View online: http://drupal.org/node/1796036
* Advisory ID: DRUPAL-SA-CONTRIB-2012-148
* Project: Organic groups [1] (third-party module)
* Version: 7.x
* Date: 2012-September-26
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
OG (Organic groups) enables users to create and manage their own 'groups'.
Each group can have subscribers, and maintains a group home page where
subscribers communicate amongst themselves. A group membership can be given
immediately upon subscribing, or be pending - waiting for a group
administrator to approve it.
OG doesn't properly maintain pending memberships if the user is allowed to
edit their own account.
In addition, under certain circumstances, a user was able to post to a group
of which they were not a member.
There are no additional mitigating factors for these issues.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* OG (Organic groups) 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Organic groups
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the OG 7.x-1.x module for Drupal 7.x, upgrade to OG (Organic
groups) 7.x-1.5 [4]
Also see the Organic groups [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Zoltán Tóth [6]
* John Takousis [7]
-------- FIXED BY
------------------------------------------------------------
* Amitai Burstein [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [9]
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og
[4] http://drupal.org/node/1795906
[5] http://drupal.org/project/og
[6] http://drupal.org/user/2126442
[7] http://drupal.org/user/1792608
[8] http://drupal.org/user/57511
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789306
* Advisory ID: DRUPAL-SA-CONTRIB-2012-147
* Project: FileField Sources [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Drupal FileField module lets you upload files from your computer through
a CCK field. The FileField Sources module expands on this ability by allowing
you to select new or existing files through additional means. The FileField
Sources module contains a persistent cross site scripting (XSS) vulnerability
due to the fact that it fails to sanitize user supplied filenames before
display.
This vulnerability is mitigated by the fact that malicious users must have
the ability to upload files on a field that has the "Reference existing"
source enabled.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* FileField Sources 6.x-1.x versions prior to 6.x-1.6.
* FileField Sources 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed FileField
Sources [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FileField Sources module for Drupal 6.x, upgrade to
FileField Sources 6.x-1.6 [4]
* If you use the FileField Sources module for Drupal 7.x, upgrade to
FileField Sources 7.x-1.6 [5]
Also see the FileField Sources [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Disclosed publicly.
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/filefield_sources
[4] http://drupal.org/node/1789300
[5] http://drupal.org/node/1789302
[6] http://drupal.org/project/filefield_sources
[7] http://drupal.org/user/35821
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789284
* Advisory ID: DRUPAL-SA-CONTRIB-2012-146
* Project: Simplenews Scheduler [1] (third-party module)
* Version: 6.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
The Simplenews Scheduler module provides a system for creating automatic
email newsletters. These can be set to be sent at a fixed interval, or PHP
code can be entered to evaluate a condition for a new newsletter issue to be
sent.
The module gives a user with the 'send scheduled newsletters' permission
access to the scheduling form, where PHP code may be entered. This code is
then executed the next time the site runs cron. A site administrator granting
the permission is not given sufficient warning that they are granting this
level of access to the site.
This vulnerability is mitigated by the fact that an attacker must have
already been granted a role with the permission 'send scheduled newsletters'.
CVE: Requested
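Added example, not Simplenews Scheduler's own code, of the pattern that closes the gap the advisory describes: the ability to enter PHP is split out of the ordinary sending permission into a separately declared, restricted permission, and a posted PHP condition is only persisted when the submitter actually holds it. It is written against the Drupal 7 permission API (hook_permission with its 'restrict access' flag, which is what prints the "Warning: Give to trusted roles only" note on the permissions page) rather than the 6.x hook_perm the affected branch uses. The permission name 'use PHP for newsletter scheduling', the `example_` function names and the stand-ins for `t()` and `user_access()` are constructed.

```php
<?php
// Added example; not Simplenews Scheduler's code. Stand-ins for core t() and
// user_access() so the snippet runs outside Drupal; in a module the core
// functions are used directly.
if (!function_exists('t')) {
  function t($string, $args = array()) { return strtr($string, $args); }
}
if (!function_exists('user_access')) {
  // Constructed grant table for the demo: the current user may send
  // newsletters but holds no PHP-evaluation permission.
  function user_access($permission) {
    return in_array($permission, array('send scheduled newsletters'), TRUE);
  }
}

// hook_permission(): the dangerous capability is a permission of its own,
// and 'restrict access' => TRUE makes the permissions page warn about it.
// (Drupal 6's hook_perm() returns bare names and has no such flag.)
function example_simplenews_scheduler_permission() {
  return array(
    'send scheduled newsletters' => array(
      'title' => t('Send scheduled newsletters'),
    ),
    'use PHP for newsletter scheduling' => array(   // hypothetical name
      'title' => t('Use PHP code in newsletter scheduling conditions'),
      'description' => t('Code entered here runs during cron with the full privileges of the site.'),
      'restrict access' => TRUE,
    ),
  );
}

// Form side: the PHP field is only shown to holders of that permission.
function example_schedule_form() {
  $form['interval'] = array(
    '#type' => 'select',
    '#title' => t('Send every'),
    '#options' => array(86400 => t('day'), 604800 => t('week')),
  );
  $form['php_condition'] = array(
    '#type' => 'textarea',
    '#title' => t('PHP condition'),
    '#access' => user_access('use PHP for newsletter scheduling'),
  );
  return $form;
}

// Storage side: decide what is persisted from the posted values. A posted
// PHP condition is dropped unless the submitter holds the permission, so a
// crafted request cannot smuggle code past a field that was never displayed.
function example_schedule_values_to_store(array $values) {
  $store = array('interval' => (int) $values['interval'], 'php_condition' => '');
  if (user_access('use PHP for newsletter scheduling') && isset($values['php_condition'])) {
    $store['php_condition'] = $values['php_condition'];
  }
  return $store;
}

if (PHP_SAPI === 'cli') {
  // Constructed submission carrying a PHP condition the user may not set.
  print_r(example_schedule_values_to_store(array(
    'interval' => '86400',
    'php_condition' => 'return TRUE;',
  )));
  // Output keeps the interval and an empty php_condition.
}
```

The split is the point: an administrator reading the permissions page sees one warned, clearly described grant for code execution, and "send scheduled newsletters" no longer implies it.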
-------- VERSIONS AFFECTED
---------------------------------------------------
* Simplenews Scheduler 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Simplenews
Scheduler [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Simplenews Scheduler module for Drupal 6.x, upgrade to
Simplenews Scheduler 6.x-2.4 [4]
Also see the Simplenews Scheduler [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sascha Grossenbacher [6]
* Joachim Noreiko [7] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Joachim Noreiko [8] the module maintainer
* Sascha Grossenbacher [9]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/simplenews_scheduler
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/simplenews_scheduler
[4] http://drupal.org/node/1789274
[5] http://drupal.org/project/simplenews_scheduler
[6] http://drupal.org/user/214652
[7] http://drupal.org/user/107701
[8] http://drupal.org/user/107701
[9] http://drupal.org/user/214652
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789260
* Advisory ID: DRUPAL-SA-CONTRIB-2012-145
* Project: Imagemenu [1] (third-party module)
* Version: 6.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Imagemenu module allows you to create Drupal menus from image files.
The module doesn't sufficiently escape image file names when rendering menus,
allowing a potential XSS attack.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer imagemenu".
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Imagemenu 6.x-1.x versions prior to 6.x-1.4.
Drupal core is not affected. If you do not use the contributed Imagemenu [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Imagemenu module for Drupal 6.x, upgrade to Imagemenu
6.x-1.4 [4]
Also see the Imagemenu [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* David Houlder [6]
-------- FIXED BY
------------------------------------------------------------
* Paul Maddern [7], module maintainer
* Marcus Clements [8], module maintainer
* Ben Jeavons [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10], Ben Jeavons [11], and Greg Knaddison [12] of the Drupal
Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/imagemenu
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/imagemenu
[4] http://drupal.org/node/1788726
[5] http://drupal.org/project/imagemenu
[6] http://drupal.org/user/588210
[7] http://drupal.org/user/25159
[8] http://drupal.org/user/190002
[9] http://drupal.org/user/91990
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/91990
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789258
* Advisory ID: DRUPAL-SA-CONTRIB-2012-144
* Project: Fonecta verify [1] (third-party module)
* Version: 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Fonecta verify provides an interface to retrieve information from the Finnish
Fonecta company information database. The module contains an arbitrary script
injection vulnerability (XSS) due to the fact that it fails to sanitize data
retrieved from an untrusted third party source.
This vulnerability is mitigated by the fact that an attacker must have either
gained access to that third party source or used techniques such as DNS
spoofing in order to inject malicious data.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Fonecta verify 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Fonecta verify
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Fonecta verify module for Drupal 7.x, upgrade to Fonecta
verify 7.x-1.6 [4]
Also see the Fonecta verify [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Antti Alamäki [6] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Antti Alamäki [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/fonecta_verify
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fonecta_verify
[4] http://drupal.org/node/1778782
[5] http://drupal.org/project/fonecta_verify
[6] http://drupal.org/user/155131
[7] http://drupal.org/user/155131
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789252
* Advisory ID: DRUPAL-SA-CONTRIB-2012-143
* Project: PRH Search [1] (third-party module)
* Version: 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
PRH Search provides an interface to search for information on Finnish
associations using the PRH (Patentti- ja Rekisterihallitus) database.
The module fails to sanitize data retrieved from an untrusted third party
source, thereby exposing an arbitrary script injection vulnerability (XSS).
This vulnerability is mitigated by the fact that an attacker must have either
gained access to that third party source or used techniques such as DNS
spoofing in order to inject malicious data.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* PRH Search 7.x-1.x versions prior to 7.x-1.1
Drupal core is not affected. If you do not use the contributed PRH Search [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the PRH Search module for Drupal 7.x, upgrade to PRH Search
7.x-1.1 [4]
Also see the PRH Search [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Antti Alamäki [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/prh_search
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/prh_search
[4] http://drupal.org/node/1778778
[5] http://drupal.org/project/prh_search
[6] http://drupal.org/user/262198
[7] http://drupal.org/user/155131
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789242
* Advisory ID: DRUPAL-SA-CONTRIB-2012-142
* Project: Spambot [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-September-19
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Spambot module enables you to protect new user registrations from
spammers using the database at stopforumspam.com.
Spambot doesn't sufficiently sanitize API responses from stopforumspam.com
when they are logged to the watchdog, allowing a potential XSS attack.
This vulnerability is mitigated by the fact that only stopforumspam.com (or
someone pretending to be stopforumspam.com) can exploit it.
CVE: Requested
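Added example (not Spambot's own code) of why logging a remote response by string concatenation is a cross site scripting vector: the database log viewer renders a message that carries no placeholder data as-is, so markup in the response reaches the administrator's browser. The same trust boundary is the one crossed in the Fonecta verify and PRH Search advisories above, where third-party data reaches a page instead of a log. The response text, the `example_` names and the `watchdog()` stand-in are constructed; `example_render_as_dblog()` mirrors the Drupal 7 dblog rule that @ and % placeholders are escaped with `check_plain()` and ! placeholders are not.

```php
<?php
// Added example; not Spambot's code. Stand-in for core watchdog() so the
// snippet runs outside Drupal: it keeps the (message, variables) pair the
// way the dblog module stores it.
if (!defined('WATCHDOG_ERROR')) { define('WATCHDOG_ERROR', 3); }
if (!function_exists('watchdog')) {
  function watchdog($type, $message, $variables = array(), $severity = 5) {
    $GLOBALS['example_log'][] = array('message' => $message, 'variables' => $variables);
  }
}

// Constructed reply standing in for a stopforumspam.com API response.
define('EXAMPLE_REMOTE_RESPONSE',
  '<response success="0"><error>bad key<script>alert(1)</script></error></response>');

// Vulnerable: the remote text is concatenated into the message string, so
// the log viewer has nothing to escape and prints it as HTML.
function example_log_response_vulnerable($response) {
  watchdog('spambot', 'API error: ' . $response, array(), WATCHDOG_ERROR);
}

// Hardened: the remote text travels as a @-placeholder value. When the log is
// viewed, @ and % values are passed through check_plain(); only ! is raw.
function example_log_response_safe($response) {
  watchdog('spambot', 'API error: @response', array('@response' => $response), WATCHDOG_ERROR);
}

// Mirrors how Drupal 7's dblog renders an entry: a message whose variables
// carry no data is output unchanged; otherwise placeholders are substituted
// with @ and % escaped and ! left as-is.
function example_render_as_dblog(array $entry) {
  if (empty($entry['variables'])) {
    return $entry['message'];
  }
  $args = array();
  foreach ($entry['variables'] as $key => $value) {
    $args[$key] = ($key[0] === '!') ? $value : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
  }
  return strtr($entry['message'], $args);
}

if (PHP_SAPI === 'cli') {
  $GLOBALS['example_log'] = array();
  example_log_response_vulnerable(EXAMPLE_REMOTE_RESPONSE);
  example_log_response_safe(EXAMPLE_REMOTE_RESPONSE);
  foreach ($GLOBALS['example_log'] as $entry) {
    echo example_render_as_dblog($entry), "\n";
  }
  // The first line still contains <script>; the second shows &lt;script&gt;.
}
```

The rule generalises to the page case: a value fetched from a remote service is untrusted input exactly like a form field, and it is escaped at the point of output, whether that output is a watchdog message, a form default value or a rendered page.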
-------- VERSIONS AFFECTED
---------------------------------------------------
* Spambot 6.x-3.x versions prior to 6.x-3.2.
* Spambot 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Spambot [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Spambot module for Drupal 6.x, upgrade to Spambot 6.x-3.2
[4]
* If you use the Spambot module for Drupal 7.x, upgrade to Spambot 7.x-1.1
[5]
Also see the Spambot [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jimmy Axenhus [7]
-------- FIXED BY
------------------------------------------------------------
* Beng Tan [8], the module maintainer
* Jimmy Axenhus [9]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Ben Jeavons [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/spambot
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/spambot
[4] http://drupal.org/node/1789084
[5] http://drupal.org/node/1789086
[6] http://drupal.org/project/spambot
[7] http://drupal.org/user/565562
[8] http://drupal.org/user/132729
[9] http://drupal.org/user/565562
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/91990
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1782580
* Advisory ID: DRUPAL-SA-CONTRIB-2012-139
* Project: PDFThumb [1] (third-party module)
* Version: 7.x
* Date: 2012-September-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: OS Injection
-------- DESCRIPTION
---------------------------------------------------------
PDFThumb module creates thumbnail images of PDF files.
The module doesn't sufficiently escape user-entered values when executing
commands on the server, allowing an attacker to execute whatever commands are
available to the web server user (e.g. www-data).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer PDFThumb".
CVE: Requested
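Added example, not PDFThumb's code, of the command-building pattern behind this advisory and its hardened form: configuration values typed into the module's settings form are interpolated into a shell command line, so a shell metacharacter in a field meant for a number runs a second command as the web server user. The settings array, the paths and the `example_` functions are constructed; `escapeshellarg()` is PHP's own.

```php
<?php
// Added example; not PDFThumb's code. Constructed settings that an
// administrator could have typed into the module's configuration form.
$example_settings = array(
  'binary'  => '/usr/bin/convert',
  'density' => '72; touch /tmp/pwned',  // shell metacharacter in a numeric field
);

// Vulnerable pattern: configured values are interpolated into the command
// line, so whatever follows the ';' runs as a separate command.
function example_thumb_command_vulnerable(array $s, $src, $dst) {
  return $s['binary'] . ' -density ' . $s['density'] . ' ' . $src . '[0] ' . $dst;
}

// Hardened, step 1: validate each setting against the shape it must have.
// In a module this is what an #element_validate callback on the settings
// form does, so a bad value is rejected when it is saved, not when cron runs.
function example_validate_settings(array $s) {
  $errors = array();
  if (!preg_match('/^[0-9]{1,4}$/', $s['density'])) {
    $errors['density'] = 'Density must be a whole number (dots per inch).';
  }
  if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $s['binary'])) {
    $errors['binary'] = 'Path must be absolute and contain no shell metacharacters.';
  }
  return $errors;
}

// Hardened, step 2: even with validated settings, every argument goes through
// escapeshellarg() when the command is built, so a value that slipped past
// validation cannot break out of its own argument.
function example_thumb_command_safe(array $s, $src, $dst) {
  if (example_validate_settings($s)) {
    throw new InvalidArgumentException('refusing to build a command from invalid settings');
  }
  $args = array($s['binary'], '-density', $s['density'], $src . '[0]', $dst);
  return implode(' ', array_map('escapeshellarg', $args));
}

if (PHP_SAPI === 'cli') {
  echo example_thumb_command_vulnerable($example_settings, '/tmp/in.pdf', '/tmp/out.png'), "\n";
  print_r(example_validate_settings($example_settings));   // reports the density error
  $example_settings['density'] = '72';
  echo example_thumb_command_safe($example_settings, '/tmp/in.pdf', '/tmp/out.png'), "\n";
}
```

The two steps are deliberately independent: validation gives the administrator a useful error, escaping protects the command line from anything the validation did not anticipate. Holding "Administer PDFThumb" is meant to configure thumbnails, not to run commands, so the settings are treated as untrusted even though only that role can write them.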
-------- VERSIONS AFFECTED
---------------------------------------------------
* PDFThumb 7.x-1.x versions prior to 7.x-1.1
Drupal core is not affected. If you do not use the contributed PDFThumb [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the PDFThumb module for Drupal 7.x, upgrade to PDFThumb 7.x-1.1
[4]
Also see the PDFThumb [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Kleve [6] of the Drupal Security Team
* mdespeuilles [7], the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Matt Kleve [8] of the Drupal Security Team
* mdespeuilles [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Matt Kleve [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/pdfthumb
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/pdfthumb
[4] http://drupal.org/node/1776248
[5] http://drupal.org/project/pdfthumb
[6] http://drupal.org/user/150473
[7] http://drupal.org/user/939504
[8] http://drupal.org/user/150473
[9] http://drupal.org/user/939504
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1782686
* Advisory ID: DRUPAL-SA-CONTRIB-2012-140
* Project: Inf08 [1] (third-party module)
* Version: 6.x
* Date: 2012-September-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Inf08 is a valid XHTML 1.0 Strict / CSS 2.1 theme ported from the free CSS
template. The theme contains an arbitrary script injection vulnerability
(XSS) due to the fact that it fails to sanitize user supplied taxonomy
vocabulary names before display. This vulnerability is mitigated by the fact
that an attacker must have a role with the permission "administer taxonomy".
CVE: Requested
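Added example (not code from FileField Sources, Imagemenu or Inf08) of the output-escaping mistake those three advisories share: a name that a user controls, an uploaded file's name or a taxonomy vocabulary name, is printed straight into markup. The sample names, the `example_` function names and the `check_plain()` stand-in are constructed; in a module or theme core's `check_plain()` is used directly.

```php
<?php
// Added example; not code from FileField Sources, Imagemenu or Inf08.
// Stand-in for core check_plain() so the snippet runs outside Drupal; it is
// the same htmlspecialchars() call Drupal uses.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample names. In the advisories these came from an uploaded
// file's name and from a taxonomy vocabulary name respectively.
define('EXAMPLE_FILENAME', 'report<img src=x onerror=alert(1)>.pdf');
define('EXAMPLE_VOCABULARY', 'Tags" onmouseover="alert(1)');

// Vulnerable pattern: the stored name is concatenated into markup, so any
// tag or attribute text inside the name becomes part of the page.
function example_file_link_vulnerable($filename, $url) {
  return '<a href="' . $url . '">' . $filename . '</a>';
}

// Hardened: escape at the point of output. check_plain() turns <, >, &, "
// and ' into entities, so the name is rendered as text in both element and
// attribute context. (Core's check_url() additionally strips dangerous
// protocols from an href; omitted here to keep the snippet stand-alone.)
function example_file_link_safe($filename, $url) {
  return '<a href="' . check_plain($url) . '" title="' . check_plain($filename) . '">'
    . check_plain($filename) . '</a>';
}

// The theme case is the same bug in attribute context: a vocabulary name
// printed into a class attribute. Escaping is still required even though
// only "administer taxonomy" holders can set the name, because that role
// does not imply running script in other users' browsers.
function example_vocabulary_block_safe($name, $terms_html) {
  return '<div class="vocabulary-' . check_plain($name) . '">'
    . '<h2>' . check_plain($name) . '</h2>' . $terms_html . '</div>';
}

if (PHP_SAPI === 'cli') {
  $unsafe = example_file_link_vulnerable(EXAMPLE_FILENAME, '/files/report.pdf');
  $safe   = example_file_link_safe(EXAMPLE_FILENAME, '/files/report.pdf');
  echo strpos($unsafe, '<img') !== FALSE ? "vulnerable: markup survives\n" : '';
  echo strpos($safe, '<img') === FALSE ? "hardened: markup escaped\n" : '';
  echo example_vocabulary_block_safe(EXAMPLE_VOCABULARY, '<ul></ul>'), "\n";
}
```

The rule of thumb from the Drupal secure-coding guidance applies to all three: sanitise on output, not on input, because the same stored name is rendered in several contexts (link text, title attribute, class attribute) and each needs the escaping appropriate to it.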
-------- VERSIONS AFFECTED
---------------------------------------------------
* Inf08 6.x-1.x versions prior to 6.x-1.10.
Drupal core is not affected. If you do not use the contributed Inf08 [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Inf08 theme for Drupal 6.x, upgrade to Inf08 6.x-1.10 [4]
Also see the Inf08 [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin C. Klein Keane [6]
-------- FIXED BY
------------------------------------------------------------
* kong [7], the theme maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/inf08
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/inf08
[4] http://drupal.org/node/1782286
[5] http://drupal.org/project/inf08
[6] http://drupal.org/user/15344
[7] http://drupal.org/user/46601
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1782832
* Advisory ID: DRUPAL-SA-CONTRIB-2012-141
* Project: Mass Contact [1] (third-party module)
* Version: 6.x
* Date: 2012-September-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module allows anyone with permission to send a single message to
multiple users of a site, using its roles functionality.
The module doesn't sufficiently check permissions after the form has been
submitted.
This vulnerability is mitigated by the fact that an attacker must use a tool
of some kind (like the Tamper Data Firefox add-on) to intercept the form
submission request in order to modify the settings.
CVE: Requested
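Added example (not Mass Contact's code; Drupal 6 form API shape) of the permission recheck that closes this class of bug: the form builder only offers the roles the user may message, but a submission edited in transit can still name other roles, so the validate and submit handlers re-derive the permitted set from permissions instead of trusting the posted values. The per-role permission name "mass contact role N", the `example_` names and the stand-ins for `user_roles()`, `user_access()`, `t()` and `form_set_error()` are constructed.

```php
<?php
// Added example; not Mass Contact's code. Stand-ins for the core functions
// it calls, so it runs outside Drupal; in a module these resolve to core.
if (!function_exists('user_roles')) {
  function user_roles($members_only = FALSE) {
    // Constructed role table.
    return array(2 => 'authenticated user', 3 => 'editor', 4 => 'administrator');
  }
}
if (!function_exists('user_access')) {
  function user_access($permission) {
    // Constructed grants: the current user may message editors only.
    return $permission === 'mass contact role 3';
  }
}
if (!function_exists('t')) {
  function t($string, $args = array()) { return strtr($string, $args); }
}
if (!function_exists('form_set_error')) {
  function form_set_error($name, $message) { $GLOBALS['example_form_errors'][$name] = $message; }
}

// Roles the current user may message, derived from permissions alone.
// (The per-role permission name "mass contact role N" is hypothetical.)
function example_mass_contact_allowed_roles() {
  $allowed = array();
  foreach (user_roles(TRUE) as $rid => $name) {
    if (user_access('mass contact role ' . $rid)) {
      $allowed[$rid] = $name;
    }
  }
  return $allowed;
}

// Builder: only permitted roles are offered. A check that stops here is the
// one the advisory describes as insufficient.
function example_mass_contact_form() {
  $form['roles'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Send to roles'),
    '#options' => example_mass_contact_allowed_roles(),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

// Shared helper: role ids the submission named that the current user is
// not permitted to message (array_diff keeps the original keys).
function example_mass_contact_disallowed(array $posted_roles) {
  $chosen = array_keys(array_filter($posted_roles));
  return array_diff($chosen, array_keys(example_mass_contact_allowed_roles()));
}

function example_mass_contact_form_validate($form, &$form_state) {
  if (example_mass_contact_disallowed($form_state['values']['roles'])) {
    form_set_error('roles', t('You are not allowed to send to one or more of the selected roles.'));
  }
}

function example_mass_contact_form_submit($form, &$form_state) {
  // Even after validation, deliver only to the intersection of what was
  // posted and what is permitted right now.
  $targets = array_intersect_key(array_filter($form_state['values']['roles']),
                                 example_mass_contact_allowed_roles());
  return array_keys($targets);  // role ids to deliver to
}

if (PHP_SAPI === 'cli') {
  // Constructed tampered submission: role 4 was never offered but is posted anyway.
  $state = array('values' => array('roles' => array(3 => 3, 4 => 4)));
  print_r(example_mass_contact_disallowed($state['values']['roles']));  // contains 4
  print_r(example_mass_contact_form_submit(array(), $state));           // array(3)
}
```

Recomputing the allowed set costs one permission lookup per role and removes any dependence on what the browser was shown, which is the only state an intercepting proxy cannot alter.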
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mass Contact 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Mass Contact
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Mass Contact module for Drupal 6.x, upgrade to Mass Contact
6.x-1.2 [4]
Also see the Mass Contact [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Michael Orlitzky [6]
-------- FIXED BY
------------------------------------------------------------
* Michael Orlitzky [7]
* Jason Flatt [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/mass_contact
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mass_contact
[4] http://drupal.org/node/1782766
[5] http://drupal.org/project/mass_contact
[6] http://drupal.org/user/1731656
[7] http://drupal.org/user/1731656
[8] http://drupal.org/user/4649
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration