Security-news February 2012

security-news@drupal.org

1 participants
15 discussions

SA-CONTRIB-2012-029 - Taxonomy Views Integrator - Cross Site Scripting (XSS)
by security-news＠drupal.org 29 Feb '12

29 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-029 * Project: Taxonomy Views Integrator (third-party module) * Version: 6.x * Date: 2012-February-29 * Security risk: Moderately critical [1] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Taxonomy Views Integrator allows selective overriding of taxonomy terms and/or vocabulary with the view of your choice. Using TVI you can easily create custom views to output all terms in X vocabulary. The module doesn't sufficiently filter user supplied text on views pages. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy". -------- VERSIONS AFFECTED --------------------------------------------------- * Taxonomy Views Integrator 6.x-1.x versions prior to 6.x-1.3. Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Taxonomy Views Integrator module for Drupal 6.x, upgrade to Taxonomy Views Integrator 6.x-1.3 [2] See also the project page. -------- REPORTED BY --------------------------------------------------------- * Dmitry Trt [3] -------- FIXED BY ------------------------------------------------------------ * Dmitry Trt [4] * Derek Webb [5] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [6] of the Drupal Security Team * Greg Knaddison [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/security-team/risk-levels [2] http://drupal.org/node/1306946 [3] http://drupal.org/user/329125 [4] http://drupal.org/user/329125 [5] http://drupal.org/user/64114 [6] http://drupal.org/user/102818 [7] http://drupal.org/user/36762 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-028 - Hierarchical Select - Cross Site Scripting (XSS)
by security-news＠drupal.org 29 Feb '12

29 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-028 * Project: Hierarchical Select [1] (third-party module) * Version: 6.x * Date: 2012-February-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Hierarchical Select module provides a "hierarchical_select" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [3]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer taxonomy' permission; specifically he must be able to create or modify vocabularies and then modify the vocabulary's help text. -------- VERSIONS AFFECTED --------------------------------------------------- * Hierarchical Select 6.x-3.x versions prior to 6.x-3.7. Drupal core is not affected. If you do not use the contributed Hierarchical Select [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Hierarchical Select module for Drupal 6.x, upgrade to Hierarchical Select 6.x-3.8 [5] See also the Hierarchical Select [6] project page. -------- REPORTED BY --------------------------------------------------------- * Sam Oldak [7] * Wim Leers [8] the module maintainer -------- FIXED BY ------------------------------------------------------------ * Wim Leers [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Stéphane Corlosquet [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/hierarchical_select [2] http://drupal.org/security-team/risk-levels [3] http://en.wikipedia.org/wiki/Cross-site_scripting [4] http://drupal.org/project/hierarchical_select [5] http://drupal.org/node/1461318 [6] http://drupal.org/project/hierarchical_select [7] http://drupal.org/user/366337 [8] http://drupal.org/user/99777 [9] http://drupal.org/user/99777 [10] http://drupal.org/user/52142 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-027 - Submenu Tree -Cross Site Scripting
by security-news＠drupal.org 29 Feb '12

29 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-027 * Project: Submenu Tree [1] (third-party module) * Version: 6.x * Date: 2012-February-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Submenu Tree module allows sufficiently privileged users to show a list of menu entries when displaying a node. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [3]) vulnerability. The vulnerability is mitigated by the fact that a malicious user must be assigned a role that includes permissions to edit the Drupal menus. -------- VERSIONS AFFECTED --------------------------------------------------- * Submenu Tree versions prior to 6.x-1.5 Drupal core is not affected. If you do not use the contributed Submenu Tree [4] module, there is nothing you need to do. Drupal core is not affected. If you do not use the contributed Submenu Tree [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Submenu Tree module upgrade to Submenu Tree 6.x-1.5 [6] Please also see the Submenu Tree project page . See also the Submenu Tree [7] project page. -------- REPORTED BY --------------------------------------------------------- * Kyle Small -------- FIXED BY ------------------------------------------------------------ * Beng Tan [8], module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/submenutree [2] http://drupal.org/security-team/risk-levels [3] http://en.wikipedia.org/wiki/Cross-site_scripting [4] http://drupal.org/project/submenutree [5] http://drupal.org/project/submenutree [6] http://drupal.org/node/1132838 [7] http://drupal.org/project/submenutree [8] http://drupal.org/user/132729 [9] http://drupal.org/user/102818 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-026 - ZipCart - Access bypass
by security-news＠drupal.org 29 Feb '12

29 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-026 * Project: ZipCart [1] (third-party module) * Version: 6.x * Date: 2012-February-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- ZipCart [3] enables a site to provide users with Zip archives for downloads selected by the user. Versions of ZipCart prior to 6.x-1.4 checks an incorrect permission when building archives. This vulnerability is mitigated by the fact that archive file addition is only permitted if Drupal's normal file download access check permits the user to download the file directly. -------- VERSIONS AFFECTED --------------------------------------------------- * ZipCart 6.x versions prior to 6.x-1.4 [4]. Drupal core is not affected. If you do not use the contributed ZipCart [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the ZipCart module for Drupal 6.x, upgrade to ZipCart 6.x-1.4 [6] See also the ZipCart [7] project page. -------- REPORTED BY --------------------------------------------------------- * Chris Burgess [8] -------- FIXED BY ------------------------------------------------------------ * Chris Burgess [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Neil Drumm [10] of the Drupal Security Team * Michael Hess [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/zipcart [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/zipcart [4] http://drupal.org/node/1460872 [5] http://drupal.org/project/zipcart [6] http://drupal.org/node/1460872 [7] http://drupal.org/project/zipcart [8] http://drupal.org/user/76026 [9] http://drupal.org/user/76026 [10] http://drupal.org/user/3064 [11] http://drupal.org/user/102818 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-025 - Cool aid; Editable help messages - Multiple vulnerabilities
by security-news＠drupal.org 29 Feb '12

29 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-025 * Project: Cool aid; Editable help messages [1] (third-party module) * Version: 6.x * Date: 2012-February-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Cool aid is a Drupal module that allows users to add custom help messages to Drupal pages. The module did not properly clean user input before displaying it, and did not properly check for access permissions, allowing users with "administer coolaid" to inject scripts anywhere on a site. -------- VERSIONS AFFECTED --------------------------------------------------- * Cool aid 6.x-1.x prior to 6.x-1.6 Drupal core is not affected. If you do not use the contributed Cool aid; Editable help messages [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Cool aid module for Drupal 6.x, upgrade to Cool aid 6.x-1.9. [4] See also the Cool aid; Editable help messages [5] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [6] -------- FIXED BY ------------------------------------------------------------ * Daniel Braksator [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/coolaid [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/coolaid [4] http://drupal.org/node/1417186 [5] http://drupal.org/project/coolaid [6] http://drupal.org/user/383424 [7] http://drupal.org/user/134005 [8] http://drupal.org/user/102818 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-024 - MediaFront - Cross Site Scripting
by security-news＠drupal.org 29 Feb '12

29 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-024 * Project: MediaFront [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-February-29 * Security risk: Less Critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Within the MediaFront module, there is a PHP library for handling the stand alone application of the Open Standard Media player. Within this library, both the $_SESSION and $_SERVER variables are handled without proper checks to make sure that no malicious code is injected within these variables. -------- VERSIONS AFFECTED --------------------------------------------------- * MediaFront 6.x-1.x versions prior to 6.x-1.5. * MediaFront 7.x-1.x versions prior to 7.x-1.5. Drupal core is not affected. If you do not use the contributed MediaFront [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Mediafront module for Drupal 6.x, upgrade to Mediafront 6.x-1.5 [4] * If you use the Mediafront module for Drupal 7.x, upgrade to Mediafront 7.x-1.5 [5] See also the MediaFront [6] project page. -------- REPORTED BY --------------------------------------------------------- * Óscar Estepa [7] -------- FIXED BY ------------------------------------------------------------ * Travis Tidwell [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/mediafront [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/mediafront [4] https://drupal.org/node/1460892 [5] https://drupal.org/node/1460894 [6] http://drupal.org/project/mediafront [7] http://drupal.org/user/1306904 [8] http://drupal.org/user/98581 [9] http://drupal.org/user/102818 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-023 - FAQ - Cross Site Scripting
by security-news＠drupal.org 22 Feb '12

22 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-023 * Project: Frequently Asked Questions [1] (third-party module) * Version: 6.x * Date: 2012-February-22 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Frequently Asked Questions (faq) module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [3]) vulnerability. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer faq', 'create faq', 'edit faq' or 'edit own faq' permissions. If using the FAQ module with the FAQ Ask module, the attacker may also exploit the vulnerability if they have the 'ask question' permission. -------- VERSIONS AFFECTED --------------------------------------------------- * Frequently Asked Questions 6.x-1.x versions prior to 6.x-1.13 [4]. Drupal core is not affected. If you do not use the contributed Frequently Asked Questions [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the FAQ module for Drupal 6.x, upgrade to FAQ 6.x-1.13 [6] See also the Frequently Asked Questions [7] project page. -------- REPORTED BY --------------------------------------------------------- * phdruplover [8] -------- FIXED BY ------------------------------------------------------------ * Stella Power [9] the module maintainer and member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/faq [2] http://drupal.org/security-team/risk-levels [3] http://en.wikipedia.org/wiki/Cross-site_scripting [4] http://drupal.org/node/1451186 [5] http://drupal.org/project/faq [6] http://drupal.org/node/1451186 [7] http://drupal.org/project/faq [8] http://drupal.org/user/1505850 [9] http://drupal.org/user/66894 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-022 - CDN - Information disclosure
by security-news＠drupal.org 15 Feb '12

15 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-022 * Project: CDN [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-February-15 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server. When running in Origin Pull mode together with the "Far Future expiration" option, the module contains a vulnerability that allows anyone to view the contents of any *.php file within the site, including settings.php. This vulnerability is mitigated by the fact that the site owner must have enabled the "Far Future expiration" option, and must be using the latest version of the module. -------- VERSIONS AFFECTED --------------------------------------------------- * CDN version 6.x-2.2 * CDN version 7.x-2.2 Drupal core is not affected. If you do not use the contributed CDN [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Upgrade to CDN module 6.x-2.3 [4] * Upgrade to CDN module 7.x-2.3 [5] See also the CDN [6] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Wim Leers [8] the module maintainer * Ivo Van Geertruyen [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/cdn [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/cdn [4] http://drupal.org/node/1441482 [5] http://drupal.org/node/1441480 [6] http://drupal.org/project/cdn [7] http://drupal.org/user/383424 [8] http://drupal.org/user/99777 [9] http://drupal.org/user/383424 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-021 - Organic Groups Vocab Access Bypass
by security-news＠drupal.org 15 Feb '12

15 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-021 * Project: Organic Groups Vocabulary [1] (third-party module) * Version: 6.x * Date: 2012-February-15 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to have a specific vocabulary per organic group. The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to "administer own group vocabulary" and be an admin of another group. -------- VERSIONS AFFECTED --------------------------------------------------- * OG Vocab 6.x-1.x versions prior to 6.x-1.2. Drupal core is not affected. If you do not use the contributed OG Vocabulary [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the OG Vocab module for Drupal 6.x, upgrade to OG Vocab 6.x-1.2 [4] See also the OG Vocabulary [5] project page. -------- REPORTED BY --------------------------------------------------------- * Chris Czeyka [6] -------- FIXED BY ------------------------------------------------------------ * Amitai Burstein [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/og_vocab [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/og_vocab [4] http://drupal.org/node/1441086 [5] http://drupal.org/project/og_vocab [6] http://drupal.org/user/223351 [7] http://drupal.org/user/57511 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-020 - Faster Permissions - Access bypass
by security-news＠drupal.org 15 Feb '12

15 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-020 * Project: Faster Permissions [1] (third-party module) * Version: 7.x * Date: 2012-February-15 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to configure the permissions of a specific module on a separate page. This is especially handy for sites with a large list of permissions. The module doesn't sufficiently check for the required permissions when the provided permission administration is displayed and therefore allows users without the required permissions to configure module permissions. -------- VERSIONS AFFECTED --------------------------------------------------- * Faster Permissions 7.x-2.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Faster Permissions [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Faster Permissions module for Drupal 7.x, upgrade to Faster Permissions 7.x-1.2 [4] See also the Faster Permissions [5] project page. -------- REPORTED BY --------------------------------------------------------- * Sascha Grossenbacher [6] -------- FIXED BY ------------------------------------------------------------ * Sascha Grossenbacher [7] * Jason Savino [8] the module maintainer. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/fp [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/fp [4] http://drupal.org/node/1441264 [5] http://drupal.org/project/fp [6] http://drupal.org/user/214652 [7] http://drupal.org/user/214652 [8] http://drupal.org/user/411241 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news February 2012