* Advisory ID: DRUPAL-SA-CORE-2011-002
* Project: Drupal core [1]
* Version: 7.x
* Date: 2011-JUNE-29
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
.... Access bypass in node listings
Listings showing nodes but not JOINing the node table show all nodes
regardless of restrictions imposed by the node_access system. In core, this
affects the taxonomy and the forum subsystem.
Note that fixing this issue in contributed modules requires a
backwards-compatible API change for modules listing nodes. See
http://drupal.org/node/1204572 [3] for more details.
This issue affects Drupal 7.x only.
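To make the bypass concrete, here is an added example (Python with SQLite, not Drupal code) that models the two kinds of listing query. The {node}, {taxonomy_index} and {node_access} tables, the node rows and the grant rows are constructed and simplified from Drupal 7's real schema; the "fixed" query stands in for what Drupal's node_access query rewriting produces once a node table is present for the grants to be attached to, and the grant lists stand in for what node_access_grants() returns for a user.

```python
"""Model of the node listing access bypass described above (added example,
not Drupal code). Tables, rows and grants are constructed and simplified
from the real Drupal 7 schema."""
import sqlite3


def build_db():
    """Two published nodes tagged with term 7: one public, one restricted
    to users who hold grant id 5 in the 'example_private' realm."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER);
        CREATE TABLE taxonomy_index (nid INTEGER, tid INTEGER);
        CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
    """)
    db.executemany("INSERT INTO node VALUES (?, ?, ?)", [
        (1, "Public announcement", 1),
        (2, "Board minutes (restricted)", 1),
    ])
    db.executemany("INSERT INTO taxonomy_index VALUES (?, ?)", [(1, 7), (2, 7)])
    db.executemany("INSERT INTO node_access VALUES (?, ?, ?, ?)", [
        (1, 0, "all", 1),               # viewable by everyone
        (2, 5, "example_private", 1),   # viewable only with grant 5 in this realm
    ])
    return db


def list_term_nodes_vulnerable(db, tid):
    """Pre-7.3 shape: the listing reads {taxonomy_index} alone. There is no
    node table in the query, so the node_access rewriting has nothing to
    attach the grants to and every nid tagged with the term comes back."""
    rows = db.execute(
        "SELECT nid FROM taxonomy_index WHERE tid = ? ORDER BY nid", (tid,))
    return [nid for (nid,) in rows]


def list_term_nodes_fixed(db, tid, grants):
    """JOIN {node} and keep only nodes with at least one grant_view row
    matching one of the user's (realm, gid) grants."""
    if not grants:
        return []
    grant_clause = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in grants)
    sql = f"""
        SELECT n.nid
        FROM taxonomy_index t
        JOIN node n ON n.nid = t.nid
        WHERE t.tid = ? AND n.status = 1
          AND EXISTS (SELECT 1 FROM node_access na
                      WHERE na.nid = n.nid AND na.grant_view = 1
                        AND ({grant_clause}))
        ORDER BY n.nid
    """
    params = [tid]
    for realm, gid in grants:
        params += [realm, gid]
    return [nid for (nid,) in db.execute(sql, params)]


# Constructed grant sets for two kinds of user.
ANONYMOUS_GRANTS = [("all", 0)]
BOARD_MEMBER_GRANTS = [("all", 0), ("example_private", 5)]

if __name__ == "__main__":
    db = build_db()
    print("vulnerable listing, any user:", list_term_nodes_vulnerable(db, 7))
    print("fixed listing, anonymous:   ", list_term_nodes_fixed(db, 7, ANONYMOUS_GRANTS))
    print("fixed listing, board member:", list_term_nodes_fixed(db, 7, BOARD_MEMBER_GRANTS))
```

Run as a script it prints the restricted node for every user from the vulnerable query, and only for the board member from the fixed one. The check to run on a real site is the same: browse the taxonomy and forum listings as a low-privilege test user and compare against what that user can open directly.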
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 7.0, 7.1 and 7.2.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 7.x then upgrade to Drupal 7.3 or 7.4.
The Security Team has released both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose to either only include the security update for an immediate
fix (which might require less quality assurance and testing) or more fixes
and improvements alongside the security fixes by choosing between Drupal 7.3
and Drupal 7.4. Read the announcement [4] for more information.
See also the Drupal core [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* The access bypass was reported independently by numerous people, including
Sascha Grossenbacher [6], Khaled Alhourani [7], and Ben Ford [8].
-------- FIXED BY
------------------------------------------------------------
* The access bypass was fixed by Károly Négyesi [9], member of the Drupal
security team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1204572
[4] http://drupal.org/drupal-7.4
[5] http://drupal.org/project/drupal
[6] http://drupal.org/user/214652
[7] http://drupal.org/user/265439
[8] http://drupal.org/user/12534
[9] http://drupal.org/user/9446
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-026
* Project: Secure Password Hashes (phpass) [1] (third-party module)
* Version: 5.x, 6.x
* Date: 2011-June-29
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
This module uses the PHPass hashing library to store users' hashed passwords
securely.
The module writes a fixed string to the 'pass' column of the {users} database
table but does not replace the pass attribute of the account object that is
used to build password reset links. This leads to a vulnerability where
password reset links can be determined by a brute-force attack, within a
matter of minutes in the worst case. In addition, the password reset link is
not invalidated if a logged-in user changes her password.
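The following added example (Python, not the module's code) models both problems. The hash construction is Drupal 6's user_pass_rehash(), md5(timestamp . login . pass), and the validity rules follow user_pass_reset(); the placeholder string, the accounts, the timestamps and the hardened hash value are constructed for the example. The attacker's `check` callable stands for one HTTP request to a candidate reset URL.

```python
"""Model of the reset link weakness described above (added example, not the
phpass module's code). Accounts, timestamps and the placeholder are constructed."""
import hashlib

RESET_TIMEOUT = 86400  # seconds a reset link stays usable, as in Drupal 6

# Stands in for the constant the module wrote to {users}.pass. It is readable
# in the module source, so it adds no secrecy to the link.
FIXED_PASS_FIELD = "phpass-placeholder"


def user_pass_rehash(pass_field, timestamp, login):
    """Drupal 6 construction: md5(timestamp . login . pass)."""
    return hashlib.md5(f"{timestamp}{login}{pass_field}".encode()).hexdigest()


def build_reset_link(account, now):
    """What the site mails out: user/reset/<uid>/<timestamp>/<hash>."""
    h = user_pass_rehash(account["pass"], now, account["login"])
    return f"/user/reset/{account['uid']}/{now}/{h}"


def reset_link_is_valid(path, account, now):
    """Checks of user_pass_reset(): right account, not expired, timestamp
    between the last login and now, hash matches the stored pass field."""
    _, _, _, uid, ts, h = path.split("/")
    ts = int(ts)
    if int(uid) != account["uid"] or now - ts > RESET_TIMEOUT:
        return False
    return (account["login"] < ts < now
            and h == user_pass_rehash(account["pass"], ts, account["login"]))


def forge_reset_link(uid, pass_guess, login_lo, login_hi, now, check):
    """Attacker side. With {users}.pass fixed the only unknown in the hash is
    the victim's last-login time. Pick our own timestamp just before now and
    try each candidate login in the window; `check` stands for one HTTP
    request to the candidate URL. Returns (attempts, path) or None."""
    ts = now - 1
    for attempts, login in enumerate(range(login_lo, login_hi + 1), start=1):
        path = f"/user/reset/{uid}/{ts}/{user_pass_rehash(pass_guess, ts, login)}"
        if check(path):
            return attempts, path
    return None


def change_password_vulnerable(account, new_hash):
    """The module keeps the real PHPass hash elsewhere and leaves {users}.pass
    as the fixed string, so links issued before the change keep verifying."""
    account["phpass_hash"] = new_hash


def change_password_fixed(account, new_hash):
    """Store the per-user hash in the field the reset code actually checks."""
    account["pass"] = new_hash


def demo():
    now = 1309305600  # 2011-06-29 00:00:00 UTC (constructed)
    victim = {"uid": 7, "pass": FIXED_PASS_FIELD, "login": now - 2500}
    check = lambda p: reset_link_is_valid(p, victim, now)

    # 1. Last login known to within an hour: found after ~1100 requests.
    attempts, _ = forge_reset_link(7, FIXED_PASS_FIELD, now - 3600, now, now, check)

    # 2. An account that never logged in has login == 0: one request.
    fresh = {"uid": 8, "pass": FIXED_PASS_FIELD, "login": 0}
    fresh_attempts, _ = forge_reset_link(
        8, FIXED_PASS_FIELD, 0, 0, now, lambda p: reset_link_is_valid(p, fresh, now))

    # 3. Per-user salted hash in pass: the same search finds nothing.
    hardened = {"uid": 9, "pass": "$S$constructed-random-salted-hash", "login": now - 2500}
    miss = forge_reset_link(
        9, FIXED_PASS_FIELD, now - 3600, now, now, lambda p: reset_link_is_valid(p, hardened, now))

    # 4. A link issued before a password change survives only in the vulnerable model.
    old_link = build_reset_link(victim, now - 10)
    change_password_vulnerable(victim, "$P$Bconstructed-new-hash")
    still_valid = reset_link_is_valid(old_link, victim, now)
    change_password_fixed(victim, "$P$Bconstructed-new-hash")
    invalidated = not reset_link_is_valid(old_link, victim, now)
    return attempts, fresh_attempts, miss is None, still_valid, invalidated


if __name__ == "__main__":
    print(demo())
```

The brute force works because every input to the hash except the last-login timestamp is either chosen by the attacker or public, and that timestamp is a small integer range; with a real per-user hash in the pass field the attacker has nothing to enumerate.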
-------- VERSIONS AFFECTED
---------------------------------------------------
* Secure Password Hashes (phpass) for Drupal 6.x before 6.x-1.1
* Secure Password Hashes (phpass) for Drupal 5.x before 5.x-1.5
Drupal core is not affected. If you do not use the contributed Secure
Password Hashes (phpass) [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Secure Password Hashes (phpass) module for Drupal 6.x
upgrade to 6.x-1.1 [4] or later.
See also the Secure Password Hashes (phpass) [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* PWolanin [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* PWolanin [7] of the Drupal Security Team (and new module maintainer)
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/phpass
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/phpass
[4] http://drupal.org/node/1204120
[5] http://drupal.org/project/phpass
[6] http://drupal.org/user/49851
[7] http://drupal.org/user/49851
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-025
* Project: Juitter - jQuery Twitter live search feeds [1] and Download Count
[2] (third-party modules)
* Version: 6.x
* Date: 2011-June-22
* Security risk: Less critical [3]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Two modules are being marked unsupported because of cross site scripting
issues.
The Juitter module enables you to use Juitter, a jQuery plugin, to put live
Twitter search results on your site. The Juitter module contains a cross site
scripting (XSS [4]) vulnerability that can be exploited when setting up the
module or translating the module's text strings. This vulnerability is
mitigated by the fact that an attacker must have a role with the permission
"administer juitter settings" or be able to translate text strings.
The Download Count module tracks downloads of files from a site. The Download
Count module contains a cross site scripting (XSS [5]) vulnerability. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission "administer download count".
-------- VERSIONS AFFECTED
---------------------------------------------------
* Juitter module: 6.x-1.3
* Download Count module: 6.x-1.x, 6.x-2.x
Drupal core is not affected. If you do not use the contributed Juitter -
jQuery Twitter live search feeds [6] or the Download Count [7] module, there
is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Disable the Juitter module and remove the module from your filesystem. There
is no fixed version of the Juitter module available.
Disable the Download Count module and remove the module from your filesystem.
There is no fixed version of the Download Count module available.
See also the Juitter - jQuery Twitter live search feeds [8] project page and
the Download Count [9] project page.
-------- REPORTED BY
---------------------------------------------------------
* Maurits Lawende [10] identified the Juitter issue.
* Justin Klein Keane [11] identified the Download Count issue.
-------- FIXED BY
------------------------------------------------------------
These modules have not been fixed; disable them and remove them from your
file system.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/juitter
[2] http://drupal.org/project/download_count
[3] http://drupal.org/security-team/risk-levels
[4] http://en.wikipedia.org/wiki/Cross-site_scripting
[5] http://en.wikipedia.org/wiki/Cross-site_scripting
[6] http://drupal.org/project/juitter
[7] http://drupal.org/project/download_count
[8] http://drupal.org/project/juitter
[9] http://drupal.org/project/download_count
[10] http://drupal.org/user/243897
[11] http://drupal.org/user/302225
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
* Advisory ID: PSA-2011-002
* Date: 2011-June-15
* Project: External libraries and plugins
-------- DESCRIPTION
---------------------------------------------------------
Just like there's a need to diligently follow announcements and update
contributed modules downloaded from Drupal.org, there's also a need to follow
announcements by vendors of third-party libraries or plugins that are
required by such modules. Drupal's update module has no functionality to
alert you to these announcements. The Drupal security team will not release
announcements about security issues in external libraries and plugins. The
specific issue precipitating this public service announcement is a cross site
scripting vulnerability in (F)CKEditor, a common JavaScript-based WYSIWYG
editor used as a library in the modules CKeditor [1], FCKEditor [2] and
WYSIWYG [3]. Exploit examples are circulating.
-------- VERSIONS AFFECTED
---------------------------------------------------
* CKEditor versions prior to version 3.5.4
* FCKEditor versions prior to version 2.6.4.1
-------- SOLUTION
------------------------------------------------------------
Follow release announcements by the vendors of the external libraries and
plugins you use. In this specific case, remove the _samples directory from
the (f)ckeditor installation or upgrade to a non-vulnerable version. Make
sure to test compatibility between Drupal modules and new library versions
before deploying.
-------- REPORTED BY
---------------------------------------------------------
The Drupal security team was alerted to this issue by Henry Sudhof [4].
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/ckeditor
[2] http://drupal.org/project/fckeditor
[3] http://drupal.org/project/wysiwyg
[4] http://drupal.org/node/874498
* Advisory ID: DRUPAL-SA-CONTRIB-2011-024
* Project: Spam [1] (third-party module)
* Version: 6.x
* Date: 2011-June-08
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Spam module provides numerous tools to auto-detect and deal with spam
content that is posted to your site, without having to rely on third-party
services.
The Spam module provides a trainable Bayesian filter, automatic learning of
spammer URLs, flagging of content with an excessive number of links, the
ability to create custom filters, and more.
The module does not properly protect "mark as spam" links against Cross-site
Request Forgeries (CSRF), allowing a malicious user to trick an authorized
user into marking content as spam. Wikipedia has more information about
cross-site request forgery [3].
-------- VERSIONS AFFECTED
---------------------------------------------------
* Spam module 6.x-1.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Spam [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Spam module for Drupal 6.x, upgrade to 6.x-1.1 [5].
See also the Spam [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Gerhard Killesreiter [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Gerhard Killesreiter [8], a module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/spam
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[4] http://drupal.org/project/spam
[5] http://drupal.org/node/1183114
[6] http://drupal.org/project/spam
[7] http://drupal.org/user/227
[8] http://drupal.org/user/227
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-023
* Project: Prepopulate (third-party module)
* Version: 6.x
* Date: 2011-June-08
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple
-------- DESCRIPTION
---------------------------------------------------------
The Prepopulate module enables pre-populating forms in Drupal using the
$_REQUEST variable.
The module does not adequately validate user input, leading to a cross-site
scripting (XSS) possibility in certain circumstances. Users privileged to use
forms with certain form fields can insert arbitrary HTML and script code into
the rendered form. Such a cross-site scripting attack may lead to the
malicious user gaining administrative access. Wikipedia has more information
about cross-site scripting [1] (XSS).
The module does not properly protect the forms against Cross-site Request
Forgeries (CSRF), allowing a malicious user to trick an authorized user into
submitting unintended values on a form. Wikipedia has more information about
cross-site request forgery [2].
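The CSRF weakness here and the one in the Spam module's "mark as spam" links (DRUPAL-SA-CONTRIB-2011-024 above) are the same pattern: a state-changing request that carries nothing tied to the requesting user's session. The added example below (Python, not either module's code) models a moderation link with and without a session-bound token, and a prepopulated field rendered with and without output escaping. The token is HMAC-SHA256 over the session id and the protected action, in the spirit of Drupal's drupal_get_token() but not its exact construction; the private key, session ids, paths and payload are constructed.

```python
"""Model of the CSRF and XSS patterns described above (added example, not
the Spam or Prepopulate module's code). Key, sessions and payloads are
constructed."""
import hashlib
import hmac
import html
import secrets

# Stands in for Drupal's per-site drupal_private_key variable.
PRIVATE_KEY = secrets.token_bytes(32)


def get_token(session_id, value):
    """Session-bound token over the action being protected."""
    msg = f"{session_id}\x00{value}".encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(token, session_id, value):
    return hmac.compare_digest(token or "", get_token(session_id, value))


# --- "mark as spam" link -------------------------------------------------

def mark_spam_link(nid, session_id):
    """Link rendered for the moderator; the token binds it to her session."""
    return f"/spam/mark/{nid}?token={get_token(session_id, f'spam-mark-{nid}')}"


def handle_mark_spam_vulnerable(path):
    """Pre-fix: any GET to the path marks the node. An <img src=...> on a page
    the moderator views is enough, because her browser attaches the session
    cookie. Returns the nid that was marked."""
    return int(path.rsplit("/", 1)[1])


def handle_mark_spam(path, query, session_id):
    """Fixed: refuse unless the request carries a token for this session and
    this exact action. Returns the marked nid, or None when rejected."""
    nid = int(path.rsplit("/", 1)[1])
    if not valid_token(query.get("token"), session_id, f"spam-mark-{nid}"):
        return None
    return nid


# --- pre-populated form field ---------------------------------------------

def render_field_vulnerable(name, value):
    """Pre-fix shape: a $_REQUEST value dropped into the markup verbatim."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_field(name, value):
    """Escape for the attribute context before rendering (check_plain's job)."""
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    mod = "sess-moderator"
    link = mark_spam_link(42, mod)
    query = dict(p.split("=") for p in link.split("?")[1].split("&"))
    print("legitimate click:", handle_mark_spam("/spam/mark/42", query, mod))
    print("forged, no token:", handle_mark_spam("/spam/mark/42", {}, mod))
    print(render_field("title", '"><script>alert(1)</script>'))
```

A token computed for the attacker's own session, or for a different nid, is rejected as well, which is the property that makes a leaked link useless to anyone but the user it was rendered for.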
-------- VERSIONS AFFECTED
---------------------------------------------------
* Prepopulate module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed Prepopulate
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Prepopulate module for Drupal 6.x, upgrade to Prepopulate
6.x-2.2 [4].
-------- REPORTED BY
---------------------------------------------------------
* XSS by Ezra B. Gildesgame (ezra-g) [5]
* CSRF by David Rothstein (David_Rothstein), of the Drupal security team [6]
-------- FIXED BY
------------------------------------------------------------
* XSS by Ezra B. Gildesgame (ezra-g) [7]
* CSRF by Joshua Brauer (jbrauer), Module maintainer [8]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [9], writing secure code for Drupal [10], and secure configuration
[11] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/project/prepopulate
[4] http://drupal.org/node/1182972
[5] https://drupal.org/user/69959
[6] http://drupal.org/user/124982
[7] https://drupal.org/user/69959
[8] http://drupal.org/user/12363
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-022
* Project: cosign [1] (third-party module)
* Version: 6.x
* Date: 2011-MONTH-XX
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
Under certain conditions the module deletes uid 1 and then does an
unparameterized db_query to insert a new uid 1.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer site configuration" and must be able to
remotely manipulate the web server environment variables REMOTE_USER and
REMOTE_REALM.
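An added example (Python with SQLite, not the cosign module's code) of the delete-then-insert pattern with REMOTE_USER and REMOTE_REALM spliced into the statement text, beside the parameterized form. The table layout, the shape of the INSERT and the header values are constructed; the point is that a single quote in attacker-controlled header text lets the attacker choose the rest of the uid 1 row.

```python
"""Model of the uid 1 re-creation described above (added example, not the
cosign module's code). Schema, statement shape and header values are
constructed."""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'admin@example.edu')")
    db.execute("INSERT INTO users VALUES (2, 'bob', 'bob@example.edu')")
    return db


def recreate_uid1_vulnerable(db, remote_user, remote_realm):
    """Delete uid 1, then insert a new uid 1 with the header values spliced
    into the SQL text. Whoever controls REMOTE_USER controls the statement."""
    db.execute("DELETE FROM users WHERE uid = 1")
    sql = ("INSERT INTO users (uid, name, mail) VALUES (1, '%s', '%s@%s')"
           % (remote_user, remote_user, remote_realm))
    db.execute(sql)
    return db.execute("SELECT uid, name, mail FROM users WHERE uid = 1").fetchone()


def recreate_uid1_fixed(db, remote_user, remote_realm):
    """Same logic with bound parameters: the values never touch the SQL text,
    so quotes and comment markers in them are stored, not executed."""
    db.execute("DELETE FROM users WHERE uid = 1")
    db.execute("INSERT INTO users (uid, name, mail) VALUES (1, ?, ?)",
               (remote_user, f"{remote_user}@{remote_realm}"))
    return db.execute("SELECT uid, name, mail FROM users WHERE uid = 1").fetchone()


# Constructed REMOTE_USER value: closes the name literal, supplies an
# attacker-chosen mail address for the superuser row, and comments out the
# rest of the original statement.
INJECTED_REMOTE_USER = "eve', 'eve@attacker.example') -- "

if __name__ == "__main__":
    print(recreate_uid1_vulnerable(build_db(), INJECTED_REMOTE_USER, "example.edu"))
    print(recreate_uid1_fixed(build_db(), INJECTED_REMOTE_USER, "example.edu"))
```

In the vulnerable path uid 1 ends up with the attacker's mail address, which is enough to request a password reset for the superuser account; in the fixed path the whole injected string is stored as an odd but harmless username.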
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-1.4
* 6.x-1.5
* 6.x-1.6
Drupal core is not affected. If you do not use the contributed cosign [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Cosign module for Drupal 6.x, upgrade to version 6.x-1.7.
See also the cosign [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Steven Merrill [5]
-------- FIXED BY
------------------------------------------------------------
* Kris Steinhoff [6], the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/cosign
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/cosign
[4] http://drupal.org/project/cosign
[5] http://drupal.org/user/218671
[6] http://drupal.org/user/388809/
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration