November 2013 - Security-news

SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities
by security-news＠drupal.org 21 Nov '13

21 Nov '13

View online: https://drupal.org/SA-CORE-2013-003 * Advisory ID: DRUPAL-SA-CORE-2013-003 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2013-November-20 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. .... Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7) Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Given that the CSRF protection is an especially important validation, the Drupal core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails. This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were discovered in several popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue in core. Other similar issues with varying impacts are likely to have existed in other contributed modules and custom modules and therefore will also be fixed by this Drupal core release. .... Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7) Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances. This vulnerability has no mitigation; all Drupal sites are affected until the security update has been applied. .... Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7) Drupal core attempts to add a "defense in depth" protection to prevent script execution by placing a .htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allows users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations. This release includes new configuration to prevent PHP execution on several additional common Apache configurations. If you are upgrading a site and the site is run by Apache you must fix the file manually, as described in the "Solution" section below. This vulnerability is mitigated by the fact it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads in a safe manner. .... Access bypass (Security token validation - Drupal 6 and 7) The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that the token is a string. This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_validate_token() with an argument that can be manipulated to not be a string by an attacker. There is currently no known core or contributed module that would suffer from this vulnerability. .... Cross-site scripting (Image module - Drupal 7) Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a permission to administer field descriptions, for example the "administer taxonomy" permission to edit fields on taxonomy terms. .... Cross-site scripting (Color module - Drupal 7) A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS. This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions. .... Open redirect (Overlay module - Drupal 7) The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 6.x versions prior to 6.29. * Drupal core 7.x versions prior to 7.24. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 6.x, upgrade to Drupal core 6.29 [4]. * If you use Drupal 7.x, upgrade to Drupal core 7.24 [5]. -------- WARNING: FIXING THE CODE EXECUTION PREVENTION MAY REQUIRE SERVER CONFIGURATION; PLEASE READ: ----------------------------------------- To fix the code execution prevention vulnerability on existing Apache installations also requires changes to your site's .htaccess files in the files directories. Until you do this, your site's status report page at admin/reports/status will display error messages about the problem. Please note that if you are using a different web server such as Nginx the .htaccess files have no effect and you need to configure PHP execution protection yourself in the respective server configuration files. To fix this issue, you must edit or replace the old .htaccess files manually. Copies of the .htaccess files are found in the public files directory and temporary files directory, and (for Drupal 7 only) the private files directory if your site is configured to use one. To find the location of these directories, consult the error messages at admin/reports/status, or visit the file system configuration page at admin/settings/file-system (Drupal 6) or admin/config/media/file-system (Drupal 7). Go onto your server, navigate to each directory, and replace or create the .htaccess file in this directory with the contents described below. Alternatively, you can remove the .htaccess file from each directory using a tool like SFTP and then visit the file system configuration page (admin/settings/file-system in Drupal 6 or admin/config/media/file-system in Drupal 7) and click the save button to have Drupal create the file automatically. The recommended .htaccess file contents are as follows. # Turn off all options we don't need. Options None Options +FollowSymLinks # Set the catch-all handler to prevent scripts from being executed. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 # Override the handler again if we're run later in the evaluation list. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003 # If we know how to do it safely, disable the PHP engine entirely. php_flag engine off # PHP 4, Apache 1. php_flag engine off # PHP 4, Apache 2. php_flag engine off For Drupal 7: # Turn off all options we don't need. Options None Options +FollowSymLinks # Set the catch-all handler to prevent scripts from being executed. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 # Override the handler again if we're run later in the evaluation list. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003 # If we know how to do it safely, disable the PHP engine entirely. php_flag engine off Also see the Drupal core [6] project page. -------- REPORTED BY --------------------------------------------------------- * The form validation cross-site request forgery issue was reported by Heine Deelstra [7] of the Drupal Security Team. * The non-random seed vulnerability was reported by David Stoline [8] of the Drupal Security Team. * The code execution prevention vulnerability was reported by Lee Rowlands [9] of the Drupal Security Team, Miguel Jacq [10], artfulrobot [11], and Dave Fletcher [12]. * The token access bypass issue was reported by Heine Deelstra [13] of the Drupal Security Team. * The Image module cross-site scripting issue was reported by Francisco José Cruz Romanos [14]. * The Color module cross-site scripting issue was reported by Mauro Gentile [15]. * The open redirect in the Overlay module was reported by Stephane Corlosquet [16] of the Drupal Security Team, and by Sebastian Nerz. -------- FIXED BY ------------------------------------------------------------ * The form validation cross-site request forgery issue was fixed by Lee Rowlands [17] and Klaus Purer [18], both of the Drupal Security Team. * The non-random seed vulnerability was fixed by Owen Barton [19], David Stoline [20], Heine Deelstra [21], Damien Tournoud [22], and Peter Wolanin [23], all of the Drupal Security Team. * The code execution prevention vulnerability was fixed by David Rothstein [24] of the Drupal Security Team, Morbus Iff [25] of the Drupal Security Team, Dan Reif [26], Antoine Beaupré [27], Miguel Jacq [28], Christopher Gervais [29], and Herman van Rink [30]. * The token access bypass issue was fixed by Heine Deelstra [31], Klaus Purer [32], and David Rothstein [33], all of the Drupal Security Team. * The Image module cross-site scripting issue was fixed by Francisco José Cruz Romanos [34], and Peter Wolanin [35] of the Drupal Security Team. * The Color module cross-site scripting issue was fixed by David Rothstein [36] of the Drupal Security Team. * The open redirect in the Overlay module was fixed by Heine Deelstra [37] of the Drupal Security Team. -------- COORDINATED BY ------------------------------------------------------ The Drupal Security Team [38] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [39]. Learn more about the Drupal Security team and their policies [40], writing secure code for Drupal [41], and securing your site [42]. [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/drupal-6.29-release-notes [5] http://drupal.org/drupal-7.24-release-notes [6] http://drupal.org/project/drupal [7] https://drupal.org/user/17943 [8] https://drupal.org/user/329570 [9] https://drupal.org/user/395439 [10] https://drupal.org/user/153206 [11] https://drupal.org/user/1206300 [12] https://drupal.org/user/72475 [13] https://drupal.org/user/17943 [14] https://drupal.org/user/848238 [15] https://drupal.org/user/1862060 [16] https://drupal.org/user/52142 [17] https://drupal.org/user/395439 [18] https://drupal.org/user/262198 [19] https://drupal.org/user/19668 [20] https://drupal.org/user/329570 [21] https://drupal.org/user/17943 [22] https://drupal.org/user/22211 [23] https://drupal.org/user/49851 [24] https://drupal.org/user/124982 [25] https://drupal.org/user/9034 [26] https://drupal.org/user/454444 [27] https://drupal.org/user/1274 [28] https://drupal.org/user/153206 [29] https://drupal.org/user/368613 [30] https://drupal.org/user/449000 [31] https://drupal.org/user/17943 [32] https://drupal.org/user/262198 [33] https://drupal.org/user/124982 [34] https://drupal.org/user/848238 [35] https://drupal.org/user/49851 [36] https://drupal.org/user/124982 [37] https://drupal.org/user/17943 [38] https://drupal.org/security-team [39] http://drupal.org/contact [40] http://drupal.org/security-team [41] http://drupal.org/writing-secure-code [42] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-096 - Entity reference - Access bypass
by security-news＠drupal.org 20 Nov '13

20 Nov '13

View online: https://drupal.org/node/2140237 * Advisory ID: DRUPAL-SA-CONTRIB-2013-096 * Project: Entity reference [1] (third-party module) * Version: 7.x * Date: 2013-November-20 * Security risk: Not critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- By default, with an autoselect or a select widget, a user cannot autocomplete an entity title, nor can they select an entity that they have no access to. This will correctly throw a 'invalid id' error and does not show the title of the entity. However, if a user (A) that has access to the referenced entity (Node 1), makes that reference on a node (Node 2), and gives edit access to another user (B), user B will be able to see the node title for the referenced node (Node 2). This vulnerability is mitigated by the fact that an attacker must get a user with access to a private node to reference it via another node that attacker has edit access to. No other node information is leaked other than the title. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Entityreference 7.x-1.x versions prior to 7.x-1.1-rc1 Drupal core is not affected. If you do not use the contributed Entity reference [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Entityreference module for Drupal 7.x, upgrade to Entityreference 7.x-1.1 [5] Also see the Entity reference [6] project page. -------- REPORTED BY --------------------------------------------------------- * Jakob Perry [7] -------- FIXED BY ------------------------------------------------------------ * Damien Tournoud [8] the module maintainer * Jakob Perry [9] * Amitai Burstein [10] -------- COORDINATED BY ------------------------------------------------------ * David Stoline [11] and Greg Knaddison [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/entityreference [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/entityreference [5] https://drupal.org/node/2140229 [6] http://drupal.org/project/entityreference [7] https://drupal.org/user/45640 [8] http://drupal.org/user/22211 [9] http://drupal.org/user/45640 [10] http://drupal.org/user/57511 [11] https://drupal.org/user/329570 [12] https://drupal.org/user/36762 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-095 - Organic Groups - Access bypass
by security-news＠drupal.org 20 Nov '13

20 Nov '13

View online: https://drupal.org/node/2140217 * Advisory ID: DRUPAL-SA-CONTRIB-2013-095 * Project: Organic groups [1] (third-party module) * Version: 7.x * Date: 2013-November-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Two issues exist within entity references and permissions relating to OG, allowing users potential access bypass. .... Posting content into groups where a user is not a member Organic Groups does not sufficiently check the group audience fields (e.g. og_group_ref) field from being populated with invalid data. The autocomplete reference field only needs a node id to validate. An attacker could modify a group audience field in order to post within a group they had no access. Any user with the ability to create content can use this vulnerability. .... Inconsistent access checking in posting content Organic Groups manages its own group based permissions. This allows users to have escalated privileges sets in specific groups, but not site-wide. Organic Groups makes the assumption that the group field is populated and when this not populated, a user may have permission to create or edit content outside of a group even though they shouldn't be allowed to do that. This vulnerability is mitigated because the following must be true in order for it to work: 1) The node in question must have all of its groups be set as optional input 2) The user must not have site-wide access to post content of a certain type, but also a member of a group that does permit create/edit privileges to the same type. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * OG 7.x-2.x versions prior to 7.x-2.3 Drupal core is not affected. If you do not use the contributed Organic groups [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Organic Groups module for Drupal 7.x, upgrade to og 7.x-2.4 [5] Also see the Organic groups [6] project page. -------- REPORTED BY --------------------------------------------------------- * Jakob Perry [7] * Richard Goodrow [8] * Bruce Hoppe [9] -------- FIXED BY ------------------------------------------------------------ * Amitai Burstein [10] the module maintainer * Roy Segall [11] * Jakob Perry [12] -------- COORDINATED BY ------------------------------------------------------ * David Stoline [13] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. [1] http://drupal.org/project/og [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/og [5] http://drupal.org/node/2140209 [6] http://drupal.org/project/og [7] http://drupal.org/user/45640 [8] http://drupal.org/user/802140 [9] http://drupal.org/user/2470954 [10] https://drupal.org/user/57511 [11] https://drupal.org/user/1812910 [12] http://drupal.org/user/45640 [13] https://drupal.org/user/329570 [14] http://drupal.org/contact [15] http://drupal.org/security-team [16] http://drupal.org/writing-secure-code [17] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS)
by security-news＠drupal.org 20 Nov '13

20 Nov '13

View online: https://drupal.org/node/2140123 * Advisory ID: DRUPAL-SA-CONTRIB-2013-094 * Project: EU Cookie Compliance [1] (third-party module) * Version: 7.x * Date: 2013-November-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- This module enables you to display notifications so that visitors can give their consent to setting cookies by your website. The module doesn't sufficiently fiter and validate configuration values entered by administrators. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance popup". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * EU Cookie Compliance 7.x-1.x versions prior to 7.x-1.12. Drupal core is not affected. If you do not use the contributed EU Cookie Compliance [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the EU Cookie Compliance module for Drupal 7.x, upgrade to 7.x-1.12 [5] Also see the EU Cookie Compliance [6] project page. -------- REPORTED BY --------------------------------------------------------- * Lode Vanstechelman [7] -------- FIXED BY ------------------------------------------------------------ * Marcin Pajdzik [8] - the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [9] and Klaus Purer [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/eu-cookie-compliance [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/eu-cookie-compliance [5] https://drupal.org/node/2139875 [6] http://drupal.org/project/eu-cookie-compliance [7] http://drupal.org/user/657472 [8] http://drupal.org/user/160555 [9] http://drupal.org/user/426416 [10] https://drupal.org/user/262198 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-093 - Invitation - Access Bypass
by security-news＠drupal.org 20 Nov '13

20 Nov '13

View online: https://drupal.org/node/2140097 * Advisory ID: DRUPAL-SA-CONTRIB-2013-093 * Project: Invitation [1] (third-party module) * Version: 7.x * Date: 2013-November-20 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Invitation module restricts registration to users who have an invite code (for running a private beta). The module provides default views that don't check access to views prior to displaying private information like usernames and email addresses. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Invitation 7.x-2.x versions prior to 7.x-2.2. Drupal core is not affected. If you do not use the contributed Invitation [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the Invitation module for Drupal 7.x, you should disable the module. There is no release with a fix. Also see the Invitation [5] project page. -------- REPORTED BY --------------------------------------------------------- * j1ndustry [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [7] and Lee Rowlands [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/invitation [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/invitation [5] http://drupal.org/project/invitation [6] http://drupal.org/user/2688277 [7] http://drupal.org/user/36762 [8] https://drupal.org/user/395439 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-090 - Revisioning - Access Bypass
by security-news＠drupal.org 13 Nov '13

13 Nov '13

View online: https://drupal.org/node/2135257 * Advisory ID: DRUPAL-SA-CONTRIB-2013-090 * Project: Revisioning [1] (third-party module) * Version: 7.x * Date: 2013-November-13 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to create content publication workflows whereby one version of the content is "live" (publicly visible), while another is being edited and moderated privately until found fit for publication. The module doesn't sufficiently apply node access permissions when used in combination with BOTH the Scheduler module AND a module that modifies the node access permissions table. As a result it is possible that content that was Scheduled to be unpublished can still be viewed by authenticated users who, based on the node access table, should no longer have permission to view this content. This vulnerability is mitigated by the fact that this only occurs for Authenticated users for Scheduled content on Drupal sites with the combination of all three modules: Revisioning, Scheduler and a module that modifies the node access table conditional on the publication status of the content. In this report this was the Organic Groups Moderation module. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Revisioning 7.x-1.x versions prior to 7.x-1.6 Drupal core is not affected. If you do not use the contributed Revisioning [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Revisioning module, version 7.x-1.5 or older, upgrade to Revisioning 7.x-1.6 [5] Also see the Revisioning [6] project page. -------- REPORTED BY --------------------------------------------------------- * Pete Gillis [7] -------- FIXED BY ------------------------------------------------------------ * Rik de Boer [8], the module maintainer, with assistance from Pete Gillis [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/revisioning [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/revisioning [5] https://drupal.org/node/2133555 [6] http://drupal.org/project/revisioning [7] http://drupal.org/user/373976 [8] http://drupal.org/user/404007 [9] http://drupal.org/user/373976 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-092 - Misery - Denial of Service (DOS) vulnerability.
by security-news＠drupal.org 13 Nov '13

13 Nov '13

View online: https://drupal.org/node/2135273 * Advisory ID: DRUPAL-SA-CONTRIB-2013-092 * Project: Misery [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-November-13 * Security risk: Not critical [2] * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- This module enables you to make life difficult for certain users, such as trolls, as an alternative to banning or deleting them from a community. The module provides means by which to punish members of your website. The aim of misery is to be not traceable by users on the misery list, so misery actions should be sufficiently subtle so as to avoid suspicion. The module doesn't sufficiently warn about issues that can arise if high values are set on the "delay misery" configuration, which is active by default. Users who are made to suffer "delay missery" can make multiple requests to the site and consume all the web serving processes, causing a denial of service. This vulnerability is mitigated by the fact that an administrator can change these configuration values on a per user basis within the interface. The option can also be turned off. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Misery 6.x-2.x versions prior to 6.x-2.5. * Misery 7.x-2.x versions prior to 7.x-2.2. Drupal core is not affected. If you do not use the contributed Misery [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Misery module for Drupal 6.x, upgrade to Misery 6.x-2.5 [5] * If you use the Misery module for Drupal 7.x, upgrade to Misery 7.x-2.2 [6] And check your misery delay configuration. Also see the Misery [7] project page. -------- REPORTED BY --------------------------------------------------------- * David Norman [8] -------- FIXED BY ------------------------------------------------------------ * Jorge Tutor [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team * Laurence Liss [11] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/misery [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/misery [5] https://drupal.org/node/2134409 [6] https://drupal.org/node/2134413 [7] http://drupal.org/project/misery [8] http://drupal.org/user/972 [9] http://drupal.org/user/600158 [10] http://drupal.org/user/36762 [11] http://drupal.org/user/724750 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass
by security-news＠drupal.org 13 Nov '13

13 Nov '13

View online: https://drupal.org/node/2135267 * Advisory ID: DRUPAL-SA-CONTRIB-2013-091 * Project: Groups, Communities and Co (GCC) [1] (third-party module) * Version: 7.x * Date: 2013-November-13 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to manage groups and assign content and users to groups. The module doesn't sufficiently check permissions to some of the configuration pages allowing unprivileged users to access the roles and permissions pages of the GCC module. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * GCC 7.x-1.x versions prior to 7.x-1.1. Drupal core is not affected. If you do not use the contributed Groups, Communities and Co (GCC) [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the GCC module for Drupal 7.x, upgrade to GCC 7.x-1.1. [5] Also see the Groups, Communities and Co (GCC) [6] project page. -------- REPORTED BY --------------------------------------------------------- * Jean Jacques Ancel [7] -------- FIXED BY ------------------------------------------------------------ * Edouard Fajnzilberg [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/gcc [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/gcc [5] https://drupal.org/node/2132747 [6] http://drupal.org/project/gcc [7] https://drupal.org/user/361997 [8] https://drupal.org/user/815280 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass
by security-news＠drupal.org 06 Nov '13

06 Nov '13

View online: https://drupal.org/node/2129379 * Advisory ID: DRUPAL-SA-CONTRIB-2013-089 * Project: Node Access Keys [1] (third-party module) * Version: 7.x * Date: 2013-November-06 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view access. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Node Access Keys 7.x-1.0. Drupal core is not affected. If you do not use the contributed Node Access Keys [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Node Access Keys module for Drupal 7.x, upgrade to Node Access Keys 7.x-1.1 [5] Also see the Node Access Keys [6] project page. -------- REPORTED BY --------------------------------------------------------- * Daniel Korte [7] the module maintainer -------- FIXED BY ------------------------------------------------------------ * Daniel Korte [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * Ben Jeavons [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/nodeaccesskeys [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/nodeaccesskeys [5] https://drupal.org/node/2125239 [6] http://drupal.org/project/nodeaccesskeys [7] http://drupal.org/user/453668 [8] http://drupal.org/user/453668 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/91990 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data
by security-news＠drupal.org 06 Nov '13

06 Nov '13

View online: https://drupal.org/node/2129381 * Advisory ID: DRUPAL-SA-CONTRIB-2013-088 * Project: Secure Pages [1] (third-party module) * Version: 6.x * Date: 2013-November-06 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Missing Encryption of Sensitive Data -------- DESCRIPTION --------------------------------------------------------- The Secure Pages module manages redirects between HTTP and HTTPS pages. A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a malicious user enticing a user to land on a specially constructed page or through normal interactions with the site. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Secure Pages 6.x-2.x versions prior to 6.x-2.0. Drupal core is not affected. If you do not use the contributed Secure Pages [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Secure Pages module for Drupal 6.x, upgrade to Secure Pages 6.x-2.0 [5] Also see the Secure Pages [6] project page. -------- REPORTED BY --------------------------------------------------------- * Balazs Nagykekesi [7] -------- FIXED BY ------------------------------------------------------------ * Balazs Nagykekesi [8] * Dylan Tack [9] of the Drupal Security Team, module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/securepages [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/securepages [5] https://drupal.org/node/2128739 [6] http://drupal.org/project/securepages [7] http://drupal.org/user/21231 [8] http://drupal.org/user/21231 [9] http://drupal.org/user/96647 [10] http://drupal.org/user/262198 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0