Security-news February 2013

security-news@drupal.org

1 participants
20 discussions

SA-CORE-2013-002 - Drupal core - Denial of service
by security-news＠drupal.org 20 Feb '13

20 Feb '13

View online: http://drupal.org/SA-CORE-2013-002 * Advisory ID: DRUPAL-SA-CORE-2013-002 * Project: Drupal core [1] * Version: 7.x * Date: 2013-February-20 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Denial of service -------- DESCRIPTION --------------------------------------------------------- Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive. Please see the Drupal 7.20 release notes [3] for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 7.x versions prior to 7.20. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 7.x, upgrade to Drupal core 7.20 [5]. Also see the Drupal core [6] project page. -------- REPORTED BY --------------------------------------------------------- * Bèr Kessels [7] * aBrookland [8] * Chad Fennell [9] -------- FIXED BY ------------------------------------------------------------ * Damien Tournoud [10] of the Drupal Security Team * Peter Wolanin [11] of the Drupal Security Team * David Rothstein [12] of the Drupal Security Team * Heine Deelstra [13] of the Drupal Security Team * Bèr Kessels [14] -------- COORDINATED BY ------------------------------------------------------ * David Rothstein [15] of the Drupal Security Team * Stéphane Corlosquet [16] of the Drupal Security Team * Peter Wolanin [17] of the Drupal Security Team * Greg Knaddison [18] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [19]. Learn more about the Drupal Security team and their policies [20], writing secure code for Drupal [21], and securing your site [22]. [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/drupal-7.20-release-notes [4] http://cve.mitre.org/ [5] http://drupal.org/drupal-7.20-release-notes [6] http://drupal.org/project/drupal [7] http://drupal.org/user/2663 [8] http://drupal.org/user/2274988 [9] http://drupal.org/user/10297 [10] http://drupal.org/user/22211 [11] http://drupal.org/user/49851 [12] http://drupal.org/user/124982 [13] http://drupal.org/user/17943 [14] http://drupal.org/user/2663 [15] http://drupal.org/user/124982 [16] http://drupal.org/user/52142 [17] http://drupal.org/user/49851 [18] http://drupal.org/user/36762 [19] http://drupal.org/contact [20] http://drupal.org/security-team [21] http://drupal.org/writing-secure-code [22] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-023 - Varnish module - Cross Site Scripting (XSS)
by security-news＠drupal.org 20 Feb '13

20 Feb '13

View online: http://drupal.org/node/1922756 * Advisory ID: DRUPAL-SA-CONTRIB-2013-023 * Project: Varnish HTTP Accelerator Integration [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-February-20 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module provides integration between your Drupal site and the Varnish HTTP Accelerator, an advanced and very fast reverse-proxy system. The module doesn't sufficiently filter user-supplied text provided in the configuration settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Varnish". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Varnish 6.x-1.x versions prior to 6.x-1.2. * Varnish 7.x-1.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Varnish HTTP Accelerator Integration [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Varnish module for Drupal 6.x, upgrade to Varnish 6.x-1.2 [5] * If you use the Varnish module for Drupal 7.x, upgrade to Varnish 7.x-1.0-beta2 [6] Also see the Varnish HTTP Accelerator Integration [7] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Josh Koenig [9] the module maintainer * Fabian Sörqvist [10] the module maintainer * Ivo Van Geertruyen [11] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [12] of the Drupal Security Team * Ben Jeavons [13] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. [1] http://drupal.org/project/varnish [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/varnish [5] http://drupal.org/node/1922730 [6] http://drupal.org/node/1922726 [7] http://drupal.org/project/varnish [8] http://drupal.org/user/383424 [9] http://drupal.org/user/3313 [10] http://drupal.org/user/255704 [11] http://drupal.org/user/383424 [12] http://drupal.org/user/36762 [13] http://drupal.org/user/91990 [14] http://drupal.org/contact [15] http://drupal.org/security-team [16] http://drupal.org/writing-secure-code [17] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-021 - Display Suite - Cross Site Scripting (XSS)
by security-news＠drupal.org 20 Feb '13

20 Feb '13

View online: http://drupal.org/node/1922438 * Advisory ID: DRUPAL-SA-CONTRIB-2013-021 * Project: Display Suite [1] (third-party module) * Version: 7.x * Date: 2013-February-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize user-supplied data, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that the site must use a contributed module that alters usernames such as the realname module and the author field must be displayed as plain text "author". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Display Suite 7.x-1.x versions prior to 7.x-1.7. * Display Suite 7.x-2.x versions prior to 7.x-2.1. Drupal core is not affected. If you do not use the contributed Display Suite [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Display Suite module for Drupal 7.x-1.x, upgrade to Display Suite 7.x-1.7 [5] * If you use the Display Suite module for Drupal 7.x-2.x, upgrade to Display Suite 7.x-2.1 [6] Also see the Display Suite [7] project page. -------- REPORTED BY --------------------------------------------------------- * Stéphane Corlosquet [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Stéphane Corlosquet [9] of the Drupal Security Team * Kristof De Jaeger [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Stéphane Corlosquet [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/ds [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/ds [5] http://drupal.org/node/1922430 [6] http://drupal.org/node/1922424 [7] http://drupal.org/project/ds [8] http://drupal.org/user/52142 [9] http://drupal.org/user/52142 [10] http://drupal.org/user/107403 [11] http://drupal.org/user/52142 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-022 - Menu Reference - Cross site scripting (XSS)
by security-news＠drupal.org 20 Feb '13

20 Feb '13

View online: http://drupal.org/node/1922446 * Advisory ID: DRUPAL-SA-CONTRIB-2013-022 * Project: Menu Reference [1] (third-party module) * Version: 7.x * Date: 2013-February-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Module Menu Reference doesn't escape HTML that contains menu link title displayed in Menu Reference "Rendered links" formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu items" to insert HTML code in menu link title. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Menu Reference 7.x-1.x versions prior to 7.x-1.0. Drupal core is not affected. If you do not use the contributed Menu Reference [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Menu Reference module for Drupal 7.x, upgrade to Menu Reference 7.x-1.1 [5] Also see the Menu Reference [6] project page. -------- REPORTED BY --------------------------------------------------------- * Tamás Demeter-Haludka [7] -------- FIXED BY ------------------------------------------------------------ * Tomáš Barej [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/menu_reference [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/menu_reference [5] http://drupal.org/node/1922434 [6] http://drupal.org/project/menu_reference [7] http://drupal.org/user/372872 [8] http://drupal.org/user/258659 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-020 - Ubercart - Cross site scripting (XSS)
by security-news＠drupal.org 20 Feb '13

20 Feb '13

View online: http://drupal.org/node/1922418 * Advisory ID: DRUPAL-SA-CONTRIB-2013-020 * Project: Ubercart [1] (third-party module) * Version: 7.x * Date: 2013-February-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The "full name" field in Views did not properly sanitize output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Ubercart 7.x-3.x versions prior to 7.x-3.4. Drupal core is not affected. If you do not use the contributed Ubercart [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.4 [5] Also see the Ubercart [6] project page. -------- REPORTED BY --------------------------------------------------------- * 20th [7] -------- FIXED BY ------------------------------------------------------------ * 20th [8] * Dave Long [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/ubercart [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/ubercart [5] http://drupal.org/node/1922136 [6] http://drupal.org/project/ubercart [7] http://drupal.org/user/486690 [8] http://drupal.org/user/486690 [9] http://drupal.org/user/246492 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-019 - Ubercart Views - Cross site scripting (XSS)
by security-news＠drupal.org 20 Feb '13

20 Feb '13

View online: http://drupal.org/node/1922416 * Advisory ID: DRUPAL-SA-CONTRIB-2013-019 * Project: Ubercart Views [1] (third-party module) * Version: 6.x * Date: 2013-February-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Ubercart Views provides Views integration for the Ubercart shopping cart module. The "full name" field in Views is not properly sanitized on output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions of Ubercart Views for Drupal 6.x prior to 6.x-3.3. Drupal core is not affected. If you do not use the contributed Ubercart Views [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ubercart Views module for Drupal 6.x, upgrade to Ubercart Views 6.x-3.3 [5] Also see the Ubercart Views [6] project page. -------- REPORTED BY --------------------------------------------------------- * 20th [7] -------- FIXED BY ------------------------------------------------------------ * 20th [8] * Dave Long [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/uc_views [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/uc_views [5] http://drupal.org/node/1922128 [6] http://drupal.org/project/uc_views [7] http://drupal.org/user/486690 [8] http://drupal.org/user/486690 [9] http://drupal.org/user/246492 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-018 - Taxonomy Manager - Cross Site Request Forgery (CSRF)
by security-news＠drupal.org 20 Feb '13

20 Feb '13

View online: http://drupal.org/node/1922410 * Advisory ID: DRUPAL-SA-CONTRIB-2013-018 * Project: Taxonomy Manager [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-February-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Taxonomy Manager provides an advanced interface for administrating taxonomy vocabularies. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is mitigated by the fact that an attacker must trick a user with 'administer taxonomy' permissions onto a prepared page with a site-specific malicious HTML form submission. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Taxonomy Manager 6.x-2.x versions prior to 6.x-2.2. * Taxonomy Manager 7.x-1.x versions prior to 7.x-1.0-rc1. Drupal core is not affected. If you do not use the contributed Taxonomy Manager [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Taxonomy Manager module for Drupal 6.x, upgrade to Taxonomy Manager 6.x-2.3 [5] * If you use the Taxonomy Manager module for Drupal 7.x, upgrade to Taxonomy Manager 7.x-1.0-rc2 [6] Also see the Taxonomy Manager [7] project page. -------- REPORTED BY --------------------------------------------------------- * Matthias Hutterer [8] the module maintainer -------- FIXED BY ------------------------------------------------------------ * Matthias Hutterer [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/taxonomy_manager [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/taxonomy_manager [5] http://drupal.org/node/1922170 [6] http://drupal.org/node/1922168 [7] http://drupal.org/project/taxonomy_manager [8] http://drupal.org/user/59747 [9] http://drupal.org/user/59747 [10] http://drupal.org/user/262198 [11] http://drupal.org/user/36762 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-017 - Yandex.Metrics - Cross site scripting (XSS)
by security-news＠drupal.org 20 Feb '13

20 Feb '13

View online: http://drupal.org/node/1922400 * Advisory ID: DRUPAL-SA-CONTRIB-2013-017 * Project: Yandex.Metrics [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-February-20 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Yandex.Metrics module enables you to install Yandex.Metrica tracking code and watch reports by key indicators of user activity. The module doesn't sufficiently escape Yandex.Metrica service data when being displayed. This vulnerability is mitigated by the fact that it only impacts sites with published content which contains special code and which is indexed by Yandex search engine. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Yandex.Metrics 6.x-1.x versions prior to 6.x-1.6. * Yandex.Metrics 7.x-1.x versions prior to 7.x-1.5. Drupal core is not affected. If you do not use the contributed Yandex.Metrics [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Yandex.Metrics module for Drupal 6.x, upgrade to Yandex.Metrics 6.x-1.6 [5] * If you use the Yandex.Metrics module for Drupal 7.x, upgrade to Yandex.Metrics 7.x-1.5 [6] Also see the Yandex.Metrics [7] project page. -------- REPORTED BY --------------------------------------------------------- * Konstantin Komelin [8] -------- FIXED BY ------------------------------------------------------------ * Konstantin Komelin [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team * Lee Rowlands [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/yandex_metrics [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/yandex_metrics [5] http://drupal.org/node/1921340 [6] http://drupal.org/node/1921342 [7] http://drupal.org/project/yandex_metrics [8] http://drupal.org/user/1195752 [9] http://drupal.org/user/1195752 [10] http://drupal.org/user/36762 [11] http://drupal.org/user/395439 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-016 - Banckle Chat - Access bypass - Unsupported
by security-news＠drupal.org 13 Feb '13

13 Feb '13

View online: http://drupal.org/node/1916370 * Advisory ID: DRUPAL-SA-CONTRIB-2013-016 * Project: Banckle Chat [1] (third-party module) * Version: 7.x * Date: 2013-February-13 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to chat with the visitors of your web site. The module doesn't sufficiently check access to its admin pages. This vulnerability is not mitigated. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All Banckle Chat 7.x-1.x versions. Drupal core is not affected. If you do not use the contributed Banckle Chat [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Uninstall the module. Also see the Banckle Chat [5] project page. -------- REPORTED BY --------------------------------------------------------- * Wale Adesanya [6] * Lau Futtrup Rasmussen -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Gerhard Killesreiter [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/banckle_live_chat [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/banckle_live_chat [5] http://drupal.org/project/banckle_live_chat [6] http://drupal.org/user/1028156 [7] http://drupal.org/user/83 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-015 - Manager Change for Organic Groups - Cross site scripting (XSS)
by security-news＠drupal.org 13 Feb '13

13 Feb '13

View online: http://drupal.org/node/1916312 * Advisory ID: DRUPAL-SA-CONTRIB-2013-015 * Project: Manager Change for Organic Groups [1] (third-party module) * Version: 7.x * Date: 2013-February-13 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module extends Organic Groups to allow the manager of a group to select a new manager for their group (ie if they want to leave the group). The autocomplete field for selecting a new manager didn't properly filter usernames. The vulnerability is mitigated by the fact that Drupal's default registration validation prevents the creation of username that contain cross site scripting attacks. However, a contributed module may bypass that validation or alter the way usernames are loaded in a way that introduces an attack vector. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Manager Change for Organic Groups 7.x-2.x versions prior to 7.x-2.1. Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the 2.x branch of the Manager Change for Organic Groups module for Drupal 7.x, upgrade to Manager Change for Organic Groups 7.x-2.1 [4] Also see the Manager Change for Organic Groups project page. -------- REPORTED BY --------------------------------------------------------- * Michael Hess [5] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Joe Haskins [6] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/og_manager_change [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/node/1915408 [5] http://drupal.org/user/102818 [6] http://drupal.org/user/1358434 [7] http://drupal.org/user/102818 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news February 2013