* Advisory ID: DRUPAL-SA-CONTRIB-2012-029
* Project: Taxonomy Views Integrator (third-party module)
* Version: 6.x
* Date: 2012-February-29
* Security risk: Moderately critical [1]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Taxonomy Views Integrator allows selective overriding of taxonomy terms
and/or vocabulary with the view of your choice. Using TVI you can easily
create custom views to output all terms in X vocabulary.
The module doesn't sufficiently filter user-supplied text on views pages.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer taxonomy".
-------- VERSIONS AFFECTED ---------------------------------------------------
* Taxonomy Views Integrator 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Taxonomy Views Integrator module for Drupal 6.x, upgrade to
Taxonomy Views Integrator 6.x-1.3 [2]
See also the project page.
-------- REPORTED BY ---------------------------------------------------------
* Dmitry Trt [3]
-------- FIXED BY ------------------------------------------------------------
* Dmitry Trt [4]
* Derek Webb [5] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [6] of the Drupal Security Team
* Greg Knaddison [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/security-team/risk-levels
[2] http://drupal.org/node/1306946
[3] http://drupal.org/user/329125
[4] http://drupal.org/user/329125
[5] http://drupal.org/user/64114
[6] http://drupal.org/user/102818
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-028
* Project: Hierarchical Select [1] (third-party module)
* Version: 6.x
* Date: 2012-February-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Hierarchical Select module provides a "hierarchical_select" form element,
which is a greatly enhanced way for letting the user select items in a
taxonomy. The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS [3]) vulnerability that
may lead to a malicious user gaining full administrative access.
This vulnerability is mitigated by the fact that the attacker must have a
role with the 'administer taxonomy' permission; specifically he must be able
to create or modify vocabularies and then modify the vocabulary's help text.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Hierarchical Select 6.x-3.x versions prior to 6.x-3.7.
Drupal core is not affected. If you do not use the contributed Hierarchical
Select [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Hierarchical Select module for Drupal 6.x, upgrade to
Hierarchical Select 6.x-3.8 [5]
See also the Hierarchical Select [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Sam Oldak [7]
* Wim Leers [8] the module maintainer
-------- FIXED BY ------------------------------------------------------------
* Wim Leers [9] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Stéphane Corlosquet [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/hierarchical_select
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/project/hierarchical_select
[5] http://drupal.org/node/1461318
[6] http://drupal.org/project/hierarchical_select
[7] http://drupal.org/user/366337
[8] http://drupal.org/user/99777
[9] http://drupal.org/user/99777
[10] http://drupal.org/user/52142
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-027
* Project: Submenu Tree [1] (third-party module)
* Version: 6.x
* Date: 2012-February-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Submenu Tree module allows sufficiently privileged users to show a
list of menu entries when displaying a node.
The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS [3])
vulnerability.
The vulnerability is mitigated by the fact that a malicious user must
be assigned a role that includes permissions to edit the Drupal menus.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Submenu Tree versions prior to 6.x-1.5
Drupal core is not affected. If you do not use the contributed Submenu Tree
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Submenu Tree module, upgrade to Submenu Tree 6.x-1.5 [6]
See also the Submenu Tree [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Kyle Small
-------- FIXED BY ------------------------------------------------------------
* Beng Tan [8], module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/submenutree
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/project/submenutree
[5] http://drupal.org/project/submenutree
[6] http://drupal.org/node/1132838
[7] http://drupal.org/project/submenutree
[8] http://drupal.org/user/132729
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-026
* Project: ZipCart [1] (third-party module)
* Version: 6.x
* Date: 2012-February-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
ZipCart [3] enables a site to provide users with Zip archives for downloads
selected by the user.
Versions of ZipCart prior to 6.x-1.4 check an incorrect permission when
building archives. This vulnerability is mitigated by the fact that a file can
only be added to an archive if Drupal's normal file download access check
permits the user to download that file directly.
-------- VERSIONS AFFECTED ---------------------------------------------------
* ZipCart 6.x versions prior to 6.x-1.4 [4].
Drupal core is not affected. If you do not use the contributed ZipCart [5]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the ZipCart module for Drupal 6.x, upgrade to ZipCart 6.x-1.4 [6]
See also the ZipCart [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Chris Burgess [8]
-------- FIXED BY ------------------------------------------------------------
* Chris Burgess [9] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Neil Drumm [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/zipcart
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/zipcart
[4] http://drupal.org/node/1460872
[5] http://drupal.org/project/zipcart
[6] http://drupal.org/node/1460872
[7] http://drupal.org/project/zipcart
[8] http://drupal.org/user/76026
[9] http://drupal.org/user/76026
[10] http://drupal.org/user/3064
[11] http://drupal.org/user/102818
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-025
* Project: Cool aid; Editable help messages [1] (third-party module)
* Version: 6.x
* Date: 2012-February-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Cool aid is a Drupal module that allows users to add custom help messages to
Drupal pages. The module did not properly clean user input before displaying
it, and did not properly check for access permissions, allowing users with
"administer coolaid" to inject scripts anywhere on a site.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Cool aid 6.x-1.x prior to 6.x-1.6
Drupal core is not affected. If you do not use the contributed Cool aid;
Editable help messages [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Cool aid module for Drupal 6.x, upgrade to Cool aid
6.x-1.9. [4]
See also the Cool aid; Editable help messages [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ivo Van Geertruyen [6]
-------- FIXED BY ------------------------------------------------------------
* Daniel Braksator [7] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/coolaid
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/coolaid
[4] http://drupal.org/node/1417186
[5] http://drupal.org/project/coolaid
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/134005
[8] http://drupal.org/user/102818
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-024
* Project: MediaFront [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-February-29
* Security risk: Less Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Within the MediaFront module, there is a PHP library for handling the
stand-alone application of the Open Standard Media player. Within this library,
both the $_SESSION and $_SERVER variables are used without proper checks
to make sure that no malicious code is injected through these variables.
-------- VERSIONS AFFECTED ---------------------------------------------------
* MediaFront 6.x-1.x versions prior to 6.x-1.5.
* MediaFront 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed MediaFront [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Mediafront module for Drupal 6.x, upgrade to Mediafront
6.x-1.5 [4]
* If you use the Mediafront module for Drupal 7.x, upgrade to Mediafront
7.x-1.5 [5]
See also the MediaFront [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Óscar Estepa [7]
-------- FIXED BY ------------------------------------------------------------
* Travis Tidwell [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/mediafront
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mediafront
[4] https://drupal.org/node/1460892
[5] https://drupal.org/node/1460894
[6] http://drupal.org/project/mediafront
[7] http://drupal.org/user/1306904
[8] http://drupal.org/user/98581
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-023
* Project: Frequently Asked Questions [1] (third-party module)
* Version: 6.x
* Date: 2012-February-22
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Frequently Asked Questions (faq) module allows users, with the
appropriate permissions, to create question and answer pairs which are
displayed on the 'faq' page, and in the random and recent FAQ blocks. The
module does not sanitize some of the user-supplied data before displaying it,
leading to a Cross Site Scripting (XSS [3]) vulnerability. This vulnerability
is mitigated by the fact that the attacker must have a role with the
'administer faq', 'create faq', 'edit faq' or 'edit own faq' permissions. If
using the FAQ module with the FAQ Ask module, the attacker may also exploit
the vulnerability if they have the 'ask question' permission.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Frequently Asked Questions 6.x-1.x versions prior to 6.x-1.13 [4].
Drupal core is not affected. If you do not use the contributed Frequently
Asked Questions [5] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the FAQ module for Drupal 6.x, upgrade to FAQ 6.x-1.13 [6]
See also the Frequently Asked Questions [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* phdruplover [8]
-------- FIXED BY ------------------------------------------------------------
* Stella Power [9] the module maintainer and member of the Drupal Security
Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/faq
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/node/1451186
[5] http://drupal.org/project/faq
[6] http://drupal.org/node/1451186
[7] http://drupal.org/project/faq
[8] http://drupal.org/user/1505850
[9] http://drupal.org/user/66894
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-022
* Project: CDN [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-February-15
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The CDN module provides easy Content Delivery Network integration for Drupal
sites. It alters file URLs, so that files are downloaded from a CDN instead
of your web server.
When running in Origin Pull mode together with the "Far Future expiration"
option, the module contains a vulnerability that allows anyone to view the
contents of any *.php file within the site, including settings.php.
This vulnerability is mitigated by the fact that the site owner must have
enabled the "Far Future expiration" option, and must be using the latest
version of the module.
-------- VERSIONS AFFECTED ---------------------------------------------------
* CDN version 6.x-2.2
* CDN version 7.x-2.2
Drupal core is not affected. If you do not use the contributed CDN [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* Upgrade to CDN module 6.x-2.3 [4]
* Upgrade to CDN module 7.x-2.3 [5]
See also the CDN [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ivo Van Geertruyen [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Wim Leers [8] the module maintainer
* Ivo Van Geertruyen [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/cdn
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/cdn
[4] http://drupal.org/node/1441482
[5] http://drupal.org/node/1441480
[6] http://drupal.org/project/cdn
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/99777
[9] http://drupal.org/user/383424
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-021
* Project: Organic Groups Vocabulary [1] (third-party module)
* Version: 6.x
* Date: 2012-February-15
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to have a specific vocabulary per organic group.
The module doesn't sufficiently check access to vocabularies while allowing a
group admin to edit the vocabularies.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to "administer own group vocabulary" and be an admin of
another group.
-------- VERSIONS AFFECTED ---------------------------------------------------
* OG Vocab 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed OG Vocabulary
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the OG Vocab module for Drupal 6.x, upgrade to OG Vocab 6.x-1.2 [4]
See also the OG Vocabulary [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Chris Czeyka [6]
-------- FIXED BY ------------------------------------------------------------
* Amitai Burstein [7] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/og_vocab
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og_vocab
[4] http://drupal.org/node/1441086
[5] http://drupal.org/project/og_vocab
[6] http://drupal.org/user/223351
[7] http://drupal.org/user/57511
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-020
* Project: Faster Permissions [1] (third-party module)
* Version: 7.x
* Date: 2012-February-15
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to configure the permissions of a specific module on
a separate page. This is especially handy for sites with a large list of
permissions.
The module doesn't sufficiently check for the required permissions when the
per-module permission administration page is displayed and therefore allows
users without the required permissions to configure module permissions.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Faster Permissions 7.x-2.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Faster
Permissions [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Faster Permissions module for Drupal 7.x, upgrade to Faster
Permissions 7.x-1.2 [4]
See also the Faster Permissions [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Sascha Grossenbacher [6]
-------- FIXED BY ------------------------------------------------------------
* Sascha Grossenbacher [7]
* Jason Savino [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/fp
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fp
[4] http://drupal.org/node/1441264
[5] http://drupal.org/project/fp
[6] http://drupal.org/user/214652
[7] http://drupal.org/user/214652
[8] http://drupal.org/user/411241
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration