Security-news March 2012

security-news@drupal.org

1 participants
27 discussions

SA-CONTRIB-2012-055 - Fusion theme - Cross Site Scripting (XSS)
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-055 * Project: Fusion [1] (third-party theme) * Version: 6.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components. The theme outputs a CSS class for the tag based on the current URL, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack. This vulnerability affects all sub-themes of Fusion. -------- VERSIONS AFFECTED --------------------------------------------------- * Fusion 6.x-1.x versions prior to 6.x-1.13 Drupal core is not affected. If you do not use the contributed Fusion [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you utilize Fusion or a Fusion-based theme, you should upgrade to Fusion 6.x-1.13 [4]. * Most Fusion sub-themes will inherit this fix. * If you copied code from Fusion core's template.php file into a custom sub-theme's template.php file you should compare your code to the changes made in this release to ensure the vulnerability has not been duplicated. In YOURTHEME_preprocess_page() look for this code: $vars['body_id'] = 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', drupal_get_path_alias($_GET['q']))); If this code exists within your sub-theme, there are two possible solutions: 1) *Recommended:* Delete the line of code. It is unnecessary in your sub-theme since the sub-theme will inherit this functionality from Fusion Core 2) Replace the code with the following: $vars['body_id'] = 'pid-' . strtolower(fusion_core_clean_css_identifier(drupal_get_path_alias($_GET['q']))); fusion_core_clean_css_identifier() is a function added in this security release of Fusion. Making this change to your sub-theme's code without updating Fusion core will result in a WSOD. Also see the Fusion [5] project page. -------- REPORTED BY --------------------------------------------------------- * Jakub Suchy [6], of the Drupal Security Team * Justin Emond [7] * Rick Manelius [8] * Abhishek Nagar [9] * Chris Lee [10] -------- FIXED BY ------------------------------------------------------------ * Jason Yergeau [11], theme co-maintainer * Sheena Donnelly [12], theme co-maintainer -------- COORDINATED BY ------------------------------------------------------ * Derek Wright [13] of the Drupal Security Team * Stéphane Corlosquet [14] of the Drupal Security Team * Greg Knaddison [15] of the Drupal Security Team * David Rothstein [16] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [17]. Learn more about the Drupal Security team and their policies [18], writing secure code for Drupal [19], and securing your site [20]. [1] http://drupal.org/project/fusion [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/fusion [4] http://drupal.org/node/1506600 [5] http://drupal.org/project/fusion [6] http://drupal.org/user/31977 [7] http://drupal.org/user/186334 [8] http://drupal.org/user/680072 [9] http://drupal.org/user/259737 [10] http://drupal.org/user/1117072 [11] http://drupal.org/user/162308 [12] http://drupal.org/user/380305 [13] http://drupal.org/user/46549 [14] http://drupal.org/user/52142 [15] http://drupal.org/user/36762 [16] http://drupal.org/user/124982 [17] http://drupal.org/contact [18] http://drupal.org/security-team [19] http://drupal.org/writing-secure-code [20] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-054 - Chaos tool suite - Cross Site Scripting (XSS)
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-054 * Project: Chaos tool suite (ctools) [1] (third-party module) * Version: 7.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This suite is primarily a set of APIs and tools to improve the developer experience. It also contains a module called the Page Manager whose job is to manage pages. In particular it manages panel pages, but as it grows it will be able to manage far more than just Panels. The module doesn't appropriate filter user signatures when rendering comments. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post comments" and a site must use Chaos tool suite to render comments. -------- VERSIONS AFFECTED --------------------------------------------------- * Chaos tool suite 7.x-1.x versions prior to 7.x-1.0. Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Chaos tool suite module for Drupal 7.x, upgrade to Chaos tool suite 7.x-1.0 [4] Also see the Chaos tool suite (ctools) [5] project page. -------- REPORTED BY --------------------------------------------------------- * Kristof De Jaeger [6] -------- FIXED BY ------------------------------------------------------------ * Earl Miles [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Dylan Tack [8] of the Drupal Security Team * Michael Hess [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/ctools [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/ctools [4] http://drupal.org/node/1507412 [5] http://drupal.org/project/ctools [6] http://drupal.org/user/107403 [7] http://drupal.org/user/26979 [8] http://drupal.org/user/96647 [9] http://drupal.org/user/102818 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-053 - Organic Groups - Access Bypass
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-053 * Project: Organic groups [1] (third-party module) * Version: 6.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Organic groups (OG) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module's Views integration does not filter out information from display groups to which the current user does not have access, exposing private group titles and the fact that the content is associated with the group. -------- VERSIONS AFFECTED --------------------------------------------------- * Organic Groups 6.x-2.x versions prior to 6.x-2.3. Drupal core is not affected. If you do not use the contributed Organic groups [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Organic Groups module for Drupal 6.x, upgrade to Organic Groups 6.x-2.3 [4] Also see the Organic groups [5] project page. -------- REPORTED BY --------------------------------------------------------- * John f Galvin [6] -------- FIXED BY ------------------------------------------------------------ * Adam Ross [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Ben Jeavons [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/og [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/og [4] http://drupal.org/node/1507328 [5] http://drupal.org/project/og [6] http://drupal.org/user/83305 [7] http://drupal.org/user/346868 [8] http://drupal.org/user/91990 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-052 - Node Limit Number - Cross Site Request Forgery
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-052 * Project: Node Limit Number [1] (third-party module) * Version: 6.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Node Limit Number module enables an administrator to place limits on how many nodes may be created by each user. Node Limit Number does not protect the delete URL against Cross Site Request Forgery attacks, allowing a malicious user to trick someone with "administer node limitnumber" permissions to unknowingly remove existing limits. -------- VERSIONS AFFECTED --------------------------------------------------- * Node Limit Number 6.x-1.x versions prior to 6.x-1.2. Drupal core is not affected. If you do not use the contributed Node Limit Number [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Node Limit Number module for Drupal 6.x, upgrade to Node Limit Number 6.x-1.2 [4] Also see the Node Limit Number [5] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Joe Wheaton [7] the module maintainer * Ivo Van Geertruyen [8] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/node_limitnumber [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/node_limitnumber [4] http://drupal.org/node/1506594 [5] http://drupal.org/project/node_limitnumber [6] http://drupal.org/user/383424 [7] http://drupal.org/user/298179 [8] http://drupal.org/user/383424 [9] http://drupal.org/user/102818 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-051 * Project: Activity [1] (third-party module) * Version: 6.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Activity module keeps track of the things people do on your site and provides mini-feeds of these activities in blocks, in a specialized table, and via RSS. The module is extensible so that any other module can integrate with it. The messages that are produced are customizable via the admin interface and are context sensitive. The 6.x-1.x branch of the module does not filter output of the module settings correctly leading to a cross site scripting vulnerability (XSS). It also does not confirm user intent when removing a single activity resulting in a cross site request forgery vulnerability. The XSS vulnerability is mitigated by the fact that it requires the malicious user to have a role with the "access administration pages" and "administer activity" permissions. -------- VERSIONS AFFECTED --------------------------------------------------- * All releases of the 6.x-1.x branch Drupal core is not affected. If you do not use the contributed Activity [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * The 6.x-1.x branch of this module is no longer supported. Upgrade to 6.x-2.0-alpha1 [4] Note that there is currently no upgrade path. Users of the module are encouraged to work in the module queue to help build an upgrade path. Also see the Activity [5] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [6] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/activity [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/activity [4] http://drupal.org/node/944146 [5] http://drupal.org/project/activity [6] http://drupal.org/user/383424 [7] http://drupal.org/user/102818 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-050 - CDN2 Video - Unsupported
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-050 * Project: CDN2 Video [1] (third-party module) * Version: 6.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- CDN2 is a plug and play module and video management service for Drupal. The module does not sanitize output correctly, allowing for a cross-site scripting (XSS) vulnerability. Additionally, the Form API is not correctly utilized allowing for cross-site request forgery (CSRF) attempts. This module relies on a backend service that is no longer active therefore the project is unsupported. -------- VERSIONS AFFECTED --------------------------------------------------- All versions are affected. Drupal core is not affected. If you do not use the contributed CDN2 Video [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the module. This module is no longer supported. Also see the CDN2 Video [4] project page. -------- REPORTED BY --------------------------------------------------------- * Michael Hess [5] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [6] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. [1] http://drupal.org/project/cdn2 [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/cdn2 [4] http://drupal.org/project/cdn2 [5] http://drupal.org/user/102818 [6] http://drupal.org/user/102818 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-049 - ShareThis - Multiple Vulnerablies
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-049 * Project: ShareThis [1] (third-party module) * Version: 7.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The ShareThis module allows you to display social networking tools to users. The administration forms of the module do not properly use the Form API allowing a malicious user to inject unexpected settings, allowing for cross-site scripting attacks (XSS). Additionally, the module had an incomplete feature for updating these settings outside of the Form API which was vulnerable to a cross site request forgery attack. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer sharethis". -------- VERSIONS AFFECTED --------------------------------------------------- * ShareThis 7.x-2.x versions prior to 7.x-2.2. Drupal core is not affected. If you do not use the contributed ShareThis [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the ShareThis module for Drupal 7.x, upgrade to ShareThis 7.x-2.3 [4] Also see the ShareThis [5] project page. -------- REPORTED BY --------------------------------------------------------- * Travis Tomka [6] -------- FIXED BY ------------------------------------------------------------ * Greg Knaddison [7] of the Drupal Security Team * Rob Loach [8], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * Michael Hess [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/sharethis [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/sharethis [4] http://drupal.org/node/1504746 [5] http://drupal.org/project/sharethis [6] http://drupal.org/user/718562 [7] http://drupal.org/user/36762 [8] http://drupal.org/user/61114 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/102818 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-048 - Contact Save - Cross Site Scripting
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-048 * Project: Contact Save [1] (third-party module) * Version: 6.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module stores in the database all messages submitted through the core contact forms, and provides a way to respond to these messages through the website. The module doesn't sufficiently filter user supplied text, leading to a cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with either the "access site-wide contact form". -------- VERSIONS AFFECTED --------------------------------------------------- * Contact Save 6.x-1.x versions prior to 6.x-1.5. Drupal core is not affected. If you do not use the contributed Contact Save [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Contact Save module for Drupal 6.x, upgrade to Contact Save 6.x-1.5 [4]. Also see the Contact Save [5] project page. -------- REPORTED BY --------------------------------------------------------- * Stella Power [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Joel Stein [7] the module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/contact_save [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/contact_save [4] http://drupal.org/node/953788 [5] http://drupal.org/project/contact_save [6] http://drupal.org/user/66894 [7] http://drupal.org/user/36598 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-047 - Ubercart Views - Information disclosure
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-047 * Project: Ubercart Views [1] (third-party module) * Version: 6.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Ubercart Views provides Views integration for the Ubercart shopping cart module, and includes default views that contain a critical information disclosure bug. In some versions, these views are disabled by default, but still disclose information if you enable them. -------- VERSIONS AFFECTED --------------------------------------------------- All versions of Ubercart Views for Drupal 6.x prior to 6.x-3.2. Drupal core is not affected. If you do not use the contributed Ubercart Views [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ubercart Views module for Drupal 6.x upgrade to Ubercart Views 6.x-3.2 [4] After installing, if you have enabled or previously edited the "orders" or "order_management" views, you must either revert these views to their default settings, or edit the "access" settings for these views and ensure that all displays require the "view all orders" permission. Also see the Ubercart Views [5] project page. -------- REPORTED BY --------------------------------------------------------- * Derek Wright [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * David Long [7] the module maintainer * Derek Wright [8] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Gerhard Killesreiter [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/uc_views [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/uc_views [4] http://drupal.org/node/1505210 [5] http://drupal.org/project/uc_views [6] http://drupal.org/user/46549 [7] http://drupal.org/user/246492 [8] http://drupal.org/user/46549 [9] http://drupal.org/user/227 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-046 - Bundle Copy - Arbitrary Code execution
by security-news＠drupal.org 28 Mar '12

28 Mar '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-046 * Project: Bundle copy [1] (third-party module) * Version: 7.x * Date: 2012-March-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- Bundle copy is a replacement for the Content copy module which lives in the CCK project for Drupal 6. Besides the ability to import and export content types, taxonomy and user entities are also supported. Field groups can be exported easily as well. The module doesn't sufficiently check whether the user has the "use PHP for settings" permission, allowing to execute arbitrary PHP code while importing settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy", "administer content types" or "administer users". -------- VERSIONS AFFECTED --------------------------------------------------- * Bundle copy 7.x-1.x versions prior to 7.x-1.0. Drupal core is not affected. If you do not use the contributed Bundle copy [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Bundle copy module for Drupal 7.x, upgrade to Bundle copy 7.x-1.1 [4] Also see the Bundle copy [5] project page. -------- REPORTED BY --------------------------------------------------------- * David Rothstein [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Kristof De Jaeger [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Ivo Van Geertruyen [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/bundle_copy [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/bundle_copy [4] http://drupal.org/node/1506166 [5] http://drupal.org/project/bundle_copy [6] http://drupal.org/user/124982 [7] http://drupal.org/user/107403 [8] http://drupal.org/user/383424 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news March 2012