August 2013 - Security-news - lists.drupal.org

SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass
by security-news＠drupal.org 28 Aug '13

28 Aug '13

View online: https://drupal.org/node/2076315 * Advisory ID: DRUPAL-SA-CONTRIB-2013-072 * Project: Node View Permissions [1] (third-party module) * Version: 7.x * Date: 2013-August-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Node View Permissions module adds permissions "View own content" and "View any content" for each content type on the permissions page. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view permission. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Node View Permissions 7.x-1.0. Drupal core is not affected. If you do not use the contributed Node View Permissions [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Node View Permissions module for Drupal 7.x, upgrade to Node View Permissions 7.x-1.2 [5] Also see the Node View Permissions [6] project page. -------- REPORTED BY --------------------------------------------------------- * Mark Theunissen [7] -------- FIXED BY ------------------------------------------------------------ * hoter [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team * Mark Ferree [10] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/node_view_permissions [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/node_view_permissions [5] https://drupal.org/node/2031621 [6] http://drupal.org/project/node_view_permissions [7] https://drupal.org/user/108606 [8] http://drupal.org/user/1677790 [9] https://drupal.org/user/102818 [10] http://drupal.org/user/76245 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-071 - Flag - Cross Site Scripting
by security-news＠drupal.org 28 Aug '13

28 Aug '13

View online: https://drupal.org/node/2076221 * Advisory ID: DRUPAL-SA-CONTRIB-2013-071 * Project: Flag [1] (third-party module) * Version: 7.x * Date: 2013-August-28 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Flag module allows creation of customizable flags on entities. Flag does not properly sanitize the name of a flag on the main flag administration page, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have the 'Administer flags' permission. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Flag 7.x-3.x versions prior to 7.x-3.0. Drupal core is not affected. If you do not use the contributed Flag [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.1 [5] Also see the Flag [6] project page. -------- REPORTED BY --------------------------------------------------------- * Justin_KleinKeane [7] -------- FIXED BY ------------------------------------------------------------ * Justin_KleinKeane [8] * Joachim Noreiko [9] the module co-maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/flag [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/flag [5] https://drupal.org/node/2075287 [6] http://drupal.org/project/flag [7] http://drupal.org/user/302225 [8] http://drupal.org/user/302225 [9] http://drupal.org/user/107701 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-070 - Zen - Cross Site Scripting
by security-news＠drupal.org 21 Aug '13

21 Aug '13

View online: https://drupal.org/node/2071157 * Advisory ID: DRUPAL-SA-CONTRIB-2013-070 * Project: Zen [1] (third-party module) * Version: 7.x * Date: 2013-August-21 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Zen theme is a very popular base/starter theme. Zen doesn't sufficiently escape the breadcrumb separator field, allowing a possible XSS exploit. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Zen 7.x-3.x versions prior to 7.x-3.2. * Zen 7.x-5.x versions prior to 7.x-5.4. Drupal core is not affected. If you do not use the contributed Zen [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Zen theme for Drupal 7.x, upgrade to Zen 7.x-3.2 [5] or Zen 7.x-5.4 [6]. Also see the Zen [7] project page. -------- REPORTED BY --------------------------------------------------------- * Daniel Nitsche [8] -------- FIXED BY ------------------------------------------------------------ * John Albin Wilkins [9], the theme maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team * Klaus Purer [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/zen [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/zen [5] https://drupal.org/node/2071065 [6] https://drupal.org/node/2071055 [7] http://drupal.org/project/zen [8] http://drupal.org/user/1151108 [9] http://drupal.org/user/32095 [10] http://drupal.org/user/36762 [11] http://drupal.org/user/262198 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-069 - Password Policy - XSS
by security-news＠drupal.org 14 Aug '13

14 Aug '13

View online: https://drupal.org/node/2065387 * Advisory ID: DRUPAL-SA-CONTRIB-2013-069 * Project: Password policy [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-August-14 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to specify a certain level of password complexity (aka. "password hardening") for user passwords in Drupal by defining a password policy. When viewing and editing a password policy, the module doesn't sufficiently filter the form text field input and display for the "Password Expiration Warning" field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer policies" to create and edit password policies. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Password policy 6.x-1.x versions prior to 6.x-1.5. * Password policy 7.x-1.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed Password policy [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Password policy module for Drupal 6.x, upgrade to Password policy 6.x-1.6 [5] * If you use the Password policy 1.x module for Drupal 7.x, upgrade to Password policy 7.x-1.5 [6] Also see the Password policy [7] project page. -------- REPORTED BY --------------------------------------------------------- * Justin C. Klein Keane [8] -------- FIXED BY ------------------------------------------------------------ * Mark Shropshire [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/password_policy [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/password_policy [5] https://drupal.org/node/2065241 [6] https://drupal.org/node/2065247 [7] http://drupal.org/project/password_policy [8] http://drupal.org/user/302225 [9] http://drupal.org/user/14767 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-068 - Entity API - Access Bypass
by security-news＠drupal.org 14 Aug '13

14 Aug '13

View online: https://drupal.org/node/2065207 * Advisory ID: DRUPAL-SA-CONTRIB-2013-068 * Project: Entity API [1] (third-party module) * Version: 7.x * Date: 2013-August-14 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently enforce node access restrictions when checking for a user's access to view a comment associated with a particular node. The vulnerability is mitigated by the fact that it only applies to a user's access to view a comment in a situation where access should be restricted with entity access. The Entity API also does not properly restrict access when displaying selected entities using the Views field or area plugins, allowing users to view entities that they do not have access to. The vulnerability is mitigated by the fact that entities are only improperly exposed when a View has been configured to display them in a field, header or footer of a View. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Entity API 7.x-1.x versions prior to 7.x-1.2 Drupal core is not affected. If you do not use the contributed Entity API [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Entity API module for Drupal 7.x, upgrade to Entity API 7.x-1.2 [5] Also see the Entity API [6] project page. -------- REPORTED BY --------------------------------------------------------- The comment access bypass was reported by: * tanius [7] * Ezra Barnett Gildesgame [8] The Views header/footer access bypass was reported by: * Derek Ahmedzai [9] * Daniel Wehner [10] -------- FIXED BY ------------------------------------------------------------ * Devin Carlson [11] * Jakob Perry [12] * Daniel Wehner [13] * Wolfgang Ziegler [14], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [15] of the Drupal Security Team * Greg Knaddison [16] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [17]. Learn more about the Drupal Security team and their policies [18], writing secure code for Drupal [19], and securing your site [20]. [1] http://drupal.org/project/entity [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/entity [5] https://drupal.org/node/2065197 [6] http://drupal.org/project/entity [7] https://drupal.org/user/2478456 [8] https://drupal.org/user/69959 [9] https://drupal.org/user/167927 [10] https://drupal.org/user/99340 [11] https://drupal.org/user/290182 [12] https://drupal.org/user/45640 [13] https://drupal.org/user/99340 [14] https://drupal.org/user/16747 [15] http://drupal.org/user/262198 [16] http://drupal.org/user/36762 [17] http://drupal.org/contact [18] http://drupal.org/security-team [19] http://drupal.org/writing-secure-code [20] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-067 - BOTCHA - Information Disclosure (potential Privilege Escalation)
by security-news＠drupal.org 14 Aug '13

14 Aug '13

View online: https://drupal.org/node/2065057 * Advisory ID: DRUPAL-SA-CONTRIB-2013-067 * Project: BOTCHA Spam Prevention [1] (third-party module) * Version: 7.x * Date: 2013-August-14 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- BOTCHA is a highly configurable non-CAPTCHA spam protection framework. The module includes a debug mode which logs the content of submitted forms including passwords and other sensitive information. An attacker who gains access to the log (i.e. dblog or syslog depending on configuration) could get access to usernames and passwords or other sensitive information. The vulnerability is mitigated by the fact that the debugging level must be set to level 5 or 6 (a high level) and the attacker must gain access to the logs (i.e. "access site reports" permission or access to syslog). If you debug level 5 or 6 enabled on a production site, you should consider expiring passwords and instruct users to change their passwords. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * BOTCHA 7.x-1.x versions prior to 7.x-1.6. * BOTCHA 7.x-2.x versions prior to 7.x-2.1. * BOTCHA 7.x-3.x versions prior to 7.x-3.3. Drupal core is not affected. If you do not use the contributed BOTCHA module, there is nothing you need to do. Drupal core is not affected. If you do not use the contributed BOTCHA Spam Prevention [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the 1.x branch of BOTCHA module for Drupal 7.x, upgrade to BOTCHA 7.x-1.6 [5] * If you use the 2.x branch of BOTCHA module for Drupal 7.x, upgrade to BOTCHA 7.x-2.1 [6] * If you use the 3.x branch of BOTCHA module for Drupal 7.x, upgrade to BOTCHA 7.x-3.3 [7] Also see the BOTCHA Spam Prevention [8] project page. -------- REPORTED BY --------------------------------------------------------- * Rob Hess [9] -------- FIXED BY ------------------------------------------------------------ * Dmitry Danilson [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/botcha [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/botcha [5] https://drupal.org/node/2064781 [6] https://drupal.org/node/2064783 [7] https://drupal.org/node/2064785 [8] http://drupal.org/project/botcha [9] http://drupal.org/user/507864 [10] http://drupal.org/user/1209848 [11] http://drupal.org/user/36762 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities
by security-news＠drupal.org 07 Aug '13

07 Aug '13

View online: https://drupal.org/node/2059823 * Advisory ID: DRUPAL-SA-CONTRIB-2013-066 * Project: Monster Menus [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-August-07 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Monster Menus enables you to create granular page permissions, and apply them to a hierarchical page structure. The mm_webform submodule enables you to assign permissions derived from Monster Menus to webform forms. The module doesn't sufficiently filter titles entered into page settings and echoes the supplied title back to the next user editing the settings, thereby allowing a Cross Site Scripting attack (XSS). This vulnerability is mitigated by the fact that an attacker must have the ability to add pages to the Monster Menus tree, and must also entice another user to edit the settings of a maliciously-crafted page. The mm_webform submodule doesn't correctly prohibit users with only "Who can read data submitted to this webform" permission from deleting webform submissions leading to an Access Bypass. This vulnerability is mitigated by the fact that an attacker must have an active login which is permitted to read a webform's submissions. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Monster Menus 6.x-6.x versions prior to 6.x-6.61. * Monster Menus 7.x-1.x versions prior to 7.x-1.13. Drupal core is not affected. If you do not use the contributed Monster Menus [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Monster Menus module for Drupal 6.x, upgrade to Monster Menus 6.x-6.61 [5] * If you use the Monster Menus module for Drupal 7.x, upgrade to Monster Menus 7.x-1.13 [6] Also see the Monster Menus [7] project page. -------- REPORTED BY --------------------------------------------------------- * Five Colleges, Inc. -------- FIXED BY ------------------------------------------------------------ * Dan Wilga [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/monster_menus [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/monster_menus [5] https://drupal.org/node/2059807 [6] https://drupal.org/node/2059805 [7] http://drupal.org/project/monster_menus [8] http://drupal.org/user/56892 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-065 - Organic Groups - Access Bypass
by security-news＠drupal.org 07 Aug '13

07 Aug '13

View online: https://drupal.org/node/2059765 * Advisory ID: DRUPAL-SA-CONTRIB-2013-065 * Project: Organic groups [1] (third-party module) * Version: 7.x * Date: 2013-August-07 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module allows any authenticated user to guess the node ID of private groups, and subscribe to them without approval, thus being able to see their content. This vulnerability is mitigated by the fact that the permissions to subscribe are set to allow without approval. Furthermore, misconfiguration of the OG access fields (a.k.a visibility fields) could have lead to nodes not being private even though a site admin would expect them to be private, due to the group default setting. This vulnerability is mitigated by requiring a non-default configuration where the "Group visibility" field was not attached to the group node, and only the "Group content visibility" was attached to the group-content node. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * OG 7.x-2.x versions prior to 7.x-2.3. Drupal core is not affected. If you do not use the contributed Organic groups [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Organic groups module for Drupal 7.x, upgrade to OG 7.x-2.3 [5] Also see the Organic groups [6] project page. -------- REPORTED BY --------------------------------------------------------- * Nic Ivy [7] * Hunter Fox [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Amitai Burstein [9] the module maintainer * Roy Segall [10] from Gizra * Hunter Fox [11] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [12] of the Drupal Security Team * David Stoline [13] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. [1] http://drupal.org/project/og [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/og [5] https://drupal.org/node/2059755 [6] http://drupal.org/project/og [7] https://drupal.org/user/6194 [8] https://drupal.org/user/426416 [9] https://drupal.org/user/57511 [10] https://drupal.org/user/1812910 [11] https://drupal.org/user/426416 [12] https://drupal.org/user/426416 [13] https://drupal.org/user/329570 [14] http://drupal.org/contact [15] http://drupal.org/security-team [16] http://drupal.org/writing-secure-code [17] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)
by security-news＠drupal.org 07 Aug '13

07 Aug '13

View online: https://drupal.org/node/2059599 * Advisory ID: DRUPAL-SA-CONTRIB-2013-064 * Project: Mozilla Persona [1] (third-party module) * Version: 7.x * Date: 2013-August-07 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- This module enables users to sign into a Drupal website using Mozilla Persona [3]. The module uses a security token to ensure that a sign-in request is made from a web page that is participating in the current session. It was possible for a security token that was not of type "string" to be accepted as correct regardless of it's value, thereby bypassing the protection against cross site request forgery. This vulnerability is mitigated by the fact that an attacker can only cause a victim to become signed in to an account that the attacker already has the ability to sign in to. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Persona 7.x-1.x versions prior to 7.x-1.11 Drupal core is not affected. If you do not use the contributed Mozilla Persona [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Mozilla Persona module for Drupal 7.x, upgrade to Persona 7.x-1.11 [6] Also see the Mozilla Persona [7] project page. -------- REPORTED BY --------------------------------------------------------- * Heine Deelstra [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Jonathan Brown [9], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Heine Deelstra [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/persona [2] http://drupal.org/security-team/risk-levels [3] https://www.mozilla.org/persona/ [4] http://cve.mitre.org/ [5] http://drupal.org/project/persona [6] https://drupal.org/node/2058655 [7] http://drupal.org/project/persona [8] https://drupal.org/user/17943 [9] https://drupal.org/user/46104 [10] https://drupal.org/user/17943 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure
by security-news＠drupal.org 07 Aug '13

07 Aug '13

View online: https://drupal.org/node/2059589 * Advisory ID: DRUPAL-SA-CONTRIB-2013-063 * Project: Authenticated User Page Caching (Authcache) [1] (third-party module) * Version: 7.x * Date: 2013-August-07 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- This module enables page caching for authenticated users. A separate version of each cacheable page is stored for each group of users with the same combination of roles. Users having the exact same role-combination like the superuser (uid=1) might access cached pages generated with the superuser. Therefore it might be possible that information is disclosed to those users intended only for the superuser. This vulnerability is mitigated by the fact that an attacker must have the exact same role-combination like the superuser. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * authcache 7.x-1.x versions prior to 7.x-1.5. Drupal core is not affected. If you do not use the contributed Authenticated User Page Caching (Authcache) [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the authcache module for Drupal 7.x, upgrade to authcache 7.x-1.5 [5] Also see the Authenticated User Page Caching (Authcache) [6] project page. -------- REPORTED BY --------------------------------------------------------- * Lorenz Schori [7] the module maintainer -------- FIXED BY ------------------------------------------------------------ * Lorenz Schori [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Ben Jeavons [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/authcache [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/authcache [5] http://drupal.org/node/2058165 [6] http://drupal.org/project/authcache [7] http://drupal.org/user/63999 [8] http://drupal.org/user/63999 [9] http://drupal.org/user/91990 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0