View online: http://drupal.org/node/1679442
* Advisory ID: DRUPAL-SA-CONTRIB-2012-108
* Project: Drag & Drop Gallery [1] (third-party module)
* Version: 6.x
* Date: 2012-July-11
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request
Forgery, SQL Injection, Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
/Important note: Most of the vulnerabilities discussed below can be exploited
when the Drag & Drop Gallery module is disabled on a Drupal site. See
Solution below for details./
The Drag & Drop Gallery creates a gallery node type that allows you to add
images to the gallery by dragging and dropping images from your local file
system.
The file handling the actual uploads contains a number of bugs. The
combination of these bugs allows an unauthenticated user to upload
PHP-executable files to arbitrary locations. A script exploiting this
vulnerability has been published.
A successful exploit requires the webserver to be configured in such a way
that it either ignores the .htaccess in the files directory or is able to
write to certain web-accessible directories that do not have this .htaccess
protection.
The module also contains other vulnerabilities such as Cross site scripting
(XSS), SQL-injection, Access bypass and Cross site request forgery (CSRF).
Though less severe, these vulnerabilities can also be used to get
administrator level access to the site.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drag & Drop Gallery 6.x versions
Drupal core is not affected. If you do not use the contributed Drag & Drop
Gallery [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
There is no version of the module that fixes these vulnerabilities. Disable
*and remove* the module from your system.
Important note: Most vulnerabilities can still be exploited when the module
is disabled.
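The exploit prerequisites named in the description (a missing or weakened .htaccess in the files directory, and writable web-accessible directories without one) and the removal step in the solution can be audited from the shell. The script below is an added example, not part of the advisory or the module; it assumes the module directory is named dragdrop_gallery after the project's machine name, and that the SetHandler line is the one Drupal 6 core writes into the files directory .htaccess.

```shell
# Added example (not from the advisory): audit a Drupal 6 docroot for the
# conditions the advisory says a successful exploit depends on, and verify
# the module directory is really gone. Assumption: the module directory is
# named dragdrop_gallery; the SetHandler line is Drupal 6 core's own.

HANDLER_LINE='SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006'

# Returns 0 if $1/.htaccess exists, carries the SetHandler line and is not
# group/world writable; prints the first failing reason and returns 1 otherwise.
check_files_htaccess() {
  ht="$1/.htaccess"
  [ -f "$ht" ] || { echo "MISSING: $ht"; return 1; }
  grep -q "$HANDLER_LINE" "$ht" || { echo "WEAK: $ht lacks '$HANDLER_LINE'"; return 1; }
  if [ -n "$(find "$ht" \( -perm -g+w -o -perm -o+w \))" ]; then
    echo "WRITABLE: $ht can be rewritten by group/others"; return 1
  fi
  echo "OK: $ht"
}

# Prints every world-writable directory under docroot $1 that has no .htaccess
# of its own: a place an uploaded file could land without the SetHandler guard.
unprotected_writable_dirs() {
  find "$1" -type d -perm -o+w 2>/dev/null | while read -r d; do
    [ -f "$d/.htaccess" ] || echo "$d"
  done
}

# Returns 0 if no directory named dragdrop_gallery remains under docroot $1.
module_removed() {
  [ -z "$(find "$1" -type d -name dragdrop_gallery 2>/dev/null)" ]
}

# Stand-alone demo on a constructed docroot in a temp dir (no real site touched).
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/sites/default/files" "$root/sites/all/modules/dragdrop_gallery"
  check_files_htaccess "$root/sites/default/files"          # reports MISSING
  printf '%s\nOptions None\nOptions +FollowSymLinks\n' "$HANDLER_LINE" \
    > "$root/sites/default/files/.htaccess"
  chmod 644 "$root/sites/default/files/.htaccess"
  check_files_htaccess "$root/sites/default/files"          # reports OK
  module_removed "$root" || echo "module directory still present under $root"
  rm -rf "$root"
}
demo
```

Point check_files_htaccess at the site's real files directory (sites/default/files by default) and module_removed at the docroot to audit a live installation.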
Please join the issue in the public queue [4] to fix the problems.
Also see the Drag & Drop Gallery [5] project page.
-------- REPORTED BY
---------------------------------------------------------
The vulnerability was publicly disclosed. An exploit exists.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [6].
Learn more about the Drupal Security team and their policies [7], writing
secure code for Drupal [8], and securing your site [9].
[1] http://drupal.org/project/dragdrop_gallery
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/dragdrop_gallery
[4] http://drupal.org/node/1679444
[5] http://drupal.org/project/dragdrop_gallery
[6] http://drupal.org/contact
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1679422
* Advisory ID: SA-CONTRIB-2012-107
* Project: Search Autocomplete [1] (third-party module)
* Version: 7.x
* Date: 2012-July-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module allows you to add autocomplete functionality to virtually any
field of a Drupal site. The module doesn't sufficiently protect access to
the module admin page. This vulnerability is mitigated by the fact that the
user can only access the page, disable an autocompletion or change priority
order.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Search Autocomplete 7.x-2.x versions prior to 7.x-2.4.
Drupal core is not affected. If you do not use the contributed Search
Autocomplete [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Search Autocomplete module for Drupal 6.x, upgrade to
Search Autocomplete 7.x-2.4 [4]
Also see the Search Autocomplete [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Reuben Turk [6] (nick: rooby)
-------- FIXED BY
------------------------------------------------------------
* Reuben Turk [7] the module maintainer
* Dominique CLAUSE [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Chris Hales [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/search_autocomplete
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/search_autocomplete
[4] http://drupal.org/node/1649442
[5] http://drupal.org/project/search_autocomplete
[6] http://drupal.org/user/10164
[7] http://drupal.org/user/10164
[8] http://drupal.org/user/801982
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/347249
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1679412
* Advisory ID: DRUPAL-SA-CONTRIB-2012-106
* Project: Listhandler [1] (third-party module)
* Version: 6.x
* Date: 2012-July-11
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Listhandler is a module that marries mailing list discussions and Drupal
forums.
The module doesn't sufficiently check the permissions of comment authors when
importing emails.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* All Listhandler 6.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Listhandler
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Uninstall the module. There is no fixed version.
Also see the Listhandler [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Brian Swaney [5]
-------- FIXED BY
------------------------------------------------------------
Neither a release nor support for the advisory process was provided by the
maintainer.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [6].
Learn more about the Drupal Security team and their policies [7], writing
secure code for Drupal [8], and securing your site [9].
[1] http://drupal.org/project/listhandler
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/listhandler
[4] http://drupal.org/project/listhandler
[5] http://drupal.org/user/608968
[6] http://drupal.org/contact
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration