Security-news September 2013

security-news@drupal.org

1 participants
6 discussions

SA-CONTRIB-2013-077 - Google Site Search - Cross Site Scripting (XSS)
by security-news＠drupal.org 18 Sep '13

18 Sep '13

View online: https://drupal.org/node/2092395 * Advisory ID: DRUPAL-SA-CONTRIB-2013-077 * Project: Google Site Search [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-September-18 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to use the Google API to search one or more sites and show the result in your Drupal site, with your custom styling. The module doesn't sufficiently sanitize the data retrieved from the Google API. This vulnerability is mitigated by the fact that an attack must come from the API which requires either compromising Google or spoofing DNS. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Google Site Search 6.x-1.x versions before 6.x-1.4. * Google Site Search 7.x-1.x versions before 7.x-1.10. Drupal core is not affected. If you do not use the contributed Google Site Search [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Google Site Search module for Drupal 6.x, upgrade to 6.x-1.4 [5] * If you use the Google Site Search module for Drupal 7.x, upgrade to 7.x-1.10 [6] Also see the Google Site Search [7] project page. -------- REPORTED BY --------------------------------------------------------- * Philip Hornig [8] -------- FIXED BY ------------------------------------------------------------ * Dhavyd Vanderlei [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * pwolanin [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/gss [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/gss [5] https://drupal.org/node/2091745 [6] https://drupal.org/node/2091753 [7] http://drupal.org/project/gss [8] http://drupal.org/user/611674 [9] http://drupal.org/user/1483950 [10] http://drupal.org/user/49851 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-076 - jQuery Countdown - Cross Site Scripting (XSS)
by security-news＠drupal.org 11 Sep '13

11 Sep '13

View online: https://drupal.org/node/2087095 * Advisory ID: DRUPAL-SA-CONTRIB-2013-076 * Project: jQuery Countdown [1] (third-party module) * Version: 7.x * Date: 2013-September-11 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This jQuery Countdown Module enables you to display a countdown block based upon date settings. The jQuery Countdown Module does not properly sanitize the settings, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have the "access administration pages" permission. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * jquery_countdown 7.x-1.x versions prior to 7.x-1.0. Drupal core is not affected. If you do not use the contributed jQuery Countdown [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the jQuery Countdown module, upgrade to jQuery Countdown 7.x-1.1 [5] Also see the jQuery Countdown [6] project page. -------- REPORTED BY --------------------------------------------------------- * Joachim Noreiko [7] -------- FIXED BY ------------------------------------------------------------ * Dennis Brücke [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] and Lee Rowlands [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/jquery_countdown [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/jquery_countdown [5] https://drupal.org/node/2087089 [6] http://drupal.org/project/jquery_countdown [7] https://drupal.org/user/107701 [8] https://drupal.org/user/413429 [9] http://drupal.org/user/36762 [10] https://drupal.org/user/395439 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-075 - Click2Sell - Multiple Vulnerabilities (XSS and CSRF)
by security-news＠drupal.org 11 Sep '13

11 Sep '13

View online: https://drupal.org/node/2087055 * Advisory ID: DRUPAL-SA-CONTRIB-2013-075 * Project: Click2Sell Suite [1] (third-party module) * Version: 6.x * Date: 2013-September-11 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- Click2Sell is an Affiliate Marketing Network which lets you sell your products through their marketplace or on your website with buy it now buttons, and which also allows you to access hundreds of affiliates who want to sell your product for you and earn commission. .... Reflected Cross Site Scripting (XSS) The module doesn't sufficiently filter user supplied data when presenting a confirmation form. .... Cross Site Request Forgery (CSRF) The module doesn't properly use Drupal's Form API which allows a malicious user to trick an admin into accidentally deleting information from Click2Sell's database. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All Click2Sell Suite 6.x-1.x versions. Drupal core is not affected. If you do not use the contributed Click2Sell Suite [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ * If you use the Click2Sell Suite module for Drupal 6.x you should disable it. Also see the Click2Sell Suite [5] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. [1] http://drupal.org/project/click2sell [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/click2sell [5] http://drupal.org/project/click2sell [6] http://drupal.org/user/36762 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-074 - MediaFront - Cross Site Scripting (XSS)
by security-news＠drupal.org 11 Sep '13

11 Sep '13

View online: https://drupal.org/node/2087051 * Advisory ID: DRUPAL-SA-CONTRIB-2013-074 * Project: MediaFront [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-September-11 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The MediaFront module provides a front-end media presentation layer for Drupal The module doesn't sufficiently filter user input from MediaFront preset settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mediafront" to exploit this bug. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * MediaFront 6.x-1.x versions prior to 6.x-1.6. * MediaFront 7.x-1.x versions prior to 7.x-1.6. * MediaFront 7.x-2.x versions prior to 7.x-2.1. Drupal core is not affected. If you do not use the contributed MediaFront [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the MediaFront module for Drupal 6.x, upgrade to MediaFront 6.x-1.6 [5] * If you use the MediaFront module version 1.x for Drupal 7.x, upgrade to MediaFront 7.x-1.6 [6] * If you use the MediaFront module version 2.x for Drupal 7.x, upgrade to MediaFront 7.x-2.1 [7] Also see the MediaFront [8] project page. -------- REPORTED BY --------------------------------------------------------- * Justin KleinKeane [9] -------- FIXED BY ------------------------------------------------------------ * Justin KleinKeane [10] * Travis Tidwell [11] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/mediafront [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/mediafront [5] https://drupal.org/node/2086187 [6] https://drupal.org/node/2086189 [7] https://drupal.org/node/2086191 [8] http://drupal.org/project/mediafront [9] https://drupal.org/user/302225 [10] https://drupal.org/user/302225 [11] http://drupal.org/user/98581 [12] http://drupal.org/user/36762 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

PSA-2013-001: Drupal core - Users can insert hidden text and links
by security-news＠drupal.org 04 Sep '13

04 Sep '13

View online: https://drupal.org/node/2081887 * Advisory ID: PSA-2013-001 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2013-September-04 * Security risk: Not critical [2] * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- This is a public service announcement regarding possible insertion of hidden links in comments using core CSS selectors within filtered HTML Text formats ("Input formats" in Drupal 6). Drupal core provides several CSS selectors that, by design, hide elements on the page. Using these selectors it is possible to create links to third-party websites that are hidden within a comment. This technique has been observed on live production websites. Drupal core provides mechanisms that sanitize user submitted links by adding a rel="nofollow" attribute. This feature can be enabled for Drupal 7 sites at admin/config/content/formats/filtered_html and for Drupal 6 sites at admin/settings/filters/1/configure. Note that these paths are for the default formats provided with core. Your site may define custom formats which should be reviewed and updated as well. Careful moderation of user submitted comments is always advised. Additionally, automated comment moderation tools may help to mitigate and flag these malicious comment submissions. -------- SOLUTION ------------------------------------------------------------ Review user-submitted content on your site to see if untrusted users have posted content that includes classes. Review those classes to see if they will hide unwanted content. -------- REPORTED BY --------------------------------------------------------- * Aaron Weiss [3] -------- COORDINATED BY ------------------------------------------------------ * David Stoline [4] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [5]. Learn more about the Drupal Security team and their policies [6], writing secure code for Drupal [7], and securing your site [8]. [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/user/745366 [4] http://drupal.org/user/329570 [5] http://drupal.org/contact [6] http://drupal.org/security-team [7] http://drupal.org/writing-secure-code [8] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass
by security-news＠drupal.org 04 Sep '13

04 Sep '13

View online: https://drupal.org/node/2081637 * Advisory ID: DRUPAL-SA-CONTRIB-2013-073 * Project: Make Meeting Scheduler [1] (third-party module) * Version: 6.x * Date: 2013-September-04 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to create polls accessible by an url with hash (e.g. example.com/makemeeting/sn9028xh3398) so that anonymous users can view and vote on the poll. The module didn't sufficiently check access when a poll is accessed directly via its node url (e.g. node/123). Note: a user with the hashed url can still access and vote on the poll as that is the intention of the module. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Make Meeting Scheduler 6.x-1.x versions prior to 6.x-1.3. Drupal core is not affected. If you do not use the contributed Make Meeting Scheduler [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Make Meeting Scheduler module for Drupal 6.x, upgrade to Make Meeting Scheduler module 6.x-1.3 [5] Also see the Make Meeting Scheduler [6] project page. -------- REPORTED BY --------------------------------------------------------- * rhatto [7] -------- FIXED BY ------------------------------------------------------------ * rhatto [8] * SebCorbin [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/makemeeting [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/makemeeting [5] https://drupal.org/node/2081647 [6] http://drupal.org/project/makemeeting [7] http://drupal.org/user/108738 [8] http://drupal.org/user/108738 [9] http://drupal.org/user/412171 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news September 2013