* Advisory ID: DRUPAL-SA-CORE-2011-003
* Project: Drupal core [1]
* Version: 7.x
* Date: 2011-July-27
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
.... Access bypass in private file fields on comments.
Drupal 7 contains two new features: the ability to attach File upload fields
to any entity type in the system and the ability to point individual File
upload fields to the private file directory.
If a Drupal site is using these features on comments, and the parent node is
denied access (either by a node access module or by being unpublished), the
file attached to the comment can still be downloaded by non-privileged users
if they know or guess its direct URL.
This issue affects Drupal 7.x only.
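The following is an added example (not Drupal core's 7.5 fix) of the parent-node check a site could enforce for comment file downloads in a hypothetical "mysite_fileaccess" module; it assumes Drupal 7's hook_file_download(), file_usage_list(), comment_load() and node_access() APIs and nothing else.

```php
<?php
/**
 * Implements hook_file_download().
 *
 * Drupal 7 serves a private file only when a hook_file_download()
 * implementation grants access, and any implementation returning -1 denies
 * the download. This hypothetical hook looks up which comments use the
 * requested file and refuses it when the current user cannot view the
 * comment's parent node (unpublished, or hidden by a node access module).
 */
function mysite_fileaccess_file_download($uri) {
  // Only private-scheme files reach this hook; load the managed file record.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (!$files) {
    return NULL;
  }
  $file = reset($files);

  // file_usage_list() returns array(module => array(type => array(id => n))).
  // File fields register usage under module 'file', keyed by entity type.
  $usage = file_usage_list($file);
  if (empty($usage['file']['comment'])) {
    // Not attached to a comment through a file field: nothing to add here.
    return NULL;
  }

  foreach (array_keys($usage['file']['comment']) as $cid) {
    $comment = comment_load($cid);
    if (!$comment) {
      continue;
    }
    $node = node_load($comment->nid);
    // node_access() honours both the published flag and node access modules.
    // If the file is shared by several comments, one hidden parent is enough
    // to deny (the conservative choice).
    if (!$node || !node_access('view', $node)) {
      return -1;
    }
  }

  // Every parent node is viewable; leave the grant decision to file.module.
  return NULL;
}
```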
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 7.x before version 7.5.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 7.x then upgrade to Drupal 7.5 or 7.6.
The Security Team has released both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose to either only include the security update for an immediate
fix (which might require less quality assurance and testing) or more fixes
and improvements alongside the security fixes by choosing between Drupal 7.5
and Drupal 7.6. Read the announcement [3] for more information.
See also the Drupal core [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* The File access bypass was reported by Florian Weber [5].
-------- FIXED BY
------------------------------------------------------------
* The File access bypass was fixed by Stéphane Corlosquet [6] and Károly
Négyesi [7], both members of the Drupal security team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/drupal-7.6
[4] http://drupal.org/project/drupal
[5] http://drupal.org/user/254778
[6] http://drupal.org/user/52142
[7] http://drupal.org/user/9446
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: SA-CONTRIB-2011-31
* Project: SunMailer Newsletter [1] (third-party module)
* Version: 6.x
* Date: 2011-July-20
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
SunMailer Newsletter creates an email newsletter that users can subscribe to.
The module includes a page where authenticated users can view and/or edit
their newsletter subscription. Access to this page was accidentally granted
to anonymous users, creating an access bypass that disclosed every user's
newsletter subscription to anonymous users and also allowed anonymous users
to tamper with those subscriptions.
This vulnerability is mitigated by the fact that it does not disclose the
email address of the subscriber. The exploit is also accessible only by
directly accessing the URL leading to the user's subscription page; no link
to the vulnerable page is shown in the user interface.
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-1.6 or prior versions
Drupal core is not affected. If you do not use the contributed SunMailer
Newsletter [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the SunMailer Newsletter module for Drupal 6.x, upgrade to
version 6.x-1.7 [4]
See also the SunMailer Newsletter [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Mike Wacker [6] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Mike Wacker [7] the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/sunmailer
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/sunmailer
[4] http://drupal.org/node/1199658
[5] http://drupal.org/project/sunmailer
[6] http://drupal.org/user/79520
[7] http://drupal.org/user/79520
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: SA-CONTRIB-2011-030
* Project: Devel [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-July-20
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The devel module is designed as a tool to accelerate Drupal software
development. One of its features enables a highly permissioned developer to
quickly switch to another user's account, without providing credentials.
The module is vulnerable to Cross Site Request Forgeries (CSRF) via the links
and form in the Switch User block.
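As an added example of the defence a state-changing link needs (not Devel's own code), a hypothetical "mysite_switch" module below binds each switch link to the current session with drupal_get_token() and rejects requests whose token does not validate; it assumes Drupal 7 and reuses the core "administer users" permission.

```php
<?php
/**
 * A plain GET link that changes server state can be triggered from any page
 * an attacker controls (CSRF). drupal_get_token() ties a token to the current
 * session and a caller-chosen value, and drupal_valid_token() rejects
 * anything else, so a forged link fails. Form API forms already carry such a
 * token automatically; bare links do not, so they need one explicitly.
 */

/**
 * Implements hook_menu().
 */
function mysite_switch_menu() {
  $items['mysite/switch/%user'] = array(
    'page callback' => 'mysite_switch_user',
    'page arguments' => array(2),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds a switch link carrying a token bound to the target uid and session.
 */
function mysite_switch_link($account) {
  $path = 'mysite/switch/' . $account->uid;
  return l($account->name, $path, array(
    'query' => array('token' => drupal_get_token($path)),
  ));
}

/**
 * Page callback: switches only when the token matches this session.
 */
function mysite_switch_user($account) {
  global $user;
  $path = 'mysite/switch/' . $account->uid;
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    // Missing or forged token (for example a link planted on another site).
    return MENU_ACCESS_DENIED;
  }
  $user = $account;
  // user_login_finalize() regenerates the session id and fires hook_user_login().
  user_login_finalize();
  drupal_goto('<front>');
}
```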
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-1.24 and prior
* 7.x-1.0 and prior
Note: prior versions are no longer maintained by the security team.
Drupal core is not affected. If you do not use the contributed Devel [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Devel module for Drupal 7.x upgrade to Devel 7.x-1.1 [4]
* If you use the Devel module for Drupal 6.x upgrade to Devel 6.x-1.25 [5]
See also the Devel [7] project page.
-------- REPORTED BY
---------------------------------------------------------
The vulnerability was reported independently by:
* Dylan Wilder-Tack (grendzy) [8] of the Drupal Security Team
* Andrew Berry (deviantintegral) [9]
-------- FIXED BY
------------------------------------------------------------
* Hans Salvisberg (salvis [10]) the module co-maintainer.
* Moshe Weitzman [11] module maintainer and member of the Drupal Security
Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/devel
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/devel
[4] http://drupal.org/node/1224846
[5] http://drupal.org/node/1224842
[6] http://drupal.org/project/devel
[7] http://drupal.org/project/devel
[8] http://drupal.org/user/96647
[9] http://drupal.org/user/71291
[10] http://drupal.org/user/82964
[11] http://drupal.org/user/23
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-029
* Project: Taxonomy Filter [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-July-20
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Taxonomy Filter module enables users to filter taxonomy listings to find
content tagged by multiple terms.
Older versions of the module were susceptible to a Cross Site Scripting (XSS)
attack by way of vocabulary names. The vulnerability was mitigated by the
fact that an attacker must have a role with the "administer taxonomy"
permission. The 6.x-1.6 release of Taxonomy Filter also corrects an XSS issue
in Taxonomy Filter menu names that requires the "administer site
configuration" permission. Vulnerabilities that require the "administer site
configuration" permission to exploit [3] do not necessitate Security
Advisories, however no Advisory had been issued for previous insecure
releases.
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-1.3 and earlier
* 7.x-1.x-dev
Drupal core is not affected. If you do not use the contributed Taxonomy
Filter [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Taxonomy Filter module for Drupal 6.x upgrade to 6.x-1.6
[5]
* If you use the Taxonomy Filter module for Drupal 7.x upgrade to the latest
7.x-1.x-dev [6] release
See also the Taxonomy Filter [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sam Oldak
-------- FIXED BY
------------------------------------------------------------
* Jim Berry [8] the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/taxonomy_filter
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/security-advisory-policy
[4] http://drupal.org/project/taxonomy_filter
[5] http://drupal.org/node/1223666
[6] http://drupal.org/node/96252
[7] http://drupal.org/project/taxonomy_filter
[8] http://drupal.org/user/240748
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-028
* Project: Simple Clean [1] (third-party module)
* Version: 7.x
* Date: 2011-July-06
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Simple Clean is a simple and stripped clean theme for Drupal.
The theme contains a cross site scripting (XSS) vulnerability that can be
exploited when posting comments.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "post comments".
-------- VERSIONS AFFECTED
---------------------------------------------------
* 7.x-1.2 and prior
Drupal core is not affected. If you do not use the contributed Simple Clean
[3] theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Simple Clean theme for Drupal 7.x upgrade to Simple Clean
7.x-1.3 [4]
See also the Simple Clean [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ben Jeavons [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Mattias Axelsson [7] the project maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/simpleclean
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/simpleclean
[4] http://drupal.org/node/1210954
[5] http://drupal.org/project/simpleclean
[6] http://drupal.org/user/91990
[7] http://drupal.org/user/765764
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-027
* Project: Facebook Share [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-July-06
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables Drupal site administrators to add a Facebook Share button
to selected content type nodes.
The module doesn't sufficiently check the override text or button size input
fields on the module configuration form to prevent against an XSS exploit.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer facebookshare".
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 6.x-1.1 and prior
* Drupal 7.x-1.2 and prior
Drupal core is not affected. If you do not use the contributed Facebook Share
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the 6.x-1.1 or 6.x-1.0 module for Drupal 6.x upgrade to
Facebook Share 6.x-1.2 [4]
* If you use the 7.x-1.2 or prior module for Drupal 7.x upgrade to Facebook
Share 7.x-1.3 [5]
See also the Facebook Share [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Bèr Kessels [7]
-------- FIXED BY
------------------------------------------------------------
* John Oltman [8] the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/facebookshare
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/facebookshare
[4] http://drupal.org/node/1210220
[5] http://drupal.org/node/1210190
[6] http://drupal.org/project/facebookshare
[7] http://drupal.org/user/2663
[8] http://drupal.org/user/699926
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration