* Advisory ID: DRUPAL-SA-CONTRIB-2012-019
* Project: Link checker [1] (third-party module)
* Version: 6.x
* Date: 2012-February-15
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Link checker module extracts links from your site's content and
periodically tries to detect broken links and report them so they can be
fixed.
The module does not correctly check permission to access the site's content
before displaying broken links that were found within it, leading to an
access bypass vulnerability.
This vulnerability is mitigated by several factors: The site must have
private content (for example, if a node access or CCK field access module is
being used), and the Link checker module must be configured to display broken
links to users who do not already have permission to bypass content access
control. Also, only the URLs of the broken links are displayed, so this
vulnerability is only serious if the content of those URLs is potentially
sensitive (for example, if the URL contains a username and password or a
secure token, or if it would reveal sensitive information about topics being
discussed in the rest of the private content).
-------- VERSIONS AFFECTED
---------------------------------------------------
* Link checker 6.x-2.x versions prior to 6.x-2.5.
Drupal core is not affected. If you do not use the contributed Link checker
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Link checker module for Drupal 6.x, upgrade to Link checker
6.x-2.5 [4].
See also the Link checker [5] project page.
-------- REPORTED BY
---------------------------------------------------------
Various aspects of the access bypass vulnerability were reported by the
following individuals:
* Ivo Van Geertruyen [6] of the Drupal Security Team
* Dave Reid [7] of the Drupal Security Team
* Alexander Hass [8], the module maintainer
* David Rothstein [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* David Rothstein [10] of the Drupal Security Team
* Alexander Hass [11], the module maintainer
* Ivo Van Geertruyen [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/linkchecker
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/linkchecker
[4] http://drupal.org/node/1440508
[5] http://drupal.org/project/linkchecker
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/53892
[8] http://drupal.org/user/85918
[9] http://drupal.org/user/124982
[10] http://drupal.org/user/124982
[11] http://drupal.org/user/85918
[12] http://drupal.org/user/383424
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-018
* Project: Revisioning [1] (third-party module)
* Version: 6.x
* Date: 2012-February-08
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Drupal Revisioning module (https://drupal.org/project/revisioning [3])
"is a module for the configuration of workflows to create, moderate and
publish content revisions."
The Revisioning module contains a persistent cross site scripting (XSS)
vulnerability because it fails to sanitize tags before displaying them.
Users with the ability to create content and tags that are submitted to a
review queue could include malicious JavaScript or HTML as part of their
tags. Users reviewing the queue would then become victims of the XSS attack.
The risk is mitigated by the fact that the attacker must have the ability to
create taxonomy terms (either through the "administer taxonomy" permission or
via a freetagging vocabulary).
-------- VERSIONS AFFECTED
---------------------------------------------------
* Revisioning 6.x-3.13 and prior.
Drupal core is not affected. If you do not use the contributed Revisioning
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* Upgrade to Revisioning 6.x-3.14 [5]
See also the Revisioning [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin C. Klein Keane [7]
-------- FIXED BY
------------------------------------------------------------
* Justin C. Klein Keane [8]
* Rik de Boer [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Dylan Tack [10] of the Drupal Security Team
[1] http://drupal.org/project/revisioning
[2] http://drupal.org/security-team/risk-levels
[3] https://drupal.org/project/revisioning
[4] http://drupal.org/project/revisioning
[5] http://drupal.org/node/1431114
[6] http://drupal.org/project/revisioning
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/302225
[9] http://drupal.org/user/404007
[10] http://drupal.org/user/96647
* Advisory ID: DRUPAL-SA-CONTRIB-2012-017
* Project: Finder [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-February-08
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Arbitrary PHP code execution,
Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
Finder is a Drupal module that allows users to create faceted search forms.
The module's autocomplete, checkbox, and radio button functionalities
previously did not sanitize the output of fields and raw database values.
In addition, users with the "administer finder" permission were able to
execute arbitrary code through a PHP import interface; specific PHP execution
permissions were not required.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Finder 6.x-1.x prior to 6.x-1.26
* Finder 7.x-1.x versions (all)
* Finder 7.x-2.x versions prior to 7.x-2.0-alpha8
Drupal core is not affected. If you do not use the contributed Finder [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Finder module for Drupal 6.x, upgrade to Finder 6.x-1.26
[4].
* If you use the Finder module for Drupal 7.x, upgrade to Finder
7.x-2.0-alpha8 [5].
See also the Finder [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin C. Klein Keane [7]
-------- FIXED BY
------------------------------------------------------------
* Daniel Braksator [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] and Forest Monsen [10] of the Drupal Security Team
[1] http://drupal.org/project/finder
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/finder
[4] http://drupal.org/node/1432318
[5] http://drupal.org/node/1432320
[6] http://drupal.org/project/finder
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/134005
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/181798
* Advisory ID: DRUPAL-SA-CONTRIB-2012-016
* Project: Forward [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-February-01
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Forward module enables you to add a "forward this page" link to each
node. The link takes regular site visitors to a form where they can generate
an email to a friend. The module exhibits multiple vulnerabilities as
described below.
The module includes "Recent forwards" and "Most forwarded" blocks that
display the titles of the most recently forwarded nodes and the nodes
forwarded the most for all time. The module doesn't check that site visitors
have permissions to view the node titles listed in these blocks, resulting in
an access bypass. This vulnerability is mitigated by the fact that these
blocks are disabled by default.
The module includes a "Dynamic Block" feature which adds a listing of the top
5 node titles to the bottom of the generated email to a friend. The module
doesn't sufficiently check that the email recipient has permission to view
the node titles included in the block, resulting in an access bypass. This
vulnerability is mitigated by the fact that the Dynamic Block feature is
disabled by default.
The module includes clickthrough tracking so that the site administrator can
determine which emails are generating the most clicks back to the site. The
tracking code is vulnerable to CSRF because it uses a publicly available link
that could be manipulated to falsely boost the perceived importance of a
node.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Forward 6.x-1.x versions prior to 6.x-1.21
* Forward 7.x-1.x versions prior to 7.x-1.3
Drupal core is not affected. If you do not use the contributed Forward [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Forward module for Drupal 6.x, upgrade to Forward 6.x-1.21
[4]
* If you use the Forward module for Drupal 7.x, upgrade to Forward 7.x-1.3
[5]
The upgrade is "code only" and does not require running the database update
script.
IMPORTANT: Administrators of sites that rely on the Dynamic Block access
bypass to operate correctly need to visit the Forward configuration page and
explicitly select the Dynamic Block Access Control bypass option after
upgrading. This should be rare, so most site administrators can simply
upgrade the module without the need for additional configuration.
See also the Forward [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Greg Knaddison (greggles) [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* John Oltman [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison (greggles) [9] of the Drupal Security Team
[1] http://drupal.org/project/forward
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/forward
[4] http://drupal.org/node/1423720
[5] http://drupal.org/node/1423722
[6] http://drupal.org/project/forward
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/699926
[9] http://drupal.org/user/36762
* Advisory ID: DRUPAL-SA-CORE-2012-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2012-February-01
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Request Forgery, Multiple
vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
.... Cross Site Request Forgery vulnerability in Aggregator module
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some
services are rate-limited (e.g. Twitter limits requests to 150 per hour) this
could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
.... OpenID not verifying signed attributes in SREG and AX
CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying
parties implement Attribute Exchange (AX). Not verifying that attributes
being passed through AX have been signed could allow an attacker to modify
users' information.
This issue affects Drupal 6.x and 7.x.
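The check a relying party needs for the AX/SREG issue above, as an added
example (not Drupal's OpenID module code; the function names and the sample
responses are illustrative). It assumes the signature over the fields listed
in openid.signed has already been verified and handles single-valued AX
attributes only.

```python
# Added example: names are illustrative, not Drupal's OpenID module API.
AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"

def signed_keys(params):
    """Full parameter names that openid.signed says the signature covers."""
    names = params.get("openid.signed", "").split(",")
    return {"openid." + n for n in names if n}

def alias_for(params, ns_uri, default=None):
    """Alias bound to ns_uri by an openid.ns.<alias> declaration, if any."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            return key[len("openid.ns."):]
    return default

def trusted_attributes(params):
    """Return (attrs, rejected); assumes the signature itself was verified."""
    signed = signed_keys(params)
    attrs, rejected = {}, []
    def covered(*keys):
        return all(k in signed and k in params for k in keys)
    ax = alias_for(params, AX_NS)
    if ax:
        type_prefix = "openid.%s.type." % ax
        for key in [k for k in params if k.startswith(type_prefix)]:
            value_key = "openid.%s.value.%s" % (ax, key[len(type_prefix):])
            # Namespace, type and value must all be under the signature.
            if covered("openid.ns." + ax, key, value_key):
                attrs[params[key]] = params[value_key]
            else:
                rejected.append(value_key)
    # SREG 1.0 responses conventionally use the bare "sreg" alias.
    sreg_prefix = "openid.%s." % alias_for(params, SREG_NS, default="sreg")
    for key in [k for k in params if k.startswith(sreg_prefix)]:
        if covered(key):
            attrs["sreg." + key[len(sreg_prefix):]] = params[key]
        else:
            rejected.append(key)
    return attrs, sorted(rejected)

# Constructed samples: in TAMPERED only the core fields are signed.
CORE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
TAMPERED = {
    "openid.signed": CORE, "openid.ns.ax": AX_NS,
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "admin@example.org",
    "openid.sreg.nickname": "admin",
}
HONEST = dict(TAMPERED, **{"openid.signed": CORE + ",ns.ax,ax.type.email,ax.value.email,sreg.nickname"})
```

Anything returned in the rejected list should be logged and never written to
the user's account.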
.... Access bypass in File module
CVE: CVE-2012-0827
When using private files in combination with certain field access modules,
the File module will allow users to download the file even if they do not
have access to view the field it was attached to.
This issue affects Drupal 7.x only.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 6.x core prior to 6.23.
* Drupal 7.x core prior to 7.11.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Drupal 6.x, upgrade to 6.23 [3]
* If you use Drupal 7.x, upgrade to 7.11 [4]
See also the Drupal core [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* The Aggregator module CSRF vulnerability was reported by Dylan Tack [6] of
the Drupal Security Team.
* The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng
Wang [7].
* The File module access bypass issue was reported by David Rothstein [8] of
the Drupal Security Team, and by Sascha Grossenbacher [9].
-------- FIXED BY
------------------------------------------------------------
* Aggregator CSRF issue fixed by Dave Reid [10] of the Drupal Security Team
* OpenID issue fixed by Vojtech Kusy [11] and Christian Schmidt [12]
* The File module access bypass issue was fixed by David Rothstein [13] of
the Drupal Security Team, Sascha Grossenbacher [14], and Derek Wright [15]
of the Drupal Security Team.
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1425082
[4] http://drupal.org/node/1425092
[5] http://drupal.org/project/drupal
[6] http://drupal.org/user/96647
[7] http://openid.net/2011/05/05/attribute-exchange-security-alert/
[8] http://drupal.org/user/124982
[9] http://drupal.org/user/214652
[10] http://drupal.org/user/53892
[11] http://drupal.org/user/56154
[12] http://drupal.org/user/216078
[13] http://drupal.org/user/124982
[14] http://drupal.org/user/214652
[15] http://drupal.org/user/46549