* Advisory ID: DRUPAL-SA-CONTRIB-2011-050
* Project: Organic groups [1] (third-party module)
* Version: 7.x
* Date: 2011-October-26
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Organic groups (OG) enables users to create and manage their own 'groups'.
Each group can have subscribers, and maintains a group home page where
subscribers communicate amongst themselves.
OG provides an API function to check access to an entity that is in a group
"context". When the entity is not in a group context, OG takes a permissive
approach and allows access to the entity. Modules such as Profile2 that use
this function to check access on content that is neither a group nor group
content may therefore end up granting access that should have been denied,
i.e. an access bypass.
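As an added illustration (not code from the Organic groups module), the following standalone PHP models the difference between the permissive check described above and a tri-state check whose caller falls back to its own rule; the membership tables and all function names are constructed for the example.

```php
<?php
// Added illustrative example, not code from the Organic groups module: a
// tri-state group access check beside the permissive one the advisory
// describes, using a constructed in-memory membership table.

// Constructed sample data: entity => group it belongs to, and per-group
// permissions held by each user. "node:20" is deliberately not group content.
$GROUP_OF_ENTITY = array('node:10' => 'group:1');
$GROUP_PERMS = array('group:1' => array('alice' => array('update content')));

// Permissive variant: an entity with no group context is simply allowed.
// A caller that treats this TRUE as a grant bypasses its own access rules.
function og_access_permissive($perm, $entity, $user) {
  global $GROUP_OF_ENTITY, $GROUP_PERMS;
  if (!isset($GROUP_OF_ENTITY[$entity])) {
    return TRUE;
  }
  $gid = $GROUP_OF_ENTITY[$entity];
  return isset($GROUP_PERMS[$gid][$user])
    && in_array($perm, $GROUP_PERMS[$gid][$user], TRUE);
}

// Tri-state variant: NULL means "OG has no opinion", so the caller must fall
// back to its own check instead of reading the result as a grant.
function og_access_tristate($perm, $entity, $user) {
  global $GROUP_OF_ENTITY, $GROUP_PERMS;
  if (!isset($GROUP_OF_ENTITY[$entity])) {
    return NULL;
  }
  $gid = $GROUP_OF_ENTITY[$entity];
  return isset($GROUP_PERMS[$gid][$user])
    && in_array($perm, $GROUP_PERMS[$gid][$user], TRUE);
}

// How an implementing module (a Profile2-like consumer) should combine the
// group check with its own default rule. $default is the module's own
// access decision for content outside any group, e.g. an admin permission.
function consumer_access($perm, $entity, $user, $default) {
  $og = og_access_tristate($perm, $entity, $user);
  return $og === NULL ? $default : $og;
}

// Demonstration on the constructed data: only the last case differs, because
// the permissive check grants access to non-group content outright while the
// consumer falls back to its own (here: deny) rule.
$cases = array(
  array('node:10', 'alice'),  // group content, alice holds the permission
  array('node:10', 'bob'),    // group content, bob holds no group permission
  array('node:20', 'bob'),    // not group content at all
);
foreach ($cases as $c) {
  list($entity, $user) = $c;
  printf("%s/%s permissive=%s consumer=%s\n", $entity, $user,
    var_export(og_access_permissive('update content', $entity, $user), TRUE),
    var_export(consumer_access('update content', $entity, $user, FALSE), TRUE));
}
```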
-------- VERSIONS AFFECTED ---------------------------------------------------
* Organic Groups 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Organic groups
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Organic Groups module for Drupal 7.x, upgrade to Organic
Groups 7.x-1.2 [4].
See also the Organic groups [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Matthias Hutterer (mh86) [6]
-------- FIXED BY ------------------------------------------------------------
* Wolfgang Ziegler (fago) [7]
* Amitai Burstein (Amitaibu) [8], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og
[4] http://drupal.org/node/1322344
[5] http://drupal.org/project/og
[6] http://drupal.org/user/59747
[7] http://drupal.org/user/16747
[8] http://drupal.org/user/57511
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-049
* Project: Cumulus [1] (third-party module)
* Version: 5.x, 6.x
* Date: 2011-October-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS)
-------- DESCRIPTION ---------------------------------------------------------
The Cumulus module allows you to display your site's tags using a 3D Flash
animation.
The module ships with a Flash file (cumulus.swf) that contains a cross site
scripting (XSS) vulnerability that can be exploited when a user is made to
view a specially crafted URL. If the user is logged in to an administrative
account, the script can take actions using their permissions or disclose
sensitive information to a third party.
This vulnerability is mitigated by the fact that the user being attacked must
be logged in to the site with a privileged account and be tricked into
visiting a specially crafted URL.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Cumulus versions prior to 6.x-1.5 [3]
Because the vulnerability is in a Flash file that ships with the module
rather than in the Drupal code itself, any site that has a vulnerable version
of the module in its file system (regardless of whether the module is enabled
or not) is potentially affected. The same is true for any custom modules or
themes on the site into which a copy of the cumulus.swf file may have been
made.
Drupal core is not affected. If you do not have the contributed Cumulus [4]
module in your site's file system, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you have the Cumulus module anywhere on your site's file system,
upgrade to Cumulus 6.x-1.5 [5] (or remove the module if you are no longer
using it).
Note: Drupal 5.x modules are no longer supported, including the Cumulus module
for 5.x. If you use Drupal 5.x you should upgrade now.
See also the Cumulus [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* The vulnerability was publicly disclosed.
-------- FIXED BY ------------------------------------------------------------
* Florian Weber [7], one of the Cumulus module maintainers
-------- COORDINATED BY ------------------------------------------------------
* David Rothstein [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/cumulus
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1304616
[4] http://drupal.org/project/cumulus
[5] http://drupal.org/node/1304616
[6] http://drupal.org/project/cumulus
[7] http://drupal.org/user/254778
[8] http://drupal.org/user/124982
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-048
* Project: Certificate Login [1] (third-party module)
* Version: 5.x, 6.x
* Date: 2011-October-12
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Certificate Login module provides client certificate authentication for
Drupal users. Authentication is based on data fields taken from the client
certificate, which are then used as the user name. The obtained data is not
properly sanitized using Drupal's database API, which may lead to an SQL
injection vulnerability depending on the module settings.
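As an added example (not the Certificate Login module's own code), a Drupal 6 lookup that takes the user name from a client certificate field, with the interpolated query beside the placeholder form. It assumes Drupal 6's db_query()/db_result() and variable_get() API and mod_ssl's SSL_CLIENT_S_DN_CN variable; the setting name certificatelogin_field is a placeholder.

```php
<?php
// Added illustrative example, not the Certificate Login module's own code.
// Assumes the Drupal 6 database API (db_query() with %s placeholders and
// db_result()). The variable name 'certificatelogin_field' is a placeholder
// for whatever setting selects the certificate field used as the user name.

/**
 * Return the uid of the active Drupal user whose name matches the selected
 * client certificate field, or FALSE when there is no such user.
 */
function certificatelogin_lookup_uid() {
  // Which certificate field is treated as the user name is a module setting;
  // SSL_CLIENT_S_DN_CN is the mod_ssl variable holding the subject CN.
  $field = variable_get('certificatelogin_field', 'SSL_CLIENT_S_DN_CN');
  if (empty($_SERVER[$field])) {
    // No client certificate was presented or the field is absent.
    return FALSE;
  }
  $name = $_SERVER[$field];

  // Vulnerable pattern: the certificate field is interpolated straight into
  // SQL. Its contents are set by whoever holds the certificate, not by the
  // site, so any field that can carry a quote is an injection point.
  // $uid = db_result(db_query("SELECT uid FROM {users} WHERE name = '$name'"));

  // Fixed pattern: the value goes through the database API's placeholder, so
  // it is escaped for the active database backend before the query runs.
  $uid = db_result(db_query(
    "SELECT uid FROM {users} WHERE name = '%s' AND status = 1", $name));

  return $uid ? (int) $uid : FALSE;
}
```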
-------- VERSIONS AFFECTED ---------------------------------------------------
* Certificate Login versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Certificate
Login [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Certificate Login module for Drupal 6.x, upgrade to
Certificate Login 6.x-2.3 [4].
Note: Drupal 5.x modules are no longer supported, including the Certificate
Login module for 5.x. If you use Drupal 5.x you should upgrade now.
See also the Certificate Login [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Jyri-Petteri ”ZeiP” Paloposki [6]
-------- FIXED BY ------------------------------------------------------------
* Jyri-Petteri ”ZeiP” Paloposki [7], a module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/certificatelogin
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/certificatelogin
[4] https://drupal.org/node/1306488
[5] http://drupal.org/project/certificatelogin
[6] http://drupal.org/user/201465
[7] http://drupal.org/user/201465
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-047
* Project: OG Features [1] (third-party module)
* Version: 6.x
* Date: 2011-October-05
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
OG Features provides a mechanism for groups to enable or disable certain
bundles of functionality, or features, within the groups they administer. The
module turns components on and off within a given group by overriding the
access callback of every menu item and checking its own conditions before
passing control to the original access callback.
When local task menu items are declared in hook_menu(), they often omit an
access callback and access arguments, leaving them to be inherited from the
parent path. OG Features did not check for this condition, and thus granted
access to many pages that contained local tasks, regardless of roles or
permissions. As a result, many administration pages were left open to users,
both anonymous and authenticated, giving them control over the site.
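The following standalone PHP is an added example, not OG Features' own code: it resolves the access callback a Drupal 6 local task inherits from its parent path before a feature-gating wrapper consults it, and fails closed when nothing can be resolved. The router array, the user_access() stub and all function names are constructed, and the parent walk approximates core's nearest-parent lookup rather than reproducing it.

```php
<?php
// Added illustrative example, not OG Features' own code. Constructed router
// items as they look inside hook_menu_alter(), i.e. before core fills in
// inherited access callbacks: only the parent page declares a callback and
// the local task relies on inheritance. 'type' is a string stand-in for the
// MENU_LOCAL_TASK constant so the script runs outside Drupal.
$items = array(
  'admin/settings/site-information' => array(
    'page callback' => 'example_site_page',
    'access callback' => 'user_access',
    'access arguments' => array('administer site configuration'),
  ),
  'admin/settings/site-information/advanced' => array(
    'page callback' => 'example_advanced_page',
    'type' => 'MENU_LOCAL_TASK',   // no 'access callback' declared here
  ),
);

// Walk up the path and return the nearest declared access callback with its
// arguments, or NULL when no ancestor declares one (approximates core's
// nearest-parent inheritance at router build time).
function resolve_inherited_access($path, array $items) {
  $parts = explode('/', $path);
  while ($parts) {
    $candidate = implode('/', $parts);
    if (isset($items[$candidate]['access callback'])) {
      return array(
        'callback' => $items[$candidate]['access callback'],
        'arguments' => isset($items[$candidate]['access arguments'])
          ? $items[$candidate]['access arguments'] : array(),
      );
    }
    array_pop($parts);
  }
  return NULL;
}

// Wrapper access callback of the feature-gating kind the advisory describes.
// The flaw was to treat a missing original callback as "allowed"; here an
// unresolved callback denies access, matching core, which assigns an access
// callback of 0 to items that end up without one.
function feature_gate_access($feature_enabled, $original) {
  if (!$feature_enabled || $original === NULL) {
    return FALSE;
  }
  return (bool) call_user_func_array($original['callback'], $original['arguments']);
}

// Constructed stub for core's user_access(): grants one permission to admins.
function user_access($perm) {
  return $perm === 'administer site configuration' && !empty($GLOBALS['is_admin']);
}

// Demonstration: the tab resolves to the parent's user_access() check, so a
// non-admin visitor is denied even though the tab declared no callback.
$tab = 'admin/settings/site-information/advanced';
foreach (array(FALSE, TRUE) as $is_admin) {
  $GLOBALS['is_admin'] = $is_admin;
  $resolved = resolve_inherited_access($tab, $items);
  printf("admin=%d access=%d\n", $is_admin, feature_gate_access(TRUE, $resolved));
}
```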
-------- VERSIONS AFFECTED ---------------------------------------------------
* OG Features 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed OG Features
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the OG Features module for Drupal 6.x, upgrade to OG Features
6.x-1.2 [4].
See also the OG Features [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Imad Nabli [6]
-------- FIXED BY ------------------------------------------------------------
* Mike Stefanello [7], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/og_features
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og_features
[4] http://drupal.org/node/1300644
[5] http://drupal.org/project/og_features
[6] http://drupal.org/user/1489142
[7] http://drupal.org/user/107190
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-043
* Project: petition_node [1] (third-party module)
* Version: 6.x
* Date: 2011-October-05
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Petition node module allows the creation of petition nodes that collect
signatures to show support for a cause.
The module contains a cross site scripting (XSS) vulnerability that can be
exploited when signing a petition.
This vulnerability is mitigated by the fact that it normally requires the
'sign petitions' permission in order to exploit it.
-------- VERSIONS AFFECTED ---------------------------------------------------
* petition_node 6.x-1.x versions prior to 6.x-1.5.
Drupal core is not affected. If you do not use the contributed petition_node
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the petition_node module for Drupal 6.x, upgrade to
petition_node 6.x-1.5 [4].
See also the petition_node [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* galooph [6]
-------- FIXED BY ------------------------------------------------------------
* galooph [7], the module maintainer
* mlhess [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/1075944
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/1075944
[4] http://drupal.org/node/1299412
[5] http://drupal.org/project/1075944
[6] http://drupal.org/user/241220
[7] http://drupal.org/user/241220
[8] http://drupal.org/user/102818
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-045
* Project: Rate [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-October-05
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS [3])
-------- DESCRIPTION ---------------------------------------------------------
The Rate module provides flexible rate widgets. These widgets are refreshed
via AJAX after voting. The AJAX callback does not correctly handle certain
arguments obtained from the URL. By enticing a suitably privileged user to
visit a specially crafted URL, a malicious user is able to insert arbitrary
HTML and script code into the rate widget. Such a cross-site scripting attack
may lead to the malicious user gaining administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* rate 6.x-1.x versions prior to 6.x-1.3 [4].
* rate 7.x-1.x versions prior to 7.x-1.2 [5].
Drupal core is not affected. If you do not use the contributed Rate [6]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Rate module for Drupal 6.x, upgrade to Rate 6.x-1.3 [7].
* If you use the Rate module for Drupal 7.x, upgrade to Rate 7.x-1.2 [8].
See also the Rate [9] project page.
-------- REPORTED BY ---------------------------------------------------------
* Zakaria Rachid
-------- FIXED BY ------------------------------------------------------------
* Maurits Lawende [10], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/rate
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/node/1299652
[5] http://drupal.org/node/1299654
[6] http://drupal.org/project/rate
[7] http://drupal.org/node/1299652
[8] http://drupal.org/node/1299654
[9] http://drupal.org/project/rate
[10] http://drupal.org/user/243897
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-044
* Project: Homebox [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-October-05
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS [3])
-------- DESCRIPTION ---------------------------------------------------------
Homebox allows site administrators to create dashboards for their users,
using blocks as widgets. Blocks on a Homebox page are resizable and can be
reordered by dragging.
Homebox OG is a submodule of Homebox that allows Organic Groups
administrators to specify a Homebox to be used as the group home page for any
Organic Group. Homebox OG does not sufficiently filter user-supplied text,
which results in a cross site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user
account with a role permitted to create or edit an Organic Groups node.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Homebox 6.x-2.x versions.
* Homebox 6.x-3.x versions prior to 6.x-3.0-beta3.
* Homebox 7.x-2.x versions prior to 7.x-2.0-beta4.
Drupal core is not affected. If you do not use the contributed Homebox [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Homebox module for Drupal 6.x, upgrade to Homebox
6.x-3.0-beta5 [5]. Note that the 6.x-2.x branch is no longer supported;
users of 6.x-2.x should upgrade to 6.x-3.x.
* If you use the Homebox module for Drupal 7.x, upgrade to Homebox
7.x-2.0-beta6 [6].
If you do not use the contributed homebox_og module you do not need to
upgrade.
See also the Homebox [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Brian Vuyk [9], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/homebox
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/project/homebox
[5] http://drupal.org/node/1300578
[6] http://drupal.org/node/1300428
[7] http://drupal.org/project/homebox
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/46854
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-046
* Project: Echo [1] (third-party module)
* Version: 6.x, 7.x, 8.x
* Date: 2011-October-05
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Echo module generates a fully-themed Drupal page, returning the rendered
page as a text string and allowing other modules to style an HTML message as
if it had been generated by the live website.
The module does not properly sanitize user-supplied content, resulting in a
Cross-Site Scripting (XSS [3]) vulnerability. Additionally, the module allows
arbitrary content passed via the URL to be embedded on the site, rendering
the site vulnerable to phishing [4] exploits.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Echo 6.x-1.x versions prior to 6.x-1.7 [5].
* Echo 7.x-1.x versions prior to 7.x-1.7 [6].
* Echo 8.x-1.x versions prior to 8.x-1.7 [7].
Drupal core is not affected. If you do not use the contributed Echo [8]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Echo module for Drupal 6.x, upgrade to Echo 6.x-1.7 [9].
* If you use the Echo module for Drupal 7.x, upgrade to Echo 7.x-1.7 [10].
* If you use the Echo module for Drupal 8.x, upgrade to Echo 8.x-1.7 [11].
See also the Echo [12] project page.
-------- REPORTED BY ---------------------------------------------------------
* Francesco Placella (plach [13])
-------- FIXED BY ------------------------------------------------------------
* Bob Vincent (pillarsdotnet [14]), the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* mr.baileys [15] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [16].
Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].
[1] http://drupal.org/project/echo
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://en.wikipedia.org/wiki/Phishing
[5] http://drupal.org/node/1274528
[6] http://drupal.org/node/1274530
[7] http://drupal.org/node/1274532
[8] http://drupal.org/project/echo
[9] http://drupal.org/node/1274528
[10] http://drupal.org/node/1274530
[11] http://drupal.org/node/1274532
[12] http://drupal.org/project/echo
[13] http://drupal.org/user/183211
[14] http://drupal.org/user/36148
[15] http://drupal.org/user/383424
[16] http://drupal.org/contact
[17] http://drupal.org/security-team
[18] http://drupal.org/writing-secure-code
[19] http://drupal.org/security/secure-configuration