View online: http://drupal.org/node/1700594
* Advisory ID: DRUPAL-SA-CONTRIB-2012-118
* Project: Secure Login [1] (third-party module)
* Version: 7.x
* Date: 2012-July-25
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Open Redirect
-------- DESCRIPTION
---------------------------------------------------------
Secure Login module enables the user login and other forms to be submitted
securely via HTTPS, thus preventing passwords and other private user data
from being transmitted in clear text. In addition, Secure Login module by
default redirects non-HTTPS GET requests for pages containing forms that it
secures to the HTTPS site.
The module does not sufficiently validate that a requested path is internal
to the site, allowing an attacker to disguise a malicious destination address
as a GET query parameter passed to a non-HTTPS site URL.
This vulnerability is mitigated by the fact that the target site must render
a form secured by Secure Login module on its 404 page, such as in a block. A
default installation of Drupal 7 renders the user login block on the 404
page, and is thus vulnerable to the open redirect.
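How the HTTPS redirect should be built, as an added example in Python that is not the Secure Login module's own code (the module is PHP). The site host, the request paths and the `naive_https_url` stand-in for a URL builder that returns absolute URLs unchanged are all assumptions made for illustration; the point is that the requested path must be proven site-relative before it is turned into a redirect target:

```python
"""Building an HTTPS redirect target from the requested path without creating
an open redirect.

Added example, not code from the Secure Login module. The site host and every
path below are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit

SITE_HOST = "example.org"  # assumed canonical host name of the site


def is_site_relative_path(path: str) -> bool:
    """Return True only for a path that can never leave SITE_HOST.

    Rejected: anything with a scheme ("http://evil.example", "javascript:..."),
    a protocol-relative authority ("//evil.example"), a backslash (browsers
    normalise "/\\evil.example" to "//evil.example") or control characters.
    """
    if not path or "\\" in path or any(ord(c) < 0x20 for c in path):
        return False
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        return False
    return not path.startswith("//")


def naive_https_url(q: str, query: dict) -> str:
    """The vulnerable pattern: the request path is handed to a URL builder
    that returns anything looking like an absolute URL unchanged, so
    q = "http://evil.example/" becomes the redirect target."""
    if urlsplit(q).scheme:
        return q if not query else f"{q}?{urlencode(query)}"
    url = f"https://{SITE_HOST}/{q.lstrip('/')}"
    return url + ("?" + urlencode(query) if query else "")


def secure_https_url(q: str, query: dict) -> Optional[str]:
    """Hardened variant: only a site-relative path is re-issued over HTTPS.
    Anything else yields None and the caller should not redirect at all
    (or should send the visitor to the HTTPS front page instead)."""
    if not is_site_relative_path(q):
        return None
    url = f"https://{SITE_HOST}/{q.lstrip('/')}"
    if query:
        url += "?" + urlencode(query)
    return url
```

The 404 case from the advisory is exactly the `q` value a site never defined: with the naive builder, `?q=http://evil.example/` on a page that renders the login block sends the visitor off-site; with the check in place the module simply declines to redirect.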
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Secure Login 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Secure Login
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Secure Login module for Drupal 7.x, upgrade to Secure Login
7.x-1.3 [4].
Also see the Secure Login [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Albert Martin [6]
-------- FIXED BY
------------------------------------------------------------
* Mark Burdett [7], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Heine Deelstra [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/securelogin
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/securelogin
[4] https://drupal.org/node/1698988
[5] http://drupal.org/project/securelogin
[6] https://drupal.org/user/1888132
[7] https://drupal.org/user/12302
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1700588
* Advisory ID: DRUPAL-SA-CONTRIB-2012-117
* Project: Location [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-July-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Location module allows real-world geographic locations to be associated
with Drupal nodes, including people, places, and other content. The Location
Search sub-module adds a search page for searching for locations.
The Location Search module fails to enforce content and user access
permissions and node access restrictions, meaning any user can see any node
or user results on the location search page.
From now on users must have the "access content" permission and any relevant
node access rights to see node based location results and the "view user
profiles" and "view all user locations" permissions to see user based
location results.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Location Search (Location sub-module) 6.x versions prior to 6.x-3.2.
* Location Search (Location sub-module) 7.x versions prior to
7.x-3.0-alpha1.
Drupal core is not affected. If you do not use the contributed Location [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Location Search (Location sub-module) module for Drupal
6.x, upgrade to Location 6.x-3.2 [4]
* If you use the Location Search (Location sub-module) module for Drupal
7.x, upgrade to Location 7.x-3.0-alpha1 [5]
Also see the Location [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jon Daley [7]
-------- FIXED BY
------------------------------------------------------------
* Reuben Turk [8] the module maintainer
* Ankur Rishi [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Ben Jeavons [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/location
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/location
[4] http://drupal.org/node/1699962
[5] http://drupal.org/node/1699984
[6] http://drupal.org/project/location
[7] http://drupal.org/user/586142
[8] http://drupal.org/user/350381
[9] http://drupal.org/user/11703
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/91990
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1700584
* Advisory ID: DRUPAL-SA-CONTRIB-2012-116
* Project: Subuser [1] (third-party module)
* Version: 6.x
* Date: 2012-July-25
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Subuser module allows users to be given the permission to create
subusers. The subusers may then be automatically assigned a role or roles.
The parent user then has the ability to manage the subusers they have
created.
A parent user is allowed to assume the role of a subuser they created (switch
users) without having the "switch subuser" permission. However, users are
prevented from switching to subusers that were not created by them.
Additionally users can be switched to a subuser without intending to do so
via a Cross Site Request Forgery attack (CSRF).
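The two defects above (the missing permission check and the CSRF-able switch) close with the same request handler, shown here as an added Python example that is not the Subuser module's code. The private key, the user records, the permission sets and the token format are constructed for illustration; the token is bound to the session and to the specific target in the same spirit as Drupal's form tokens:

```python
"""Switching to a subuser: tie the action to a per-session token and to the
caller's authorisation before acting on it.

Added example, not the Subuser module's code. The private key, the user
table and the permission sets are constructed for illustration.
"""
import hashlib
import hmac
from typing import Tuple

# Assumed site-wide secret; Drupal keeps an equivalent in its private key variable.
SITE_PRIVATE_KEY = b"constructed-private-key-do-not-reuse"

# Constructed user records: uid -> {name, created_by}
USERS = {
    1: {"name": "parent", "created_by": None},
    2: {"name": "child", "created_by": 1},
    3: {"name": "other", "created_by": None},
}
# Constructed permission sets per uid.
PERMISSIONS = {
    1: {"switch subuser"},
    2: set(),
    3: set(),
}


def switch_token(session_id: str, target_uid: int) -> str:
    """Token bound to the browser session and to this exact action, so a
    link forged on another site cannot carry a valid one."""
    msg = f"{session_id}:subuser/switch/{target_uid}".encode()
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def switch_to_subuser(actor_uid: int, target_uid: int,
                      session_id: str, token: str) -> Tuple[bool, str]:
    """Return (switched, reason). All three checks must pass:
    1. the request carries the token issued to this session for this target
       (defeats CSRF);
    2. the actor holds the "switch subuser" permission (the access bypass in
       the advisory was skipping this);
    3. the target is a subuser the actor created.
    """
    expected = switch_token(session_id, target_uid)
    if not token or not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "invalid or missing token"
    if "switch subuser" not in PERMISSIONS.get(actor_uid, set()):
        return False, "missing 'switch subuser' permission"
    target = USERS.get(target_uid)
    if target is None or target["created_by"] != actor_uid:
        return False, "target is not a subuser created by the requesting account"
    return True, f"switched to {target['name']}"
```

The token check comes first so that a forged cross-site request is rejected before any state is consulted; the ownership check is the one the module already had, and the permission check is the one it lacked.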
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* subuser 6.x-1.x versions prior to 6.x-1.8.
Drupal core is not affected. If you do not use the contributed Subuser [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Subuser module for Drupal 6.x, upgrade to Subuser 6.x-1.8
[4]
Also see the Subuser [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Stella Power [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jimmy Berry [7] the module maintainer
* Lee Rowlands [8]
-------- COORDINATED BY
------------------------------------------------------
* Stella Power [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/subuser
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/subuser
[4] http://drupal.org/node/1700550
[5] http://drupal.org/project/subuser
[6] http://drupal.org/user/66894
[7] http://drupal.org/user/214218
[8] http://drupal.org/user/395439
[9] http://drupal.org/user/66894
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/102818
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1700578
* Advisory ID: DRUPAL-SA-CONTRIB-2012-115
* Project: Gallery formatter [1] (third-party module)
* Version: 7.x
* Date: 2012-July-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Gallery formatter provides a field formatter for images that turns the fields
into jQuery galleries.
The module did not properly escape input from the user before printing it to
the browser, allowing malicious users to inject script code into the page.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create the nodes / entities and the fields that use
the formatter.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Gallery formatter 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Gallery
formatter [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Gallery formatter module for Drupal 7.x, upgrade to Gallery
formatter 7.x-1.2 [4]
Also see the Gallery formatter [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sudipta Bandyopadhyay [6]
-------- FIXED BY
------------------------------------------------------------
* Manuel Garcia [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/galleryformatter
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/galleryformatter
[4] http://drupal.org/node/1699744
[5] http://drupal.org/project/galleryformatter
[6] http://drupal.org/user/140596
[7] http://drupal.org/user/213194
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1691446
* Advisory ID: SA-CONTRIB-2012-114
* Project: Campaign Monitor [1] (third-party module)
* Version: 6.x
* Date: 2012-July-18
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to integrate Campaign Monitor into Drupal so you can
give users the ability to subscribe and unsubscribe for your Campaign Monitor
lists.
The module does not sufficiently sanitize strings entered in the
administration interface before outputting them, allowing script to be
injected into pages (cross-site scripting).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer campaignmonitor".
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Campaign Monitor 6.x-2.x versions prior to 6.x-2.5
Drupal core is not affected. If you do not use the contributed Campaign
Monitor [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Campaign Monitor module for Drupal 6.x, upgrade to Campaign
Monitor 6.x-2.5 [4]
Also see the Campaign Monitor [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Andrey Tretyakov [6]
-------- FIXED BY
------------------------------------------------------------
* Jesper Kristensen [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/campaignmonitor
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/campaignmonitor
[4] http://drupal.org/node/1689790
[5] http://drupal.org/project/campaignmonitor
[6] http://drupal.org/user/169459
[7] http://drupal.org/user/697210
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1679888
* Advisory ID: SA-CONTRIB-2012-113
* Project: Drupal Commons [1] (third-party module)
* Version: 6.x
* Date: 2012-July-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Drupal Commons is a ready-to-use solution for building either internal or
external communities. The Drupal Commons feature (a central module in the
distribution) includes a listing of recent comments on discussions. This
listing of comments is powered by a view that doesn't fully enforce node
access restrictions, which can expose comments for nodes that the user might
not have access to view.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal Commons 6.x-2.x versions prior to 6.x-2.8.
Drupal core is not affected. If you do not use the contributed Drupal Commons
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Drupal Commons module for Drupal 6.x, upgrade to Drupal Commons
6.x-2.8 [4]
Also see the Drupal Commons [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Trevor English [6]
* Ezra Gildesgame [7]
-------- FIXED BY
------------------------------------------------------------
* Ezra Gildesgame [8] the distribution maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/commons
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/commons
[4] http://network.acquia.com/downloads/drupal-commons
[5] http://drupal.org/project/commons
[6] http://drupal.org/user/193352
[7] http://drupal.org/user/69959
[8] http://drupal.org/user/69959
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1679820
* Advisory ID: SA-CONTRIB-2012-112
* Project: Ubercart SecureTrading Payment Method [1] (third-party module)
* Version: 6.x
* Date: 2012-July-11
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Failure to follow guideline/specification - integrity check
value
-------- DESCRIPTION
---------------------------------------------------------
The Ubercart SecureTrading Payment Method module provides an Ubercart payment
method for the SecureTrading.com gateway.
The module's payment method did not properly verify the integrity of the
payment notification information it received from the gateway. A malicious
user could therefore trick a site into marking an order as paid when in fact
it has not been. If you do not use this payment method, your site is not at
risk from this vulnerability.
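What "verifying the integrity check value" has to cover in a payment callback handler, as an added Python example. This is neither the Ubercart SecureTrading module's code nor the SecureTrading protocol: the field names, the HMAC scheme, the shared secret and the orders are constructed for illustration. The design point is that the gateway's message is trusted only after its signature checks out, and even then only for the status, while amount and currency are compared against the site's own order record:

```python
"""Accepting a payment gateway's server-to-server notification only after its
integrity value checks out and its content agrees with the stored order.

Added example, not the Ubercart SecureTrading module's code and not the
SecureTrading protocol: the field names, the shared secret and the orders
are constructed for illustration.
"""
import hashlib
import hmac
from decimal import Decimal
from typing import Dict, Set, Tuple

GATEWAY_SHARED_SECRET = b"constructed-shared-secret"  # assumed, known only to site and gateway
SIGNED_FIELDS = ("order_id", "txn_id", "status", "amount", "currency")  # hypothetical field set


def integrity_value(fields: Dict[str, str]) -> str:
    """HMAC over the signed fields in a fixed order (assumed scheme)."""
    msg = "|".join(fields.get(k, "") for k in SIGNED_FIELDS).encode()
    return hmac.new(GATEWAY_SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def new_orders() -> Dict[str, dict]:
    """Constructed order store: what the site itself believes is owed."""
    return {
        "1001": {"amount": Decimal("49.99"), "currency": "GBP", "status": "pending"},
        "1002": {"amount": Decimal("49.99"), "currency": "GBP", "status": "pending"},
    }


def process_notification(fields: Dict[str, str], orders: Dict[str, dict],
                         seen_txns: Set[str]) -> Tuple[bool, str]:
    """Return (accepted, reason). The checks run in this order so that nothing
    the gateway did not vouch for is ever acted on:
    1. integrity value present and matching (constant-time compare);
    2. not a replay of an already-processed transaction;
    3. the order exists and is still awaiting payment;
    4. amount and currency match the site's own record, not the message;
    5. only then does the gateway's status mark the order paid.
    """
    sig = fields.get("sig", "")
    if not sig or not hmac.compare_digest(sig.encode(), integrity_value(fields).encode()):
        return False, "integrity check failed"
    txn = fields.get("txn_id", "")
    if not txn or txn in seen_txns:
        return False, "replayed or missing transaction reference"
    order = orders.get(fields.get("order_id", ""))
    if order is None or order["status"] != "pending":
        return False, "unknown order or order not awaiting payment"
    try:
        amount = Decimal(fields.get("amount", ""))
    except ArithmeticError:
        return False, "malformed amount"
    if amount != order["amount"] or fields.get("currency") != order["currency"]:
        return False, "amount or currency does not match the order"
    seen_txns.add(txn)  # recorded even for declines, so the reference is never reprocessed
    if fields.get("status") != "settled":
        return False, "gateway did not report a settled payment"
    order["status"] = "paid"
    return True, "order marked paid"


def gateway_message(**fields: str) -> Dict[str, str]:
    """What a genuine gateway message looks like (constructed): the gateway
    signs with the shared secret before sending."""
    msg = dict(fields)
    msg["sig"] = integrity_value(msg)
    return msg
```

A handler that skips step 1 accepts any POST that names an order; one that skips step 4 accepts a genuinely signed notification for a smaller payment, which is the "paid when it hasn't been" outcome the advisory describes.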
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of the Ubercart SecureTrading Payment Method module.
Drupal core is not affected. If you do not use the contributed Ubercart
SecureTrading Payment Method [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
There is not currently a fixed version of the module. You should disable the
module immediately.
You can:
* Change to a new gateway.
* Work with the module maintainer and/or other users to patch the module.
Also see the Ubercart SecureTrading Payment Method [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dylan Tack [5] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
No fix provided.
-------- COORDINATED BY
------------------------------------------------------
* Dylan Tack [6] of the Drupal Security Team
* Damien Tournoud [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/uc_securetrading
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/uc_securetrading
[4] http://drupal.org/project/uc_securetrading
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/22211
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1679532
* Advisory ID: SA-CONTRIB-2012-111
* Project: Security Questions [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-July-11
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module provides administrator configurable challenge questions for use
during the log in and password reset processes.
The module does not perform a proper access check, allowing a user's questions
and answers to be edited by other users, including anonymous users.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Security Questions 6.x-1.x versions prior to 6.x-1.1.
* Security Questions 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Security
Questions [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Security Questions module for Drupal 6.x, upgrade to
Security Questions 6.x-1.1 [4]
* If you use the Security Questions module for Drupal 7.x, upgrade to
Security Questions 7.x-1.1 [5]
Also see the Security Questions [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Chris Hertzog [7]
-------- FIXED BY
------------------------------------------------------------
* Chris Hertzog [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* David Rothstein [10] of the Drupal Security Team
* Chris Hales [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/security_questions
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/security_questions
[4] http://drupal.org/node/1648200
[5] http://drupal.org/node/1648204
[6] http://drupal.org/project/security_questions
[7] http://drupal.org/user/806366
[8] http://drupal.org/user/806366
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/124982
[11] http://drupal.org/user/347249
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1679486
* Advisory ID: SA-CONTRIB-2012-110
* Project: Colorbox Node [1] (third-party module)
* Version: 7.x
* Date: 2012-July-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Colorbox Node gives the user the ability to display ANY page inside a
colorbox modal without the header and footer. The module accepts some
settings from URL parameters and didn't sufficiently validate them before
printing them to the browser, allowing malicious users to inject script code
into the page.
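One example for the three cross-site scripting advisories on this page (Gallery formatter, Campaign Monitor and Colorbox Node), added here in Python and not taken from any of those modules: the same value lands in three output contexts (an attribute, element text and a script body) and each needs its own treatment. The parameter names, the markup and the payload are constructed for illustration:

```python
"""Emitting user- or admin-supplied values into HTML and JavaScript by
output context instead of trusting them.

Added example covering the three cross-site-scripting advisories above
(Gallery formatter, Campaign Monitor, Colorbox Node); it is not code from any
of those modules. The parameter names and the payload are constructed.
"""
import html
import json
import re


def css_length(value: str, default: str) -> str:
    """Whitelist a CSS length such as '640px' or '80%'; anything else falls
    back to the default rather than being echoed."""
    return value if re.fullmatch(r"\d{1,4}(px|%)", value or "") else default


def js_literal(value) -> str:
    """JSON-encode for a <script> body and escape the characters that could
    close the script element or start a tag inside it."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_unsafe(params: dict) -> str:
    """Vulnerable pattern: request parameters / settings interpolated verbatim."""
    width = params.get("width", "500px")
    title = params.get("title", "")
    return (f'<div class="modal" style="width: {width}" title="{title}">{title}</div>\n'
            f'<script>Drupal.settings.modal = {{"width": "{width}", "title": "{title}"}};</script>')


def render_safe(params: dict) -> str:
    """Hardened: validate what must be structured (the width), HTML-escape
    what lands in text or attribute context, JSON-encode what lands in JS."""
    width = css_length(params.get("width"), "500px")
    title = params.get("title", "")
    settings = js_literal({"width": width, "title": title})
    escaped_title = html.escape(title, quote=True)
    return (f'<div class="modal" style="width: {width}" title="{escaped_title}">'
            f'{escaped_title}</div>\n'
            f'<script>Drupal.settings.modal = {settings};</script>')


PAYLOAD = {  # constructed attacker input, e.g. ?width=...&title=... on the request
    "width": '500px" onmouseover="alert(1)',
    "title": '"><script>alert(document.cookie)</script>',
}
```

The width is validated rather than escaped because escaping a CSS value does not make it a valid length; the title is escaped for HTML and encoded separately for the script, since HTML escaping alone would not stop a `</script>` inside a JavaScript string.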
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Colorbox Node 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Colorbox Node
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* Upgrade to Colorbox Node 7.x-2.2 [4]
Also see the Colorbox Node [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Gerhard Killesreiter [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Dennis Blake [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Gerhard Killesreiter [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/colorbox_node
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/colorbox_node
[4] http://drupal.org/node/1679410
[5] http://drupal.org/project/colorbox_node
[6] http://drupal.org/user/83
[7] http://drupal.org/user/384543
[8] http://drupal.org/user/227
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1679466
* Advisory ID: SA-CONTRIB-2012-109
* Project: Restrict node page view [1] (third-party module)
* Version: 7.x
* Date: 2012-July-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to disable direct access to node pages (node/XXX)
based on nodetypes and permissions.
The module returns NODE_ACCESS_ALLOW when its own permissions are met, but
does not take the "administer nodes" or "access own unpublished content"
permissions into account. The consequence is that the module grants access to
unpublished content to any role that has the "view any node page" or "view
any node {type} page" permission.
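The underlying design point, as an added Python example that is not the Restrict node page view module's code: a node-access hook should answer NODE_ACCESS_IGNORE for any case it has not actually evaluated, because an ALLOW short-circuits the checks core would otherwise apply. The node records, accounts and the `node_view_access` combiner are constructed for illustration and the core resolution is simplified; the permission the advisory calls "access own unpublished content" is named "view own unpublished content" in Drupal 7 core, and the code uses that name:

```python
"""Why a node-access hook must never answer ALLOW for a case it did not
evaluate: a simplified model of how Drupal 7 combines hook verdicts.

Added example, not the Restrict node page view module's code. The node
records, accounts and the combiner are constructed to show the grant logic;
the core resolution is simplified.
"""
ALLOW, DENY, IGNORE = "allow", "deny", "ignore"


def module_permits_page(node: dict, perms: set) -> bool:
    """The module's own rule: a role may open node/NNN pages of this type."""
    return "view any node page" in perms or f"view any {node['type']} page" in perms


def vulnerable_hook(node: dict, account: dict) -> str:
    """Pre-7.x-1.2 behaviour as described in the advisory: ALLOW whenever the
    module's permission is held, published or not."""
    return ALLOW if module_permits_page(node, account["perms"]) else DENY


def fixed_hook(node: dict, account: dict) -> str:
    """Unpublished content is outside the module's remit: unless the account
    may see it anyway, return IGNORE so core's own rule decides."""
    perms = account["perms"]
    if not module_permits_page(node, perms):
        return DENY
    if node["status"] == 0:
        own_unpublished = (node["uid"] == account["uid"]
                           and "view own unpublished content" in perms)
        if "administer nodes" not in perms and not own_unpublished:
            return IGNORE
    return ALLOW


def node_view_access(node: dict, account: dict, hook) -> bool:
    """Simplified model of Drupal 7 node_access() for op='view':
    a module DENY wins, then a module ALLOW grants, otherwise core's default
    (published content for 'access content', own unpublished for authors)."""
    perms = account["perms"]
    if "bypass node access" in perms:
        return True
    if "access content" not in perms:
        return False
    verdict = hook(node, account)
    if verdict == DENY:
        return False
    if verdict == ALLOW:
        return True
    if node["status"] == 1:
        return True
    return node["uid"] == account["uid"] and "view own unpublished content" in perms


# Constructed fixtures
PUBLISHED = {"nid": 1, "type": "article", "status": 1, "uid": 5}
UNPUBLISHED = {"nid": 2, "type": "article", "status": 0, "uid": 5}
VIEWER = {"uid": 9, "perms": {"access content", "view any node page"}}
AUTHOR = {"uid": 5, "perms": {"access content", "view any node page",
                              "view own unpublished content"}}
NODE_ADMIN = {"uid": 2, "perms": {"access content", "view any node page",
                                  "administer nodes"}}
NO_PAGE_PERM = {"uid": 9, "perms": {"access content"}}
```

With the vulnerable hook, `VIEWER` opens the unpublished node because the ALLOW is reached before core ever looks at the publication status; with the fixed hook the same request falls through to core's default and is refused.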
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Restrict node page view 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Restrict node
page view [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Restrict node page view module for Drupal 7.x, upgrade to
Restrict node page view 7.x-1.2 [4]
Also see the Restrict node page view [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jake Bell [6]
-------- FIXED BY
------------------------------------------------------------
* Jake Bell [7]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
* Chris Hales [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/restrict_node_page_view
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/restrict_node_page_view
[4] http://drupal.org/node/1662724
[5] http://drupal.org/project/restrict_node_page_view
[6] http://drupal.org/user/11219
[7] http://drupal.org/user/11219
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/347249
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration