Security-news May 2013

security-news@drupal.org

1 participants
5 discussions

SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)
by security-news＠drupal.org 29 May '13

29 May '13

View online: https://drupal.org/node/2007460 * Advisory ID: DRUPAL-SA-CONTRIB-2013-050 * Project: Webform [1] (third-party module) * Version: 6.x * Date: 2013-May-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Webform module allows the creation of custom webforms and surveys. Webform module does not sanitize the labels of created components (fields) when displaying a list of components to be used in e-mails or downloaded CSV files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit own webform content" or "edit all webform content". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Webform 6.x-3.x versions prior to 6.x-3.19. Drupal core is not affected. If you do not use the contributed Webform [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the Webform module for Drupal 6, install the latest version, Webform 6.x-3.19 [5]. Drupal 7 versions of this module are not affected. Also see the Webform [6] project page. -------- REPORTED BY --------------------------------------------------------- * Justin C. Klein Keane [7] -------- FIXED BY ------------------------------------------------------------ * Nate Haug [8] the module maintainer * Justin C. Klein Keane [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/webform [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/webform [5] http://drupal.org/node/2007390 [6] http://drupal.org/project/webform [7] http://drupal.org/user/302225 [8] http://drupal.org/user/35821 [9] http://drupal.org/user/302225 [10] https://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-049 - Node access user reference - Access Bypass
by security-news＠drupal.org 29 May '13

29 May '13

View online: http://drupal.org/node/2007122 * Advisory ID: DRUPAL-SA-CONTRIB-2013-049 * Project: Node access user reference [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-May-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module allows different access permissions to be given to authors, referenced users and non-referenced users. When an author has created content containing a user reference field (with author update/delete grants enabled) and the author's user account is later deleted, content created by them can be edited by anonymous users. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * nodeaccess_userreference 6.x-3.x versions prior to 6.x-3.5. * nodeaccess_userreference 7.x-3.x versions prior to 7.x-3.10. Drupal core is not affected. If you do not use the contributed Node access user reference [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the nodeaccess_userreference module for Drupal 6.x, upgrade to nodeaccess_userreference 6.x-3.5 [5] * If you use the nodeaccess_userreference module for Drupal 7.x, upgrade to nodeaccess_userreference 7.x-3.10 [6] Also see the Node access user reference [7] project page. -------- REPORTED BY --------------------------------------------------------- * Jamie Wiseman [8] -------- FIXED BY ------------------------------------------------------------ * Jamie Wiseman [9] * Dan Smith [10] provisional member of the Drupal Security Team * Chris Hales [11] and Greg Knaddison [12] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Dan Smith [13] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. [1] http://drupal.org/project/nodeaccess_userreference [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/nodeaccess_userreference [5] http://drupal.org/node/2007072 [6] http://drupal.org/node/2007078 [7] http://drupal.org/project/nodeaccess_userreference [8] http://drupal.org/user/16327 [9] http://drupal.org/user/16327 [10] http://drupal.org/user/241220 [11] http://drupal.org/user/347249 [12] http://drupal.org/user/36762 [13] http://drupal.org/user/241220 [14] http://drupal.org/contact [15] http://drupal.org/security-team [16] http://drupal.org/writing-secure-code [17] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-048 - Edit Limit - Access Bypass
by security-news＠drupal.org 29 May '13

29 May '13

View online: http://drupal.org/node/2007048 * Advisory ID: DRUPAL-SA-CONTRIB-2013-048 * Project: Edit Limit [1] (third-party module) * Version: 7.x * Date: 2013-May-29 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Edit Limit enables you to set time and count-based limits on how and when a user can edit nodes or comments. The module doesn't sufficiently check user access when editing comments to see if the user has the necessary permissions to edit a comment outside of the limits applied by this module. This makes it possible for a user who can edit their own comments to edit the comments of any other user. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit comments". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Edit Limit 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Edit Limit [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Edit Limit module for Drupal 7.x, upgrade to Edit Limit 7.x-1.3 [5] Also see the Edit Limit [6] project page. -------- REPORTED BY --------------------------------------------------------- * Morten Fangel [7] -------- FIXED BY ------------------------------------------------------------ * Quade [8] the module maintainer * Morten Fangel [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/edit_limit [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/edit_limit [5] http://drupal.org/node/2006188 [6] http://drupal.org/project/edit_limit [7] http://drupal.org/user/376055 [8] http://drupal.org/user/71791 [9] http://drupal.org/user/376055 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass
by security-news＠drupal.org 15 May '13

15 May '13

View online: http://drupal.org/node/1995706 * Advisory ID: DRUPAL-SA-CONTRIB-2013-047 * Project: Google Authenticator login [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-May-15 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module will allow you to add Time-based One-time Password Algorithm (also called "Two Step Authentication" or "Multi-Factor Authentication") support to user logins. It works with Google's Authenticator app system and support most (if not all) OATH based HOTP/TOTP systems. .... Accidental removal of account configuration. In certain scenarios, Google Authenticator login incorrectly determines the user's account name. The change in account name could cause the two-factor authentication for existing accounts to be lost, allowing users to log in using just username and password. This vulnerability is mitigated by the fact while Google Authenticator login's additional verification is by-passed, a username and password are still required to log in. .... One Time Password (OTP) replay If an attacker can intercept a login request with a username, password and OTP, an attacker could use this same data again to login to the website. This vulnerability is mitigated by the fact that an attacker who can intercept a login request with this level of detail can usually also intercept the ongoing session identifying token. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Google Authenticator login 6.x-1.x versions prior to 6.x-1.2. * Google Authenticator login 7.x-1.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed Google Authenticator login [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Google Authenticator login module for Drupal 6.x, upgrade to Google Authenticator login module 6.x-1.2 [5] * If you use the Google Authenticator login module for Drupal 7.x, upgrade to Google Authenticator login module 7.x-1.4 [6] Also see the Google Authenticator login [7] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [8] of the Drupal Security Team * Lode Vanstechelman [9] -------- FIXED BY ------------------------------------------------------------ * Peter Droogmans [10] the module maintainer * Jelle Sebreghts [11] the module maintainer * Ivo Van Geertruyen [12] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Ivo Van Geertruyen [13] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. [1] http://drupal.org/project/ga_login [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/ga_login [5] http://drupal.org/node/1995634 [6] http://drupal.org/node/1995482 [7] http://drupal.org/project/ga_login [8] http://drupal.org/user/383424 [9] http://drupal.org/user/657472 [10] http://drupal.org/user/105002 [11] http://drupal.org/user/829198 [12] http://drupal.org/user/383424 [13] http://drupal.org/user/383424 [14] http://drupal.org/contact [15] http://drupal.org/security-team [16] http://drupal.org/writing-secure-code [17] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-046 - Filebrowser - Reflected Cross Site Scripting (XSS)
by security-news＠drupal.org 01 May '13

01 May '13

View online: http://drupal.org/node/1984212 * Advisory ID: DRUPAL-SA-CONTRIB-2013-046 * Project: Filebrowser [1] (third-party module) * Version: 6.x * Date: 2013-May-1 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Filebrowser module allows site administrators to expose a particular file system folder and all of its subfolders with an FTP-like interface to site visitors. The module doesn't sufficiently sanitize user input when presenting lists of files. Because the vulnerability is /Reflected/ Cross Site Scripting, the only mitigating factor is that an authenticated user must be tricked into visiting a specially crafted malicious url. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Filebrowser 6.x-2.x versions prior to 6.x-2.2. Drupal core is not affected. If you do not use the contributed Filebrowser [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Filebrowser module for Drupal 6.x, upgrade to Filebrowser 6.x-2.2 [5] Also see the Filebrowser [6] project page. -------- REPORTED BY --------------------------------------------------------- * Paweł Krawczyk [7] -------- FIXED BY ------------------------------------------------------------ * Yoran Brault [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/filebrowser [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/filebrowser [5] http://drupal.org/node/1983356 [6] http://drupal.org/project/filebrowser [7] http://drupal.org/user/243792 [8] http://drupal.org/user/46153 [9] http://drupal.org/user/395439 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news May 2013