View online: http://drupal.org/node/1608864
* Advisory ID: DRUPAL-SA-CONTRIB-2012-090
* Project: filedepot [1] (third-party module)
* Version: 6.x
* Date: 2012-May-30
* Security risk: Critical [2]
* Exploitable from: remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The filedepot module is a Document Management module. It fulfills the need
for an integrated file management module supporting role and user based
security. Documents can be saved outside the Drupal public directory to
protect documents for safe access and distribution.
The module has a session management vulnerability that caused Internet
Explorer users to switch users if they uploaded a file using another browser
from the same IP address (Internet Protocol address).
This vulnerability is mitigated by the fact that it only occurred with
Internet Explorer and when multiple sessions were running from the same
desktop / IP address.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* filedepot 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed filedepot [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the filedepot module for Drupal 6.x, upgrade to filedepot 6.x-1.3 [4]
Also see the filedepot [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* dolu [6]
-------- FIXED BY
------------------------------------------------------------
* Blaine Lang [7]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/filedepot
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/filedepot
[4] http://drupal.org/node/1598782
[5] http://drupal.org/project/filedepot
[6] http://drupal.org/user/374670
[7] http://drupal.org/user/726382
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1608854
* Advisory ID: DRUPAL-SA-CONTRIB-2012-089
* Project: Counter [1] (third-party module)
* Version: 6.x
* Date: 2012-May-30
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
The Counter module counts how many visitors your website has. It provides
real-time counting, with all data saved to the database.
The module doesn't sufficiently filter user supplied text when recording
visits to the database which leads to a SQL Injection vulnerability.
CVE: Requested
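As an added illustration of the failure class described above (this is not the Counter module's code, and the table name and sample request values are constructed for the example), the script below records a visit two ways: with request-supplied text spliced into the SQL string, and with the value bound as a parameter. It uses an in-memory SQLite database through PDO so it runs on its own; in Drupal 6 the safe form is a db_query() call with '%s' placeholders rather than string concatenation.

```php
<?php
// Added example, not the Counter module's code. Records a visit with the
// User-Agent header spliced into the SQL text, then with the value bound as
// a parameter. In Drupal 6 the equivalent of the safe form is
//   db_query("INSERT INTO {some_table} (ip, browser) VALUES ('%s', '%s')", ip_address(), $ua);
// (table name hypothetical); placeholders do the escaping, concatenation does not.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (ip TEXT, browser TEXT, created INTEGER)');

// Vulnerable pattern: the user agent becomes part of the SQL text, so any
// quote in it is parsed as SQL rather than stored as data.
function record_visit_unsafe(PDO $db, $ip, $ua) {
    $sql = "INSERT INTO visits (ip, browser, created) VALUES ('$ip', '$ua', " . time() . ")";
    $db->exec($sql);
}

// Hardened pattern: the statement shape is fixed at prepare time and the
// values travel separately, so they cannot change the statement.
function record_visit_safe(PDO $db, $ip, $ua) {
    $stmt = $db->prepare('INSERT INTO visits (ip, browser, created) VALUES (:ip, :ua, :created)');
    $stmt->execute(array(':ip' => $ip, ':ua' => $ua, ':created' => time()));
}

// Constructed sample request: a user agent containing an apostrophe, which
// is ordinary data to a browser but a string delimiter to the SQL parser.
$ip = '203.0.113.7';
$ua = "Mozilla/5.0 (Joe's phone)";

try {
    record_visit_unsafe($db, $ip, $ua);
    echo "unsafe insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    // A syntax error here is the proof that request data reached the SQL grammar.
    echo 'unsafe insert failed: ' . $e->getMessage() . "\n";
}

record_visit_safe($db, $ip, $ua);
$row = $db->query('SELECT browser FROM visits')->fetch(PDO::FETCH_ASSOC);
echo 'safe insert stored verbatim: ' . $row['browser'] . "\n";
```

The apostrophe is deliberately the only special character in the sample: a benign value is enough to show that the concatenated statement treats input as code, and the bound statement stores the same bytes unchanged.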
-------- VERSIONS AFFECTED
---------------------------------------------------
* All Counter module versions.
Drupal core is not affected. If you do not use the contributed Counter [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you currently use the Counter module, you should disable it.
Also see the Counter [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Balazs Dianiska [5]
-------- FIXED BY
------------------------------------------------------------
The issue was not fixed.
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [6] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/counter
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/counter
[4] http://drupal.org/project/counter
[5] http://drupal.org/user/58645
[6] http://drupal.org/user/102818
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1608828
* Advisory ID: DRUPAL-SA-CONTRIB-2012-088
* Project: Mobile Tools [1] (third-party module)
* Version: 6.x
* Date: 2012-May-30
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Mobile Tools provides Drupal developers with some tools to assist in making a
site mobile.
The module contains several persistent cross site scripting (XSS)
vulnerabilities due to the fact that it fails to sanitize user supplied
values before display.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mobile Tools 6.x-2.x versions prior to 6.x-2.3
Drupal core is not affected. If you do not use the contributed Mobile Tools
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Mobile Tools module for Drupal 6.x, upgrade to Mobile Tools
6.x-2.3 [4]
Also see the Mobile Tools [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin Klein Keane [6]
-------- FIXED BY
------------------------------------------------------------
* Mathew Winstone (minorOffense) [7], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/mobile_tools
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mobile_tools
[4] http://drupal.org/node/1169008
[5] http://drupal.org/project/mobile_tools
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/129088
[8] http://drupal.org/user/102818
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1608822
* Advisory ID: DRUPAL-SA-CONTRIB-2012-087
* Project: Comment Moderation [1] (third-party module)
* Version: 6.x
* Date: 2012-May-30
* Security risk: Less Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to moderate comments quickly, by providing a complete
interface with all the useful actions on a single page.
The module doesn't sufficiently protect the publish link URL, thus a Cross
Site Request Forgery (CSRF) attack against an administrator could result in
unintended publishing of comments.
CVE: Requested
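The protection the advisory refers to is a request token bound to the administrator's session and to the specific action. The script below is an added example, not the Comment Moderation module's code: it builds a publish link with such a token and shows the callback rejecting requests that lack it or that reuse it for a different comment. Drupal 6 provides drupal_get_token($value) and drupal_valid_token($token, $value) for this; example_get_token() and example_valid_token() are simplified stand-ins so the script runs without Drupal, and the private key, session id and comment ids are constructed values.

```php
<?php
// Added example, not the Comment Moderation module's code. A GET "publish"
// link that carries only the comment id can be triggered by any page the
// administrator visits. A token tied to the session and the action lets the
// callback tell a genuine click from a forged request. Drupal 6's real
// functions are drupal_get_token() / drupal_valid_token(); these are stand-ins.

// Constructed values standing in for the site's private key and the
// administrator's session id.
$private_key = 'constructed-private-key-not-for-real-use';
$session_id  = 'constructed-admin-session-id';

function example_get_token($session_id, $private_key, $value) {
    // The token depends on the session, the action and a secret the attacker
    // cannot read, so it cannot be precomputed for a victim.
    return hash_hmac('sha256', $session_id . '|' . $value, $private_key);
}

function example_valid_token($session_id, $private_key, $token, $value) {
    $expected = example_get_token($session_id, $private_key, $value);
    return hash_equals($expected, (string) $token); // constant-time comparison
}

// Building the link: the action string ties the token to this one comment.
function publish_link($session_id, $private_key, $cid) {
    $token = example_get_token($session_id, $private_key, "publish-comment-$cid");
    // Drupal 6 equivalent (hypothetical path): l(t('Publish'), "comment-moderation/publish/$cid",
    //   array('query' => array('token' => drupal_get_token("publish-comment-$cid"))));
    return "/comment-moderation/publish/$cid?token=" . urlencode($token);
}

// The menu callback: validate before changing any state.
function publish_callback($session_id, $private_key, $cid, array $query) {
    $token = isset($query['token']) ? $query['token'] : '';
    if (!example_valid_token($session_id, $private_key, $token, "publish-comment-$cid")) {
        return "denied: missing or invalid token for comment $cid (possible CSRF)";
    }
    return "comment $cid published";
}

$link = publish_link($session_id, $private_key, 42);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

echo publish_callback($session_id, $private_key, 42, $query) . "\n";   // genuine click
echo publish_callback($session_id, $private_key, 42, array()) . "\n";  // forged link, no token
echo publish_callback($session_id, $private_key, 43, $query) . "\n";   // token reused for another comment
```

Including the comment id in the token's value is what makes the third case fail: a token leaked for one comment cannot be replayed against another.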
-------- VERSIONS AFFECTED
---------------------------------------------------
* Comment Moderation 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Comment
Moderation [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Comment Moderation module for Drupal 6.x, upgrade to
Comment Moderation 6.x-1.1 [4]
Also see the Comment Moderation [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dylan Tack (grendzy [6]) of the Drupal Security Team
* Tim Wood (timwood [7])
-------- FIXED BY
------------------------------------------------------------
* David Stosik [8], one of the module maintainers
-------- COORDINATED BY
------------------------------------------------------
* Members of the Drupal Security Team [9]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/comment_moderation
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/comment_moderation
[4] http://drupal.org/node/1538768
[5] http://drupal.org/project/comment_moderation
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/457434
[8] http://drupal.org/user/49385
[9] https://security.drupal.org/team-members
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1608780
* Advisory ID: DRUPAL-SA-CONTRIB-2012-086
* Project: Amadou [1] (third-party theme)
* Version: 6.x
* Date: 2012-May-30
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Amadou theme outputs additional first and last classes on the list of
links to help themers. This was being done in a way that was not secure.
A Cross Site Scripting (XSS) vulnerability was identified in the Amadou theme's
themes_links() function in the template.php file; the same issue was fixed in
core's theme_links() function in Drupal 6.3, as noted in SA-2008-044
(http://drupal.org/node/280571 [3]).
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Amadou 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Amadou [4]
theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Amadou theme for Drupal 6.x, upgrade to Amadou 6.x-1.3 [5].
If you have created a custom theme with Amadou or are using Amadou as a base
theme, please see below for a manual fix:
The offending code on line 77 in the original template.php file:
$output .= '';
Should be replaced with the following code:
$output .= '
* $class)) .'>';
Also see the Amadou [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Peter Wolanin [7] and Matt Chapman [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jason Moore [9], Amadou theme maintainer
* Matt Chapman [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Matt Chapman [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/amadou
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/280571
[4] http://drupal.org/project/amadou
[5] http://drupal.org/node/1608730
[6] http://drupal.org/project/amadou
[7] http://drupal.org/user/49851
[8] http://drupal.org/user/143172
[9] http://drupal.org/user/149225
[10] http://drupal.org/user/143172
[11] http://drupal.org/user/143172
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1597364
* Advisory ID: DRUPAL-SA-CONTRIB-2012-084
* Project: Search API [1] (third-party module)
* Version: 7.x
* Date: 2012-May-23
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
CVE: Requested
This module enables you to build searches using a wide range of features,
data sources and backends.
The module doesn't sufficiently sanitize user input in some cases when
throwing exceptions or logging errors. This enables attackers to insert
arbitrary data into a page by manipulating its URL. Users would have to open
such a manipulated URL to see the changed content.
This is only possible in some setups of Search API, specifically when users
can manually enter field identifiers in some way – e.g., through an exposed
Views sort or with the old Facets module.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Search API 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Search API [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Search API module (especially with Views, the old Facets
module or other advanced search forms) for Drupal 7.x, upgrade to Search
API 7.x-1.1 [4]
* Run update.php to also ensure that previously stored log messages are
sanitized.
Also see the Search API [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Chuck D'Antonio [6]
* Chad Oliver [7]
-------- FIXED BY
------------------------------------------------------------
* Thomas Seidl [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/search_api
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/search_api
[4] http://drupal.org/node/1596524
[5] http://drupal.org/project/search_api
[6] http://drupal.org/user/250704
[7] http://drupal.org/user/1959622
[8] http://drupal.org/user/205582
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1597414
* Advisory ID: DRUPAL-SA-CONTRIB-2012-085
* Project: BrowserID (Mozilla Persona) [1] (third-party module)
* Version: 7.x
* Date: 2012-May-23
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery (results in Privilege
Escalation)
-------- DESCRIPTION
---------------------------------------------------------
CVE: Requested
The BrowserID module provides integration with BrowserID (also known as
Mozilla Persona) -- a Mozilla project that lets users of your site quickly
and easily log in without needing to remember a password specific to your
site.
The module did not sufficiently validate requests for authentication to log
in, potentially allowing a Cross Site Request Forgery (CSRF) attack and
introducing the possibility that logging in to a malicious site with
BrowserID could give that site the ability to log in to other websites using
your BrowserID identity.
-------- VERSIONS AFFECTED
---------------------------------------------------
* BrowserID (Mozilla Persona) 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed BrowserID
(Mozilla Persona) [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the BrowserID module for Drupal 7.x, upgrade to BrowserID
7.x-1.3 [4]
This version adds a dependency on the Session API [5] module. Make sure you
install Session API /before/ upgrading to BrowserID 7.x-1.3.
Also see the BrowserID (Mozilla Persona) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Isaac Sukin [7], the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Isaac Sukin [8], the module maintainer
* Greg Knaddison [9] of the Drupal Security Team
* Ben Adida [10] of Mozilla
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/browserid
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/browserid
[4] https://drupal.org/node/1596464
[5] https://drupal.org/project/session_api
[6] http://drupal.org/project/browserid
[7] https://drupal.org/user/201425
[8] https://drupal.org/user/201425
[9] https://drupal.org/user/36762
[10] https://drupal.org/user/1876458
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1597262
* Advisory ID: DRUPAL-SA-CONTRIB-2012-083
* Project: Taxonomy List [1] (third-party module)
* Version: 6.x
* Date: 2012-May-23
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
CVE: Requested
This module enables you to display the terms (and optionally nodes) under
categories.
The module doesn't sufficiently sanitize user supplied text in the taxonomy
information.
This vulnerability is mitigated by the fact that an attacker must have a role
with permissions to create or edit taxonomy terms.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Taxonomy List 6.x-1.x versions prior to 6.x-1.4.
The 6.x-2.x branch is not affected.
Drupal core is not affected. If you do not use the contributed Taxonomy List
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Taxonomy List module for Drupal 6.x, upgrade to Taxonomy
List 6.x-2.0 [4].
* If you must use the 6.x-1.x branch of the Taxonomy List module for Drupal
6.x, upgrade to Taxonomy List 6.x-1.4 [5] (which is no longer supported).
Also see the Taxonomy List [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dylan Wilder-Tack [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Nancy Wichmann [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [9]
* Forest Monsen [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/taxonomy_list
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/taxonomy_list
[4] http://drupal.org/node/815066
[5] http://drupal.org/node/1595396
[6] http://drupal.org/project/taxonomy_list
[7] http://drupal.org/user/96647
[8] http://drupal.org/user/101412
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/181798
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1585960
* Advisory ID: DRUPAL-SA-CONTRIB-2012-082
* Project: Zen [1] (third-party theme)
* Version: 6.x
* Date: 2012-May-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
CVE: Requested.
The Zen theme provides a configurable breadcrumb which is commonly used as an
additional navigation tool for users.
The theme outputs the breadcrumb, but does not provide sufficient filtering
to prevent a Cross site scripting (XSS) attack.
This vulnerability is mitigated by the fact that the "Append the content
title to the end of the breadcrumb" checkbox is not enabled by default and
needs to be enabled for this to be exploited.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Zen 6.x-1.x versions prior to 6.x-1.1
Drupal core is not affected. Zen versions 6.x-2.x are not affected. If you do
not use the contributed Zen [3] theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Zen theme for Drupal 6.x, upgrade to Zen 6.x-1.1 [4] or
any later version.
If you copied code from the zen_breadcrumb function into a custom sub-theme's
template.php file, you should compare your code to the changes to ensure that
menu_get_active_title() is properly wrapped in check_plain(), like:
check_plain(menu_get_active_title());
Also see the Zen [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jakub Suchy [6] of the Drupal Security Team
* Premek Sumpela [7]
-------- FIXED BY
------------------------------------------------------------
* Jakub Suchy [8] of the Drupal Security Team
* John Albin Wilkins [9], the theme maintainer
-------- COORDINATED BY
------------------------------------------------------
* Dave Reid [10] of the Drupal Security Team
* Peter Wolanin [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/zen
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/zen
[4] http://drupal.org/node/628480
[5] http://drupal.org/project/zen
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/31391
[8] http://drupal.org/user/31977
[9] http://drupal.org/user/32095
[10] http://drupal.org/user/53892
[11] http://drupal.org/user/49851
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1585890
* Advisory ID: DRUPAL-SA-CONTRIB-2012-081
* Project: Aberdeen [1] (third-party theme)
* Version: 6.x
* Date: 2012-May-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
CVE: Requested.
The Aberdeen theme provides a configurable breadcrumb which is commonly used
as an additional navigation tool for users.
The theme outputs the breadcrumb, but does not provide sufficient filtering
to prevent a Cross site scripting (XSS) attack.
This vulnerability is mitigated by the fact that the "Append the content
title to the end of the breadcrumb" checkbox is not enabled by default and
needs to be enabled for this to be exploited.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Aberdeen 6.x-1.x versions prior to 6.x-1.11
Drupal core is not affected. If you do not use the contributed Aberdeen [3]
theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Aberdeen theme for Drupal 6.x, upgrade to Aberdeen 6.x-1.11
[4]
If you copied code from the aberdeen_breadcrumb function into a custom
sub-theme's template.php file, you should compare your code to the changes to
ensure that menu_get_active_title() is properly wrapped in check_plain(), like:
check_plain(menu_get_active_title());
Also see the Aberdeen [5] project page.
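The Zen and Aberdeen advisories above, and the Amadou advisory earlier in this digest, are all about escaping at output time, in two different HTML contexts: text placed between tags (the breadcrumb title) and a value placed inside an attribute (Amadou's class list on the list item). The script below is an added example, not code from any of the three themes: it puts the unsafe and the fixed form of each side by side. In Drupal 6 the escaping functions are check_plain() and drupal_attributes(); example_check_plain() and example_attributes() are simplified stand-ins so the script runs on its own, and the sample class list, breadcrumb trail and title are constructed.

```php
<?php
// Added example, not code from the Amadou, Zen or Aberdeen themes. Shows the
// two output contexts these advisories concern: a value inside an HTML
// attribute (the <li> class list) and text between tags (the breadcrumb
// title). Drupal 6's real functions are check_plain() and drupal_attributes();
// the two helpers below are stand-ins so the script runs without Drupal.

function example_check_plain($text) {
    // Same escaping as Drupal 6 check_plain(): &, <, >, " and ' become entities.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function example_attributes(array $attributes) {
    // Every attribute value is escaped, so a quote in a value cannot end the
    // attribute and start a new one.
    $out = '';
    foreach ($attributes as $name => $value) {
        $out .= ' ' . $name . '="' . example_check_plain($value) . '"';
    }
    return $out;
}

// Attribute context (link list item, as in the Amadou advisory).
function li_open_unsafe(array $class) {
    // Class names are concatenated straight into the attribute.
    return '<li class="' . implode(' ', $class) . '">';
}
function li_open_safe(array $class) {
    // Same shape as the Drupal 6.3 theme_links() fix: build the attribute
    // string through the escaping helper instead of by hand.
    return '<li' . example_attributes(array('class' => implode(' ', $class))) . '>';
}

// Text context (breadcrumb, as in the Zen and Aberdeen advisories). The
// active page title comes from content authors and is appended to the trail.
function breadcrumb_unsafe(array $crumbs, $title) {
    return implode(' » ', $crumbs) . ' » ' . $title;
}
function breadcrumb_safe(array $crumbs, $title) {
    // Mirrors the advisories' fix: check_plain(menu_get_active_title()).
    return implode(' » ', $crumbs) . ' » ' . example_check_plain($title);
}

// Constructed sample inputs with the characters that matter in each context:
// a double quote inside an attribute value, markup inside a title.
$class  = array('first', 'leaf', 'x" data-injected="1');
$crumbs = array('Home', 'Articles');
$title  = 'Tom & Jerry <em>remix</em>';

echo "attribute context, unsafe: ", li_open_unsafe($class), "\n";
echo "attribute context, safe:   ", li_open_safe($class), "\n";
echo "text context, unsafe:      ", breadcrumb_unsafe($crumbs, $title), "\n";
echo "text context, safe:        ", breadcrumb_safe($crumbs, $title), "\n";
```

Run it and compare the pairs: in the unsafe attribute line the quote in the class value closes the class attribute and the remainder is parsed as a second attribute, while in the unsafe breadcrumb the em tags are rendered as markup; the escaped forms keep both as literal text. The same check applies to a custom sub-theme that copied either function: every value that originates from content or the request must pass through the escaping function appropriate to where it is placed.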
-------- REPORTED BY
---------------------------------------------------------
* Jakub Suchy [6] of the Drupal Security Team
* Premek Sumpela [7]
-------- FIXED BY
------------------------------------------------------------
* Jakub Suchy [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team
* Ishmael Sanchez [10], the theme maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
* Michael Hess [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/aberdeen
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/aberdeen
[4] http://drupal.org/node/1585878
[5] http://drupal.org/project/aberdeen
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/31391
[8] http://drupal.org/user/31977
[9] http://drupal.org/user/102818
[10] http://drupal.org/user/464624
[11] http://drupal.org/user/36762
[12] http://drupal.org/user/102818
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration