View online: https://www.drupal.org/node/2365809
* Advisory ID: DRUPAL-SA-CONTRIB-2014-106
* Project: Commerce Authorize.Net SIM/DPM Payment Methods [1]
(third-party module)
* Version: 7.x
* Date: 2014-October-29
* Security risk: 12/25 ( Moderately Critical)
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module provides payment methods for the Drupal Commerce [3] package to
permit the use of the Authorize.Net payment gateway's SIM and DPM payment
protocols.
.... Access Bypass
The module doesn't sufficiently protect the Drupal Commerce order number
passed to the Authorize.Net payment gateway, allowing a specially modified
payment POST transaction to Authorize.Net to be applied to a previous order
still in the checkout state. This could allow the previous transaction to be
marked as paid even though the payment applied was smaller than the order's
outstanding balance.
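The following is an added example, not the module's code, showing the three server-side checks that close the gap described above: the order number and amount the shop issues are fingerprinted with a merchant secret so the gateway's POST cannot be re-pointed at another order, the order must still be awaiting payment, and the paid amount must cover the outstanding balance. The order store, secret and field names are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple

# Constructed merchant-side signing secret; a real deployment keeps this in configuration.
MERCHANT_SECRET = b"constructed-merchant-secret-not-a-real-key"


@dataclass
class Order:
    order_id: int
    status: str        # "checkout_payment" while awaiting payment, "completed" once paid
    balance: Decimal   # outstanding amount the customer still owes


# Constructed in-memory order store standing in for the shop's database.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "checkout_payment", Decimal("150.00")),
    1002: Order(1002, "checkout_payment", Decimal("5.00")),
}


def sign_order_reference(order_id: int, amount) -> str:
    """Fingerprint the shop emits alongside the order number and amount when it
    sends the customer to the gateway. The gateway echoes it back in its POST,
    so a notification whose order number or amount differs from what the shop
    issued no longer matches."""
    amt = Decimal(str(amount))
    msg = f"{order_id}|{amt:.2f}".encode()
    return hmac.new(MERCHANT_SECRET, msg, hashlib.sha256).hexdigest()


def apply_payment_notification(post: Dict[str, str]) -> Tuple[bool, str]:
    """Validate a gateway payment notification before marking the order paid.
    Returns (accepted, reason). The fingerprint ties the POST to the order it was
    issued for, the status check refuses replays onto orders that have left
    checkout, and the balance check refuses a payment smaller than what is owed."""
    try:
        order_id = int(post["order_id"])
        amount = Decimal(post["amount"])
    except (KeyError, ValueError, InvalidOperation):
        return False, "malformed notification"
    order = ORDERS.get(order_id)
    if order is None:
        return False, "unknown order"
    expected = sign_order_reference(order_id, amount)
    if not hmac.compare_digest(expected, post.get("fingerprint", "")):
        return False, "fingerprint does not match this order number and amount"
    if order.status != "checkout_payment":
        return False, f"order is not awaiting payment (status={order.status})"
    if amount < order.balance:
        return False, f"payment {amount} is smaller than outstanding balance {order.balance}"
    order.balance -= amount
    order.status = "completed"
    return True, "payment applied"
```

A notification carrying the fingerprint issued for the $5.00 order is refused when its order number is rewritten to the $150.00 order, and even without the fingerprint the balance check alone would refuse the short payment.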
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to
7.x-1.1.
Drupal core is not affected. If you do not use the contributed Commerce
Authorize.Net SIM/DPM Payment Methods [5] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for
Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods
7.x-1.1 [6]
Also see the Commerce Authorize.Net SIM/DPM Payment Methods [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Vadim Mirgorod [8]
-------- FIXED BY
------------------------------------------------------------
* Vadim Mirgorod [9]
* Jerry Hudgins [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [11] of the Drupal Security Team
* Rick Manelius [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14],
writing secure code for Drupal [15], and
securing your site [16].
[1] https://www.drupal.org/project/commerce_authnet_simdpm
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/commerce_authnet_simdpm
[6] https://www.drupal.org/node/2361849
[7] https://www.drupal.org/project/commerce_authnet_simdpm
[8] https://www.drupal.org/user/243418
[9] https://www.drupal.org/user/243418
[10] https://www.drupal.org/user/96266
[11] https://www.drupal.org/u/larowlan
[12] https://www.drupal.org/user/680072
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2365685
* Advisory ID: DRUPAL-SA-CONTRIB-2014-105
* Project: OG Menu [1] (third-party module)
* Version: 7.x
* Date: 2014-October-29
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
OG Menu allows using menus within Organic Groups.
The permissions for accessing the module settings were too broad, possibly
granting access to users who would normally not be able to change the OG Menu
configuration.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "access administration pages".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* OG Menu 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed OG Menu [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version of the 7.x-2.x branch:
* If you use the OG Menu module for Drupal 7.x, upgrade to OG Menu 7.x-2.2
[5]
The OG Menu 7.x-3.x branch is not affected.
Also see the OG Menu [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Lucas D Hedding [7]
-------- FIXED BY
------------------------------------------------------------
* Wim Vanheste [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] https://www.drupal.org/project/og_menu
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/og_menu
[5] https://www.drupal.org/node/2365259
[6] https://www.drupal.org/project/og_menu
[7] https://www.drupal.org/user/1463982
[8] https://www.drupal.org/user/655596
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2365673
* Advisory ID: DRUPAL-SA-CONTRIB-2014-104
* Project: Addressfield Tokens [1] (third-party module)
* Version: 7.x
* Date: 2014-October-29
* Security risk: 14/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Addressfield Tokens module extends the Addressfield module by adding full
token support.
The module doesn't sufficiently filter malicious user input, opening a Cross
Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the
fact that an attacker must have a role with the permission "create content"
or "edit content".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Addressfield Tokens 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Addressfield
Tokens [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Addressfield Tokens module for Drupal 7.x, upgrade to
Addressfield Tokens 7.x-1.5 [5]
Also see the Addressfield Tokens [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Markus Sipilä [7]
-------- FIXED BY
------------------------------------------------------------
* Markus Sipilä [8]
* Stéphane Corlosquet [9]
* Mark Casias [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Stéphane Corlosquet [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] https://www.drupal.org/project/addressfield_tokens
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/addressfield_tokens
[5] https://www.drupal.org/node/2365663
[6] https://www.drupal.org/project/addressfield_tokens
[7] https://www.drupal.org/user/109674
[8] https://www.drupal.org/user/109674
[9] https://www.drupal.org/user/52142
[10] https://www.drupal.org/user/206687
[11] https://www.drupal.org/user/52142
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2365645
* Advisory ID: DRUPAL-SA-CONTRIB-2014-103
* Project: Passwordless [1] (third-party module)
* Version: 7.x
* Date: 2014-October-29
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module replaces the regular Drupal login form with a modified version of
the password-request form, so that users can log in without using a password.
The module doesn't sufficiently sanitize user-generated text entered in the
module's configuration form.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "configure passwordless settings".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Passwordless 7.x-1.x versions up to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed Passwordless
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* Upgrade to Passwordless 7.x-1.8 [5]
Also see the Passwordless [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ubani Balogun [7]
-------- FIXED BY
------------------------------------------------------------
* Antonio Savorelli [8] the module maintainer
* Ubani Balogun [9]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] https://www.drupal.org/project/passwordless
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/passwordless
[5] https://www.drupal.org/node/2361665
[6] https://www.drupal.org/project/passwordless
[7] https://www.drupal.org/user/2858707
[8] https://www.drupal.org/user/121829
[9] https://www.drupal.org/user/2858707
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/PSA-2014-003
* Advisory ID: DRUPAL-PSA-2014-003
* Project: Drupal core [1]
* Version: 7.x
* Date: 2014-October-29
* Security risk: 25/25 ( Highly Critical)
AC:None/A:None/CI:All/II:All/E:Exploit/TD:All [2]
-------- DESCRIPTION
---------------------------------------------------------
This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal
core - SQL injection [3]. This is not an announcement of a new vulnerability
in Drupal.
Automated attacks began compromising Drupal 7 websites that were not patched
or updated to Drupal 7.32 within hours of the announcement of
SA-CORE-2014-005 - Drupal core - SQL injection [4]. You should proceed under
the assumption that every Drupal 7 website was compromised unless updated or
patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
*Simply updating to Drupal 7.32 will not remove backdoors.*
If you have not updated or applied this patch [5], do so immediately, then
continue reading this announcement; updating to version 7.32 or applying the
patch fixes the vulnerability but does not fix an already compromised
website. If you find that your site is already patched but you did not do
it yourself, that can be a symptom that the site was compromised: some attacks
have applied the patch as a way to guarantee they are the only attacker in
control of the site.
.... Data and damage control
Attackers may have copied all data out of your site and could use it
maliciously. There may be no trace of the attack.
Take a look at our help documentation, “Your Drupal site got hacked, now
what” [6]
.... Recovery
Attackers may have created access points for themselves (sometimes called
“backdoors”) in the database, code, files directory and other locations.
Attackers could compromise other services on the server or escalate their
access.
Removing a compromised website’s backdoors is difficult because it is not
possible to be certain all backdoors have been found.
The Drupal security team recommends that you consult with your hosting
provider. If they did not patch Drupal for you or otherwise block the SQL
injection attacks within hours of the announcement on Oct 15th, 4pm UTC,
restore your website to a backup from before 15 October 2014:
1) Take the website offline by replacing it with a static HTML page
2) Notify the server’s administrator emphasizing that other sites or
applications hosted on the same server might have been compromised via a
backdoor installed by the initial attack
3) Consider obtaining a new server, or otherwise remove all the website’s
files and database from the server. (Keep a copy safe for later
analysis.)
4) Restore the website (Drupal files, uploaded files and database) from
backups from before 15 October 2014
5) Update or patch the restored Drupal core code
6) Put the restored and patched/updated website back online
7) Manually redo any desired changes made to the website since the date of
the restored backup
8) Audit anything merged from the compromised website, such as custom code,
configuration, files or other artifacts, to confirm they are correct and
have not been tampered with.
While recovery without restoring from backup may be possible, this is not
advised because backdoors can be extremely difficult to find. The
recommendation is to restore from backup or rebuild from scratch.
For more information, please see our FAQ on SA-CORE-2014-005 [7].
-------- WRITTEN BY
----------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
* Bevan Rudge [9]
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
* Stéphane Corlosquet [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
* Rick Manelius [13] of the Drupal Security Team
* Peter Wolanin [14] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
We've prepared a FAQ on this release. Read more at FAQ on SA-CORE-2014-005
[15].
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [16].
Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/SA-CORE-2014-005
[4] https://www.drupal.org/SA-CORE-2014-005
[5] https://www.drupal.org/SA-CORE-2014-005
[6] https://www.drupal.org/node/2365547
[7] https://www.drupal.org/drupalsa05FAQ
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/u/Bevan
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/u/scor
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/u/rickmanelius
[14] https://www.drupal.org/u/pwolanin
[15] https://www.drupal.org/drupalsa05FAQ
[16] https://www.drupal.org/contact
[17] https://www.drupal.org/security-team
[18] https://www.drupal.org/writing-secure-code
[19] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2361617
* Advisory ID: DRUPAL-SA-CONTRIB-2014-102
* Project: Document [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-October-08
* Security risk: 8/25 ( Less Critical)
AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Document module is a basic Document Management System for Drupal.
.... Cross Site Scripting (XSS)
The module wasn't sanitizing user input sufficiently in a few use cases.
This vulnerability is mitigated by the fact that a user must have
permissions to add or edit documents to be able to exploit the vulnerability.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Document 6.x-1.11 versions prior to 6.x-1.11.
* Document 7.x-1.20 versions prior to 7.x-1.20.
Drupal core is not affected. If you do not use the contributed Document [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Document module for Drupal 6.x, upgrade to Document
6.x-1.12. [5]
* If you use the Document module for Drupal 7.x, upgrade to Document
7.x-1.21. [6]
Also see the Document [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt V. [8]
-------- FIXED BY
------------------------------------------------------------
* Rahul S. [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Francisco José Cruz Romanos [10] provisional member of the Drupal
Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12],
writing secure code for Drupal [13], and
securing your site [14].
[1] https://www.drupal.org/project/document
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/document
[5] https://www.drupal.org/node/2357387
[6] https://www.drupal.org/node/2357389
[7] https://www.drupal.org/project/document
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/user/473356
[10] https://www.drupal.org/user/848238
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2361613
* Advisory ID: DRUPAL-SA-CONTRIB-2014-101
* Project: Ubercart [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-October-22
* Security risk: 13/25 ( Moderately Critical)
AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Ubercart module provides a shopping cart and e-commerce features for
Drupal.
.... Cross Site Request Forgery (CSRF)
The country administration links are not properly protected. A malicious user
could trick a store administrator into enabling or disabling a country by
getting them to visit a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Ubercart 7.x-3.x versions prior to 7.x-3.8.
* Ubercart 6.x-2.x versions prior to 6.x-2.14.
Drupal core is not affected. If you do not use the contributed Ubercart [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart
7.x-3.8 [5]
* If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart
6.x-2.14 [6]
Also see the Ubercart [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ayesh Karunaratne [8]
-------- FIXED BY
------------------------------------------------------------
* Ayesh Karunaratne [9]
* Dave Long [10] the module maintainer
* Francisco José Cruz Romanos [11] provisional member of the Drupal
Security Team
-------- COORDINATED BY
------------------------------------------------------
* Francisco José Cruz Romanos [12] provisional member of the Drupal
Security Team
* Rick Manelius [13] member of Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15],
writing secure code for Drupal [16], and
securing your site [17].
[1] https://www.drupal.org/project/ubercart
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/ubercart
[5] https://www.drupal.org/node/2361321
[6] https://www.drupal.org/node/2361323
[7] https://www.drupal.org/project/ubercart
[8] https://www.drupal.org/user/796148
[9] https://www.drupal.org/user/796148
[10] https://www.drupal.org/user/246492
[11] https://www.drupal.org/user/848238
[12] https://www.drupal.org/user/848238
[13] https://www.drupal.org/user/680072
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2361611
* Advisory ID: DRUPAL-SA-CONTRIB-2014-100
* Project: Bad Behavior [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-October-22
* Security risk: 15/25 ( Critical)
AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:All [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to target any malicious software directed at a Web
site, whether it be a spambot, an ill-designed search engine bot, or a system
cracker. It blocks such access and then logs the attempts.
.... Information Disclosure
The module doesn't sufficiently sanitize log data, allowing usernames and
passwords to get included in its logs.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer bad behavior".
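As an added example (not the Bad Behavior module's code), the following Python shows how a request logger of this kind can keep the evidence it needs while never writing credentials to disk: header and form-field names are matched by component, so Drupal's login fields "name"/"pass" and nested names like "pass[pass1]" are handled, and bodies in a format the logger does not understand are dropped rather than stored. The log record and its values are constructed for the example.

```python
import re
from typing import Any, Dict
from urllib.parse import parse_qsl, urlencode

# Form-field and header names whose values must never reach a log. Names are split
# into components before matching, so "pass", "pass[pass1]" and "current_pass" all count.
SENSITIVE_NAMES = {"pass", "password", "passwd", "pwd", "secret", "token", "authorization", "cookie"}
REDACTED = "REDACTED"


def is_sensitive(name: str) -> bool:
    """True when any component of a field or header name is a credential-like word."""
    parts = re.split(r"[^a-z0-9]+", name.lower())
    return any(p in SENSITIVE_NAMES for p in parts)


def redact_form_body(body: str) -> str:
    """Rewrite an application/x-www-form-urlencoded body, keeping its structure (so the
    blocked request is still recognisable as a login attempt) but masking sensitive values."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, REDACTED if is_sensitive(k) else v) for k, v in pairs])


def sanitize_log_entry(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a blocked-request record that is safe to store. Credential
    headers (Cookie, Authorization) are masked, form bodies are redacted field by
    field, and any body in another format is replaced wholesale. Not logging bodies
    at all is the safer default; they are kept here only because recording what the
    blocked client sent is the logger's purpose."""
    out = dict(entry)
    out["headers"] = {k: (REDACTED if is_sensitive(k) else v)
                      for k, v in entry.get("headers", {}).items()}
    body = entry.get("body", "")
    if body and entry.get("content_type", "").startswith("application/x-www-form-urlencoded"):
        out["body"] = redact_form_body(body)
    elif body:
        out["body"] = REDACTED  # unknown body format: do not risk storing credentials
    return out


# Constructed record of a blocked login attempt, in the shape a request logger might keep.
SAMPLE_ENTRY = {
    "ip": "203.0.113.10",
    "method": "POST",
    "path": "/user/login",
    "content_type": "application/x-www-form-urlencoded",
    "headers": {"User-Agent": "constructed-bot/1.0", "Cookie": "SESSabc=secretvalue"},
    "body": "name=alice&pass=hunter2&form_id=user_login&op=Log+in",
}
```

Running sanitize_log_entry(SAMPLE_ENTRY) yields a record whose body reads "name=alice&pass=REDACTED&form_id=user_login&op=Log+in" and whose Cookie header is masked, while the user agent, path and IP needed for investigation are untouched.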
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* badbehavior 6.x-2.x versions prior to 6.x-2.2216.
* badbehavior 7.x-2.x versions prior to 7.x-2.2216.
Drupal core is not affected. If you do not use the contributed Bad Behavior
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the badbehavior module for Drupal 6.x, upgrade to badbehavior
6.x-2.2216 [5]
* If you use the badbehavior module for Drupal 7.x, upgrade to badbehavior
7.x-2.2216 [6]
Also see the Bad Behavior [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Hugh Wormington [8]
-------- FIXED BY
------------------------------------------------------------
* Hugh Wormington [9]
* Sean Robertson [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13],
writing secure code for Drupal [14], and
securing your site [15].
[1] https://www.drupal.org/project/badbehavior
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/badbehavior
[5] https://www.drupal.org/node/2360953
[6] https://www.drupal.org/node/2360955
[7] https://www.drupal.org/project/badbehavior
[8] https://www.drupal.org/user/511008
[9] https://www.drupal.org/user/511008
[10] https://www.drupal.org/user/7074
[11] https://www.drupal.org/user/680072
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2357295
* Advisory ID: DRUPAL-SA-CONTRIB-2014-099
* Project: Open Atrium [1] (third-party module)
* Version: 7.x
* Date: 2014-October-15
* Security risk: 10/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The oa_core module contains the base access control mechanism for the Open
Atrium distribution (OA2). In OA2, file attachments are given the same
access permission as the node they are attached to.
The vulnerability occurs when an attachment is removed from a node that has
Revisions enabled: anonymous users can still view the file, because it remains
attached to the previous revision.
This vulnerability is mitigated by the fact that it requires using Revisions
and removing files attached to revisions. If revisions are disabled or files
are not removed from nodes, then access works as designed.
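An added model of the edge case above, written for this page rather than taken from oa_core: a file-download check that consults only each node's current revision treats a file removed from that revision as belonging to no node and lets it through, while a check that walks every revision (and denies files nobody references) keeps the file as private as the node it was attached to. The node, user and URI values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

ANONYMOUS = "anonymous"


@dataclass
class Node:
    nid: int
    members: Set[str]                                         # users allowed to view this private node
    revisions: List[Set[str]] = field(default_factory=list)   # attachment URIs per revision, last = current


def node_access(node: Node, user: str) -> bool:
    """Every node in this model is group-private: only its members may view it."""
    return user in node.members


def file_access_current_only(nodes: Dict[int, Node], uri: str, user: str) -> bool:
    """Model of the flawed check. Only the current revision of each node is consulted,
    so once the attachment has been removed from that revision the file appears to
    belong to no node, no node-level restriction applies, and the download is allowed."""
    owners = [n for n in nodes.values() if n.revisions and uri in n.revisions[-1]]
    if not owners:
        return True
    return any(node_access(n, user) for n in owners)


def file_access_all_revisions(nodes: Dict[int, Node], uri: str, user: str) -> bool:
    """Corrected check. Every revision counts as a referrer, and a file that no node
    references at all is denied rather than allowed by default."""
    owners = [n for n in nodes.values() if any(uri in rev for rev in n.revisions)]
    if not owners:
        return False
    return any(node_access(n, user) for n in owners)


def build_sample() -> Dict[int, Node]:
    """Constructed scenario: a private group node whose first revision carried
    report.pdf; a later revision removed the attachment but revision 1 still exists."""
    node = Node(nid=7, members={"alice"})
    node.revisions.append({"private://report.pdf"})   # revision 1: attachment present
    node.revisions.append(set())                      # revision 2 (current): attachment removed
    return {7: node}
```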
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* oa_core 7.x-2.x versions prior to 7.x-2.22 [4].
Drupal core is not affected. If you do not use the contributed Open Atrium
[5] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the oa_core module for Drupal 7.x, upgrade to oa_core 7.x-2.22
[6].
Also see the Open Atrium [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* .John [8]
-------- FIXED BY
------------------------------------------------------------
* Mike Potter [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Hunter Fox [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13],
writing secure code for Drupal [14], and
securing your site [15].
[1] https://www.drupal.org/project/openatrium
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/node/2357279
[5] https://www.drupal.org/project/openatrium
[6] https://www.drupal.org/node/2357279
[7] https://www.drupal.org/project/openatrium
[8] https://www.drupal.org/user/2659819
[9] https://www.drupal.org/user/616192
[10] https://www.drupal.org/user/426416
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2357029
* Advisory ID: DRUPAL-SA-CONTRIB-2014-098
* Project: CKEditor - WYSIWYG HTML editor [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-October-15
* Security risk: 16/25 ( Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The CKEditor module (and its predecessor, the FCKeditor module) allows Drupal to
replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in the case of the
FCKeditor module), a visual HTML editor, sometimes called a WYSIWYG editor.
Both modules define a function, called via an ajax request, that filters text
before passing it into the editor, to prevent certain cross site scripting
attacks on content edits (that the JavaScript library might not handle).
Because the function did not check a CSRF token for anonymous users, it was
possible to perform reflected XSS against anonymous users via CSRF.
The problem existed in the CKEditor/FCKeditor modules for Drupal, not in the
JavaScript libraries with the same names.
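The Ubercart country links (SA-CONTRIB-2014-101, above) and the editor's filter callback here share one root cause: a state-changing or reflecting endpoint reachable without a token bound to the caller's session. The following is an added Python model, not either module's code, of a token that is bound to both the session and the specific action; the skip_anonymous switch mirrors the $skip_anonymous argument of Drupal 7's drupal_valid_token() to show how skipping the check for anonymous callers leaves the endpoint open. The admin path, endpoint names and secret are hypothetical.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed site secret; a real site derives tokens from its private key and hash salt.
SITE_PRIVATE_KEY = b"constructed-site-private-key"
ANONYMOUS_SESSION = ""   # anonymous visitors carry no session in this model


def get_token(session_id: str, value: str) -> str:
    """Token bound to the caller's session and to the one action it authorises."""
    msg = f"{session_id}|{value}".encode()
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(token: str, value: str, session_id: str, skip_anonymous: bool = False) -> bool:
    """With skip_anonymous=True an anonymous request passes without any token, which is
    the failure mode behind the reflected XSS above. Without a session no per-user token
    can exist, so the safe choice is to refuse anonymous callers rather than skip them."""
    if skip_anonymous and session_id == ANONYMOUS_SESSION:
        return True
    if session_id == ANONYMOUS_SESSION:
        return False
    return hmac.compare_digest(get_token(session_id, value), token)


def country_toggle_link(session_id: str, country_id: int, action: str) -> str:
    """Admin link carrying a token for exactly this country and action (hypothetical path)."""
    value = f"country/{country_id}/{action}"
    return f"/admin/countries/{country_id}/{action}?token={get_token(session_id, value)}"


def handle_country_toggle(session_id: str, country_id: int, action: str,
                          query: Dict[str, str], store: Dict[int, bool]) -> int:
    """Server side of the link above; returns an HTTP-style status code. A link forged on
    another site cannot carry a token for this session, so the toggle is refused."""
    if action not in ("enable", "disable"):
        return 404
    value = f"country/{country_id}/{action}"
    if not valid_token(query.get("token", ""), value, session_id):
        return 403
    store[country_id] = (action == "enable")
    return 200


def handle_xss_filter_ajax(session_id: str, query: Dict[str, str], text: str,
                           skip_anonymous: bool) -> Tuple[int, str]:
    """The editor's 'filter text before loading it' callback; returns (status, filtered_text).
    Gating the callback on a token stops it from being invoked cross-site at all."""
    if not valid_token(query.get("token", ""), "editor/xss-filter", session_id, skip_anonymous):
        return 403, ""
    # Placeholder for the real filter (not the module's); the point here is the token gate.
    filtered = text.replace("<script", "&lt;script").replace("</script", "&lt;/script")
    return 200, filtered
```

With skip_anonymous=True the filter callback answers an anonymous, token-less request with 200; with the skip removed the same request gets 403, and the country toggle refuses both a token-less link and a token issued for a different action.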
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CKEditor 7.x-1.x versions prior to 7.x-1.15.
* CKEditor 6.x-1.x versions prior to 6.x-1.14.
* FCKeditor 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed CKEditor -
WYSIWYG HTML editor [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor
7.x-1.16 [5]
* If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor
6.x-1.15 [6]
* If you use the FCKeditor module for Drupal 6.x, upgrade to FCKeditor
6.x-2.4 [7]
Also see the CKEditor - WYSIWYG HTML editor [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Antonio Sánchez [9]
-------- FIXED BY
------------------------------------------------------------
* Wiktor Walc [10] the module maintainer
* Nguyễn Hải Nam [11] the module maintainer
* Matt Vance [12] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] https://www.drupal.org/project/ckeditor
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/ckeditor
[5] https://www.drupal.org/node/2356563
[6] https://www.drupal.org/node/2356565
[7] https://www.drupal.org/node/2356557
[8] https://www.drupal.org/project/ckeditor
[9] https://www.drupal.org/user/2957675
[10] https://www.drupal.org/u/wwalc
[11] https://www.drupal.org/u/jcisio
[12] https://www.drupal.org/u/matt-v.
[13] https://www.drupal.org/u/greggles
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration