Security-news April 2011

security-news@drupal.org

1 participants
3 discussions

SA-CONTRIB-2011-018 - Node Reference URL Widget - Cross Site Scripting
by security-news＠drupal.org 27 Apr '11

27 Apr '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-018 * Project: Node Reference URL Widget [1] (third-party module) * Version: 6.x, 7.x * Date: 2011-April-27 * Security risk: Moderately critical (definition of risk levels) [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Node Reference URL Widget module adds a new widget to the Node Reference field type, allowing node reference fields to be auto-populated based on a value from the URL. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [3]) vulnerability that may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Node Reference URL Widget module for Drupal 6 prior to 6.x-1.10. * Node Reference URL Widget module for Drupal 7 prior to 7.x-1.10. Drupal core is not affected. If you do not use the contributed Node Reference URL Widget [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Node Reference URL Widget module for Drupal 6.x upgrade to Node Reference URL Widget 6.x-1.10 [5]. * If you use the Node Reference URL Widget module for Drupal 7.x upgrade to Node Reference URL Widget 7.x-1.10 [6]. See also the Node Reference URL Widget [7] project page. -------- REPORTED BY --------------------------------------------------------- * Ralf Stamm [8] -------- FIXED BY ------------------------------------------------------------ * Nathan Haug (quicksketch [9]), the module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the team and their policies [11], writing secure code for Drupal [12], and secure configuration [13] of your site. [1] http://www.drupal.org/project/nodereference_url [2] http://drupal.org/security-team/risk-levels [3] http://en.wikipedia.org/wiki/Cross-site_scripting [4] http://drupal.org/project/nodereference_url [5] http://drupal.org/node/1140310 [6] http://drupal.org/node/1140312 [7] http://drupal.org/project/nodereference_url [8] http://drupal.org/user/43568 [9] http://drupal.org/user/35821 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-017 - Save Draft - Validation Bypass
by security-news＠drupal.org 27 Apr '11

27 Apr '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-017 * Project: Save Draft [1] (third-party module) * Version: 6.x, 7.x * Date: 2011-April-27 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Validation bypass -------- DESCRIPTION --------------------------------------------------------- The Save Draft module adds a "Save as draft" button to the node form, letting content creators easily save a post in unpublished draft form. The module adds validation to individual form actions, thereby bypassing any form-wide validation that is normally performed before saving content. This is a security vulnerability for sites where other modules are using node validation for security purposes. -------- VERSIONS AFFECTED --------------------------------------------------- * Save Draft module for Drupal 6.x versions prior to 6.x-1.8 * Save Draft module for Drupal 7.x versions prior to 7.x-1.4 Drupal core is not affected. If you do not use the contributed Save Draft [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Save Draft module for Drupal 6.x, upgrade to Save Draft 6.x-1.8 [4]. (Note that the 6.x-2.x branch of the module is not affected. If you use that, you do not need to upgrade.) * If you use the Save Draft module for Drupal 7.x, upgrade to Save Draft 7.x-1.4 [5]. See also the Save Draft project page [6]. -------- REPORTED BY --------------------------------------------------------- * David Rothstein [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * David Rothstein [8] of the Drupal Security Team * Katherine Senzee (ksenzee [9]), module co-maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the team and their policies [11], writing secure code for Drupal [12], and secure configuration [13] of your site. [1] http://drupal.org/project/save_draft [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/save_draft [4] http://drupal.org/node/1139378 [5] http://drupal.org/node/1139380 [6] http://drupal.org/project/save_draft [7] http://drupal.org/user/124982 [8] http://drupal.org/user/124982 [9] http://drupal.org/user/139855 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-016 - Node Quick Find - Information Disclosure
by security-news＠drupal.org 06 Apr '11

06 Apr '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-016 * Project: Node Quick Find [1] (third-party module) * Version: 6.x * Date: 2011-APRIL-06 * Security risk: Not critical (definition of risk levels) [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Node Quick Find module provides a block to quickly access nodes by title via an auto-completing text field. The module does not use db_rewrite_sql when generating the list of node titles, allowing users to see the titles of nodes to which they may not have access. Access to the node itself is not compromised. -------- VERSIONS AFFECTED --------------------------------------------------- * 6.x-1.1 Drupal core is not affected. If you do not use the contributed Node Quick Find module, there is nothing you need to do. Drupal core is not affected. If you do not use the contributed Node Quick Find [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Node Quick Find module for Drupal 6.x upgrade to Node Quick Find 6.x-1.2 [4]. See also the Node Quick Find project page. See also the Node Quick Find [5] project page. -------- REPORTED BY --------------------------------------------------------- * Jochen Meyer (derjochenmeyer [6]) -------- FIXED BY ------------------------------------------------------------ * Nicholas Thompson (nicholasThompson [7]) -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://www.drupal.org/project/node_quick_find [2] http://drupal.org/security-team/risk-levels [3] http://www.drupal.org/project/node_quick_find [4] http://drupal.org/node/1080114 [5] http://www.drupal.org/project/node_quick_find [6] http://drupal.org/user/106134 [7] http://drupal.org/user/59351 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news April 2011