conditionally executed
actions based on occurring events (known as reactive or ECA rules). It is a
replacement, with more features, for the Trigger module in core.

The module contains a persistent cross site scripting (XSS) vulnerability due
to the fact that it fails to sanitize rule tags before display.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer rules".


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * Rules 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Rules [4]
module, there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * If you use the Rules module for Drupal 7.x, upgrade to Rules 7.x-2.3 [5]

Also see the Rules [6] project page.

 REPORTED BY
-------------

  * Justin C. Klein Keane [7]

 FIXED BY
----------

  * Justin C. Klein Keane [8]
  * Wolfgang Ziegler [9] the module maintainer

 COORDINATED BY
----------------

  * Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/rules
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/rules
[5] http://drupal.org/node/1954508
[6] http://drupal.org/project/rules
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/302225
[9] http://drupal.org/user/16747
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-039 - Commons Wikis - Access bypass Privilege escalation

2013-03-27 Thread security-news
View online: http://drupal.org/node/1954766

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-039
  * Project: Commons Wikis [1] (third-party module)
  * Version: 7.x
  * Date: 2013-March-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Multiple vulnerabilities

 DESCRIPTION
-------------

The Drupal Commons distribution is a tool for building social, group-based
collaboration communities. The Commons Wikis module is used by the
distribution to provide specific wiki functionality.

Versions 3.0 and earlier of the Commons Wikis module are vulnerable to an
access bypass and privilege escalation vulnerability that allows anonymous
users to post content into groups.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * Drupal Commons and Commons Wikis versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Commons Wikis
[4] module, there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * If you use the Commons Wikis module, upgrade to Commons Wikis 7.x-3.1 [5]
or install the latest version of the Drupal Commons distribution (7.x-3.1),
which includes the fix for Commons Wikis.

Also see the Commons Wikis [6] project page.

 REPORTED BY
-------------

Commons project maintainers:
  * Jakob Perry [7]
  * Joseph Pontani [8]
  * Ezra Gildesgame [9]

 FIXED BY
----------

Commons project maintainers:
  * Jakob Perry [10]
  * Joseph Pontani [11]
  * Ezra Gildesgame [12]

 COORDINATED BY
----------------

  * Greg Knaddison [13] of the Drupal Security Team
  * Ben Jeavons [14] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].


[1] http://drupal.org/project/commons_wikis
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/commons_wikis
[5] http://drupal.org/node/1954768
[6] http://drupal.org/project/commons_wikis
[7] http://drupal.org/user/45640
[8] http://drupal.org/user/1014606
[9] http://drupal.org/user/69959/
[10] http://drupal.org/user/45640
[11] http://drupal.org/user/1014606
[12] http://drupal.org/user/69959/
[13] http://drupal.org/user/36762
[14] http://drupal.org/user/91990
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)

2013-03-20 Thread security-news
View online: http://drupal.org/node/1948358

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-035
  * Project: Views [1] (third-party module)
  * Version: 7.x
  * Date: 2013-March-20
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION
-------------

The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content, users, taxonomy terms and other data
are presented.

The module incorrectly prints some view configuration fields without proper
sanitization, opening a cross-site scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer vocabularies and terms" or other
administer-related permissions from contributed modules that integrate with
Views.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * Views 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Views [4]
module, there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.6 [5]

Also see the Views [6] project page.

 REPORTED BY
-------------

  * Francisco José Cruz Romanos [7]

 FIXED BY
----------

  * Francisco José Cruz Romanos [8]
  * Daniel Wehner [9] the module maintainer

 COORDINATED BY
----------------

  * Greg Knaddison [10] of the Drupal Security Team
  * Ben Jeavons [11] of the Drupal Security Team
  * David Stoline [12] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] http://drupal.org/project/views
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/views
[5] http://drupal.org/node/1948354
[6] http://drupal.org/project/views
[7] http://drupal.org/user/848238
[8] http://drupal.org/user/848238
[9] http://drupal.org/user/99340
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/91990
[12] http://drupal.org/user/329570
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration


[Full-disclosure] [Security-news] SA-CONTRIB-2013-034 - Node Parameter Control - Access Bypass

2013-03-13 Thread security-news
View online: http://drupal.org/node/1942330

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-034
  * Project: Node Parameter Control [1] (third-party module)
  * Version: 6.x
  * Date: 2013-Mar-13
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION
-------------

This module enables you to limit the visibility of the fields on the node
edit form.

The module does not sufficiently check access before allowing users to view
and edit its configuration options, so anonymous and authenticated users are
able to view and change them.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * All 6.x-1.x versions

Drupal core is not affected. If you do not use the contributed Node Parameter
Control [4] module, there is nothing you need to do.

 SOLUTION
----------

Uninstall the module. No patched version is available.

Also see the Node Parameter Control [5] project page.

 REPORTED BY
-------------

  * Talbot [6]

 FIXED BY
----------

The module maintainer opted to mark the module as unsupported.

 COORDINATED BY
----------------

  * Lee Rowlands [7] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].


[1] http://drupal.org/project/node_parameter_control
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/node_parameter_control
[5] http://drupal.org/project/node_parameter_control
[6] http://drupal.org/user/36138
[7] http://drupal.org/user/395439
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS)

2013-03-01 Thread security-news
View online: http://drupal.org/node/1929508

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-031
  * Project: Premium Responsive [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION
-------------

This third-party contributed theme changes Drupal's interface.

The theme does not properly sanitize user-entered content in the 3-slide
gallery on the home page, leading to a cross-site scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to
have the 'administer themes' permission.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * Premium Responsive versions prior to 7.x-1.6

Drupal core is not affected. If you do not use the contributed Premium
Responsive [4] theme, there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * Premium Responsive 7.x-1.6 [5]

Also see the Premium Responsive [6] project page.

 REPORTED BY
-------------

  * Greg Knaddison [7] of the Drupal Security Team

 FIXED BY
----------

  * saran.quardz [8] the theme maintainer

 COORDINATED BY
----------------

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/responsive
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/responsive
[5] http://drupal.org/node/1730752
[6] http://drupal.org/project/responsive
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-024 - Creative Theme - Cross Site Scripting (XSS)

2013-02-27 Thread security-news
View online: https://drupal.org/node/1929474

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-024
  * Project: Creative Theme [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION
-------------

Creative Theme is a lightweight Drupal 7 theme with a modern look and feel.

The theme doesn't properly sanitize user-entered content in the social icon
leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to
have the 'administer themes' permission.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * Creative Theme 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Creative Theme
[4], there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * If you use the Creative Theme for Drupal 7.x, upgrade to Creative Theme
7.x-1.2 [5]

Also see the Creative Theme [6] project page.

 REPORTED BY
-------------

  * Greg Knaddison [7] of the Drupal Security Team

 FIXED BY
----------

  * saran.quardz [8] the theme maintainer

 COORDINATED BY
----------------

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/creative
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/creative
[5] http://drupal.org/node/1929380
[6] http://drupal.org/project/creative
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-026 - Best Responsive Theme - Cross Site Scripting (XSS)

2013-02-27 Thread security-news
View online: https://drupal.org/node/1929484

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-026
  * Project: Best Responsive [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION
-------------

Best Responsive theme is a lightweight Drupal 7 theme with a modern look and
feel.

The theme doesn't properly sanitize user-entered content in the social icon
leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to
have the 'administer themes' permission.


 CVE IDENTIFIER(S) ISSUED
--------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED
-------------------

  * Best Responsive Theme 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Best
Responsive [4] theme, there is nothing you need to do.

 SOLUTION
----------

Install the latest version:

  * If you use the Best Responsive Theme for Drupal 7.x, upgrade to Best
Responsive Theme 7.x-1.1 [5]

Also see the Best Responsive [6] project page.

 REPORTED BY
-------------

  * Greg Knaddison [7] of the Drupal Security Team

 FIXED BY
----------

  * saran.quardz [8] the theme maintainer

 COORDINATED BY
----------------

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/best_responsive
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/best_responsive
[5] http://drupal.org/node/1929390
[6] http://drupal.org/project/best_responsive
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-025 - Fresh Theme - Cross Site Scripting (XSS)

2013-02-27 Thread security-news
View online: https://drupal.org/node/1929482

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-025
  * Project: Fresh theme [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3-slide
gallery on the homepage, leading to a Cross Site Scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to
have the 'administer themes' permission.
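Both advisories on this page describe the same theme pattern: a value typed into the theme settings form is printed into page markup without escaping. The following is an added example, not code from either theme or the Drupal Security Team, showing in Drupal 7 PHP the unsafe rendering beside the corrected one. The theme name mytheme and the setting and variable names are hypothetical; theme_get_setting(), check_plain(), check_url() and l() are real Drupal 7 APIs.

```php
<?php
/**
 * Added example (hypothetical theme "mytheme"), not code from either
 * advisory's theme. Demonstrates the unsafe and the corrected way for a
 * Drupal 7 theme to render an admin-entered theme setting.
 */

/**
 * Vulnerable pattern: the raw setting values are handed to the template,
 * which prints them as-is into an href and into link text. Any markup or
 * script entered on the theme settings form is then rendered on every page,
 * which is the XSS both advisories describe. Requiring the 'administer
 * themes' permission limits who can enter it, but does not make the output
 * safe.
 */
function mytheme_preprocess_page_vulnerable(&$variables) {
  // Both values come from the theme settings form (hypothetical names).
  $variables['social_icon_url']   = theme_get_setting('social_icon_url', 'mytheme');
  $variables['social_icon_title'] = theme_get_setting('social_icon_title', 'mytheme');
  // page.tpl.php would then print $social_icon_url straight into an
  // href attribute and $social_icon_title straight into the link text.
}

/**
 * Corrected pattern: escape each value for the context it lands in.
 * check_url() strips dangerous URL schemes (for example javascript:) and
 * escapes the rest for use in an attribute; check_plain() HTML-escapes text.
 */
function mytheme_preprocess_page(&$variables) {
  $url   = theme_get_setting('social_icon_url', 'mytheme');
  $title = theme_get_setting('social_icon_title', 'mytheme');

  // Safe to print directly in the template after this.
  $variables['social_icon_url']   = check_url($url);
  $variables['social_icon_title'] = check_plain($title);

  // Alternatively let Drupal build the whole link: l() applies check_url()
  // to the href and check_plain() to the text unless 'html' => TRUE is set.
  $variables['social_icon_link'] = l($title, $url, array(
    'attributes' => array('class' => array('social-icon')),
  ));
}
```

The same two steps apply to the slide gallery case: every setting value goes through check_plain() (text) or check_url() (links) before it reaches a template, regardless of which permission was needed to enter it.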


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Fresh Theme versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Fresh Theme
[4], there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * Fresh Theme 7.x-1.4 [5]

Also see the Fresh Theme [6] project page.

 REPORTED BY  
-

  * Greg Knaddison [7] of the Drupal Security Team

 FIXED BY  


  * saran.quardz [8], the theme maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/fresh
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fresh
[5] http://drupal.org/node/1723316
[6] http://drupal.org/project/fresh
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


