Startseite

Sammlung von Newsfeeds

SA-CONTRIB-2012-082 - Zen - Cross Site Scripting

Drupal Security Advisories for Contributed Projects - 16. Mai 2012 - 22:38
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-082
  • Project: Zen (third-party theme)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.

The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.

This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.

Versions affected
  • Zen 6.x-1.x versions prior to 6.x-1.1

Drupal core is not affected. Zen versions 6.x-2.x are not affected. If you do not use the contributed Zen theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Zen theme for Drupal 6.x, upgrade to theme 6.x-1.1 or any later version.

If you copied code from the zen_breadcrumb function into a custom sub-theme's template.php file you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check plain like:

check_plain(menu_get_active_title());

Also see the Zen project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting

Drupal Security Advisories for Contributed Projects - 16. Mai 2012 - 22:38
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-081
  • Project: Aberdeen (third-party theme)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.

The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.

This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.

Versions affected
  • Aberdeen 6.x-1.x versions prior to 6.x-1.11

Drupal core is not affected. If you do not use the contributed Aberdeen theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Aberdeen theme for Drupal 6.x, upgrade to theme 6.x-1.11

If you copied code from the aberdeen_breadcrumb function into a custom sub-theme's template.php file you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check plain like:

check_plain(menu_get_active_title());

Also see the Aberdeen project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass and Cross Site Scripting (XSS)

Drupal Security Advisories for Contributed Projects - 16. Mai 2012 - 18:35
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-080
  • Project: Hostmaster (Aegir) (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description Cross Site Scripting

CVE: Requested.

Hostmaster displays a log from tasks executed in Aegir's backend component, provision. In certain circumstances these log messages were not escaped properly before being displayed to the user. This vulnerability is mitigated by the fact that people wishing to exploit this must have access to the PHP code of either provision itself or one of the sites hosted by Aegir.

Access Bypass

CVE: Requested.

Hostmaster doesn't allow people to edit or create certain node types that are used for the internal representation of data. The implementation of this wasn't fully complete and would still allow privileged users to edit these nodes. This can cause some data corruption in the front-end, leading to tasks that would appear to never finish running. This vulnerability is mitigated by the fact that people wishing to exploit this must have the 'edit package' or 'administer nodes' permissions, which are not given to any roles by the default Aegir install.

Versions affected
  • Hostmaster 6.x-1.x versions prior to 6.x-1.9.

Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) module, there is nothing you need to do.

Solution

Follow the upgrade instructions in the release notes for the Aegir 1.9 release which can be found at: http://community.aegirproject.org/1.9

Also see the Hostmaster (Aegir) project page.

Reported by
  • The Cross Site Scripting vulnerability was reported by Steven Jones one of the module maintainers.
  • The Access Bypass vulnerability was reported by Ivo Van Geertruyen of the Drupal Security Team.
Fixed by
  • The Cross Site Scripting vulnerability was fixed by Steven Jones one of the module maintainers.
  • The Access Bypass vulnerability was fixed by Ivo Van Geertruyen of the Drupal Security Team and mig5 one of the module maintainers.
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported

Drupal Security Advisories for Contributed Projects - 16. Mai 2012 - 18:21
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-079
  • Project: Post Affiliate Pro (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass
Description

CVE: Requested.

Post Affiliate Pro (PAP) is a module providing affiliate functionality for Ubercart and Post Affiliate Pro application.
The module doesn't sufficiently filter user supplied text provided by users registering on the site and also allows unauthorized users to view other user's commission.

Versions affected
  • All versions of the module.

Drupal core is not affected. If you do not use the contributed Post Affiliate Pro module, there is nothing you need to do.

Solution

The module is no longer supported. Users should disable it. Users interested in continuing to use it should see the project page for more information.

Also see the Post Affiliate Pro project page.

Reported by Fixed by

No fix was provided.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)

Drupal Security Advisories for Contributed Projects - 16. Mai 2012 - 17:30
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-078
  • Project: Smart Breadcrumb (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The function filter_titles() incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text.

This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue.

Versions affected
  • Smart Breadcrumb 6.x-2.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Smart Breadcrumb module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Smart Breadcrumb project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-77 - Advertisement - Cross Site Scripting & Information Disclosure

Drupal Security Advisories for Contributed Projects - 16. Mai 2012 - 17:16
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-077
  • Project: Advertisement (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities
Description

CVE: Requested.

This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages.
The module could, under certain conditions, expose limited site configuration information and a debugging mode did not sufficiently sanitize input, allowing for potential cross-site scripting (XSS).
This vulnerability is mitigated by the fact that exposed data must have been explicitly set in the $conf variable in settings.php.

Versions affected
  • Advertisement 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Advertisement module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Advertisement project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass

Drupal Security Advisories for Contributed Projects - 16. Mai 2012 - 17:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-076
  • Project: Ubercart Product Keys (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

CVE: Requested.

This module enables you to sell product keys from an Ubercart store.

Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key.

Versions affected
  • Ubercart Product Keys 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Ubercart Product Keys module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart Product Keys project page.

Reported by
  • Daniel Glucksman
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-075 - Take Control - Cross Site Request Forgery (CSRF)

Drupal Security Advisories for Contributed Projects - 9. Mai 2012 - 18:40
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-075
  • Project: Take Control (third-party module)
  • Version: 6.x
  • Date: 2012-May-09
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

CVE: CVE-2012-2341

This module enables you to manage your Drupal file-system from within Drupal itself.
The module does not sufficiently validate Ajax calls leading to possibility of a Cross Site Request Forgery CSRF attack.
This vulnerability is mitigated by the fact that the attacker must be able to guess your Drupal file-system root path exactly. Further, if your site follows the secure file-system permissions recommendations and the web-server account does not have write access to Drupal root, only files/folders in Drupal's "files" directory are open to manipulation.

Versions affected
  • Take Control 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Take Control module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Take Control project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-074 - Contact Forms - Access Bypass

Drupal Security Advisories for Contributed Projects - 9. Mai 2012 - 18:36
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-074
  • Project: Contact Forms (third-party module)
  • Version: 7.x
  • Date: 2012-May-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

CVE: CVE-2012-2340

This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form (without a drop down menu) with a unique path for each of the contact form categories.
The module allowed users to edit the Contact Form settings if they have permission to 'access the site-wide contact form' instead of more appropriate 'Administer contact forms and contact form settings' permission.
This vulnerability is only mitigated by the fact that an attacker must know the correct url to access the Contact Forms settings page (though it is the same on all Drupal sites).

Versions affected
  • Contact Forms 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Contact Forms module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Contact Forms project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-073 - Glossary - Cross-Site Scripting (XSS)

Drupal Security Advisories for Contributed Projects - 9. Mai 2012 - 18:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-073
  • Project: Glossary (third-party module)
  • Version: 6.x
  • Date: 2012-May-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: CVE-2012-2339

The glossary module scans posts for glossary terms, adding an indicator. By hovering over the indicator, users may learn the definition of that term.

The module does not sufficiently sanitize the taxonomy information. This leaves sites vulnerable to Cross-Site Scripting attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create or edit taxonomy terms.

Versions affected
  • Glossary 6.x-1.x versions prior to 6.x-1.8.

Drupal core is not affected. If you do not use the contributed Glossary module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Glossary project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-072 - cctags - Cross Site Scripting (XSS)

Drupal Security Advisories for Contributed Projects - 2. Mai 2012 - 21:36
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-072
  • Project: cctags (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-May-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: CVE-2012-2310

This module enables you to create "tag clouds" with taxonomy terms displayed in different sizes depending on how frequently they are used on a site.
The module doesn't sufficiently filter user supplied text leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create or edit vocabularies or terms.

Versions affected
  • cctags 6.x-1.x versions prior to 6.x-1.10.
  • cctags 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed cctags module, there is nothing you need to do.

Solution

Install the latest version:

Also see the cctags project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CORE-2012-002 - Drupal core multiple vulnerabilities

Drupal Security Advisories - 2. Mai 2012 - 17:17
  • Advisory ID: DRUPAL-SA-CORE-2012-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-May-2
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect
Description Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.

Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.

Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission.

Versions affected
  • Drupal core 7.x versions prior to 7.13.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
  • The unvalidated form redirect vulnerability was reported by Károly Négyesi of the Drupal Security Team and Katsuhiko Nakanishi.
  • The access bypass in forum listing vulnerability was reported by Glen W.
  • The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
  • The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.
Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CORE-2012-002 - Drupal core multiple vulnerabilities

Drupal Security Advisories - 2. Mai 2012 - 17:17
  • Advisory ID: DRUPAL-SA-CORE-2012-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-May-2
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect
Description Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.

Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.

Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission.

Versions affected
  • Drupal core 7.x versions prior to 7.13.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
  • The unvalidated form redirect vulnerability was reported by Károly Négyesi of the Drupal Security Team and Katsuhiko Nakanishi.
  • The access bypass in forum listing vulnerability was reported by Glen W.
  • The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
  • The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.
Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported

Drupal Security Advisories for Contributed Projects - 2. Mai 2012 - 16:34
Description

CVE: CVE-2012-2309

This module generates internal node to node, node to taxonomy or node to external URL links (crosslinks) automatically - ideal for SEO of your site's pages and partner pages.
This module does not protect against an Cross Site Scripting (XSS) attack. The vulnerability is mitigated by the fact that the attacker must be able to create or edit any of: content (nodes), vocabularies, or terms.

Versions affected
  • 6.x-2.5 and before

Drupal core is not affected. If you do not use the contributed Glossify Internal Links Auto SEO module, there is nothing you need to do.

Solution

Uninstall the module, it is no longer supported.

Also see the Glossify Internal Links Auto SEO project page.

Reported by
  • Andrei Turcanu
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported

Drupal Security Advisories for Contributed Projects - 2. Mai 2012 - 16:33
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-070
  • Project: Taxonomy Grid : Catalog (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: CVE-2012-2308

This module provides a page where you can see each content types you've selected under terms from vocabularies you've selected.
This module does not properly filter user supplied text resulting in a Cross Site scripting bug. This vulnerability is mitigated by the fact that an attacker would need the ability to create or edit a vocabulary or term.

Versions affected
  • 6.x-1.6 and before

Drupal core is not affected. If you do not use the contributed Taxonomy Grid : Catalog module, there is nothing you need to do.

Solution

Uninstall the module

Also see the Taxonomy Grid : Catalog project page.

Reported by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported

Drupal Security Advisories for Contributed Projects - 2. Mai 2012 - 16:31
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-069
  • Project: Addressbook (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection
Description

This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request Forgery.

For the SQL Injection issue -
CVE: CVE-2012-2306
For the CSRF issue -
CVE: CVE-2012-2307

Versions affected
  • 6.x-4.2 and before

Drupal core is not affected. If you do not use the contributed Addressbook module, there is nothing you need to do.

Solution

This module is not supported. Uninstall the module.

Also see the Addressbook project page.

Reported by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Security Advisories for Contributed Projects - 2. Mai 2012 - 16:09
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-068
  • Project: Node Gallery (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

CVE: CVE-2012-2305

Node gallery enable users to create a more flexible and powerful gallery that are fully integrated with Drupal's core node system.
This module does not protect a CSRF attack when creating node galleries.

Versions affected
  • 6.x-3.1 and before

Drupal core is not affected. If you do not use the contributed Node Gallery module, there is nothing you need to do.

Solution

Uninstall the module, this module is no longer supported.

Also see the Node Gallery project page.

Reported by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-067 - Linkit - Access bypass

Drupal Security Advisories for Contributed Projects - 25. April 2012 - 21:29
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-067
  • Project: Linkit (third-party module)
  • Version: 7.x
  • Date: 2012-April-25
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

CVE: CVE-2012-2304

Linkitprovides an easy interface for internal and external linking. Linkit links to nodes, users, managed files, terms and have basic support for all entities by default, using an autocomplete field.

When searching for entities, no access restrictions were added and users may see information about content that they do not normally have access to see. This issue only affects sites using an entity access module to limit access to content for some users.

Versions affected
  • Linkit 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Linkit module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Linkit module for Drupal 7.x, upgrade to Linkit 7.x-2.3

Also see the Linkit project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass

Drupal Security Advisories for Contributed Projects - 25. April 2012 - 21:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-066
  • Project: Spaces (third-party module)
  • Version: 6.x
  • Date: 2012-April-25
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

CVE: CVE-2012-2303

Spaces is an API module intended to make configuration options generally avaliable only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site.

The spaces and spaces_og modules (part of the spaces package) in some cases do not apply the expected spaces access permission to pages that are non-objects (e.g. /node)

This vulnerability is mitigated by the fact that node_access and user profile permissions will prevent node or user data from being exposed, but other information (e.g. block data,etc) is still displayed. This issue only affects sites using spaces to limit access to content for some users.

Versions affected
  • Spaces 6.x-3.x versions prior to 6.x-3.4.

Drupal core is not affected. If you do not use the contributed Spaces module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.4

Also see the Spaces project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security

SA-CONTRIB-2012-065 - Sitedoc - Information disclosure

Drupal Security Advisories for Contributed Projects - 25. April 2012 - 21:14
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-065
  • Project: Site Documentation (third-party module)
  • Version: 6.x
  • Date: 2012-April-25
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

This module enables you to display a plethora of information about your site's structure. Optionally, the information may be saved into a file for later comparison.

The module doesn't sufficiently verify that the saved file is protected by the Private File System.

This vulnerability is mitigated by the fact that the administrator must have configured the module to save the HTML report file to disk.

Versions affected
  • Sitedoc 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Site Documentation module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Sitedoc module for Drupal 6.x, upgrade to Sitedoc 6.x-1.4, and
  • Enable the private file system if you want to save the output file.

Also see the Site Documentation project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategorien: Drupal Security
kurzzughalt