October 2012 - Security-news - lists.drupal.org

SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords
by security-news＠drupal.org 31 Oct '12

31 Oct '12

View online: https://drupal.org/node/1828340 * Advisory ID: DRUPAL-SA-CONTRIB-2012-159 * Project: Password policy [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-October-31 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- This module provides a way to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a password policy. The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X passwords they have used (X is determined by the site configuration). If this feature is enabled, a malicious user with the capability to view another user's HTTP traffic can discover the hashed version of their password. This issue is more of a risk for Drupal 6 sites that use the default md5 password encryption. This issue only affects sites that use the module's "previous passwords" feature, and fail to encrypt their users' HTTP transactions with SSL/TLS. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Password policy 6.x-1.x versions prior to 6.x-1.5. * Password policy 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Password policy [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Password policy module for Drupal 6.x, upgrade to Password policy 6.x-1.5 [4] * If you use the Password policy module for Drupal 7.x, upgrade to Password policy 7.x-1.3 [5] Also see the Password policy [6] project page. -------- REPORTED BY --------------------------------------------------------- * Alexis Wilke [7] -------- FIXED BY ------------------------------------------------------------ * Mark Shropshire [8] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * Michael Hess [10] of the Drupal Security Team * Damien Tournoud [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/password_policy [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/password_policy [4] https://drupal.org/node/1828130 [5] https://drupal.org/node/1828142 [6] http://drupal.org/project/password_policy [7] http://drupal.org/user/356197 [8] http://drupal.org/user/14767 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/102818 [11] http://drupal.org/user/22211 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS)
by security-news＠drupal.org 24 Oct '12

24 Oct '12

View online: http://drupal.org/node/1822166 * Advisory ID: DRUPAL-SA-CONTRIB-2012-158 * Project: MailChimp [1] (third-party module) * Version: 7.x * Date: 2012-October-24 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module provides integration with the MailChimp email delivery service. There are two issues with the webhook processing, which is exposed as an API in mailchimp.module and used by mailchimp_lists.module to update subscriber information. * The webhook URL key can be trivially calculated. * Webhook variables from POST requests are not properly sanitized. Mitigating these issues is the fact that attackers cannot tamper with email subscriptions even if they know the webhook path, because changes are pulled in from the MailChimp API only. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * MailChimp 7.x-2.x versions prior to 7.x-2.7. Drupal core is not affected. If you do not use the contributed MailChimp [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the MailChimp module for Drupal 7.x, upgrade to MailChimp 7.x-2.7 [4] Also see the MailChimp [5] project page. -------- REPORTED BY --------------------------------------------------------- * Dmitriy Trt [6] (Dmitriy.trt) -------- FIXED BY ------------------------------------------------------------ * Lev Tsypin [7] (levelos) the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [8] (klausi) of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/mailchimp [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/mailchimp [4] http://drupal.org/node/1821330 [5] http://drupal.org/project/mailchimp [6] http://drupal.org/user/329125 [7] http://drupal.org/user/54135 [8] http://drupal.org/user/262198 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-157 - Time Spent - Multiple Vulnerabilities - (unsupported)
by security-news＠drupal.org 24 Oct '12

24 Oct '12

View online: https://drupal.org/node/1822066 * Advisory ID: DRUPAL-SA-CONTRIB-2012-157 * Project: Time Spent [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-October-24 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The Time Spent module tracks the time a registered user spends on a site and a site's content. The module doesn't sufficiently sanitize user input. Cross site scripting, cross-site request forgery, and SQL injection vulnerabilities have all been found. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * All Time Spent module versions. Drupal core is not affected. If you do not use the contributed Time Spent [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the module: * If you use the Time Spent module you should disable the module. Also see the Time Spent [4] project page. -------- REPORTED BY --------------------------------------------------------- * Dylan Riordan [5] (amorsent) * Greg Knaddison [6] (greggles) of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Forest Monsen [7] (forestmonster) of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/time_spent [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/time_spent [4] http://drupal.org/project/time_spent [5] http://drupal.org/user/426464 [6] http://drupal.org/user/36762 [7] http://drupal.org/user/181798 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure
by security-news＠drupal.org 17 Oct '12

17 Oct '12

View online: http://drupal.org/node/1815912 * Advisory ID: DRUPAL-SA-CORE-2012-003 * Project: Drupal core [1] * Version: 7.x * Date: 2012-October-17 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Information Disclosure, Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- Multiple vulnerabilities were discovered in Drupal core. .... Arbitrary PHP code execution A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server. This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice [3]. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites. .... Information disclosure - OpenID module For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 7.x versions prior to 7.16. Drupal 6 is not affected. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 7.x, upgrade to Drupal core 7.16 [4]. If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability. Also see the Drupal core [5] project page. -------- REPORTED BY --------------------------------------------------------- * The arbitrary PHP code execution vulnerability was reported by Heine Deelstra [6] and Noam Rathaus [7] working with Beyond Security's SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of the Drupal Security Team. * The information disclosure vulnerability in the OpenID module was reported by Reginaldo Silva [8]. -------- FIXED BY ------------------------------------------------------------ * The arbitrary PHP code execution vulnerability was fixed by Damien Tournoud [9], David Rothstein [10], Peter Wolanin [11], and Károly Négyesi [12], all members of the Drupal Security Team. * The information disclosure vulnerability in the OpenID module was fixed by Reginaldo Silva [13], Christian Schmidt [14], Vojtěch Kusý [15], and Frédéric Marand [16], and by Peter Wolanin [17], David Rothstein [18], Damien Tournoud [19], and Heine Deelstra [20] of the Drupal Security Team. -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [21]. Learn more about the Drupal Security team and their policies [22], writing secure code for Drupal [23], and securing your site [24]. [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/node/244924 [4] http://drupal.org/node/1815904 [5] http://drupal.org/project/drupal [6] http://drupal.org/user/17943 [7] http://drupal.org/user/2317662 [8] http://drupal.org/user/2305626 [9] http://drupal.org/user/22211 [10] http://drupal.org/user/124982 [11] http://drupal.org/user/49851 [12] http://drupal.org/user/9446 [13] http://drupal.org/user/2305626 [14] http://drupal.org/user/216078 [15] http://drupal.org/user/56154 [16] http://drupal.org/user/27985 [17] http://drupal.org/user/49851 [18] http://drupal.org/user/124982 [19] http://drupal.org/user/22211 [20] http://drupal.org/user/17943 [21] http://drupal.org/contact [22] http://drupal.org/security-team [23] http://drupal.org/writing-secure-code [24] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-156 - Search API - Cross Site Request Forgery (CSRF)
by security-news＠drupal.org 17 Oct '12

17 Oct '12

View online: http://drupal.org/node/1815770 * Advisory ID: DRUPAL-SA-CONTRIB-2012-156 * Project: Search API [1] (third-party module) * Version: 7.x * Date: 2012-October-17 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently guard the “enable index” action against Cross Site Request Forgery (CSRF) attacks which could allow an attacker to enable existing search indexes on your site. This vulnerability is mitigated by the fact that the attacker would need to guess the machine name or ID of a disabled index or server, and a disabled index would have to be connected to an enabled server for the operation to be successful. The impact from such an enabled index has little effect besides using additional resources for indexing because search pages or views related to the index are not automatically enabled. The enabling of a server has no effect unless existing indexes assigned to that server are subsequently enabled as well. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Search API 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Search API [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Search API module for Drupal 7.x, upgrade to Search API 7.x-1.3 [4] Alternatively, you can remove the vulnerability without upgrading by moving disabled indexes away from servers: * If you have disabled indexes, set them to “< No server >” in the index settings. Also see the Search API [5] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen (mr.baileys [6]) of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Ivo Van Geertruyen (mr.baileys [8]) and Klaus Purer (klausi [9]) of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/search_api [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/search_api [4] http://drupal.org/node/1815124 [5] http://drupal.org/project/search_api [6] http://drupal.org/user/383424 [7] http://drupal.org/user/383424 [8] http://drupal.org/user/383424 [9] http://drupal.org/user/262198 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS)
by security-news＠drupal.org 10 Oct '12

10 Oct '12

View online: http://drupal.org/node/1808856 * Advisory ID: DRUPAL-SA-CONTRIB-2012-155 * Project: ShareThis [1] (third-party module) * Version: 7.x * Date: 2012-October-10 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables integration with the ShareThis [3] web service to allow social bookmarking amongst your users. The module doesn't sufficiently filter JavaScript settings before outputting them. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer sharethis". CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * ShareThis 7.x-2.x versions prior to 7.x-2.5. Drupal core is not affected. If you do not use the contributed ShareThis [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the ShareThis module for Drupal 7.x, upgrade to ShareThis 7.x-2.5 [5] Also see the ShareThis [6] project page. -------- REPORTED BY --------------------------------------------------------- * Jake Bell [7] -------- FIXED BY ------------------------------------------------------------ * Rob Loach [8], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * David Stoline [9] provisional member of the Drupal Security Team * Ben Jeavons [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/sharethis [2] http://drupal.org/security-team/risk-levels [3] http://sharethis.com/ [4] http://drupal.org/project/sharethis [5] http://drupal.org/node/1808760 [6] http://drupal.org/project/sharethis [7] http://drupal.org/user/71548 [8] http://drupal.org/user/61114 [9] http://drupal.org/user/329570 [10] http://drupal.org/user/91990 [11] http://drupal.org/user/36762 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-154 - Basic webmail - Multiple vulnerabilities
by security-news＠drupal.org 10 Oct '12

10 Oct '12

View online: http://drupal.org/node/1808852 * Advisory ID: DRUPAL-SA-CONTRIB-2012-154 * Project: Basic webmail [1] (third-party module) * Version: 6.x * Date: 2012-October-10 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- This module allows site users to read and write e-mail through an IMAP mail server. There are four issues being addressed by this security advisory: * The module doesn't sufficiently sanitize data when setting page title. * The module may store Drupal login IDs and passwords in plain text in the data column of the users table. * The module doesn't sufficiently sanitize data displayed from email messages. * The module allows users who have the 'access basic_webmail' permission to view the e-mail addressof other site users. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Basic webmail 6.x-1.x versions prior to 6.x-1.2. Drupal core is not affected. If you do not use the contributed Basic webmail [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Basic webmail module for Drupal 6.x, upgrade to Basic webmail 6.x-1.2 [4] Also see the Basic webmail [5] project page. -------- REPORTED BY --------------------------------------------------------- * Hunter Fox [6] provisional member of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Jason Flatt [7] the module maintainer * Hunter Fox [8] provisional member of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [9] provisional member of the Drupal Security Team * Ben Jeavons [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/basic_webmail [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/basic_webmail [4] https://drupal.org/node/1808616 [5] http://drupal.org/project/basic_webmail [6] http://drupal.org/user/426416 [7] http://drupal.org/user/4649 [8] http://drupal.org/user/426416 [9] http://drupal.org/user/426416 [10] http://drupal.org/user/91990 [11] http://drupal.org/user/36762 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-153 - Mandrill - Information Disclosure
by security-news＠drupal.org 10 Oct '12

10 Oct '12

View online: http://drupal.org/node/1808846 * Advisory ID: DRUPAL-SA-CONTRIB-2012-153 * Project: Mandrill [1] (third-party module) * Version: 7.x * Date: 2012-October-10 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- This module enables you to send emails using an external gateway and by default logs the contents of the messages. An attacker who gains access to the Mandrill dashboard can trigger password reset emails from the Drupal site, get the reset links from the Mandrill logs, and take over an account. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Mandrill 7.x-1.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Mandrill [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Mandrill module for Drupal 7.x, upgrade to Mandrill 7.x-1.2 [4] Also see the Mandrill [5] project page. -------- REPORTED BY --------------------------------------------------------- * Patrick Dawkins [6] -------- FIXED BY ------------------------------------------------------------ * Lev Tsypin [7] the module maintainer * Ned McClain [8] provisional member of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Ned McClain [9] provisional member of the Drupal Security Team * Ben Jeavons [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/mandrill [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/mandrill [4] http://drupal.org/node/1807894 [5] http://drupal.org/project/mandrill [6] http://drupal.org/user/1025236 [7] http://drupal.org/user/54135 [8] http://drupal.org/user/798324 [9] http://drupal.org/user/798324 [10] http://drupal.org/user/91990 [11] http://drupal.org/user/36762 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-152 - Feeds - Access bypass
by security-news＠drupal.org 10 Oct '12

10 Oct '12

View online: https://drupal.org/node/1808832 * Advisory ID: DRUPAL-SA-CONTRIB-2012-152 * Project: Feeds [1] (third-party module) * Version: 7.x * Date: 2012-October-10 * Security risk: Not critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The feeds module enables you to import or aggregate data as nodes, users, taxonomy terms or simple database records. The module doesn't sufficiently check permissions when creating nodes on behalf of a user. This vulnerability is mitigated by the fact that an attacker must have control over the source feed, and the Feeds importer must have a field from that feed mapped to the node's author. /Note: the Feeds module doesn't have a stable release and therefore a Security Advisory would not normally be issued, per the Drupal Security Team policy [3]. However, this issue affects the Mailhandler [4] module, which does have a stable release. For modules with dependencies, maintainers are encouraged to create stable releases only for those modules dependent on stable releases./ CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Feeds 7.x-2.x versions prior to 7.x-2.0-alpha6. Drupal core is not affected. If you do not use the contributed Feeds [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Feeds module for Drupal 7.x, upgrade to Feeds 7.x-2.0-alpha6 [6]. Also see the Feeds [7] project page. -------- REPORTED BY --------------------------------------------------------- * Iñaki Lopez [8] -------- FIXED BY ------------------------------------------------------------ * Chris Leppanen [9] the module maintainer * Lee Rowlands [10] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/feeds [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/security-advisory-policy [4] http://drupal.org/project/mailhandler [5] http://drupal.org/project/feeds [6] https://drupal.org/node/1808282 [7] http://drupal.org/project/feeds [8] http://drupal.org/user/118449 [9] http://drupal.org/user/473738 [10] http://drupal.org/user/395439 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request Forgery
by security-news＠drupal.org 03 Oct '12

03 Oct '12

View online: http://drupal.org/node/1802258 * Advisory ID: DRUPAL-SA-CONTRIB-2012-151 * Project: Commerce extra panes [1] (third-party module) * Version: 7.x * Date: 2012-October-3 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- This module, an add-on for Drupal Commerce, allows site builders to place one or more nodes in one of the checkout phases of an order. The module doesn't sufficiently confirm the intent of a site builder when taking certain administrative operations. This could allow an attacker to trick an administrator into unknowingly enabling/disabled a Commerce extra panes pane. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Commerce extra panes 7.x-1.x versions prior to 7.x-1.1. Drupal core is not affected. If you do not use the contributed Commerce extra panes [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Commerce extra panes module for Drupal 7.x, upgrade to Commerce extra panes 7.x-1.1 [4] Also see the Commerce extra panes [5] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Ivo Van Geertruyen [7] of the Drupal Security Team * Pedro Cambra [8] the Module Maintainer -------- COORDINATED BY ------------------------------------------------------ * Ivo Van Geertruyen [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/commerce_extra_panes [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/commerce_extra_panes [4] http://drupal.org/node/1802192 [5] http://drupal.org/project/commerce_extra_panes [6] http://drupal.org/user/383424 [7] http://drupal.org/user/383424 [8] http://drupal.org/user/122101 [9] http://drupal.org/user/383424 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0