View online: https://drupal.org/node/2092395
* Advisory ID: DRUPAL-SA-CONTRIB-2013-077
* Project: Google Site Search [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-September-18
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to use the Google API to search one or more sites and
show the result in your Drupal site, with your custom styling.
The module doesn't sufficiently sanitize the data retrieved from the Google
API.
This vulnerability is mitigated by the fact that an attack must come from the
API, which requires either compromising Google or spoofing DNS.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Google Site Search 6.x-1.x versions before 6.x-1.4.
* Google Site Search 7.x-1.x versions before 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Google Site
Search [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Google Site Search module for Drupal 6.x, upgrade to
6.x-1.4 [5]
* If you use the Google Site Search module for Drupal 7.x, upgrade to
7.x-1.10 [6]
Also see the Google Site Search [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Philip Hornig [8]
-------- FIXED BY
------------------------------------------------------------
* Dhavyd Vanderlei [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* pwolanin [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/gss
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/gss
[5] https://drupal.org/node/2091745
[6] https://drupal.org/node/2091753
[7] http://drupal.org/project/gss
[8] http://drupal.org/user/611674
[9] http://drupal.org/user/1483950
[10] http://drupal.org/user/49851
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2087095
* Advisory ID: DRUPAL-SA-CONTRIB-2013-076
* Project: jQuery Countdown [1] (third-party module)
* Version: 7.x
* Date: 2013-September-11
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The jQuery Countdown module enables you to display a countdown block based
on date settings.
The jQuery Countdown Module does not properly sanitize the settings, allowing
a malicious user to embed scripts within a page, resulting in a Cross-site
Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have the
"access administration pages" permission.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* jquery_countdown 7.x-1.x versions prior to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed jQuery
Countdown [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the jQuery Countdown module, upgrade to jQuery Countdown
7.x-1.1 [5]
Also see the jQuery Countdown [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Joachim Noreiko [7]
-------- FIXED BY
------------------------------------------------------------
* Dennis Brücke [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] and Lee Rowlands [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/jquery_countdown
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/jquery_countdown
[5] https://drupal.org/node/2087089
[6] http://drupal.org/project/jquery_countdown
[7] https://drupal.org/user/107701
[8] https://drupal.org/user/413429
[9] http://drupal.org/user/36762
[10] https://drupal.org/user/395439
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2087055
* Advisory ID: DRUPAL-SA-CONTRIB-2013-075
* Project: Click2Sell Suite [1] (third-party module)
* Version: 6.x
* Date: 2013-September-11
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Click2Sell is an Affiliate Marketing Network which lets you sell your
products through their marketplace or on your website with buy it now
buttons, and which also allows you to access hundreds of affiliates who want
to sell your product for you and earn commission.
.... Reflected Cross Site Scripting (XSS)
The module doesn't sufficiently filter user supplied data when presenting a
confirmation form.
.... Cross Site Request Forgery (CSRF)
The module doesn't properly use Drupal's Form API which allows a malicious
user to trick an admin into accidentally deleting information from
Click2Sell's database.
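The CSRF point above, as an added example that is not the Click2Sell Suite module's code: a delete action exposed as a bare page callback beside the same action routed through Drupal's Form API. It is written against the Drupal 7 API for a hypothetical module "example_sales" with a hypothetical table "example_sales_item" keyed by "id".

```php
<?php
// Added example, not the Click2Sell Suite module's code: guarding a
// destructive admin action with Drupal's Form API. Written against the
// Drupal 7 API for a hypothetical module "example_sales" with a table
// "example_sales_item" keyed by "id".

/**
 * Vulnerable pattern: a plain page callback that deletes on a GET request.
 * An administrator whose browser loads a link to this path from any other
 * site sends the admin session cookie along; the row is deleted with no
 * confirmation and no token check.
 */
function example_sales_delete_unsafe($id) {
  db_delete('example_sales_item')->condition('id', $id)->execute();
  drupal_goto('admin/example-sales');
}

/**
 * Hardened pattern: route the action through a confirm form. Form API adds a
 * per-session form_token to every form it renders and rejects a submission
 * whose token is missing or wrong, so a forged request never reaches the
 * submit handler.
 */
function example_sales_menu() {
  $items['admin/example-sales/delete/%'] = array(
    'title' => 'Delete item',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_sales_delete_confirm', 3),
    'access arguments' => array('administer example sales'),
  );
  return $items;
}

function example_sales_delete_confirm($form, &$form_state, $id) {
  $form['id'] = array('#type' => 'value', '#value' => $id);
  return confirm_form($form,
    t('Are you sure you want to delete item %id?', array('%id' => $id)),
    'admin/example-sales',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

function example_sales_delete_confirm_submit($form, &$form_state) {
  // Reached only after Form API has validated the token and rebuilt the form.
  db_delete('example_sales_item')
    ->condition('id', $form_state['values']['id'])
    ->execute();
  drupal_set_message(t('Item deleted.'));
  $form_state['redirect'] = 'admin/example-sales';
}
```

In Drupal 6.x, the version this advisory covers, the form builder takes (&$form_state, $id) and the delete would use db_query(), but confirm_form() and the form token check work the same way.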
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All Click2Sell Suite 6.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Click2Sell
Suite [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* If you use the Click2Sell Suite module for Drupal 6.x you should disable
it.
Also see the Click2Sell Suite [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Greg Knaddison [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/click2sell
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/click2sell
[5] http://drupal.org/project/click2sell
[6] http://drupal.org/user/36762
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2087051
* Advisory ID: DRUPAL-SA-CONTRIB-2013-074
* Project: MediaFront [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-September-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The MediaFront module provides a front-end media presentation layer for
Drupal.
The module doesn't sufficiently filter user input from MediaFront preset
settings.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer mediafront" to exploit this bug.
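The sanitization gap named in this advisory and in the Google Site Search and jQuery Countdown advisories above, as an added example that is not code from the mediafront, gss or jquery_countdown modules: block output that concatenates an admin setting and a remote-API string unescaped, beside the form that escapes at output time. It is written against the Drupal 7 API for a hypothetical module "example_widget".

```php
<?php
// Added example, not code from the gss, jquery_countdown or mediafront
// modules: escaping module settings and remote-API data before output.
// Written against the Drupal 7 API for a hypothetical module "example_widget".

/**
 * Vulnerable form: an admin-supplied setting and a string fetched from a
 * remote API are concatenated straight into the block's HTML, so whoever
 * controls either string controls script on every page showing the block.
 */
function example_widget_content_unsafe($api_snippet) {
  $title = variable_get('example_widget_title', 'Search results');
  return '<div class="example-widget"><h2>' . $title . '</h2>' . $api_snippet . '</div>';
}

/**
 * Hardened form. check_plain() HTML-escapes a value that should be plain
 * text; filter_xss() keeps only the listed tags (and strips javascript: URLs)
 * for a value that is allowed to carry limited markup. Both results are safe
 * to concatenate into page output whatever the source of the string.
 */
function example_widget_content_safe($api_snippet) {
  $title = check_plain(variable_get('example_widget_title', 'Search results'));
  $snippet = filter_xss($api_snippet, array('b', 'i', 'em', 'strong', 'br'));
  return '<div class="example-widget"><h2>' . $title . '</h2>' . $snippet . '</div>';
}

/**
 * Settings form for the title. Form API stores the value as entered, so the
 * escaping at output time above is still required; #maxlength only bounds
 * how much an administrator with access to this form can store.
 */
function example_widget_settings_form($form, &$form_state) {
  $form['example_widget_title'] = array(
    '#type' => 'textfield',
    '#title' => t('Block title'),
    '#default_value' => variable_get('example_widget_title', 'Search results'),
    '#maxlength' => 128,
  );
  return system_settings_form($form);
}
```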
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* MediaFront 6.x-1.x versions prior to 6.x-1.6.
* MediaFront 7.x-1.x versions prior to 7.x-1.6.
* MediaFront 7.x-2.x versions prior to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed MediaFront [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the MediaFront module for Drupal 6.x, upgrade to MediaFront
6.x-1.6 [5]
* If you use the MediaFront module version 1.x for Drupal 7.x, upgrade to
MediaFront 7.x-1.6 [6]
* If you use the MediaFront module version 2.x for Drupal 7.x, upgrade to
MediaFront 7.x-2.1 [7]
Also see the MediaFront [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin KleinKeane [9]
-------- FIXED BY
------------------------------------------------------------
* Justin KleinKeane [10]
* Travis Tidwell [11] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/mediafront
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mediafront
[5] https://drupal.org/node/2086187
[6] https://drupal.org/node/2086189
[7] https://drupal.org/node/2086191
[8] http://drupal.org/project/mediafront
[9] https://drupal.org/user/302225
[10] https://drupal.org/user/302225
[11] http://drupal.org/user/98581
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2081887
* Advisory ID: PSA-2013-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2013-September-04
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This is a public service announcement regarding possible insertion of hidden
links in comments using core CSS selectors within filtered HTML Text formats
("Input formats" in Drupal 6). Drupal core provides several CSS selectors
that, by design, hide elements on the page. Using these selectors it is
possible to create links to third-party websites that are hidden within a
comment. This technique has been observed on live production websites.
Drupal core provides mechanisms that sanitize user submitted links by adding
a rel="nofollow" attribute. This feature can be enabled for Drupal 7 sites at
admin/config/content/formats/filtered_html and for Drupal 6 sites at
admin/settings/filters/1/configure. Note that these paths are for the default
formats provided with core. Your site may define custom formats which should
be reviewed and updated as well.
Careful moderation of user submitted comments is always advised.
Additionally, automated comment moderation tools may help to mitigate and
flag these malicious comment submissions.
-------- SOLUTION
------------------------------------------------------------
Review user-submitted content on your site to see if untrusted users have
posted content that includes classes. Review those classes to see if they
will hide unwanted content.
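One way to carry out the review above, as an added example that is not Drupal core code: a function that parses a comment body and returns the links sitting inside an element whose class would hide them. The class list is an assumption: element-invisible and element-hidden are the hiding classes in Drupal 7's system.base.css; extend it with any your theme or a Drupal 6 site defines. The sample comment body is constructed.

```php
<?php
// Added example, not Drupal core code: find links a comment hides through a
// core hiding class. The default class list is an assumption taken from
// Drupal 7's system.base.css; pass your own list for a Drupal 6 site or theme.

/**
 * Return the hrefs of <a> elements that are, or sit inside, an element whose
 * class attribute contains one of $hiding_classes.
 */
function find_hidden_links($html, array $hiding_classes = array('element-invisible', 'element-hidden')) {
  $found = array();
  if (trim($html) === '') {
    return $found;
  }
  $dom = new DOMDocument();
  libxml_use_internal_errors(TRUE);   // comment bodies are fragments, not full documents
  $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
  libxml_clear_errors();
  foreach ($dom->getElementsByTagName('a') as $a) {
    // Walk from the link up to the document root, checking each element's classes.
    for ($node = $a; $node instanceof DOMElement; $node = $node->parentNode) {
      $classes = preg_split('/\s+/', trim($node->getAttribute('class')));
      if (array_intersect($classes, $hiding_classes)) {
        $found[] = $a->getAttribute('href');
        break;
      }
    }
  }
  return $found;
}

// Constructed sample: one visible link, one hidden by its wrapper, one hidden directly.
$sample = '<p>Nice post! <a href="http://example.com/ok">agree</a></p>'
  . '<p class="element-invisible">cheap <a href="http://example.net/spam">pills</a></p>'
  . '<a class="element-hidden" href="http://example.org/more">more</a>';
print_r(find_hidden_links($sample));
```

Run over the body column of the comment table (comment_body field data in Drupal 7, the comments table in Drupal 6), a non-empty result marks the comments to inspect.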
-------- REPORTED BY
---------------------------------------------------------
* Aaron Weiss [3]
-------- COORDINATED BY
------------------------------------------------------
* David Stoline [4] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [5].
Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/user/745366
[4] http://drupal.org/user/329570
[5] http://drupal.org/contact
[6] http://drupal.org/security-team
[7] http://drupal.org/writing-secure-code
[8] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2081637
* Advisory ID: DRUPAL-SA-CONTRIB-2013-073
* Project: Make Meeting Scheduler [1] (third-party module)
* Version: 6.x
* Date: 2013-September-04
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to create polls accessible by a URL containing a hash
(e.g. example.com/makemeeting/sn9028xh3398), so that anonymous users can view
and vote on the poll.
The module didn't sufficiently check access when a poll is accessed directly
via its node URL (e.g. node/123). Note: a user with the hashed URL can still
access and vote on the poll, as that is the intention of the module.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Make Meeting Scheduler 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Make Meeting
Scheduler [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Make Meeting Scheduler module for Drupal 6.x, upgrade to
Make Meeting Scheduler module 6.x-1.3 [5]
Also see the Make Meeting Scheduler [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* rhatto [7]
-------- FIXED BY
------------------------------------------------------------
* rhatto [8]
* SebCorbin [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/makemeeting
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/makemeeting
[5] https://drupal.org/node/2081647
[6] http://drupal.org/project/makemeeting
[7] http://drupal.org/user/108738
[8] http://drupal.org/user/108738
[9] http://drupal.org/user/412171
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration