* Advisory ID: DRUPAL-SA-CORE-2011-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2011-May-25
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Reflected cross site scripting vulnerability in error handler
A reflected cross site scripting vulnerability was discovered in Drupal's
error handler. Drupal displays PHP errors in the messages area, and a
specially crafted URL can cause malicious scripts to be injected into the
message. The issue can be mitigated by disabling on-screen error display at
admin/settings/error-reporting. This is the recommended setting for
production sites.
This issue affects Drupal 6.x only.
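As an added example (not part of the advisory), the Drupal 6 setting behind the admin/settings/error-reporting page can be pinned in settings.php so on-screen error display stays off whatever is later chosen in the UI; the variable name and its values are Drupal 6's own, the weak and the recommended value shown side by side:

```php
<?php
// sites/default/settings.php (Drupal 6). Added example, not advisory text.
// Drupal 6 stores the "Error reporting" choice in the 'error_level' variable:
//   1 = write errors to the log and to the screen (the install default, and
//       the setting under which the reflected XSS above is reachable)
//   0 = write errors to the log only (the recommended production setting)
// A $conf override in settings.php takes precedence over the value saved
// from admin/settings/error-reporting, so the UI cannot quietly turn the
// on-screen display back on.
// $conf['error_level'] = 1;   // weak: errors rendered in the messages area
$conf['error_level'] = 0;      // corrected: errors go to the watchdog log only
```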
.... Cross site scripting vulnerability in Color module
When using re-colorable themes, color inputs are not sanitized. Malicious
color values can be used to insert arbitrary CSS and script code. Successful
exploitation requires the "Administer themes" permission.
This issue affects Drupal 6.x and 7.x.
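The defensive rule the fix relies on is simple: a colour that reaches a generated stylesheet must be a plain hex literal and nothing else. The following is an added example, not Color module code; the function names `example_color_valid_hex` and `example_color_invalid_fields` and the sample palette are constructed for illustration:

```php
<?php
// Added example: strict validation of theme colour inputs before they are
// written into CSS. Only "#rgb" or "#rrggbb" passes; the D modifier makes
// "$" match only at the very end, so a trailing newline is rejected too.

/**
 * Returns TRUE when $value is a well-formed CSS hex colour (#abc or #aabbcc).
 */
function example_color_valid_hex($value) {
  return is_string($value) && (bool) preg_match('/^#([a-f0-9]{3}){1,2}$/iD', $value);
}

/**
 * Checks a submitted palette (field name => value) and returns the names of
 * every field that is not a plain hex colour. An empty result means the
 * palette may be handed to the stylesheet generator; anything else should
 * be reported with form_set_error() and the submission discarded.
 */
function example_color_invalid_fields(array $palette) {
  $bad = array();
  foreach ($palette as $name => $value) {
    if (!example_color_valid_hex($value)) {
      $bad[] = $name;
    }
  }
  return $bad;
}

// Constructed sample submission: three well-formed colours and two values
// that carry characters a CSS context must never receive unvalidated.
$palette = array(
  'base'   => '#0072b9',
  'link'   => '#027ac6',
  'top'    => '#FFF',
  'bottom' => '#027ac6;}',     // trailing characters: rejected
  'text'   => 'rgb(0, 0, 0)',  // not a hex literal: rejected
);
$invalid = example_color_invalid_fields($palette);
print empty($invalid) ? "palette ok\n" : 'rejected: ' . implode(', ', $invalid) . "\n";
```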
.... Access bypass in File module
When using private files in combination with a node access module, the File
module allows unrestricted access to private files.
This issue affects Drupal 7.x only.
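To make the access-control gap concrete, here is an added example (not Drupal core's own fix, which is what the upgrade installs) of a Drupal 7 hook_file_download() implementation in a hypothetical module named `example_private` that refuses a private file unless the current user may view every node the File module records as using it. It assumes the core file_usage records exist for the file; the helper names are constructed.

```php
<?php
// Added example for a hypothetical module "example_private" (Drupal 7).
// Ties private-file downloads to node access on every referencing node.

/**
 * Implements hook_file_download().
 *
 * Returning -1 denies the download; returning an array of headers grants it;
 * returning NULL leaves the decision to other modules. Files attached to a
 * node whose access the user lacks are denied outright here, so no other
 * module's grant can reopen them.
 */
function example_private_file_download($uri) {
  // Look up the managed file record behind this private:// URI.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    return NULL;  // Not a managed file; nothing to decide here.
  }
  $file = reset($files);

  // file_usage_list() returns usage keyed module => entity type => id => count.
  $usage = file_usage_list($file);
  if (empty($usage['file']['node'])) {
    return NULL;  // Not attached to any node through the File module.
  }

  // A single node the user cannot view is enough to deny: node access
  // modules grant per node, and the file must not leak through another one.
  foreach (node_load_multiple(array_keys($usage['file']['node'])) as $node) {
    if (!node_access('view', $node)) {
      return -1;
    }
  }
  return file_get_content_headers($file);
}
```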
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 7.x before version 7.1.
* Drupal 6.x before version 6.21.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 7.x then upgrade to Drupal 7.1 [3] or 7.2 [4].
* If you are running Drupal 6.x then upgrade to Drupal 6.21 [5] or 6.22 [6].
The Security Team has released both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose either the security-only release, for an immediate fix that may
require less quality assurance and testing, or the release that also carries
other fixes and improvements, by choosing between Drupal 7.1 [7] and Drupal 7.2
[8] or Drupal 6.21 [9] and Drupal 6.22 [10].
See the release announcement [11] for more information.
See also the Drupal core [12] project page.
-------- REPORTED BY
---------------------------------------------------------
* The reflected cross site scripting vulnerability was reported by Heine
Deelstra [13] (*).
* The Color module cross site scripting vulnerability was reported by Kasper
Lindgaard, Secunia Research.
* The File access bypass was reported by Hubert Lecorche, and Peter Bex
[14].
-------- FIXED BY
------------------------------------------------------------
* The reflected cross site scripting vulnerability was fixed by Alan
Smithee.
* The Color module cross site scripting vulnerability was fixed by Stéphane
Corlosquet [15] (*), Heine Deelstra [16] (*), and Peter Wolanin [17] (*).
* The File access bypass was fixed by Heine Deelstra [18] (*).
(*) Member of the Drupal security team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [19].
Learn more about the Drupal Security team and their policies [20], writing
secure code for Drupal [21], and securing your site [22].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1168910
[4] http://drupal.org/node/1168946
[5] http://drupal.org/node/1168908
[6] http://drupal.org/node/1168950
[7] http://drupal.org/node/1168910
[8] http://drupal.org/node/1168946
[9] http://drupal.org/node/1168908
[10] http://drupal.org/node/1168950
[11] http://drupal.org/drupal-7.2
[12] http://drupal.org/project/drupal
[13] http://drupal.org/user/17943
[14] https://drupal.org/user/309898
[15] http://drupal.org/user/52142
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/17943
[19] http://drupal.org/contact
[20] http://drupal.org/security-team
[21] http://drupal.org/writing-secure-code
[22] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2010-021
* Project: Webform [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2010-May-18
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
Webform module enables you to create custom webform or survey nodes. These
nodes are typically created by editorial teams or administrators.
Webform does not sufficiently check directory access when a user configures
an upload field. This may allow a user to upload malicious files to the
server in unsafe locations, but it is mitigated by the fact that a properly
configured site will use directory access control to limit those locations.
Webform also does not properly sanitize some user-submitted information
leading to XSS vulnerabilities.
Most of these vulnerabilities are mitigated by the fact that an attacker must
have a role with the permission "create webform content" or "administer
nodes". The user must be able to create a webform node (or another node type
that has been Webform-enabled) in order to leverage these exploits. One
vulnerability requires only that a malicious user has a role that can submit a
webform that accepts file uploads, which is a more common scenario.
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-2.10
* 6.x-3.9
* 7.x-3.9
Drupal core is not affected. If you do not use the contributed Webform [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the 2.10 or 3.9 versions of the module for Drupal 6.x, upgrade
to Webform 6.x-3.10 [4] (security fix only) or Webform 6.x-3.11 [5]
(security fix and latest fixes/features).
* If you use the 3.9 version of the module for Drupal 7.x, upgrade to
Webform 7.x-3.10 [6] (security fix only) or Webform 7.x-3.11 [7] (security
fix and latest fixes/features).
See also the Webform [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin Klein Keane [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [10] the module maintainer
* Justin Klein Keane [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/webform
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webform
[4] http://drupal.org/node/1161880
[5] http://drupal.org/node/1161904
[6] http://drupal.org/node/1161882
[7] http://drupal.org/node/1161906
[8] http://drupal.org/project/webform
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/35821
[11] http://drupal.org/user/302225
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2010-020
* Project: Taxonomy Access Control Lite [1] (third-party module)
* Version: 6.x
* Date: 2010-MAY-11
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The tac_lite module allows site administrators to hide nodes and taxonomy
terms from users without permission to view them. The permission to view
terms can be granted to a specific user, or all users with a specific role.
The module doesn't sufficiently strip markup when rendering taxonomy names,
leading to a Cross Site Scripting (XSS [3]) vulnerability that may lead to a
malicious user gaining full administrative access.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer taxonomy". Only users with the permission
"administer tac_lite" are vulnerable to the attack.
-------- VERSIONS AFFECTED
---------------------------------------------------
* tac_lite 6.x-1.4 and earlier
Drupal core is not affected. If you do not use the contributed Taxonomy
Access Control Lite [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the tac_lite module for Drupal 6.x, upgrade to tac_lite 6.x-1.5
[5].
See also the Taxonomy Access Control Lite [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* AlexisWilke [7]
-------- FIXED BY
------------------------------------------------------------
* Dave Cohen [8] the module maintainer
* Stéphane Corlosquet [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/tac_lite
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/project/tac_lite
[5] http://drupal.org/node/1154232
[6] http://drupal.org/project/tac_lite
[7] http://drupal.org/user/356197
[8] http://drupal.org/user/18468
[9] http://drupal.org/user/52142
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-019
* Project: Menu Access [1] (third-party module)
* Version: 6.x
* Date: 2011-MAY-04
* Security risk: Moderately critical (definition of risk levels) [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Menu Access module provides global, menu specific, and per menu item
security permissions by role and user account.
The Menu Access module contains a cross site scripting (XSS) [3]
vulnerability that can be exploited when a specially formatted menu
description is viewed. This could result in administrative account compromise
leading to web server process compromise.
This vulnerability is mitigated by the fact that the attacker must have a
role with the 'administer menu' permission which should generally only be
granted to trusted roles.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Menu Access module for Drupal 6.x versions prior to 6.x-1.9 [4]
Drupal core is not affected. If you do not use the contributed Menu Access
[5] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Menu Access module for Drupal 6.x, upgrade to Menu Access
6.x-1.9 [6].
See also the Menu Access [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Kyle Small [8]
-------- FIXED BY
------------------------------------------------------------
* Robert Foley [9] the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the team and their policies [11], writing secure code for
Drupal [12], and secure configuration [13] of your site.
[1] http://www.drupal.org/project/menu_access
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/node/1147032
[5] http://www.drupal.org/project/menu_access
[6] http://drupal.org/node/1147032
[7] http://www.drupal.org/project/menu_access
[8] http://drupal.org/user/832278
[9] http://drupal.org/user/234626
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration