Security-news January 2013

security-news@drupal.org

1 participants
15 discussions

SA-CONTRIB-2013-014 - Drush Debian Packaging - Information Disclosure - Unsupported
by security-news＠drupal.org 30 Jan '13

30 Jan '13

View online: http://drupal.org/node/1903324 * Advisory ID: DRUPAL-SA-CONTRIB-2013-014 * Project: Drush Debian Packaging [1] (third-party module) * Version: 7.x * Date: 2013-January-30 * Security risk: Critical [2] * Exploitable from: Local * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- This package is a tool to build debian packages from a Drupal instance. The module doesn't sufficiently protect database credentials. This vulnerability is mitigated by the fact that an attacker must have shell access to the server. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions. Drupal core is not affected. If you do not use the contributed Drush Debian Packaging [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the package. Also see the Drush Debian Packaging [5] project page. -------- REPORTED BY --------------------------------------------------------- * jiri-catalyst [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/debuild [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/debuild [5] http://drupal.org/project/debuild [6] http://drupal.org/user/2322458 [7] http://drupal.org/user/36762 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-013 - Boxes - Cross site scripting (XSS)
by security-news＠drupal.org 30 Jan '13

30 Jan '13

View online: http://drupal.org/node/1903300 * Advisory ID: DRUPAL-SA-CONTRIB-2013-013 * Project: Boxes [1] (third-party module) * Version: 7.x * Date: 2013-January-30 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The subject field for the included simple box doesn't escape HTML properly. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer/edit boxes. Wikipedia has more information about cross site scripting [3] (XSS). -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Boxes 7.x-1.x versions prior to 7.x-1.1 Drupal core is not affected. If you do not use the contributed Boxes [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Boxes module for Drupal 7.x, upgrade to Boxes 7.x-1.1 [6] Also see the Boxes [7] project page. -------- REPORTED BY --------------------------------------------------------- * Laura Dickinson [8] -------- FIXED BY ------------------------------------------------------------ * Tirdad Chaharlengi [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/boxes [2] http://drupal.org/security-team/risk-levels [3] http://en.wikipedia.org/wiki/Xss [4] http://cve.mitre.org/ [5] http://drupal.org/project/boxes [6] http://drupal.org/node/1897016 [7] http://drupal.org/project/boxes [8] http://drupal.org/user/337318 [9] http://drupal.org/user/383630 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-012 - Google Authenticator login - Access Bypass
by security-news＠drupal.org 30 Jan '13

30 Jan '13

View online: http://drupal.org/node/1903282 * Advisory ID: DRUPAL-SA-CONTRIB-2013-012 * Project: Google Authenticator login [1] (third-party module) * Version: 7.x * Date: 2013-January-30 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module will allow you to add Time-based One-time Password Algorithm (also called "Two Step Authentication" or "Multi-Factor Authentication") support to user logins. Users with the permission to use multi-factor authentication need to associate a Google Authenticator token with their acount before they can use the multi-factor authentication for login. If this step is not done or not completed, their accounts can be logged-in to by supplying the username only due to a logic bug in the module's validation. This means that when an administrator enables the module and grants the permission to use multi-factor authentication all user accounts with that permission can be logged-in to via the username. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All 7.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Google Authenticator login [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Google Authenticator login module for Drupal 7.x, upgrade to Google Authenticator login 7.x-1.3 [5] Also see the Google Authenticator login [6] project page. -------- REPORTED BY --------------------------------------------------------- * Patrick C. [7] -------- FIXED BY ------------------------------------------------------------ * attiks [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Heine Deelstra [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/ga_login [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/ga_login [5] http://drupal.org/node/1902102 [6] http://drupal.org/project/ga_login [7] https://drupal.org/user/127758 [8] http://drupal.org/user/105002 [9] http://drupal.org/user/17943 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-011 - email2image - Access Bypass - Unsupported
by security-news＠drupal.org 30 Jan '13

30 Jan '13

View online: http://drupal.org/node/1903264 * Advisory ID: DRUPAL-SA-CONTRIB-2013-011 * Project: email2image [1] (third-party module) * Version: 6.x * Date: 2013-January-30 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module creates images of user email addresses and email fields. The module doesn't sufficiently check node access restrictions when displaying such fields. This vulnerability is mitigated by the fact that it only impacts sites using node access. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All email2image 6.x-1.x and 6.x-2.x versions. Drupal core is not affected. If you do not use the contributed email2image [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the email2image module for Drupal 6.x you should uninstall the module Also see the email2image [5] project page. -------- REPORTED BY --------------------------------------------------------- * Ayesh Karunaratne [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/email2image [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/email2image [5] http://drupal.org/project/email2image [6] http://drupal.org/user/796148 [7] http://drupal.org/user/395439 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-010 - Search API sorts - Cross Site Scripting (XSS)
by security-news＠drupal.org 23 Jan '13

23 Jan '13

View online: http://drupal.org/node/1896782 * Advisory ID: DRUPAL-SA-CONTRIB-2013-010 * Project: Search API sorts [1] (third-party module) * Version: 7.x * Date: 2013-January-23 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to sort by Search API facets. The module doesn't sufficiently filter user entered text in field labels. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to modify field labels such as "administer taxonomy". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Search API Sorts 7.x-1.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed Search API sorts [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Search API Sorts module for Drupal 7.x, upgrade to Search API Sorts 7.x-1.4 [5] Also see the Search API sorts [6] project page. -------- REPORTED BY --------------------------------------------------------- * Francisco José Cruz Romanos [7] -------- FIXED BY ------------------------------------------------------------ * Francisco José Cruz Romanos [8] -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/1097626 [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/1097626 [5] http://drupal.org/node/1896756 [6] http://drupal.org/project/1097626 [7] https://drupal.org/user/848238 [8] https://drupal.org/user/848238 [9] http://drupal.org/user/262198 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-009 - Keyboard Shortcut Utility - Access Bypass - module unsupported
by security-news＠drupal.org 23 Jan '13

23 Jan '13

View online: http://drupal.org/node/1896752 * Advisory ID: DRUPAL-SA-CONTRIB-2013-009 * Project: Keyboard Shortcut Utility [1] (third-party module) * Version: 7.x * Date: 2013-January-23 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Keyboard Shortcut Utility module enables you to create keyboard shortcuts on your website. You can create a shortcut to go to a page (internal or external) or call a JavaScript function. The module doesn't sufficiently check node access to view nodes for users who have "view shortcuts" permission. It also doesn't check node access to view, edit, or delete nodes for users who have the "admin shortcuts" permission. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view shortcuts" or "admin shortcuts". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All Keyboard Shortcut Utility 7.x-1.x versions. Drupal core is not affected. If you do not use the contributed Keyboard Shortcut Utility [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the module. No patched version is available. Also see the Keyboard Shortcut Utility [5] project page. -------- REPORTED BY --------------------------------------------------------- * Michael Griego [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Ivo Van Geertruyen [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/keyboard_shortcut [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/keyboard_shortcut [5] http://drupal.org/project/keyboard_shortcut [6] http://drupal.org/user/524484 [7] http://drupal.org/user/383424 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-008 - CurvyCorners - Cross Site Scripting (XSS) - module unsupported
by security-news＠drupal.org 23 Jan '13

23 Jan '13

View online: http://drupal.org/node/1896718 * Advisory ID: DRUPAL-SA-CONTRIB-2013-008 * Project: CurvyCorners [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-January-23 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The CurvyCorners module enables you to create rounded corners on HTML block elements. The module doesn't sufficiently filter user entered text when being displayed. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer curvycorners". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * CVE-2013-1393 -------- VERSIONS AFFECTED --------------------------------------------------- * All CurvyCorners 6.x-1.x versions. * All CurvyCorners 7.x-1.x versions. Drupal core is not affected. If you do not use the contributed CurvyCorners [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the CurvyCorners module, uninstall the module - there is no patch available to fix this issue Also see the CurvyCorners [4] project page. -------- REPORTED BY --------------------------------------------------------- * rickauer [5] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [6] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. [1] http://drupal.org/project/curvycorners [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/curvycorners [4] http://drupal.org/project/curvycorners [5] http://drupal.org/user/69553 [6] http://drupal.org/user/36762 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-007 User Relationships - Cross Site Scripting (XSS)
by security-news＠drupal.org 23 Jan '13

23 Jan '13

View online: http://drupal.org/node/1896720 * Advisory ID: DRUPAL-SA-CONTRIB-2013-007 * Project: User Relationships [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-January-23 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The User Relationships module allows you to create multiple relationship types and maintain relationships between users in your Drupal site. The module does not sufficiently escape relationship names before display. This allows users with the correct permissions to create relationship names containing arbitrary Javascript which will then be executed by the browser. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer user relationships". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * User Relationships 6.x-1.x versions prior to 6.x-1.4 * User Relationships 7.x-1.x versions prior to 7.x-1.0-alpha5 Drupal core is not affected. If you do not use the contributed User Relationships [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the User Relationships module for Drupal 6.x, upgrade to User Relationships 6.x-1.4 [5] * If you use the User Relationships module for Drupal 7.x, upgrade to User Relationships 7.x-1.0-alpha5 [6] Also see the User Relationships [7] project page. -------- REPORTED BY --------------------------------------------------------- * Klaus Purer [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Mark Ferree [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/user_relationships [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/user_relationships [5] http://drupal.org/node/1896272 [6] http://drupal.org/node/1896276 [7] http://drupal.org/project/user_relationships [8] http://drupal.org/user/262198 [9] http://drupal.org/user/76245 [10] http://drupal.org/user/262198 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-006 - Video - Arbitrary Code Execution
by security-news＠drupal.org 23 Jan '13

23 Jan '13

View online: http://drupal.org/node/1896714 * Advisory ID: DRUPAL-SA-CONTRIB-2013-006 * Project: Video [1] (third-party module) * Version: 7.x * Date: 2013-January-23 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- The video module enables you to upload video and audio files and transcode them into other formats and sizes using other tools like FFmpeg or Zencoder. The module saves information about the FFmpeg executable in a temporary PHP file, but doesn't check if the file has been tampered with when reading the file, allowing any PHP code in that file to be executed. This vulnerability is mitigated by the fact that an attacker must have write access to the temporary PHP file (something which is not known to be possible via the module itself). Sites not using the FFmpeg transcoder are only vulnerable if the attacker has the 'administer site configuration' permission in order to change the transcoder to FFmpeg. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Video 7.x-2.x versions prior to 7.x-2.9. Drupal core is not affected. If you do not use the contributed Video [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.9 [5] Also see the Video [6] project page. -------- REPORTED BY --------------------------------------------------------- * Joris van Eijden [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Jorrit Schippers [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/video [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/video [5] http://drupal.org/node/1895234 [6] http://drupal.org/project/video [7] http://drupal.org/user/892998 [8] http://drupal.org/user/161217 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CORE-2013-001 - Drupal core - Multiple vulnerabilities
by security-news＠drupal.org 16 Jan '13

16 Jan '13

View online: http://drupal.org/SA-CORE-2013-001 * Advisory ID: DRUPAL-SA-CORE-2013-001 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2013-January-16 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Access bypass -------- DESCRIPTION --------------------------------------------------------- Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. .... Cross-site scripting (Various core and contributed modules - Drupal 6 and 7) A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue. jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection. Although the fix added to Drupal as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided. CVE: Requested. .... Access bypass (Book module printer friendly version - Drupal 6 and 7) A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to. This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the 'access printer-friendly version' permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline. CVE: Requested. .... Access bypass (Image module - Drupal 7) Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view. This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system. CVE: Requested. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 6.x versions prior to 6.28. * Drupal core 7.x versions prior to 7.19. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 6.x, upgrade to Drupal core 6.28 [4]. * If you use Drupal 7.x, upgrade to Drupal core 7.19 [5]. Also see the Drupal core [6] project page. -------- REPORTED BY --------------------------------------------------------- * The cross-site scripting issue in various Drupal core and contributed modules was reported by t.ashula, and by David Rothstein [7] of the Drupal Security Team. * The access bypass issue in the Book module was reported by Mark Lindsey [8]. * The access bypass issue in the Drupal 7 Image module was reported by Kressin Roger [9], Christian Johansson [10], Anders Olsson [11] and saschadrupal [12]. -------- FIXED BY ------------------------------------------------------------ * The cross-site scripting issue in various Drupal core and contributed modules was fixed by t.ashula, Théodore Biadala [13], Katherine Bailey [14], Steve De Jonghe [15] and J. Renée Beach [16], and by Dylan Tack [17], Greg Knaddison [18], David Rothstein [19] and Damien Tournoud [20] of the Drupal Security Team. * The access bypass issue in the Book module was fixed by Mark Lindsey [21], and by Fox [22], David Rothstein [23] and Peter Wolanin [24] of the Drupal Security Team. * The access bypass issue in the Drupal 7 Image module was fixed by Heine Deelstra [25] of the Drupal Security Team, and by Anders Olsson [26]. -------- COORDINATED BY ------------------------------------------------------ * David Rothstein [27], Gábor Hojtsy [28], Stéphane Corlosquet [29], Greg Knaddison [30], Heine Deelstra [31] and Peter Wolanin [32] of the Drupal Security Team * Jeremy Thorson [33] of the QA/Testing Infrastructure Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [34]. Learn more about the Drupal Security team and their policies [35], writing secure code for Drupal [36], and securing your site [37]. [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/drupal-6.28-release-notes [5] http://drupal.org/drupal-7.19-release-notes [6] http://drupal.org/project/drupal [7] http://drupal.org/user/124982 [8] http://drupal.org/user/1924632 [9] http://drupal.org/user/1605796 [10] http://drupal.org/user/204187 [11] http://drupal.org/user/855656 [12] http://drupal.org/user/245825 [13] http://drupal.org/user/598310 [14] http://drupal.org/user/172987 [15] http://drupal.org/user/264148 [16] http://drupal.org/user/748566 [17] http://drupal.org/user/96647 [18] http://drupal.org/user/36762 [19] http://drupal.org/user/124982 [20] http://drupal.org/user/22211 [21] http://drupal.org/user/1924632 [22] http://drupal.org/user/426416 [23] http://drupal.org/user/124982 [24] http://drupal.org/user/49851 [25] http://drupal.org/user/17943 [26] http://drupal.org/user/855656 [27] http://drupal.org/user/124982 [28] http://drupal.org/user/4166 [29] http://drupal.org/user/52142 [30] http://drupal.org/user/36762 [31] http://drupal.org/user/17943 [32] http://drupal.org/user/49851 [33] http://drupal.org/user/148199 [34] http://drupal.org/contact [35] http://drupal.org/security-team [36] http://drupal.org/writing-secure-code [37] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news January 2013