Security-news April 2013

security-news@drupal.org

1 participants
6 discussions

SA-CONTRIB-2013-045 - Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) - Access bypass
by security-news＠drupal.org 17 Apr '13

17 Apr '13

View online: http://drupal.org/node/1972976 * Advisory ID: DRUPAL-SA-CONTRIB-2013-045 * Project: Autocomplete Widgets for Text and Number Fields [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-April-17 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Autocomplete Widgets module adds autocomplete widgets for Text and Number fields. The autocomplete callback implemented by this module does not honor node permissions to access existing fields, allowing users to see field values even though they are not authorized to access that information. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Autocomplete Widgets 6.x-1.x versions prior to 6.x-1.4. * Autocomplete Widgets 7.x-1.x versions prior to 7.x-1.0-rc1. Drupal core is not affected. If you do not use the contributed Autocomplete Widgets for Text and Number Fields [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Autocomplete Widgets module for Drupal 6.x, upgrade to Autocomplete Widgets 6.x-1.4 [5] * If you use the Autocomplete Widgets module for Drupal 7.x, upgrade to Autocomplete Widgets 7.x-1.0-rc1 [6] Also see the Autocomplete Widgets for Text and Number Fields [7] project page. -------- REPORTED BY --------------------------------------------------------- * James [8] * Cash Williams [9] -------- FIXED BY ------------------------------------------------------------ * Alexander Ross [10] the module maintainer * Cash Williams [11] -------- COORDINATED BY ------------------------------------------------------ * Stéphane Corlosquet [12] of the Drupal Security Team * David Rothstein [13] of the Drupal Security Team * Owen Barton [14] of the Drupal Security Team * Greg Knaddison [15] of the Drupal Security Team * Ben Jeavons [16] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [17]. Learn more about the Drupal Security team and their policies [18], writing secure code for Drupal [19], and securing your site [20]. [1] http://drupal.org/project/autocomplete_widgets [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/autocomplete_widgets [5] http://drupal.org/node/1971848 [6] http://drupal.org/node/1971856 [7] http://drupal.org/project/autocomplete_widgets [8] http://drupal.org/user/693536 [9] http://drupal.org/user/421070 [10] http://drupal.org/user/8274 [11] http://drupal.org/user/421070 [12] http://drupal.org/user/52142 [13] http://drupal.org/user/124982 [14] http://drupal.org/user/19668 [15] http://drupal.org/user/36762 [16] http://drupal.org/user/91990 [17] http://drupal.org/contact [18] http://drupal.org/security-team [19] http://drupal.org/writing-secure-code [20] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-044 - elFinder file manager - Cross Site Request Forgery (CSRF)
by security-news＠drupal.org 17 Apr '13

17 Apr '13

View online: http://drupal.org/node/1972942 * Advisory ID: DRUPAL-SA-CONTRIB-2013-044 * Project: elFinder file manager [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-April-17 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The elfinder module provides an AJAX-based file manager based on the elFinder javascript library. The module doesn't sufficiently verify requests thereby exposing a Cross Site Request Forgery (CSRF) vulnerability. This would enable an attacker to create, modify, or delete files on the server. There are no mitigating factors. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * elfinder 6.x-0.x versions prior to 6.x-0.8. * elfinder 7.x-0.x versions prior to 7.x-0.8. Drupal core is not affected. If you do not use the contributed elFinder file manager [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the elfinder module 0.x for Drupal 6.x, upgrade to elfinder 6.x-0.8 [5] (requires elFinder 1.2 [6] library) * If you use the elfinder module 0.x for Drupal 7.x, upgrade to elfinder 7.x-0.8 [7] (requires elFinder 1.2 [8] library) Also see the elFinder file manager [9] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [10] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Alexey Sukhotin [11] the module maintainer * Greg Knaddison [12] of the Drupal Security Team * Fox [13] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Fox [14] of the Drupal Security Team * David Stoline [15] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [16]. Learn more about the Drupal Security team and their policies [17], writing secure code for Drupal [18], and securing your site [19]. [1] http://drupal.org/project/elfinder [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/elfinder [5] http://drupal.org/node/1972082 [6] http://sourceforge.net/projects/elfinder/files/ [7] http://drupal.org/node/1972084 [8] http://sourceforge.net/projects/elfinder/files/ [9] http://drupal.org/project/elfinder [10] http://drupal.org/user/36762 [11] http://drupal.org/user/771642 [12] http://drupal.org/user/36762 [13] http://drupal.org/user/426416 [14] http://drupal.org/user/426416 [15] http://drupal.org/user/329570 [16] http://drupal.org/contact [17] http://drupal.org/security-team [18] http://drupal.org/writing-secure-code [19] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)
by security-news＠drupal.org 17 Apr '13

17 Apr '13

View online: http://drupal.org/node/1972804 * Advisory ID: DRUPAL-SA-CONTRIB-2013-043 * Project: MP3 Player [1] (third-party module) * Version: 6.x * Date: 2013-April-17 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to easily enable a Flash MP3 Player on a CCK FileField. The module doesn't sufficiently filter user-supplied text from mp3 filenames. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a node with an mp3 filefield with the MP3 player set as the display widget. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All MP3 Player versions. Drupal core is not affected. If you do not use the contributed MP3 Player [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Disable the module: * If you use the MP3 Player module for Drupal 6.x you should disable the module. Also see the MP3 Player [5] project page. -------- REPORTED BY --------------------------------------------------------- * Kyle Small [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/mp3player [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/mp3player [5] http://drupal.org/project/mp3player [6] http://drupal.org/user/832278 [7] http://drupal.org/user/36762 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service
by security-news＠drupal.org 10 Apr '13

10 Apr '13

View online: http://drupal.org/node/1966780 * Advisory ID: DRUPAL-SA-CONTRIB-2013-042 * Project: RESTful Web Services [1] (third-party module) * Version: 7.x * Date: 2013-April-10 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Denial of Service -------- DESCRIPTION --------------------------------------------------------- This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module interferes with Drupal's page cache and allows an attacker to poison the cache with non-HTML page responses, thereby exposing a denial of service vulnerability. This vulnerability is mitigated by the fact that page caching must be enabled and the anonymous user role must be assigned a RESTWS permission, for example "access resource node". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * RESTWS 7.x-1.x versions prior to 7.x-1.3. * RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha5. Drupal core is not affected. If you do not use the contributed RESTful Web Services [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.3 [5] * If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS 7.x-2.0-alpha5 [6] Also see the RESTful Web Services [7] project page. -------- REPORTED BY --------------------------------------------------------- * Dylan Tack [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Klaus Purer [9] the module maintainer * Stéphane Corlosquet [10] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/restws [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/restws [5] http://drupal.org/node/1966752 [6] http://drupal.org/node/1966758 [7] http://drupal.org/project/restws [8] http://drupal.org/user/96647 [9] http://drupal.org/user/262198 [10] http://drupal.org/user/52142 [11] http://drupal.org/user/262198 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass
by security-news＠drupal.org 03 Apr '13

03 Apr '13

View online: http://drupal.org/node/1960406 * Advisory ID: DRUPAL-SA-CONTRIB-2013-041 * Project: Chaos tool suite (ctools) [1] (third-party module) * Version: 7.x * Date: 2013-April-03 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This CTools module provides a set of APIs and tools to improve the developer experience. The module doesn't sufficiently enforce node access when providing an autocomplete list of suggested node titles, allowing users with the "access content" permission to see the titles of nodes which they should not be able to view. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ctools module for Drupal 7.x, upgrade to Ctools 7.x-1.3 [5] Also see the Chaos tool suite (ctools) [6] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [7] of the Drupal Security Team * Cash Williams [8] -------- FIXED BY ------------------------------------------------------------ * Daniel Wehner [9] the module maintainer. * Cash Williams [10] * Lee Rowlands [11] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [12] of the Drupal Security Team * Greg Knaddison [13] of the Drupal Security Team * Ben Jeavons [14] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [15]. Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18]. [1] http://drupal.org/project/ctools [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/ctools [5] http://drupal.org/node/1960424 [6] http://drupal.org/project/ctools [7] http://drupal.org/user/36762 [8] http://drupal.org/user/421070 [9] http://drupal.org/user/99340 [10] http://drupal.org/user/421070 [11] http://drupal.org/user/395439 [12] http://drupal.org/user/395439 [13] http://drupal.org/user/36762 [14] http://drupal.org/user/91990 [15] http://drupal.org/contact [16] http://drupal.org/security-team [17] http://drupal.org/writing-secure-code [18] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass
by security-news＠drupal.org 03 Apr '13

03 Apr '13

View online: http://drupal.org/node/1960338 * Advisory ID: DRUPAL-SA-CONTRIB-2013-040 * Project: Commerce Skrill (Formerly Moneybookers) [1] (third-party module) * Version: 7.x * Date: 2013-April-03 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module integrates the Skrill online payment services [3] with Drupal Commerce. When processing Instant payment notifications (IPN), the "Moneybookers enterprise" payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forged notifications to be accepted as valid. The vulnerability is mitigated by the fact that it only affects the "Moneybookers enterprise" payment method. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- The "Moneybookers enterprise" payment method provided by the Commerce Skrill [5] contributed module in all versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Commerce Skrill (Formerly Moneybookers) [6] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. The "Moneybookers enterprise" payment method now requires the use of the hash security option. * Upgrade to Commerce Skrill 7.x-1.2 [7] * Go to the backoffice of Skrill and enable the securityHash verification following the Administration > Processing > Processing Settings section. * Get the security token, and paste it in the Secret key field of the payment method configuration form. Also see the Commerce Skrill (Formerly Moneybookers) [8] project page. -------- REPORTED BY --------------------------------------------------------- * Julien Dubreuil [9] the module maintainer -------- FIXED BY ------------------------------------------------------------ * Julien Dubreuil [10] the module maintainer * Jonathan Sacksick [11] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/commerce_moneybookers [2] http://drupal.org/security-team/risk-levels [3] https://www.moneybookers.com/ads/partners/?p=Drupalcommerce [4] http://cve.mitre.org/ [5] http://drupal.org/project/commerce_moneybookers [6] http://drupal.org/project/commerce_moneybookers [7] http://drupal.org/node/1959998 [8] http://drupal.org/project/commerce_moneybookers [9] http://drupal.org/user/519520 [10] http://drupal.org/user/519520 [11] http://drupal.org/user/972218 [12] http://drupal.org/user/262198 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news April 2013