View online: http://drupal.org/node/1547738
* Advisory ID: DRUPAL-SA-CONTRIB-2012-067
* Project: Linkit [1] (third-party module)
* Version: 7.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Linkit provides an easy interface for internal and external linking. Linkit
links to nodes, users, managed files, terms and has basic support for all
entities by default, using an autocomplete field.
When searching for entities, no access restrictions were applied, so users may
see information about content that they do not normally have access to view.
This issue only affects sites using an entity access module to limit access
to content for some users.
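The access restriction the advisory refers to, shown as an added example that is not Linkit's own code: a title autocomplete over constructed sample nodes, first with no access check and then filtered through node-access-style (realm, gid) grants. The node data, grant realms and user grant sets are constructed for illustration; in a real Drupal 7 module the equivalent is tagging the db_select() query with 'node_access' (or checking node_access('view', $node) per result) so the grants join is applied for the current user.

```php
<?php
// Added illustration, not Linkit's own code. Models Drupal 7's node access
// grants: each node carries (realm, gid) grants and a user holds a set of
// (realm, gid) pairs; a node is visible if any pair matches.
// All node data, realms and grant sets below are constructed sample values.

$nodes = [
  1 => ['title' => 'Public announcement',     'grants' => [['all', 0]]],
  2 => ['title' => 'Board minutes (private)', 'grants' => [['group', 7]]],
  3 => ['title' => 'Public FAQ',              'grants' => [['all', 0]]],
  4 => ['title' => 'Private roadmap',         'grants' => [['group', 9]]],
];

// Vulnerable shape: the autocomplete matches titles for any user, so the
// existence and title of restricted content leaks through the suggestions.
function linkit_search_unrestricted(array $nodes, string $q): array {
  $out = [];
  foreach ($nodes as $nid => $n) {
    if (stripos($n['title'], $q) !== false) {
      $out[$nid] = $n['title'];
    }
  }
  return $out;
}

// True if the user holds at least one of the node's grants.
function user_has_grant(array $node_grants, array $user_grants): bool {
  foreach ($node_grants as [$realm, $gid]) {
    foreach ($user_grants as [$urealm, $ugid]) {
      if ($realm === $urealm && $gid === $ugid) {
        return true;
      }
    }
  }
  return false;
}

// Hardened shape: the same match, but only nodes the user may view are
// returned. In Drupal 7 this is what ->addTag('node_access') on the
// db_select() query does for the current user.
function linkit_search_restricted(array $nodes, string $q, array $user_grants): array {
  $out = [];
  foreach ($nodes as $nid => $n) {
    if (stripos($n['title'], $q) !== false && user_has_grant($n['grants'], $user_grants)) {
      $out[$nid] = $n['title'];
    }
  }
  return $out;
}

// Anonymous user: only the 'all' realm. Group-7 member: 'all' plus group 7.
$anon   = [['all', 0]];
$member = [['all', 0], ['group', 7]];

print_r(linkit_search_unrestricted($nodes, 'private'));
print_r(linkit_search_restricted($nodes, 'private', $anon));
print_r(linkit_search_restricted($nodes, 'private', $member));
```

Run with the PHP CLI: the unrestricted search returns both private titles to anyone, the restricted search returns nothing for the anonymous user and only the group-7 node for the member. The point for reviewers is that the query feeding an autocomplete or search callback needs the same access check as the page that displays the content; filtering at render time alone is too late once the title has been sent back as a suggestion.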
-------- VERSIONS AFFECTED
---------------------------------------------------
* Linkit 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Linkit [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Linkit module for Drupal 7.x, upgrade to Linkit 7.x-2.3 [4]
Also see the Linkit [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* PAULAP [6]
-------- FIXED BY
------------------------------------------------------------
* Emil Stjerneman [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/linkit
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/linkit
[4] http://drupal.org/node/1547716
[5] http://drupal.org/project/linkit
[6] http://drupal.org/user/29978
[7] http://drupal.org/user/464598
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547736
* Advisory ID: DRUPAL-SA-CONTRIB-2012-066
* Project: Spaces [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Spaces is an API module intended to make configuration options generally
available only at the sitewide level to be configurable and overridden by
individual "spaces" on a Drupal site.
The spaces and spaces_og modules (part of the spaces package) in some cases
do not apply the expected spaces access permission to pages that are
non-objects (e.g. /node).
This vulnerability is mitigated by the fact that node_access and user profile
permissions will prevent node or user data from being exposed, but other
information (e.g. block data, etc.) is still displayed. This issue only affects
sites using spaces to limit access to content for some users.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Spaces 6.x-3.x versions prior to 6.x-3.4.
Drupal core is not affected. If you do not use the contributed Spaces [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.4 [4]
Also see the Spaces [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* hefox [6]
-------- FIXED BY
------------------------------------------------------------
* Patrick Settle [7] the module maintainer
* Fox [8]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
* Matt Kleve [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/spaces
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/spaces
[4] http://drupal.org/node/1547730
[5] http://drupal.org/project/spaces
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/26618
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547660
* Advisory ID: DRUPAL-SA-CONTRIB-2012-063
* Project: RealName [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module allows you to set a pattern for constructing "Real names" for
users out of profile fields. The module does not sufficiently escape users'
real names under certain circumstances which could lead to a Cross-Site
Scripting (XSS) [3] attack.
-------- VERSIONS AFFECTED
---------------------------------------------------
* RealName 6.x-1.x versions prior to 6.x-1.5 [4].
* RealName 7.x-1.x versions are not vulnerable.
Drupal core is not affected. If you do not use the contributed RealName [5]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the RealName module for Drupal 6.x, upgrade to RealName 6.x-1.5
[6].
Also see the RealName [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Gabor Szanto [8]
* Dave Reid [9], module maintainer and Drupal Security Team member
-------- FIXED BY
------------------------------------------------------------
* Gabor Szanto [10]
* Dave Reid [11], module maintainer and Drupal Security Team member
-------- COORDINATED BY
------------------------------------------------------
* Dave Reid [12] of the Drupal Security Team
* Michael Hess [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] http://drupal.org/project/realname
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/node/1547352
[5] http://drupal.org/project/realname
[6] http://drupal.org/node/1547352
[7] http://drupal.org/project/realname
[8] http://drupal.org/user/610310
[9] http://drupal.org/user/53892
[10] http://drupal.org/user/610310
[11] http://drupal.org/user/53892
[12] http://drupal.org/user/53892
[13] http://drupal.org/user/102818
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547686
* Advisory ID: DRUPAL-SA-CONTRIB-2012-065
* Project: Site Documentation [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to display a plethora of information about your
site's structure. Optionally, the information may be saved into a file for
later comparison.
The module doesn't sufficiently verify that the saved file is protected by
the Private File System.
This vulnerability is mitigated by the fact that the administrator must have
configured the module to save the HTML report file to disk.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Sitedoc 6.x-1.x versions prior to 6.x-1.4.
Drupal core is not affected. If you do not use the contributed Site
Documentation [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Sitedoc module for Drupal 6.x, upgrade to Sitedoc 6.x-1.4
[4], and
* Enable the private file system if you want to save the output file.
Also see the Site Documentation [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jakub Suchý [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Nancy Wichmann [7], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Forest Monsen [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/sitedoc
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/sitedoc
[4] http://drupal.org/node/1546224
[5] http://drupal.org/project/sitedoc
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/101412
[8] http://drupal.org/user/181798
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547674
* Advisory ID: DRUPAL-SA-CONTRIB-2012-064
* Project: Ubercart [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Varies (Local & Remote)
* Vulnerability: Cross Site Scripting, Arbitrary PHP code execution,
Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The Ubercart module for Drupal provides a shopping cart and e-commerce
features for Drupal. Parts of Ubercart were vulnerable to a Failure to
encrypt data, Cross Site Scripting, and an Arbitrary PHP Execution
vulnerability.
.... Failure to encrypt data: Exploitable from local
Passwords supplied by new customers during checkout were stored as plain text
until payment was completed for an order, for a maximum of 15 minutes. This
vulnerability is not exploitable remotely, but information may have
inadvertently been leaked via database access (e.g. backups, developer
laptops that are compromised).
.... Cross Site Scripting: Exploitable from remote
The product classes feature did not properly sanitize output and was
vulnerable to a cross site scripting attack. This vulnerability is mitigated
by the fact that an attacker must have the "administer product classes"
permission.
.... Arbitrary PHP Execution: Exploitable from remote
In Ubercart 6.x-2.x, arbitrary PHP code can be executed by users with the
"administer conditional actions" permission. This vulnerability is mitigated
by the fact that this permission should only be granted to trusted users.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Ubercart 6.x-2.x versions prior to 6.x-2.8. [3]
* Ubercart 7.x-3.x versions prior to 7.x-3.1. [4]
Drupal core is not affected. If you do not use the contributed Ubercart [5]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart
6.x-2.8. [6]
* If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart
7.x-3.1. [7]
Additionally, in Drupal 6.x, ensure that only trusted users have roles that
have been granted the "administer conditional actions" permission.
Also see the Ubercart [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Shaun Dychko [9] reported the Failure to encrypt data issue
* Lee Rowlands [10] reported the Cross Site Scripting issue
* Dave Long [11] reported the Arbitrary PHP Execution issue
-------- FIXED BY
------------------------------------------------------------
* Dave Long [12] the module maintainer
* Lyle Mantooth [13] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [14] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].
Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].
[1] http://drupal.org/project/ubercart
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1547506
[4] http://drupal.org/node/1547508
[5] http://drupal.org/project/ubercart
[6] http://drupal.org/node/1547506
[7] http://drupal.org/node/1547508
[8] http://drupal.org/project/ubercart
[9] http://drupal.org/user/475828
[10] http://drupal.org/user/395439
[11] http://drupal.org/user/246492
[12] http://drupal.org/user/246492
[13] http://drupal.org/user/86683
[14] http://drupal.org/user/36762
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547520
* Advisory ID: DRUPAL-SA-CONTRIB-2012-062
* Project: Creative Commons [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Creative Commons module allows users to select and assign a Creative
Commons license to a node and any attached content, or to the entire site.
The module did not sufficiently filter the text describing licenses. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission "administer creative commons".
-------- VERSIONS AFFECTED
---------------------------------------------------
* Creative Commons 6.x-1.x versions prior to 6.x-1.1. [3]
Drupal core is not affected. If you do not use the contributed Creative
Commons [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Creative Commons module for Drupal 6.x, upgrade to Creative
Commons 6.x-1.1 [5]
Also see the Creative Commons [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin Klein-Keane [7]
-------- FIXED BY
------------------------------------------------------------
* Kevin Reynen [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/creativecommons
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1547478
[4] http://drupal.org/project/creativecommons
[5] http://drupal.org/node/1547478
[6] http://drupal.org/project/creativecommons
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/48877
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1538704
* Advisory ID: DRUPAL-SA-CONTRIB-2012-061
* Project: Gigya - Social optimization [1] (third-party module)
* Version: 6.x
* Date: 2012-April-18
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Gigya - Social optimization [3] module provides a single API that
aggregates authentication and social APIs from Facebook Connect, MySpace ID,
Twitter, and OpenID webmail providers including Google, Yahoo, and AOL.
The module doesn't sufficiently escape URL elements which are printed back to
the user.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Gigya [4] 6.x versions prior to 6.x-3.2 [5].
Drupal core is not affected. If you do not use the contributed Gigya - Social
optimization [6] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Gigya module for Drupal 6.x, upgrade to Gigya 6.x-3.2 [7]
Also see the Gigya - Social optimization [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Marek Lyczba [9]
-------- FIXED BY
------------------------------------------------------------
* Yaniv Aran-Shamir [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Matt Kleve [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/gigya
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/gigya
[4] http://drupal.org/project/gigya
[5] http://drupal.org/node/1515084
[6] http://drupal.org/project/gigya
[7] http://drupal.org/node/1515084
[8] http://drupal.org/project/gigya
[9] http://drupal.org/user/20043
[10] http://drupal.org/user/691662
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1538436
* Advisory ID: DRUPAL-SA-CONTRIB-2012-060
* Project: Commerce Reorder [1] (third-party module)
* Version: 7.x
* Date: 2012-April-18
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Commerce Reorder module enables you to reorder previously purchased
products for Drupal Commerce.
The module does not sufficiently protect the re-order URL against Cross Site
Request Forgery (CSRF [3]), allowing a malicious user to trick someone into
adding unwanted items to their shopping cart.
This vulnerability is mitigated by the fact that while items can be placed
in a shopping cart, the user still has to complete the checkout process, and
by the fact that re-ordering is restricted by access to the "source" order.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Reorder versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Commerce
Reorder [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Reorder module, upgrade to Commerce Reorder
7.x-1.1 [5]
Also see the Commerce Reorder [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Pedro Cambra (pcambra [8]), the module maintainer
* Ivo Van Geertruyen (mr.baileys [9]) of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Ivo Van Geertruyen (mr.baileys [10]) of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/commerce_reorder
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Csrf
[4] http://drupal.org/project/commerce_reorder
[5] http://drupal.org/node/1538198
[6] http://drupal.org/project/commerce_reorder
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/122101
[9] http://drupal.org/user/383424
[10] http://drupal.org/user/383424
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1528864
* Advisory ID: DRUPAL-SA-CONTRIB-2012-059
* Project: Autosave [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-April-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
This module enables snapshots of your node edit form to be saved in the
background while you are editing to help prevent the data from being lost.
The module doesn't sufficiently protect against a user being tricked into
submitting saved results to a node.
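The protection missing in both the Commerce Reorder advisory above (a re-order link that adds items to the cart on a plain GET) and this Autosave advisory (a callback that writes saved form data back to a node) is the same: a state-changing request must carry a token the attacker's page cannot know. The following is an added example, not code from either module. It mirrors the shape of Drupal 7's drupal_get_token()/drupal_valid_token(), an HMAC over an action-specific value keyed with the session id and a site secret, and shows it on the re-order case; SESSION_ID, PRIVATE_KEY, the URL shape and the order ids are constructed assumptions.

```php
<?php
// Added illustration, not the Commerce Reorder or Autosave modules' own code.
// Token scheme modelled on Drupal 7's drupal_get_token(): HMAC-SHA256 over the
// action value, keyed with session id + site private key, base64url encoded.
// SESSION_ID and PRIVATE_KEY are constructed sample values.

const SESSION_ID  = 'sess_3f9a1c7e';           // assumption: the victim's session id
const PRIVATE_KEY = 'site-private-key-example'; // assumption: site-wide secret

function csrf_token(string $value, string $session_id = SESSION_ID): string {
  $raw = hash_hmac('sha256', $value, $session_id . PRIVATE_KEY, true);
  return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function csrf_valid(string $token, string $value, string $session_id = SESSION_ID): bool {
  // Constant-time comparison so token bytes cannot be guessed one at a time.
  return hash_equals(csrf_token($value, $session_id), $token);
}

// Vulnerable shape: any request for /reorder/42 adds order 42 to the cart,
// so an <img src="https://shop.example/reorder/42"> on an attacker's page
// is enough to fill a logged-in victim's cart.
function reorder_unprotected(int $order_id, array $query, array &$cart): bool {
  $cart[] = $order_id;
  return true;
}

// Hardened shape: the link the site renders carries a token bound to the
// order id and to the session; a forged cross-site request cannot mint it.
function reorder_link(int $order_id): string {
  return '/reorder/' . $order_id . '?token=' . csrf_token('reorder:' . $order_id);
}

function reorder_protected(int $order_id, array $query, array &$cart): bool {
  if (!isset($query['token']) || !csrf_valid($query['token'], 'reorder:' . $order_id)) {
    return false; // a Drupal menu callback would return MENU_ACCESS_DENIED here
  }
  $cart[] = $order_id;
  return true;
}

// Forged request against the unprotected callback succeeds with no token.
$cart_unprotected = [];
$forged_unprotected = reorder_unprotected(42, [], $cart_unprotected);

// Legitimate click: the token was minted in the victim's session for order 42.
parse_str(parse_url(reorder_link(42), PHP_URL_QUERY), $q);
$cart = [];
$legit = reorder_protected(42, $q, $cart);

// Forged requests: no token, a token minted in the attacker's own session,
// or a token for a different order. All three are refused.
$forged_none  = reorder_protected(42, [], $cart);
$forged_other = reorder_protected(42, ['token' => csrf_token('reorder:42', 'sess_attacker')], $cart);
$forged_wrong = reorder_protected(42, ['token' => csrf_token('reorder:99')], $cart);

var_dump($forged_unprotected, $legit, $forged_none, $forged_other, $forged_wrong, $cart);
```

Binding the token to the order id (rather than one site-wide token) keeps a token leaked from one link from being reused for another action, and binding it to the session keeps a token the attacker obtains in their own session useless against anyone else. For a Drupal 7 form submitted through the Form API the form_token field gives this check for free; a custom menu callback or AJAX endpoint that changes state, as in both advisories, has to add it explicitly.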
-------- VERSIONS AFFECTED
---------------------------------------------------
* Autosave 6.x versions prior to 6.x-1.10
Drupal core is not affected. If you do not use the contributed Autosave [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Autosave module for Drupal 6.x, upgrade to Autosave 6.x-1.10
[5]
Also see the Autosave [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ryan Jud Hughes
-------- FIXED BY
------------------------------------------------------------
* liquidcms [7] the module maintainer
* Crell [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/autosave
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/autosave
[4] http://drupal.org/project/autosave
[5] http://drupal.org/node/1525998
[6] http://drupal.org/project/autosave
[7] http://drupal.org/user/44114
[8] http://drupal.org/user/26398
[9] http://drupal.org/user/102818
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1528614
* Advisory ID: DRUPAL-SA-CONTRIB-2012-058
* Project: Fivestar [1] (third-party module)
* Version: 6.x
* Date: 2012-April-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Input Validation
-------- DESCRIPTION
---------------------------------------------------------
The Fivestar module enables you to add a voting widget to nodes and comments.
The module does not sufficiently validate all votes passed by the
asynchronous voting widget allowing a malicious user to improperly modify
voting averages.
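What "sufficiently validate all votes" means in practice, as an added example that is not Fivestar's own code: the server must only accept the values the widget can legitimately produce, not whatever number the asynchronous request carries. The modelling assumptions are that a rating is posted as a percentage (0 to 100), that a widget configured with N stars can only produce the values k*100/N for k = 1..N plus 0 to clear a vote, and that votes are averaged; the sample votes are constructed.

```php
<?php
// Added illustration, not Fivestar's own code. Assumes (as a modelling choice)
// that the widget posts a rating as a percentage and that an N-star field only
// allows the values k*100/N (k = 1..N) plus 0 to clear. Sample votes below are
// constructed.

function allowed_vote_values(int $stars): array {
  $allowed = [0];
  for ($k = 1; $k <= $stars; $k++) {
    $allowed[] = (int) round($k * 100 / $stars);
  }
  return $allowed;
}

// Vulnerable shape: casts and stores whatever arrived, so a single request
// carrying 5000 or -100 drags the average wherever the sender wants.
function record_vote_unvalidated(array $votes, $posted, int $stars): array {
  $votes[] = (int) $posted;
  return $votes;
}

// Hardened shape: the posted value must be an integer and must be exactly one
// of the values this widget can produce; anything else is rejected before it
// reaches vote storage.
function record_vote_validated(array $votes, $posted, int $stars): array {
  $value = filter_var($posted, FILTER_VALIDATE_INT);
  if ($value === false || !in_array($value, allowed_vote_values($stars), true)) {
    throw new InvalidArgumentException('vote value not permitted for this widget');
  }
  $votes[] = $value;
  return $votes;
}

function average(array $votes): float {
  return count($votes) ? array_sum($votes) / count($votes) : 0.0;
}

// Constructed sample: three honest votes on a 5-star widget, then a forged
// request that the widget could never have sent.
$honest = [80, 100, 60];

$skewed = record_vote_unvalidated($honest, '5000', 5);
echo "unvalidated average: " . average($skewed) . "\n";

try {
  record_vote_validated($honest, '5000', 5);
} catch (InvalidArgumentException $e) {
  echo "validated: " . $e->getMessage() . "\n";
}

$clean = record_vote_validated($honest, '40', 5);
echo "validated average: " . average($clean) . "\n";
```

The allowed set is derived from the widget's own configuration rather than from anything in the request, so a client that tampers with the posted star count as well as the value gains nothing; the vote is checked against the field's stored settings. Where a site exposes several widgets with different star counts, the same check runs per field with that field's N.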
-------- VERSIONS AFFECTED
---------------------------------------------------
* Fivestar 6.x-1.x versions prior to 6.x-1.20
Drupal core is not affected. If you do not use the contributed Fivestar [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Fivestar module for Drupal 6.x, upgrade to Fivestar
6.x-1.20 [4]
Also see the Fivestar [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ezra Barnett Gildesgame [6]
-------- FIXED BY
------------------------------------------------------------
* Eric J. Duran [7], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Ben Jeavons [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/fivestar
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fivestar
[4] http://drupal.org/node/1528600
[5] http://drupal.org/project/fivestar
[6] http://drupal.org/user/69959
[7] http://drupal.org/user/244460
[8] http://drupal.org/user/91990
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration