View online: http://drupal.org/node/1972976
* Advisory ID: DRUPAL-SA-CONTRIB-2013-045
* Project: Autocomplete Widgets for Text and Number Fields [1] (third-party
module)
* Version: 6.x, 7.x
* Date: 2013-April-17
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Autocomplete Widgets module adds autocomplete widgets for Text and Number
fields.
The autocomplete callback implemented by this module does not check node
access before returning existing field values as suggestions, allowing users
to see field values from nodes they are not authorized to view.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create or edit content.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Autocomplete Widgets 6.x-1.x versions prior to 6.x-1.4.
* Autocomplete Widgets 7.x-1.x versions prior to 7.x-1.0-rc1.
Drupal core is not affected. If you do not use the contributed Autocomplete
Widgets for Text and Number Fields [4] module, there is nothing you need to
do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Autocomplete Widgets module for Drupal 6.x, upgrade to
Autocomplete Widgets 6.x-1.4 [5]
* If you use the Autocomplete Widgets module for Drupal 7.x, upgrade to
Autocomplete Widgets 7.x-1.0-rc1 [6]
Also see the Autocomplete Widgets for Text and Number Fields [7] project
page.
-------- REPORTED BY ---------------------------------------------------------
* James [8]
* Cash Williams [9]
-------- FIXED BY ------------------------------------------------------------
* Alexander Ross [10] the module maintainer
* Cash Williams [11]
-------- COORDINATED BY ------------------------------------------------------
* Stéphane Corlosquet [12] of the Drupal Security Team
* David Rothstein [13] of the Drupal Security Team
* Owen Barton [14] of the Drupal Security Team
* Greg Knaddison [15] of the Drupal Security Team
* Ben Jeavons [16] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [17].
Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].
[1] http://drupal.org/project/autocomplete_widgets
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/autocomplete_widgets
[5] http://drupal.org/node/1971848
[6] http://drupal.org/node/1971856
[7] http://drupal.org/project/autocomplete_widgets
[8] http://drupal.org/user/693536
[9] http://drupal.org/user/421070
[10] http://drupal.org/user/8274
[11] http://drupal.org/user/421070
[12] http://drupal.org/user/52142
[13] http://drupal.org/user/124982
[14] http://drupal.org/user/19668
[15] http://drupal.org/user/36762
[16] http://drupal.org/user/91990
[17] http://drupal.org/contact
[18] http://drupal.org/security-team
[19] http://drupal.org/writing-secure-code
[20] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1972942
* Advisory ID: DRUPAL-SA-CONTRIB-2013-044
* Project: elFinder file manager [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-April-17
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The elfinder module provides an AJAX-based file manager based on the elFinder
JavaScript library.
The module does not sufficiently verify that requests to its file-manager
connector were intentionally issued by the logged-in user, exposing a Cross
Site Request Forgery (CSRF) vulnerability. An attacker who gets a user with
file-manager access to visit a malicious page can thereby create, modify, or
delete files on the server with that user's privileges.
There are no mitigating factors.
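As an added illustration (not the elfinder module's own code), this is the Drupal 7 pattern that closes this class of bug: hand the client a session-bound token and refuse connector requests that do not carry it. The module name `example_fm`, its route, permission and command names are hypothetical.

```php
<?php
/**
 * Added example, not part of the elfinder module: CSRF-protecting an AJAX
 * file-manager connector in Drupal 7. 'example_fm', its route, permission
 * and command names are hypothetical.
 */

/**
 * Implements hook_menu().
 */
function example_fm_menu() {
  $items['example-fm/connector'] = array(
    'page callback' => 'example_fm_connector',
    // A permission check alone is NOT enough: a forged request launched
    // from a malicious page rides on the victim's session cookie and
    // passes this check just like a legitimate one.
    'access arguments' => array('use example file manager'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Expose the connector URL and a session-bound token to the client-side
 * file manager, which must send the token back with every request.
 */
function example_fm_add_settings() {
  drupal_add_js(array('exampleFm' => array(
    'connector' => url('example-fm/connector'),
    'token' => drupal_get_token('example_fm_connector'),
  )), 'setting');
}

/**
 * Decide whether a connector request may be acted on.
 *
 * @param string $token   Token sent by the client (may be empty).
 * @param string $method  HTTP method of the request.
 * @param string $cmd     File-manager command being requested.
 *
 * @return bool TRUE if the request carries a valid token and uses an
 *   acceptable method for the command.
 */
function example_fm_request_allowed($token, $method, $cmd) {
  // drupal_valid_token() recomputes an HMAC over the session id, the site's
  // private key and hash salt, and the value string; a third-party site
  // cannot produce it, so a forged request fails here.
  if (!drupal_valid_token($token, 'example_fm_connector')) {
    return FALSE;
  }
  // Commands that change the file system must additionally arrive by POST:
  // a GET request can be triggered by a bare <img src="..."> on any site.
  $mutating = array('mkdir', 'mkfile', 'rename', 'rm', 'upload', 'paste', 'edit');
  if (in_array($cmd, $mutating, TRUE) && $method !== 'POST') {
    return FALSE;
  }
  return TRUE;
}

/**
 * Page callback for example-fm/connector.
 */
function example_fm_connector() {
  $token  = isset($_REQUEST['token']) ? (string) $_REQUEST['token'] : '';
  $cmd    = isset($_REQUEST['cmd']) ? (string) $_REQUEST['cmd'] : 'open';
  $method = $_SERVER['REQUEST_METHOD'];

  if (!example_fm_request_allowed($token, $method, $cmd)) {
    watchdog('example_fm', 'Rejected %cmd connector request: bad CSRF token or method.',
      array('%cmd' => $cmd), WATCHDOG_WARNING);
    drupal_add_http_header('Status', '403 Forbidden');
    drupal_json_output(array('error' => 'Request not allowed'));
    drupal_exit();
  }

  // Only a request that passed both checks reaches the real file operation
  // for $cmd; this example just acknowledges it.
  drupal_json_output(array('cmd' => $cmd, 'status' => 'accepted'));
}
```

The token is bound to the user's session, so it cannot be pre-computed by an attacker, and the value string `'example_fm_connector'` keeps a token issued for one form or endpoint from being replayed against another. Requiring POST for mutating commands is a second, independent barrier, not a substitute for the token.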
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* elfinder 6.x-0.x versions prior to 6.x-0.8.
* elfinder 7.x-0.x versions prior to 7.x-0.8.
Drupal core is not affected. If you do not use the contributed elFinder file
manager [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the elfinder module 0.x for Drupal 6.x, upgrade to elfinder
6.x-0.8 [5] (requires elFinder 1.2 [6] library)
* If you use the elfinder module 0.x for Drupal 7.x, upgrade to elfinder
7.x-0.8 [7] (requires elFinder 1.2 [8] library)
Also see the elFinder file manager [9] project page.
-------- REPORTED BY ---------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Alexey Sukhotin [11] the module maintainer
* Greg Knaddison [12] of the Drupal Security Team
* Fox [13] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Fox [14] of the Drupal Security Team
* David Stoline [15] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [16].
Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].
[1] http://drupal.org/project/elfinder
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/elfinder
[5] http://drupal.org/node/1972082
[6] http://sourceforge.net/projects/elfinder/files/
[7] http://drupal.org/node/1972084
[8] http://sourceforge.net/projects/elfinder/files/
[9] http://drupal.org/project/elfinder
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/771642
[12] http://drupal.org/user/36762
[13] http://drupal.org/user/426416
[14] http://drupal.org/user/426416
[15] http://drupal.org/user/329570
[16] http://drupal.org/contact
[17] http://drupal.org/security-team
[18] http://drupal.org/writing-secure-code
[19] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1972804
* Advisory ID: DRUPAL-SA-CONTRIB-2013-043
* Project: MP3 Player [1] (third-party module)
* Version: 6.x
* Date: 2013-April-17
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module lets you easily enable a Flash MP3 Player on a CCK FileField.
The module does not sufficiently sanitize user-supplied text from MP3
filenames before outputting it, exposing a Cross Site Scripting (XSS)
vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create a node with an MP3 filefield with the MP3
player set as the display widget.
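As an added example (not the MP3 Player module's code), the following Drupal 6 functions show the escaping an uploaded filename needs before it is echoed into Flash-player markup or JavaScript, with the unsafe shape alongside for contrast. Function names and the player path are hypothetical.

```php
<?php
/**
 * Added example, not the MP3 Player module's code: how an MP3 filename must
 * be escaped before it is placed in Flash-player markup. Drupal 6 API.
 * Function names and the player path are hypothetical.
 */

/**
 * The unsafe shape of such output, for contrast only. Interpolating the raw
 * filename means an uploader whose file is named, for example,
 *   x" onmouseover="alert(document.cookie)
 * breaks out of the attribute and runs script for everyone viewing the node.
 */
function example_mp3_player_markup_unsafe($file) {
  $url = file_create_url($file['filepath']);
  return '<object data="/sites/all/libraries/player.swf" type="application/x-shockwave-flash">'
    . '<param name="FlashVars" value="file=' . $url . '&title=' . $file['filename'] . '" />'
    . '</object>';
}

/**
 * Hardened version: every value is encoded for the exact context it lands in.
 */
function example_mp3_player_markup($file) {
  // 1. A URL placed in an href: check_url() strips dangerous schemes such as
  //    javascript: and then HTML-escapes the result.
  $url = check_url(file_create_url($file['filepath']));
  // 2. FlashVars is a URL-encoded key=value string: percent-encode each value
  //    first, then HTML-escape the whole attribute value.
  $flashvars = check_plain('file=' . rawurlencode(file_create_url($file['filepath']))
    . '&title=' . rawurlencode($file['filename']));
  // 3. Anything shown as text or used in an attribute goes through check_plain().
  $title = check_plain($file['filename']);
  return '<object data="/sites/all/libraries/player.swf" type="application/x-shockwave-flash" title="' . $title . '">'
    . '<param name="FlashVars" value="' . $flashvars . '" />'
    . '<a href="' . $url . '">' . $title . '</a>'
    . '</object>';
}

/**
 * If the filename is also handed to JavaScript, pass it through
 * Drupal.settings instead of concatenating it into a <script> block:
 * drupal_add_js() serialises settings with drupal_to_js(), which also
 * escapes <, > and &, so the value cannot close the <script> element.
 */
function example_mp3_player_js_settings($file) {
  drupal_add_js(array('exampleMp3' => array(
    'file'  => file_create_url($file['filepath']),
    'title' => $file['filename'],
  )), 'setting');
}
```

The general rule this applies: a filename is attacker-controlled input like any other field, and "it is just a filename" is not a reason to skip `check_plain()`. Since no fixed release of this module exists, disabling it remains the only remediation the advisory offers; the code above shows what a fixed output path would have to look like.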
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All MP3 Player versions.
Drupal core is not affected. If you do not use the contributed MP3 Player [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Disable the module:
* If you use the MP3 Player module for Drupal 6.x you should disable the
module.
Also see the MP3 Player [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Kyle Small [6]
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/mp3player
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mp3player
[5] http://drupal.org/project/mp3player
[6] http://drupal.org/user/832278
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1966780
* Advisory ID: DRUPAL-SA-CONTRIB-2013-042
* Project: RESTful Web Services [1] (third-party module)
* Version: 7.x
* Date: 2013-April-10
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Denial of Service
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to expose Drupal entities as RESTful web services. It
provides a machine-readable interface to exchange resources in JSON, XML and
RDF.
The module interferes with Drupal's page cache and allows an attacker to
poison the cache with non-HTML page responses: once a JSON, XML or RDF
response has been stored in the anonymous page cache for a URL, other
anonymous visitors requesting that URL receive it instead of the HTML page,
thereby exposing a denial of service vulnerability.
This vulnerability is mitigated by the fact that page caching must be enabled
and the anonymous user role must be assigned a RESTWS permission, for example
"access resource node".
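As an added example (not the restws module's code), the following Drupal 7 page callback serves a JSON representation of a node while keeping that response out of the anonymous page cache, and the comments walk through how the cache gets poisoned in the first place. Path and function names are hypothetical.

```php
<?php
/**
 * Added example, not restws's code: a Drupal 7 page callback that serves a
 * JSON representation of a node and keeps that response out of the anonymous
 * page cache. Path and function names are hypothetical.
 */

/**
 * Implements hook_menu(): a hypothetical path that returns a node as JSON.
 */
function example_rest_menu() {
  $items['example-rest/node/%node'] = array(
    'page callback' => 'example_rest_node_json',
    'page arguments' => array(2),
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Build the response body. Kept separate so that the cache handling in the
 * page callback is the only thing it adds.
 */
function example_rest_node_to_array($node) {
  return array(
    'nid' => (int) $node->nid,
    'type' => $node->type,
    'title' => $node->title,
    'changed' => (int) $node->changed,
  );
}

/**
 * Page callback for example-rest/node/%node.
 */
function example_rest_node_json($node) {
  // How the cache gets poisoned: drupal_exit() runs drupal_page_footer(),
  // which calls drupal_page_set_cache(). For an anonymous GET with page
  // caching enabled, the output buffer and the response headers are stored
  // under the request URL; the Content-Type is not part of the key. If a
  // JSON handler is reached for the same URL as the HTML page (for example
  // via content negotiation on the Accept header), every later anonymous
  // visitor of that URL is served the JSON body and headers until the cache
  // is cleared, which is the denial of service described above.
  //
  // Hardening 1: give machine-readable representations their own URL (done
  // in hook_menu above), so they never share a cache entry with the page.
  //
  // Hardening 2: mark the response uncacheable anyway, so a non-HTML
  // representation can never land in the page cache or a downstream proxy.
  drupal_page_is_cacheable(FALSE);
  drupal_add_http_header('Cache-Control', 'no-cache, must-revalidate, max-age=0');
  drupal_add_http_header('Vary', 'Accept');
  drupal_add_http_header('Content-Type', 'application/json; charset=utf-8');
  print drupal_json_encode(example_rest_node_to_array($node));
  drupal_exit();
}
```

A quick operational check after upgrading: with page caching on, fetch a node URL anonymously with an `Accept: application/json` header and then fetch the same URL again with a normal browser Accept header; the second response must still be HTML. If it is not, the cache entry was poisoned and has to be cleared.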
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* RESTWS 7.x-1.x versions prior to 7.x-1.3.
* RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha5.
Drupal core is not affected. If you do not use the contributed RESTful Web
Services [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.3
[5]
* If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS
7.x-2.0-alpha5 [6]
Also see the RESTful Web Services [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dylan Tack [8] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Klaus Purer [9] the module maintainer
* Stéphane Corlosquet [10] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Klaus Purer [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/restws
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/restws
[5] http://drupal.org/node/1966752
[6] http://drupal.org/node/1966758
[7] http://drupal.org/project/restws
[8] http://drupal.org/user/96647
[9] http://drupal.org/user/262198
[10] http://drupal.org/user/52142
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1960406
* Advisory ID: DRUPAL-SA-CONTRIB-2013-041
* Project: Chaos tool suite (ctools) [1] (third-party module)
* Version: 7.x
* Date: 2013-April-03
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Chaos tool suite (CTools) module provides a set of APIs and tools to
improve the developer experience.
The module doesn't sufficiently enforce node access when providing an
autocomplete list of suggested node titles, allowing users with the "access
content" permission to see the titles of nodes which they should not be able
to view.
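Both this advisory and DRUPAL-SA-CONTRIB-2013-045 (Autocomplete Widgets, above) describe the same bug pattern: an autocomplete callback that queries node titles or field values without node access handling. As an added example (not code from ctools or Autocomplete Widgets), here is a Drupal 7 title autocomplete that applies the missing check. Path and function names are hypothetical.

```php
<?php
/**
 * Added example, not code from ctools or Autocomplete Widgets: a Drupal 7
 * node-title autocomplete callback that applies node access, i.e. the check
 * both advisories report as missing. Path and function names are
 * hypothetical.
 */

/**
 * Implements hook_menu().
 */
function example_ac_menu() {
  $items['example-ac/node-title'] = array(
    'page callback' => 'example_ac_node_title_autocomplete',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Return up to $limit matching node titles the current user may view.
 *
 * The bug pattern is a query on {node} (or on a field data table) with no
 * access handling; every user with "access content" then sees titles or
 * field values of restricted nodes as suggestions.
 */
function example_ac_matching_titles($string, $limit = 10) {
  $matches = array();
  if ($string === '') {
    return $matches;
  }
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', db_like($string) . '%', 'LIKE')
    ->condition('n.status', NODE_PUBLISHED)
    ->orderBy('n.title')
    ->range(0, $limit);
  // The fix: the node_access tag makes the query builder join {node_access}
  // and restrict rows to the current user's grants, exactly as core does for
  // node listings. Users with "bypass node access" are exempted automatically.
  $query->addTag('node_access');

  foreach ($query->execute() as $row) {
    // Belt and braces: hook_node_access() implementations that are not
    // expressed as grants are only honoured by node_access() itself.
    $node = node_load($row->nid);
    if ($node && node_access('view', $node)) {
      $matches[$row->title . ' [nid:' . $row->nid . ']'] = check_plain($row->title);
    }
  }
  return $matches;
}

/**
 * Page callback: the browser gets a JSON object of "value => label" pairs.
 */
function example_ac_node_title_autocomplete($string = '') {
  drupal_json_output(example_ac_matching_titles($string));
}
```

The same treatment applies to an autocomplete that suggests distinct field values, which is the Autocomplete Widgets case: the query must be joined to {node} and tagged `node_access` (or each candidate row checked with `node_access('view', ...)`), otherwise values from restricted nodes leak. On the Drupal 6 branch the equivalent of the tag is wrapping the SQL in `db_rewrite_sql()`.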
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Ctools module for Drupal 7.x, upgrade to Ctools 7.x-1.3 [5]
Also see the Chaos tool suite (ctools) [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Greg Knaddison [7] of the Drupal Security Team
* Cash Williams [8]
-------- FIXED BY ------------------------------------------------------------
* Daniel Wehner [9] the module maintainer
* Cash Williams [10]
* Lee Rowlands [11] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Lee Rowlands [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team
* Ben Jeavons [14] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].
Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].
[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ctools
[5] http://drupal.org/node/1960424
[6] http://drupal.org/project/ctools
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/421070
[9] http://drupal.org/user/99340
[10] http://drupal.org/user/421070
[11] http://drupal.org/user/395439
[12] http://drupal.org/user/395439
[13] http://drupal.org/user/36762
[14] http://drupal.org/user/91990
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1960338
* Advisory ID: DRUPAL-SA-CONTRIB-2013-040
* Project: Commerce Skrill (Formerly Moneybookers) [1] (third-party module)
* Version: 7.x
* Date: 2013-April-03
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module integrates the Skrill online payment services [3] with Drupal
Commerce.
When processing Instant Payment Notifications (IPN), the "Moneybookers
enterprise" payment method provided by the Commerce Skrill contributed module
does not sufficiently verify that a notification actually originates from
Skrill, potentially allowing forged notifications to be accepted as valid.
The vulnerability is mitigated by the fact that it only affects the
"Moneybookers enterprise" payment method.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
The "Moneybookers enterprise" payment method provided by the Commerce Skrill
[5] contributed module in all versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Commerce
Skrill (Formerly Moneybookers) [6] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version. The "Moneybookers enterprise" payment method now
requires the use of the hash security option.
* Upgrade to Commerce Skrill 7.x-1.2 [7]
* In the Skrill back office, enable securityHash verification under
Administration > Processing > Processing Settings.
* Get the security token and paste it into the Secret key field of the
payment method configuration form.
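As an added example (not the Commerce Skrill module's code), the following shows what the hash option buys: once a secret word is configured, Skrill signs each status notification with an md5sig field, and the receiving side can reject any notification whose signature does not verify. The signature formula is Skrill's published one as the editor understands it; confirm it against the current Skrill merchant documentation before relying on it. Function names and the sample notification are constructed.

```php
<?php
/**
 * Added example, not Commerce Skrill's code. Verifies the md5sig field of a
 * Skrill/Moneybookers status notification. Formula (Skrill merchant
 * documentation, to be confirmed against the current version):
 *   md5sig = UPPER(MD5(merchant_id . transaction_id . UPPER(MD5(secret_word))
 *                    . mb_amount . mb_currency . status))
 * Function names are hypothetical.
 */

/** Compute the signature we expect for this notification. */
function example_skrill_expected_md5sig(array $ipn, $secret_word) {
  $base = $ipn['merchant_id']
    . $ipn['transaction_id']
    . strtoupper(md5($secret_word))
    . $ipn['mb_amount']
    . $ipn['mb_currency']
    . $ipn['status'];
  return strtoupper(md5($base));
}

/** Constant-time string comparison (hash_equals() needs PHP >= 5.6). */
function example_constant_time_equals($a, $b) {
  if (function_exists('hash_equals')) {
    return hash_equals($a, $b);
  }
  if (strlen($a) !== strlen($b)) {
    return FALSE;
  }
  $diff = 0;
  for ($i = 0, $n = strlen($a); $i < $n; $i++) {
    $diff |= ord($a[$i]) ^ ord($b[$i]);
  }
  return $diff === 0;
}

/**
 * TRUE only if the notification is for our merchant account and carries a
 * valid signature. Without a secret word nothing can be verified, so an
 * empty secret must mean "reject", never "skip the check": accepting
 * unsigned notifications is exactly the forgeable behaviour the advisory
 * describes.
 */
function example_skrill_ipn_is_authentic(array $ipn, $secret_word, $expected_merchant_id) {
  if ((string) $secret_word === '') {
    return FALSE;
  }
  $required = array('merchant_id', 'transaction_id', 'mb_amount', 'mb_currency', 'status', 'md5sig');
  foreach ($required as $key) {
    if (!isset($ipn[$key]) || $ipn[$key] === '') {
      return FALSE;
    }
  }
  if ((string) $ipn['merchant_id'] !== (string) $expected_merchant_id) {
    return FALSE;
  }
  $expected = example_skrill_expected_md5sig($ipn, $secret_word);
  return example_constant_time_equals($expected, strtoupper($ipn['md5sig']));
}

// Constructed sample (not a real Skrill message). Sign it with the helper so
// that it verifies, then tamper with the amount: the copy must be rejected.
$secret = 'correct horse battery staple';
$ipn = array(
  'merchant_id'    => '12345678',
  'transaction_id' => 'order-42',
  'mb_amount'      => '19.99',
  'mb_currency'    => 'EUR',
  'status'         => '2',
);
$ipn['md5sig'] = example_skrill_expected_md5sig($ipn, $secret);
$forged = $ipn;
$forged['mb_amount'] = '0.01';
var_dump(example_skrill_ipn_is_authentic($ipn, $secret, '12345678'));
var_dump(example_skrill_ipn_is_authentic($forged, $secret, '12345678'));
```

A valid signature only proves the notification came from someone holding the secret word. Before an order is marked as paid, the handler should additionally match transaction_id, mb_amount and mb_currency against the stored order, require a status value that means the payment was processed, and ignore repeated notifications for a transaction it has already acted on.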
Also see the Commerce Skrill (Formerly Moneybookers) [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Julien Dubreuil [9] the module maintainer
-------- FIXED BY ------------------------------------------------------------
* Julien Dubreuil [10] the module maintainer
* Jonathan Sacksick [11] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Klaus Purer [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/commerce_moneybookers
[2] http://drupal.org/security-team/risk-levels
[3] https://www.moneybookers.com/ads/partners/?p=Drupalcommerce
[4] http://cve.mitre.org/
[5] http://drupal.org/project/commerce_moneybookers
[6] http://drupal.org/project/commerce_moneybookers
[7] http://drupal.org/node/1959998
[8] http://drupal.org/project/commerce_moneybookers
[9] http://drupal.org/user/519520
[10] http://drupal.org/user/519520
[11] http://drupal.org/user/972218
[12] http://drupal.org/user/262198
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration