October 2013 - Security-news - lists.drupal.org

PSA-2013-002: Direct download links available even during Drupal.org upgrade window
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2124407 This is a short addition to the security announcements released on October 30th. Due to Drupal.org's scheduled downtime on October 31, not all links in those mails may be available when you need them. If you encounter this situation, please use the following direct URLs to the archives containing the updates. -------- QUIZ: [1] ----------------------------------------------------------- * http://ftp.drupal.org/files/projects/quiz-6.x-4.5.tar.gz * http://ftp.drupal.org/files/projects/quiz-6.x-4.5.zip -------- FILEFIELD SOURCES: [2] ---------------------------------------------- * http://ftp.drupal.org/files/projects/filefield_sources-6.x-1.9.tar.gz * http://ftp.drupal.org/files/projects/filefield_sources-6.x-1.9.zip * http://ftp.drupal.org/files/projects/filefield_sources-7.x-1.9.tar.gz * http://ftp.drupal.org/files/projects/filefield_sources-7.x-1.9.zip -------- MONSTER MENUS: [3] -------------------------------------------------- * http://ftp.drupal.org/files/projects/monster_menus-7.x-1.15.tar.gz * http://ftp.drupal.org/files/projects/monster_menus-7.x-1.15.zip [1] https://drupal.org/node/2123995 [2] https://drupal.org/node/2124241 [3] https://drupal.org/node/2124289

1 0

SA-CONTRIB-2013-086 - Monster Menus - Access bypass
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2124289 * Advisory ID: DRUPAL-SA-CONTRIB-2013-086 * Project: Monster Menus [1] (third-party module) * Version: 7.x * Date: 2013-October-30 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Monster Menus includes the ability to protect the visibility of comments for each node based on hierarchical permissions. However, a carefully-crafted URL could be used to bypass these permissions, allowing an anonymous user to view the comments associated with certain nodes. In order for this flaw to be relevant and exploited, the node itself must be readable by the attacker. Furthermore, the "Who can read comments" setting for the node must be something other than "Everyone". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * monster_menus 7.x-1.x versions prior to 7.x-1.15. Drupal core is not affected. If you do not use the contributed Monster Menus [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the monster_menus module for Drupal 7.x, upgrade to monster_menus 7.x-1.15 [5] Also see the Monster Menus [6] project page. -------- REPORTED BY --------------------------------------------------------- * Dan Wilga [7] -------- FIXED BY ------------------------------------------------------------ * Dan Wilga [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/monster_menus [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/monster_menus [5] https://drupal.org/node/2123287 [6] http://drupal.org/project/monster_menus [7] https://drupal.org/user/56892 [8] https://drupal.org/user/56892 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-085 - Feed Element Mapper - Cross Site Scripting
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2124279 * Advisory ID: DRUPAL-SA-CONTRIB-2013-085 * Project: Feed Element Mapper [1] (third-party module) * Version: 6.x * Date: 2013-October-30 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. The module doesn't sufficiently filter text when displaying options to users. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- All versions of the module. Drupal core is not affected. If you do not use the contributed Feed Element Mapper [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Users of the module are encouraged to evaluate the risks and mitigating factors and remove the module. There is no release with a fix available. The module is generally unsupported and users are encouraged to switch to FeedAPI suite of modules. Also see the Feed Element Mapper [5] project page. -------- REPORTED BY --------------------------------------------------------- * Justin Klein-Keane [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/feedapi_mapper [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/feedapi_mapper [5] http://drupal.org/project/feedapi_mapper [6] http://drupal.org/user/302225 [7] http://drupal.org/user/36762 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-083 - Quiz - Access Bypass
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2123995 * Advisory ID: DRUPAL-SA-CONTRIB-2013-083 * Project: Quiz [1] (third-party module) * Version: 6.x * Date: 2013-October-30 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- .... Access bypass on deleting quiz results The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module doesn't sufficiently check the delete quiz results permission. All users who have the permission to view Quiz results can access the delete option in the results page irrespective of "delete any quiz results" and "delete results for own quiz" permissions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view any quiz results" or "view results for own quiz". .... Access bypass in viewing quiz views The Quiz module has Views integration including default Views. These default views provided by the module do not have proper access control. If the Views are enabled and the access controls are left unchanged then information about users quiz results may be disclosed. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Quiz 6.x-4.x versions prior to 6.x-4.5. Drupal core is not affected. If you do not use the contributed Quiz [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Quiz module for Drupal 6.x, upgrade to Quiz 6.x-4.5 [5] * For both versions: Review the Quiz results view and delete permissions and ensure it is working as expected for intended users Also see the Quiz [6] project page. -------- REPORTED BY --------------------------------------------------------- * nirvanajyothi [7] * Cat Hirst [8] -------- FIXED BY ------------------------------------------------------------ * Wouter Admiraal [9] * Sivaji Ganesh [10] the module co-maintainer * Falcon [11] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Dan Smith [12], Jakub Suchy [13], Ned McClain [14], Greg Knaddison [15] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [16]. Learn more about the Drupal Security team and their policies [17], writing secure code for Drupal [18], and securing your site [19]. [1] http://drupal.org/project/quiz [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/quiz [5] https://drupal.org/node/2123727 [6] http://drupal.org/project/quiz [7] https://drupal.org/user/252387 [8] https://drupal.org/user/162748 [9] https://drupal.org/user/440510 [10] https://drupal.org/user/328724 [11] https://drupal.org/user/530912 [12] https://drupal.org/user/241220 [13] https://drupal.org/user/31977 [14] https://drupal.org/user/798324 [15] https://drupal.org/user/36762 [16] http://drupal.org/contact [17] http://drupal.org/security-team [18] http://drupal.org/writing-secure-code [19] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-084 - FileField Sources - Access Bypass
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2124241 * Advisory ID: DRUPAL-SA-CONTRIB-2013-084 * Project: FileField Sources [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-Oct-30 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module expands on the FileField module by allowing you to select new or existing files through additional means, such as re-using files with an auto-complete textfield, attaching server-side files uploaded via FTP, transferring file files from a remote server, pasting a file directly from the clipboard, and selecting existing files through the IMCE file browser. The module doesn't sufficiently check file access permissions when attaching an existing file. Any existing file could be re-used and the user would then be granted access to that file. This vulnerability is mitigated by the fact that an attacker must have a permission granting the ability to create content which has a file field using the module. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Filefield Sources 6.x-1.x versions prior to 6.x-1.9. * Filefield Sources 7.x-1.x versions prior to 7.x-1.9. Drupal core is not affected. If you do not use the contributed FileField Sources [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the FileField Sources module for Drupal 6.x, upgrade to FileField Sources 6.x-1.9 [5] * If you use the FileField Sources module for Drupal 7.x, upgrade to FileField Sources 7.x-1.9 [6] Also see the FileField Sources [7] project page. -------- REPORTED BY --------------------------------------------------------- * Joseph Lee [8] -------- FIXED BY ------------------------------------------------------------ * Nathan Haug [9] the module maintainer * Cash Williams [10] provisional member of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Cash Williams [11] provisional member of the Drupal Security Team * David Stoline [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/filefield_sources [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/filefield_sources [5] https://drupal.org/node/2124217 [6] https://drupal.org/node/2124219 [7] http://drupal.org/project/filefield_sources [8] http://drupal.org/user/32743 [9] http://drupal.org/user/6399 [10] http://drupal.org/user/29938 [11] http://drupal.org/user/29938 [12] http://drupal.org/user/329570‎ [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-082 - Bean - Cross Site Scripting (XSS)
by security-news＠drupal.org 23 Oct '13

23 Oct '13

View online: https://drupal.org/node/2118873 * Advisory ID: DRUPAL-SA-CONTRIB-2013-082 * Project: Bean [1] (third-party module) * Version: 7.x * Date: 2013-10-23 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to create block entities a.k.a. beans. The module did not sufficiently filter bean titles for dangerous html. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit beans. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Bean 7.x-1.x versions prior to 7.x-1.5 Drupal core is not affected. If you do not use the contributed Bean [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Bean module for Drupal 7.x, upgrade to Bean 7.x-1.5 [5] Also see the Bean [6] project page. -------- REPORTED BY --------------------------------------------------------- * Francesco Quagliati [7] -------- FIXED BY ------------------------------------------------------------ * Damien McKenna [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/bean [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/bean [5] https://drupal.org/node/2118867 [6] http://drupal.org/project/bean [7] http://drupal.org/user/1977720 [8] https://drupal.org/user/108450 [9] http://drupal.org/user/426416 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-081 - Spaces - Access bypass
by security-news＠drupal.org 23 Oct '13

23 Oct '13

View online: https://drupal.org/node/2118717 * Advisory ID: DRUPAL-SA-CONTRIB-2013-081 * Project: Spaces [1] (third-party module) * Version: 6.x * Date: 2013-10-23 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to make configuration options generally available only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces submodule, Spaces OG, doesn't properly handle deleting of organic group group spaces when the option to move to a new group is selected. Instead of moving the content to a new group, the content is left orphaned, and for deleted private groups, that content will then be viewable by anyone with "access content" permission when the site's or content's access is rebuilt. The issue is mitigated by needing to be using the submodule spaces OG, and needing the site users to be in the situation of deleting a group and using that move option, and needing the content's access to be rebuilt. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Spaces 6.x-3.x versions prior to 6.x-3.7. Drupal core is not affected. If you do not use the contributed Spaces [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.7 [5] Also see the Spaces [6] project page. -------- REPORTED BY --------------------------------------------------------- * Hunter Fox [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Tobby Hagler [8] a module maintainer * Hunter Fox [9] of the Drupal Security Team, module maintainer. -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/spaces [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/spaces [5] https://drupal.org/node/2118745 [6] http://drupal.org/project/spaces [7] http://drupal.org/user/426416 [8] http://drupal.org/user/154797 [9] http://drupal.org/user/426416 [10] http://drupal.org/user/426416 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-080 - Simplenews - Cross Site Scripting (XSS)
by security-news＠drupal.org 16 Oct '13

16 Oct '13

View online: https://drupal.org/node/2113515 * Advisory ID: DRUPAL-SA-CONTRIB-2013-080 * Project: Simplenews [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-Month-DD * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to publish and send newsletters to lists of subscribers. The module also includes an API that other modules can use to register subscribers. The module doesn't sufficiently sanitize e-mail addresses prior to outputting. The provided forms (sign-up, mass import, ..) validate and only allow valid e-mail addresses, but e-mail addresses could also be added directly through the API, which does not validate. This vulnerability is mitigated by the fact that the Simplnews module performs input validation which prevents known attacks, so the injection vector must be added another module (custom or contributed) without validating the email address using the Simplenews API . -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Simplenews 6.x-1.x versions prior to 6.x-1.5. * Simplenews 7.x-1.x versions prior to 7.x-1.1. Drupal core is not affected. If you do not use the contributed Simplenews [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Simplenews module for Drupal 6.x-1.x, upgrade to Simplenews 6.x-1.5 [5] * If you use the Simplenews module for Drupal 7.x-1.x, upgrade to Simplenews 7.x-1.1 [6] Also see the Simplenews [7] project page. -------- REPORTED BY --------------------------------------------------------- * Pat Redmond [8] -------- FIXED BY ------------------------------------------------------------ * Sascha Grossenbacher [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] and Lee Rowlands [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/simplenews [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/simplenews [5] https://drupal.org/node/2113487 [6] https://drupal.org/node/2113491 [7] http://drupal.org/project/simplenews [8] https://drupal.org/user/1369488 [9] http://drupal.org/user/214652 [10] http://drupal.org/user/36762 [11] http://drupal.org/user/395439 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-079 - Context - Mulitple Vulnerabilities
by security-news＠drupal.org 16 Oct '13

16 Oct '13

View online: https://drupal.org/node/2113317 * Advisory ID: DRUPAL-SA-CONTRIB-2013-079 * Project: Context [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-2013-16 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- Context allows you to manage contextual conditions and reactions for different portions of your site This advisory covers two separate issues. The first, and more severe issue (Highly Critical status), is that the module allows execution of PHP code via manipulation of a URL argument in a path used for AJAX operations when running in a configuration without a json_decode function provided by PHP or the PECL JSON library. This vulnerability is mitigated by the fact that the server must be running a version of PHP prior to 5.2 that does not have the json library installed (PHP 5.2+ come bundled with the JSON library). The second, less severe issue (Less Critical status), is that Context uses Drupal's token scheme to restrict access to the json rendering of a block. This control mechanism is insufficient as Drupal's token scheme is designed to provide security between two different sessions (or a session and a non authenticated user) and is not designed to provide security within a session. This means that a user with access to block A may be able to use the information about block A and the resulting token in order to generate the correct token for accessing block B to which they should not have access. The vulnerability is mitigated by needing blocks that have sensitive information (for example, custom blocks with private information or a list of unpublished nodes.) -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * 6.x-2.x versions prior to 6.x-3.2. * 7.x-3.x versions prior to 7.x-3.0. Drupal core is not affected. If you do not use the contributed Context [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Remote code execution can be resolved by any of * Upgrading your PHP to 5.2+ * Installing the JSON package [5]. * Upgrading context to 6.x-3.2 [6] or 7.x-3.0 [7] Block access issue can be resolved by upgrading context to 6.x-3.2 [8] or 7.x-3.0 [9]. Also see the Context [10] project page. -------- REPORTED BY --------------------------------------------------------- * Heine [11] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Hunter [12] of the Drupal Security Team, a module maintainer * Heine [13] of the Drupal Security Team * tekante [14] a module maintainer -------- COORDINATED BY ------------------------------------------------------ * Hunter [15] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [16]. Learn more about the Drupal Security team and their policies [17], writing secure code for Drupal [18], and securing your site [19]. [1] http://drupal.org/project/context [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/context [5] http://pecl.php.net/package/json [6] https://drupal.org/node/2112791 [7] https://drupal.org/node/2112785 [8] https://drupal.org/node/2112791 [9] https://drupal.org/node/2112785 [10] http://drupal.org/project/context [11] http://drupal.org/user/17943 [12] http://drupal.org/user/426416 [13] http://drupal.org/user/17943 [14] http://drupal.org/user/640024 [15] http://drupal.org/user/426416 [16] http://drupal.org/contact [17] http://drupal.org/security-team [18] http://drupal.org/writing-secure-code [19] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-078 - Quick Tabs - Access Bypass
by security-news＠drupal.org 02 Oct '13

02 Oct '13

View online: https://drupal.org/node/2103187 * Advisory ID: DRUPAL-SA-CONTRIB-2013-078 * Project: Quick Tabs [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-October-02 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Quick Tabs module allows you to create blocks of tabbed content, specifically views, blocks, nodes and other quicktabs. You can create a block on your site containing multiple tabs with corresponding content. The module does not sufficiently check block permissions before rendering a Quick Tab. Before this vulnerability was addressed, if a block had been restricted to only appear for certain roles, that access was not checked before rending it within a Quick Tab - leaving the contents of that block visible to the world. This vulnerability is mitigated by the fact that node and view permissions are respected, meaning the vulnerability primarily exists for custom blocks created for specific roles. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Quick Tabs 7.x-3.x versions prior to 7.x-3.6. * Quick Tabs 6.x-3.x versions prior to 6.x-3.2. * Quick Tabs 6.x-2.x versions prior to 6.x-2.2. Drupal core is not affected. If you do not use the contributed Quick Tabs [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Quick Tabs 3.x module for Drupal 7.x, upgrade to Quick Tabs 7.x-3.6 [5] * If you use the Quick Tabs 3.x module for Drupal 6.x, upgrade to Quick Tabs 6.x-3.2 [6] * If you use the Quick Tabs 2.x module for Drupal 6.x, upgrade to Quick Tabs 6.x-2.2 [7] Also see the Quick Tabs [8] project page. -------- REPORTED BY --------------------------------------------------------- * Steven Wiliam [9] -------- FIXED BY ------------------------------------------------------------ * Fengtan [10] * Matt Tucker [11] (one of) the module maintainers -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/quicktabs [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/quicktabs [5] https://drupal.org/node/2103113 [6] https://drupal.org/node/2103121 [7] https://drupal.org/node/2103127 [8] http://drupal.org/project/quicktabs [9] http://drupal.org/user/299097 [10] http://drupal.org/user/847318 [11] http://drupal.org/user/153963 [12] http://drupal.org/user/395439 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0