View online: https://drupal.org/node/2054701
* Advisory ID: DRUPAL-SA-CONTRIB-2013-061
* Project: Flippy [1] (third-party module)
* Version: 7.x
* Date: 2013-July-31
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to generate previous/next links for content types.
The module doesn't sufficiently enforce node access when generating
previous/next links. A user may be presented with a link to a node they are
not permitted to view (including its URL alias, if one is set), even though
following that link will not show them the node content. The existence,
title and path of restricted content are therefore disclosed.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to access content.
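The pattern behind this class of bug, as an added Drupal 7 example that is not code from the Flippy module (the advisory publishes no code): a query that picks the neighbouring node must be tagged with `node_access` so that node access grants are applied, and the link must only be built for a node the current user can actually view. Function names are assumed for illustration.

```php
<?php
// Added example; not the Flippy module's own code. Illustrates why a
// previous/next query without the 'node_access' tag leaks restricted nodes.

/**
 * Unsafe: finds the next node of the same type while ignoring node access,
 * so the caller will happily build a link (and resolve its alias) for a
 * node the current user is not allowed to see.
 */
function example_flippy_next_nid_unsafe($node) {
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.type', $node->type)
    ->condition('n.status', 1)
    ->condition('n.created', $node->created, '>')
    ->orderBy('n.created', 'ASC')
    ->range(0, 1)
    ->execute()
    ->fetchField();
}

/**
 * Safer: the 'node_access' tag lets Drupal's query alter hooks add the
 * node_access grant joins, so only nodes the current user may view are
 * candidates. The tag is a no-op on sites without node access modules,
 * which is why the explicit node_access() check below is still worthwhile:
 * it also covers rules enforced only in hook_node_access().
 */
function example_flippy_next_nid($node) {
  $nid = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.type', $node->type)
    ->condition('n.status', 1)
    ->condition('n.created', $node->created, '>')
    ->orderBy('n.created', 'ASC')
    ->range(0, 1)
    ->addTag('node_access')
    ->execute()
    ->fetchField();
  if ($nid && node_access('view', node_load($nid))) {
    return $nid;
  }
  return FALSE;
}

/**
 * Builds the "next" link only when a viewable neighbour exists. l() resolves
 * the path alias and check_plain()s the title, so nothing about a hidden
 * node reaches the page.
 */
function example_flippy_next_link($node) {
  $nid = example_flippy_next_nid($node);
  if (!$nid) {
    return '';
  }
  $next = node_load($nid);
  return l($next->title, 'node/' . $next->nid);
}
```

A quick check for any contrib module that produces lists of node links is to view the page as a user whose role lacks access to a restricted node and confirm that neither the title nor the alias of that node appears in the markup.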
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Flippy 7.x-1.x versions prior to 7.x-1.1
Drupal core is not affected. If you do not use the contributed Flippy [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Flippy module for Drupal 7.x, upgrade to Flippy 7.x-1.2 [5]
Also see the Flippy [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* daviddr [7]
-------- FIXED BY
------------------------------------------------------------
* Joshua Li [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/flippy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/flippy
[5] http://drupal.org/node/2050827
[6] http://drupal.org/project/flippy
[7] http://drupal.org/user/2471996
[8] http://drupal.org/user/633216
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2049415
* Advisory ID: DRUPAL-SA-CONTRIB-2013-060
* Project: Scald [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-July-24
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to manage media assets (atoms) in Drupal through a
Views-based library and a drag-and-drop interface, and to manage content
attribution, licensing and distribution.
The module doesn't sufficiently filter atom properties such as the atom title
when outputting atoms, thereby exposing a Cross Site Scripting (XSS)
vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create atoms and the Scald Flash module or the
resource management feature (in the MEE submodule) must be enabled.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Scald 6.x-1.x versions prior to 6.x-1.0-beta3.
* Scald 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Scald [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Scald module for Drupal 6.x, upgrade to Scald 6.x-1.0-beta3
[5]
* If you use the Scald module for Drupal 7.x, upgrade to Scald 7.x-1.1 [6]
Also see the Scald [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Franck Deroche [9], the module maintainer
* Hai-Nam Nguyen [10], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/scald
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/scald
[5] https://drupal.org/node/2049239
[6] https://drupal.org/node/2049251
[7] http://drupal.org/project/scald
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/59710
[10] http://drupal.org/user/210762
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2044299
* Advisory ID: DRUPAL-SA-CONTRIB-2013-059
* Project: Hostmaster (Aegir) [1] (third-party module)
* Version: 6.x
* Date: 2013-July-17
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This install profile and accompanying suite of modules enables you to
install, upgrade, deploy, and back up Drupal sites (among other things).
The module doesn't sufficiently control access to running tasks on sites: a
user who successfully guesses a site's path in the Aegir front-end can run
tasks against that site.
This vulnerability is mitigated by the fact that an attacker must be
authenticated and have a role with one or more permissions that allow the
creation of tasks.
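The bug class here is an access check that asks only "may this user create tasks?" and never "may this user act on this particular site?". The following Drupal 6 example is added for illustration and is not code from Hostmaster/Aegir; the menu path, the permission names and the function names are assumed, and the form submit step that would actually queue a task is the module's concern and is not shown.

```php
<?php
// Added example; not Hostmaster/Aegir code. Shows a permission-only access
// callback beside one that also performs an object-level check on the site.

function example_hosting_menu() {
  $items = array();
  // %node loads the site node from the URL; an unknown nid already yields 404,
  // but a guessed nid of an existing site loads fine, hence the access check.
  $items['node/%node/task/%'] = array(
    'title' => 'Run task',
    'page callback' => 'example_hosting_task_page',
    'page arguments' => array(1, 3),
    'access callback' => 'example_hosting_task_access',
    'access arguments' => array(1, 3),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Insufficient: a global permission check. Any user holding the permission
 * can request node/<guessed nid>/task/<type> for any site.
 */
function example_hosting_task_access_unsafe($site, $task_type) {
  return user_access('create ' . $task_type . ' task');
}

/**
 * Sufficient: the permission plus an object-level decision on the site node
 * itself, delegated to the node access system so that ownership or client
 * grants configured on the deployment are honoured per site.
 */
function example_hosting_task_access($site, $task_type) {
  if (!is_object($site) || $site->type != 'site') {
    return FALSE;
  }
  if (!user_access('create ' . $task_type . ' task')) {
    return FALSE;
  }
  // 'update' rather than 'view': running a task changes the site, so the
  // caller should hold edit rights on the site node, not merely read access.
  return node_access('update', $site);
}

/**
 * Page callback. The menu system has already enforced the access callback;
 * repeating it here gives direct callers (other modules, drush) the same rule.
 */
function example_hosting_task_page($site, $task_type) {
  if (!example_hosting_task_access($site, $task_type)) {
    drupal_access_denied();
    return;
  }
  return drupal_get_form('example_hosting_task_confirm_form', $site, $task_type);
}

/**
 * Confirmation form (Drupal 6 signature). Its submit handler, which would
 * queue the task through the hosting framework, is out of scope here.
 */
function example_hosting_task_confirm_form(&$form_state, $site, $task_type) {
  $form['nid'] = array('#type' => 'value', '#value' => $site->nid);
  $form['task_type'] = array('#type' => 'value', '#value' => $task_type);
  return confirm_form($form,
    t('Run %task on %site?', array('%task' => $task_type, '%site' => $site->title)),
    'node/' . $site->nid);
}
```

When reviewing similar code, the question to ask of every `access callback` is whether its arguments include the object being acted on; a callback that takes only a permission string cannot enforce per-object access.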
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Hostmaster 6.x-1.x versions prior to 6.x-1.10.
Drupal core is not affected. If you do not use the contributed Hostmaster
(Aegir) [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Hostmaster install profile for Drupal 6.x, upgrade to
Hostmaster 6.x-1.10 [5]
Also see the Hostmaster (Aegir) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tim Lovelock [7]
-------- FIXED BY
------------------------------------------------------------
* Antoine Beaupré [8], the module's lead maintainer; and
* Christopher Gervais [9], another of the module's maintainers.
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/hostmaster
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/hostmaster
[5] http://community.aegirproject.org/1.10
[6] http://drupal.org/project/hostmaster
[7] http://drupal.org/user/1013786
[8] http://drupal.org/user/1274
[9] http://drupal.org/user/368613
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2044173
* Advisory ID: DRUPAL-SA-CONTRIB-2013-058
* Project: MRBS [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-July-17
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery, SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
MRBS is a free, GPL-licensed web application written in PHP, using MySQL or
PostgreSQL, for booking meeting rooms or other resources.
The module doesn't sufficiently sanitize user-supplied data when building
database queries, which leads to a SQL injection vulnerability.
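Because no fixed release exists, the only remediation is removal. For readers auditing other modules for the same two bug classes named in the header (SQL injection and cross-site request forgery), the following Drupal 7 example is added for illustration; it is not MRBS code, and the table, column and path names are assumed.

```php
<?php
// Added example; not MRBS code. Shows the unsafe query construction that
// produces SQL injection, its parameterised form, and a token check that
// defends a state-changing link against CSRF.

/**
 * SQL injection: the request value becomes part of the SQL text. A room id
 * such as "1 OR 1=1" or "1 UNION SELECT name, pass, 0 FROM users" rewrites
 * the query.
 */
function example_mrbs_entries_unsafe($room_id) {
  return db_query("SELECT * FROM {mrbs_entry} WHERE room_id = $room_id")->fetchAll();
}

/**
 * Fixed: the value is bound to a placeholder and never parsed as SQL; the
 * cast additionally enforces the type. Drupal 6 spells the same thing
 * db_query("... WHERE room_id = %d", $room_id).
 */
function example_mrbs_entries($room_id) {
  return db_query('SELECT * FROM {mrbs_entry} WHERE room_id = :room',
    array(':room' => (int) $room_id))->fetchAll();
}

/**
 * Free-text search: db_like() escapes the LIKE wildcards % and _, and the
 * query builder binds the value, so neither SQL nor LIKE syntax can be
 * smuggled in through the room name.
 */
function example_mrbs_find_rooms($name) {
  return db_select('mrbs_room', 'r')
    ->fields('r', array('id', 'room_name'))
    ->condition('r.room_name', '%' . db_like($name) . '%', 'LIKE')
    ->execute()
    ->fetchAllKeyed();
}

/**
 * CSRF: a state-changing action reachable by GET can be triggered by any page
 * the victim visits. Bind the link to the victim's session with a token ...
 */
function example_mrbs_delete_link($entry_id) {
  $path = 'mrbs/entry/' . (int) $entry_id . '/delete';
  return l(t('Delete'), $path, array('query' => array('token' => drupal_get_token($path))));
}

/**
 * ... and refuse the action unless the token matches. drupal_valid_token()
 * ties the token to the current session and to $path, so a token captured
 * for one entry cannot be replayed against another.
 */
function example_mrbs_delete_entry($entry_id) {
  $path = 'mrbs/entry/' . (int) $entry_id . '/delete';
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  db_delete('mrbs_entry')->condition('id', (int) $entry_id)->execute();
  drupal_set_message(t('Booking deleted.'));
  drupal_goto('mrbs');
}
```

For actions triggered by a form rather than a link, Drupal's Form API adds and validates the token automatically, so a `confirm_form()` submission is the simpler defence; the manual token is needed only for GET links.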
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* MRBS module all versions.
Drupal core is not affected. If you do not use the contributed MRBS [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Remove the module and all code from your site.
* There is no upgraded version available. The module should be disabled and
all related code removed from the server.
Also see the MRBS [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Michael Hess [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/mrbs
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mrbs
[5] http://drupal.org/project/mrbs
[6] http://drupal.org/user/102818
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2038807
* Advisory ID: DRUPAL-SA-CONTRIB-2013-057
* Project: TinyBox (Simple Splash) [1] (third-party module)
* Version: 7.x
* Date: 2013-July-10
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The TinyBox module uses TinyBox, a lightweight and standalone modal window
script. The main purpose of this module is to provide a splash screen/window
as simply as possible.
The module doesn't filter user-supplied text prior to display. The
vulnerability is mitigated by the fact that an attacker must have the
permission "administer tinybox."
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* TinyBox 7.x-2.x versions prior to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed TinyBox
(Simple Splash) [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the TinyBox module for Drupal 7.x, upgrade to TinyBox 7.x-2.2
[5]
Also see the TinyBox (Simple Splash) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Daniel Nitscher [7]
-------- FIXED BY
------------------------------------------------------------
* Wendy William, S.Kom [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] and Peter Wolanin [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/tinybox
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/tinybox
[5] https://drupal.org/node/2031575
[6] http://drupal.org/project/tinybox
[7] https://security.drupal.org/user/38183
[8] https://drupal.org/user/75798
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/49851
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2038801
* Advisory ID: DRUPAL-SA-CONTRIB-2013-056
* Project: Stage File Proxy [1] (third-party module)
* Version: 7.x
* Date: 2013-July-10
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
This module saves time and disk space by redirecting requests for files that
are missing from your development environment's files directory to the
production environment, and saving a copy of the production file in your
development site.
An attacker could make repeated requests to the server, even over a long
period, which would degrade the performance of all file handling and
potentially prevent certain file operations (a denial of service).
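One way to bound the cost of the behaviour described above, as an added Drupal 7 example: it is not code from the Stage File Proxy module and not the fix shipped in 7.x-1.4. Every request for a file that is absent locally triggers a fetch from the origin, so the example rate-limits origin fetches per client with Drupal's flood API and remembers misses so that a path the origin also lacks is not fetched again on every request. The function, variable, cache-id and origin names are assumed.

```php
<?php
// Added example; not the Stage File Proxy module's code. Illustrates a
// per-client fetch limit and a negative cache in front of an origin fetch.

/**
 * Returns TRUE when this client may trigger another origin fetch, FALSE once
 * it has exceeded the threshold within the window. Uses Drupal 7's flood API.
 */
function example_sfp_fetch_allowed($ip = NULL) {
  $ip = $ip ? $ip : ip_address();
  $threshold = variable_get('example_sfp_fetch_limit', 50);   // fetches ...
  $window = variable_get('example_sfp_fetch_window', 3600);   // ... per hour
  if (!flood_is_allowed('example_sfp_fetch', $threshold, $window, $ip)) {
    watchdog('example_sfp', 'Origin fetch limit reached for @ip',
      array('@ip' => $ip), WATCHDOG_WARNING);
    return FALSE;
  }
  flood_register_event('example_sfp_fetch', $window, $ip);
  return TRUE;
}

/**
 * Fetches $relative_path from the origin into the local public files
 * directory. Returns TRUE on success, FALSE when the file is not fetched
 * (known miss, rate limit hit, origin error or write failure).
 */
function example_sfp_fetch($relative_path) {
  // General hygiene for any path that arrives from the request.
  if (strpos($relative_path, '..') !== FALSE) {
    return FALSE;
  }
  $cid = 'example_sfp_miss:' . $relative_path;
  if (cache_get($cid)) {
    return FALSE;  // known miss: answer 404 without contacting the origin
  }
  if (!example_sfp_fetch_allowed()) {
    return FALSE;
  }
  $origin = variable_get('example_sfp_origin', 'http://www.example.com');
  $response = drupal_http_request($origin . '/sites/default/files/' . $relative_path);
  if ($response->code != 200) {
    // Remember the miss for an hour so repeated requests cost one lookup.
    cache_set($cid, TRUE, 'cache', REQUEST_TIME + 3600);
    return FALSE;
  }
  $dest = 'public://' . $relative_path;
  $dir = drupal_dirname($dest);
  if (!file_prepare_directory($dir, FILE_CREATE_DIRECTORY)) {
    return FALSE;
  }
  return file_unmanaged_save_data($response->data, $dest, FILE_EXISTS_REPLACE) !== FALSE;
}
```

The module is meant for development copies of a site; a practitioner's first check is therefore that it is not enabled on production at all, with rate limiting as a second layer on the environments where it is enabled.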
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Stage File Proxy 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Stage File
Proxy [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Stage File Proxy module for Drupal 7.x, upgrade to Stage
File Proxy 7.x-1.4 [5]
Also see the Stage File Proxy [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Mike Carper [7]
-------- FIXED BY
------------------------------------------------------------
* Stefan M. Kudwien [8]
* Greg Knaddison [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/stage_file_proxy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/stage_file_proxy
[5] https://drupal.org/node/2038799
[6] http://drupal.org/project/stage_file_proxy
[7] http://drupal.org/user/282446
[8] http://drupal.org/user/48898
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2038363
* Advisory ID: DRUPAL-SA-CONTRIB-2013-055
* Project: Hatch [1] (third-party theme)
* Version: 7.x
* Date: 2013-July-10
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Hatch theme is a simple and minimal portfolio theme for photographers,
illustrators, designers, or photobloggers.
The theme didn't sufficiently escape user-supplied text prior to printing
it.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer content", "Create new article", or "Edit any
article type content".
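The three cross-site scripting advisories on this page (Scald atom titles, TinyBox splash text, and the Hatch theme's output) share one root cause: a string that a user typed is echoed into HTML without being encoded for the context it lands in. The following is an added example covering all three; it is not code from any of those projects, and the function and variable names (including the `field_subtitle` field) are assumed.

```php
<?php
// Added example; not Scald, TinyBox or Hatch code. Shows output escaping for
// the contexts that Drupal 6/7 templates and theme functions write into.

/**
 * The unsafe pattern. An atom title of
 *   "><img src=x onerror=alert(document.cookie)>
 * closes the element and runs in every visitor's browser.
 */
function example_atom_title_unsafe($title) {
  return '<h2 class="atom-title">' . $title . '</h2>';
}

/**
 * Element content: check_plain() turns <, >, &, " and ' into entities, e.g.
 * check_plain('<b>x</b>') === '&lt;b&gt;x&lt;/b&gt;'.
 */
function example_atom_title($title) {
  return '<h2 class="atom-title">' . check_plain($title) . '</h2>';
}

/**
 * Attribute values and URLs: check_plain() for the text attribute and
 * check_url() for the src (strips javascript:, data: and other dangerous
 * schemes, then HTML-encodes).
 */
function example_atom_thumbnail($src, $alt) {
  return '<img src="' . check_url($src) . '" alt="' . check_plain($alt) . '" />';
}

/**
 * Fields meant to carry limited markup (a description, a splash body):
 * filter_xss() keeps only the whitelisted tags and strips event-handler
 * attributes and dangerous URL schemes from the tags it keeps.
 * filter_xss_admin() is more permissive and belongs only to settings that
 * trusted administrators edit; requiring an "administer ..." permission to
 * reach the input is a mitigation, not a fix.
 */
function example_atom_description($html) {
  return '<div class="atom-description">'
    . filter_xss($html, array('a', 'em', 'strong', 'p', 'br'))
    . '</div>';
}

/**
 * Strings built with t(): the placeholder prefix selects the escaping.
 *   @var  check_plain()ed
 *   %var  check_plain()ed and wrapped in <em class="placeholder">
 *   !var  inserted verbatim; only for markup that is already safe
 * $licence_link must therefore come from l() or equivalent, never from input.
 */
function example_atom_attribution($author, $licence_link) {
  return t('By %author, licensed under !licence',
    array('%author' => $author, '!licence' => $licence_link));
}

/**
 * Theme layer (Drupal 7): sanitize in the preprocess function so the
 * .tpl.php template only ever prints variables that are already safe.
 */
function example_preprocess_node(&$variables) {
  $node = $variables['node'];
  $variables['example_subtitle'] = isset($node->field_subtitle[LANGUAGE_NONE][0]['value'])
    ? check_plain($node->field_subtitle[LANGUAGE_NONE][0]['value'])
    : '';
}
```

When reviewing a theme, grep its `.tpl.php` files for `print $` and confirm each printed variable was either produced by a render function (which escapes) or explicitly passed through one of the functions above in a preprocess hook.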
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Hatch theme 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Hatch [4]
theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Hatch theme for Drupal 7.x, upgrade to Hatch 7.x-1.4 [5]
Also see the Hatch [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Daniel Nitsche [7]
-------- FIXED BY
------------------------------------------------------------
* Daniel Nitsche [8]
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands (larowlan) [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/hatch
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/hatch
[5] https://drupal.org/node/2038189
[6] http://drupal.org/project/hatch
[7] https://drupal.org/user/1151108
[8] https://drupal.org/user/1151108
[9] http://drupal.org/user/395439
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration