August 2012 - Security-news - lists.drupal.org

SA-CONTRIB-2012-136 - Apache Solr Search Autocomplete - Cross Site Scripting (XSS)
by security-news＠drupal.org 29 Aug '12

29 Aug '12

View online: http://drupal.org/node/1762734 * Advisory ID: DRUPAL-SA-CONTRIB-2012-136 * Project: Apache Solr Autocomplete [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-August-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Apache Solr Search Autocomplete module enables you to add autocomplete capabilities to the search text field for the Apache Solr Search Integration module. The module doesn't sufficiently filter the autocomplete results sent back from the Drupal site, so under the scenario where someone provided a URL with a specially-crafted search string embedded in it, the attacker could have a user execute arbitrary Javascript when clicking or focusing on the autocomplete text field. This vulnerability is mitigated by the fact that the attacked user must click or otherwise give focus to the text widget to have the Javascript activate. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Apache Solr Autocomplete 6.x-1.x versions prior to 6.x-1.4. * Apache Solr Autocomplete 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Apache Solr Autocomplete [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use the Apache Solr Autocomplete module for Drupal 6.x, upgrade to Apache Solr Autocomplete 6.x-1.4 [4] * If you use the Apache Solr Autocomplete module for Drupal 7.x, upgrade to Apache Solr Autocomplete 7.x-1.3 [5] Also see the Apache Solr Autocomplete [6] project page. -------- REPORTED BY --------------------------------------------------------- * drupaledmonk [7] -------- FIXED BY ------------------------------------------------------------ * Alejandro Garza [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/apachesolr_autocomplete [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/apachesolr_autocomplete [4] http://drupal.org/node/1762684 [5] http://drupal.org/node/1762686 [6] http://drupal.org/project/apachesolr_autocomplete [7] http://drupal.org/user/263391 [8] http://drupal.org/user/153120 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-135 - CAPTCHA - Insufficient anti-automation prevention
by security-news＠drupal.org 29 Aug '12

29 Aug '12

View online: http://drupal.org/node/1762496 * Advisory ID: DRUPAL-SA-CONTRIB-2012-135 * Project: CAPTCHA [1] (third-party module) * Version: 6.x * Date: 2011-August-29 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to protect website forms using a CAPTCHA. A CAPTCHA is a test which attempts to differentiate between a human and an automated bot or script. The module doesn't ensure that test submissions have a single-use unique token. This means that web robots could reuse a single successful submission multiple times, reducing the effectiveness of the protection. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * CAPTCHA 6.x-2.x versions prior to 6.x-2.3 Drupal core is not affected. If you do not use the contributed CAPTCHA [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the CAPTCHA module for Drupal 6.x, upgrade to CAPTCHA 6.x-2.3 [4] or greater Also see the CAPTCHA [5] project page. -------- REPORTED BY --------------------------------------------------------- * LeeSai [6] * MustLive -------- FIXED BY ------------------------------------------------------------ * Stefaan Lippens [7] a CAPTCHA module maintainer -------- COORDINATED BY ------------------------------------------------------ * Owen Barton [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/captcha [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/captcha [4] http://drupal.org/node/967244 [5] http://drupal.org/project/captcha [6] http://drupal.org/user/680166 [7] http://drupal.org/user/41478 [8] http://drupal.org/user/19668 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-134 - Views - Privilege Escalation
by security-news＠drupal.org 29 Aug '12

29 Aug '12

View online: http://drupal.org/node/1762492 * Advisory ID: DRUPAL-SA-CONTRIB-2012-134 * Project: (third-party module) * Version: 6.x * Date: 2012-August-29 * Security risk: Critical [1] * Exploitable from: Remote * Vulnerability: Privilege escalation -------- DESCRIPTION --------------------------------------------------------- The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module incorrectly modifies the global user object in some situations when a view has a uid argument and performs validation on that argument. This vulnerability is mitigated by the fact that it only affects sites with more roles than default where a role with a low role ID has more privileges than other roles on the site and where untrusted (i.e. potentially malicious) users are granted several of those roles. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Views 6.x-2.x versions prior to 6.x-2.16. Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.16 [2] Also see the project page. -------- REPORTED BY --------------------------------------------------------- * Derek Wright [3] of the Drupal Security Team * John Preto [4] -------- FIXED BY ------------------------------------------------------------ * Derek Wright [5] one of module maintainers, also of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [6] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. [1] http://drupal.org/security-team/risk-levels [2] http://drupal.org/node/1341504 [3] http://drupal.org/user/46549 [4] http://drupal.org/user/356949 [5] http://drupal.org/user/46549 [6] http://drupal.org/user/36762 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-133 - Taxonomy Image - Cross Site Scripting (XSS) & Arbitrary PHP code execution
by security-news＠drupal.org 29 Aug '12

29 Aug '12

View online: http://drupal.org/node/1762482 * Advisory ID: DRUPAL-SA-CONTRIB-2012-133 * Project: Taxonomy Image [1] (third-party module) * Version: 6.x * Date: 2012-August-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- The taxonomy_image module allows site administrators to associate images with taxonomy terms. The module did not sufficiently filter retrieval of taxonomy images, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This vulnerability is mitigated by the fact that an attacker must have the permissions "administer taxonomy" and "administer taxonomy images", and that the fix for SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations [3] should prevent code execution in typical Apache configurations. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Taxonomy Image 6.x-1.x versions prior to 6.x-1.7. Drupal core is not affected. If you do not use the contributed Taxonomy Image [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Taxonomy Image module for Drupal 6.x, upgrade to Taxonomy Image 6.x-1.7 [5] Also see the Taxonomy Image [6] project page. -------- REPORTED BY --------------------------------------------------------- * Chris Burgess [7] -------- FIXED BY ------------------------------------------------------------ * Nancy Wichmann [8], the module maintainer * Niklas Fiekas [9], the module maintainer * Chris Burgess [10] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team * Ivo Van Geertruyen [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/taxonomy_image [2] http://drupal.org/security-team/risk-levels [3] https://drupal.org/node/65409 [4] http://drupal.org/project/taxonomy_image [5] http://drupal.org/node/1760678 [6] http://drupal.org/project/taxonomy_image [7] http://drupal.org/user/76026 [8] http://drupal.org/user/101412 [9] http://drupal.org/user/1089248 [10] http://drupal.org/user/76026 [11] http://drupal.org/user/36762 [12] http://drupal.org/user/383424 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-132 - Announcements - Access Bypass
by security-news＠drupal.org 29 Aug '12

29 Aug '12

View online: http://drupal.org/node/1762480 * Advisory ID: DRUPAL-SA-CONTRIB-2012-132 * Project: Announcements [1] (third-party module) * Version: 6.x * Date: 2012-August-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Announcements module creates an "announcement" content type and provides both node views and block lists. The module doesn't sufficiently check node access under certain conditions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access announcements". CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Announcements 6.x-1.x versions prior to 6.x-1.5. Drupal core is not affected. If you do not use the contributed Announcements [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Announcements module for Drupal 6.x, upgrade to Announcements 6.x-1.5 [4] Also see the Announcements [5] project page. -------- REPORTED BY --------------------------------------------------------- * Michael Hess [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Nancy Wichmann [7], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/announcements [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/announcements [4] http://drupal.org/node/1761038 [5] http://drupal.org/project/announcements [6] http://drupal.org/user/102818 [7] http://drupal.org/user/101412 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-131 - Email Field - Access Bypass
by security-news＠drupal.org 29 Aug '12

29 Aug '12

View online: http://drupal.org/node/1762470 * Advisory ID: DRUPAL-SA-CONTRIB-2012-131 * Project: Email Field [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-August-29 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The email module provides a field type (CCK / FieldAPI) for storing email addresses. Furthermore, it provides a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is. The module didn't sufficiently check access for the contact form page, allowing a site visitor to email the stored address on the entity without having access to the entity itself. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Email Field 6.x-1.x versions prior to 6.x-1.2. * Email Field 7.x-1.x versions prior to 7.x-1.1. Drupal core is not affected. If you do not use the contributed Email Field [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Email Field module for Drupal 6.x, upgrade to Email Field 6.x-1.3 [4] * If you use the Email Field module for Drupal 7.x, upgrade to Email Field 7.x-1.2 [5] Also see the Email Field [6] project page. -------- REPORTED BY --------------------------------------------------------- * Joachim Noreiko [7] -------- FIXED BY ------------------------------------------------------------ * Joachim Noreiko [8] * Matthias Hutterer [9] the module maintainer * Greg Knaddison [10] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/email [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/email [4] http://drupal.org/node/1761968 [5] http://drupal.org/node/1761948 [6] http://drupal.org/project/email [7] http://drupal.org/user/107701 [8] http://drupal.org/user/107701 [9] http://drupal.org/user/59747 [10] http://drupal.org/user/36762 [11] http://drupal.org/user/36762 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-130 - Jstool - Multiple Vulnerabilities
by security-news＠drupal.org 29 Aug '12

29 Aug '12

View online: http://drupal.org/node/1762220 * Advisory ID: DRUPAL-SA-CONTRIB-2012-130 * Project: Javascript Tool [1] (third-party module) * Version: 7.x * Date: 2012-August-29 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- Javascript Tool enables administrators to edit any javascript file online from an admin panel. The module does not protect its menu paths, which contain sensitive information about all javascript files on the site and their contents. The module does not validate filenames which can lead to potential read/write access to arbitrary files on the server. Write access to files is mitigated by the fact that an attacker must have the permission to use the full_html text format. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Javascript Tool 7.x-1.x versions prior to 7.x-1.7. Drupal core is not affected. If you do not use the contributed Javascript Tool [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Javascript Tool module for Drupal 7.x, upgrade to Javascript Tool 7.x-1.7 [4] Also see the Javascript Tool [5] project page. -------- REPORTED BY --------------------------------------------------------- * Klaus Purer [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * drupwash [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/jstool [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/jstool [4] http://drupal.org/node/1759538 [5] http://drupal.org/project/jstool [6] http://drupal.org/user/262198 [7] http://drupal.org/user/1652472 [8] http://drupal.org/user/262198 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-129 - Activism - Access Bypass
by security-news＠drupal.org 29 Aug '12

29 Aug '12

View online: http://drupal.org/node/1762160 * Advisory ID: DRUPAL-SA-CONTRIB-2012-129 * Project: Activism [1] (third-party module) * Version: 6.x * Date: 2012-08-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The Activism module is an attempt to standardize the way online advocacy tools are built in Drupal 6. It ships with and creates a "Campaign" content type which is always viewable, even when an administrator unpublishes it or otherwise restricts viewing access. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Activism 6.x-2.0. Drupal core is not affected. If you do not use the contributed Activism [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Activism module for Drupal 6.x, upgrade to Activism 6.x-2.1 [4] Also see the Activism [5] project page. -------- REPORTED BY --------------------------------------------------------- * Sheldon Rampton [6] -------- FIXED BY ------------------------------------------------------------ * Sheldon Rampton [7], the issue reporter * Stella Power [8] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Stella Power [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/activism [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/activism [4] http://drupal.org/node/1762152 [5] http://drupal.org/project/activism [6] http://drupal.org/user/13085 [7] http://drupal.org/user/13085 [8] http://drupal.org/user/66894 [9] http://drupal.org/user/66894 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-128 - Elegant Theme - Cross Site Scripting (XSS)
by security-news＠drupal.org 15 Aug '12

15 Aug '12

View online: http://drupal.org/node/1733056 * Advisory ID: DRUPAL-SA-CONTRIB-2012-128 * Project: Elegant Theme [1] (third-party module) * Version: 7.x * Date: 2012-August-15 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Elegant Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Elegant Theme 7.x-1.x versions prior to 7.x-1.0. Drupal core is not affected. If you do not use the contributed Elegant Theme [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Elegant Theme for Drupal 7.x, upgrade to Elegant Theme 7.x-1.1 [4] Also see the Elegant Theme [5] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * saran.quardz [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/elegant_theme [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/elegant_theme [4] http://drupal.org/node/1722880 [5] http://drupal.org/project/elegant_theme [6] http://drupal.org/user/36762 [7] http://drupal.org/user/1031208 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-127 - Custom Publishing Options - Cross Site Scripting (XSS) Vulnerability
by security-news＠drupal.org 15 Aug '12

15 Aug '12

View online: http://drupal.org/node/1732980 * Advisory ID: DRUPAL-SA-CONTRIB-2012-127 * Project: Custom Publishing Options [1] (third-party module) * Version: 6.x * Date: 2012-August-15 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Custom Publishing Options module allows you to create custom publishing options for nodes. It allows you to add to the default options of Publish, Promote to Front Page, and Sticky. It also ingrates with views to allow you add as a field, sort and filter by, your custom options. The module doesn't sufficiently sanitize status labels containing HTML. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer nodes". CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Custom Publishing Options 6.x-1.x versions prior to 6.x-1.4. Drupal core is not affected. If you do not use the contributed Custom Publishing Options [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Custom Publishing Options module for Drupal 6.x, upgrade to Custom Publishing Options 6.x-1.5 [4] Also see the Custom Publishing Options [5] project page. -------- REPORTED BY --------------------------------------------------------- * Publicly disclosed. -------- FIXED BY ------------------------------------------------------------ * Kevin Quillen [6] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [7] of the Drupal Security Team * Ivo Van Geertruyen [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/custom_pub [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/custom_pub [4] http://drupal.org/node/1730766 [5] http://drupal.org/project/custom_pub [6] http://drupal.org/user/317279 [7] http://drupal.org/user/36762 [8] http://drupal.org/user/383424 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0