Security-news November 2012

security-news@drupal.org

1 participants
13 discussions

SA-CONTRIB-2012-163 - User Read-Only - Permission escalation
by security-news＠drupal.org 14 Nov '12

14 Nov '12

View online: http://drupal.org/node/1840886 * Advisory ID: DRUPAL-SA-CONTRIB-2012-163 * Project: User Read-Only [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-November-14 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing. The module can mistakenly assign roles when performing unrelated operations against a user's account such as changing a password. The vulnerability is particular to certain combinations of configuration and the number of roles available on the site (more than 3). CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * User Read-Only 6.x-1.x versions prior to 6.x-1.4. * User Read-Only 7.x-1.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed User Read-Only [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the User Read-Only module for Drupal 6.x, upgrade to User Read-Only 6.x-1.4 [4] * If you use the User Read-Only module for Drupal 7.x, upgrade to User Read-Only 7.x-1.4 [5] Also see the User Read-Only [6] project page. -------- REPORTED BY --------------------------------------------------------- * Kellie Bradford Delaney [7] -------- FIXED BY ------------------------------------------------------------ * David Norman [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * Heine Deelstra [10] of the Drupal Security Team * Lee Rowlands [11] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/user_readonly [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/user_readonly [4] http://drupal.org/node/1840054 [5] http://drupal.org/node/1840038 [6] http://drupal.org/project/user_readonly [7] http://drupal.org/user/1473110 [8] http://drupal.org/user/972 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/17943 [11] http://drupal.org/user/395439 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-161 - Webform CiviCRM Integration - Access Bypass
by security-news＠drupal.org 07 Nov '12

07 Nov '12

View online: http://drupal.org/node/1834868 * Advisory ID: DRUPAL-SA-CONTRIB-2012-161 * Project: Webform CiviCRM Integration [1] (third-party module) * Version: 7.x * Date: 2012-November-07 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Webform CiviCRM integration allows you to expose contact data via Webforms. Depending on what fields you have exposed in your form, this may include personal information such as birthdate, phone number, email address, etc. Proper permission settings are important to keep this information from prying eyes. Each "existing contact" on a webform has a setting to enforce CiviCRM permissions -- this setting should rarely be disabled, and only done so by admins who know what they're doing. Unfortunately some circumstances may have led this setting to be incorrectly disabled by the admin: * In version 3.0 - 3.1 of this module, "Enforce Permissions" was not on by default, and needed to be manually selected by the admin. This was fixed in 3.2. * In versions 3.0 - 3.2, the current user could not be autofilled for normal unprivledged users. This may have led some admins to disable the "Enforce Permissions" setting, a dangerous workaround. * In versions 3.0 - 3.3, autofilling a contact via the url with a checksum did not work for anonymous users unless the "Enforce Permissions" setting was disabled. Version 3.4 includes an update script which will automatically set "Enforce Permissions" for all existing contacts to /true/. Once you have upgraded, you may wish to review your webforms and ensure that autofilling contacts works as expected, especially for anonymous users. In a few rare cases where you have established access control through some other means, disabling "Enforce Permissions" may be necessary and you will need to do so manually. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Webform CiviCRM Integration 7.x-3.0 to 7.x-3.3 Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Webform CiviCRM Integration version 3.x, upgrade to version 3.4 [4] Also see the Webform CiviCRM Integration [5] project page. -------- REPORTED BY --------------------------------------------------------- * Coleman Watts [6] the module maintainer -------- FIXED BY ------------------------------------------------------------ * Coleman Watts [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/webform_civicrm [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/webform_civicrm [4] http://drupal.org/node/1833974 [5] http://drupal.org/project/webform_civicrm [6] http://drupal.org/user/639856 [7] http://drupal.org/user/639856 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-160 - OM Maximenu - Cross Site Scripting (XSS)
by security-news＠drupal.org 07 Nov '12

07 Nov '12

View online: http://drupal.org/node/1834866 * Advisory ID: DRUPAL-SA-CONTRIB-2012-160 * Project: OM Maximenu [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-November-07 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to create custom menus with effects and integrate module blocks as it's menu item content. The module doesn't sufficiently state the risk of giving permission to create OM Maximenus. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer OM Maximenu". CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * OM Maximenu 6.x-1.x versions prior to 6.x-1.44. * OM Maximenu 7.x-1.x versions prior to 7.x-1.44. Drupal core is not affected. If you do not use the contributed OM Maximenu [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the OM Maximenu module for Drupal 6.x, upgrade to OM Maximenu 6.x-1.44 [4] * If you use the OM Maximenu module for Drupal 7.x, upgrade to OM Maximenu 7.x-1.44 [5] Also see the OM Maximenu [6] project page. -------- REPORTED BY --------------------------------------------------------- * Justin KleinKeane [7] -------- FIXED BY ------------------------------------------------------------ * Daniel Honrade [8] the module maintainer * Károly Négyesi [9] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/om_maximenu [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/om_maximenu [4] http://drupal.org/node/1834046 [5] http://drupal.org/node/1834048 [6] http://drupal.org/project/om_maximenu [7] http://drupal.org/user/302225 [8] http://drupal.org/user/351112 [9] http://drupal.org/user/9446 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news November 2012