Security-news October 2014

security-news@drupal.org

1 participants
13 discussions

SA-CORE-2014-005 - Drupal core - SQL injection
by security-news＠drupal.org 15 Oct '14

15 Oct '14

View online: https://www.drupal.org/SA-CORE-2014-005 * Advisory ID: DRUPAL-SA-CORE-2014-005 * Project: Drupal core [1] * Version: 7.x * Date: 2014-Oct-15 * Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2] * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * CVE-2014-3704 -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 7.x versions prior to 7.32. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 7.x, upgrade to Drupal core 7.32 [3]. If you are unable to update to Drupal 7.32 you can apply this patch [4] to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32. Also see the Drupal core [5] project page. -------- REPORTED BY --------------------------------------------------------- * Stefan Horst -------- FIXED BY ------------------------------------------------------------ * Stefan Horst * Greg Knaddison [6] of the Drupal Security Team * Lee Rowlands [7] of the Drupal Security Team * David Rothstein [8] of the Drupal Security Team * Klaus Purer [9] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * The Drupal Security Team [10] -------- CONTACT AND MORE INFORMATION ---------------------------------------- We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241. The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/drupal-7.32-release-notes [4] http://cgit.drupalcode.org/drupal/patch/?id=26a7752c34321fd9cb889308f507ca6… [5] https://www.drupal.org/project/drupal [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/larowlan [8] https://www.drupal.org/u/david_rothstein [9] https://www.drupal.org/u/klausi [10] https://www.drupal.org/security-team [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-096 - OAuth2 Client - Cross Site Scripting (XSS)
by security-news＠drupal.org 08 Oct '14

08 Oct '14

View online: https://www.drupal.org/node/2352747 * Advisory ID: DRUPAL-SA-CONTRIB-2014-096 * Project: OAuth2 Client [1] (third-party module) * Version: 7.x * Date: 2014-October-08 * Security risk: 10/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- OAuth2 Client is an API support module, enabling other modules to connect to services using OAuth2 authentication. Within its API code the Client class exposes variables in an error message, which originate from a third party source without proper sanitisation thus leading to a Cross Site Scripting vulnerability. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * OAuth2 Client 7.x-2.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed OAuth2 Client [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the OAuth2 Client module for Drupal 7.x, upgrade to OAuth2 Client 7.x-1.2 [5] Also see the OAuth2 Client [6] project page. -------- REPORTED BY --------------------------------------------------------- * Balazs Dianiska [7] a provisional member of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Dashamir Hoxha [8] the module maintainer * Balazs Dianiska [9] a provisional member of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * David Stoline [10], member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] https://www.drupal.org/project/oauth2_client [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/oauth2_client [5] https://www.drupal.org/node/2335935 [6] https://www.drupal.org/project/oauth2_client [7] https://www.drupal.org/user/58645 [8] https://www.drupal.org/user/993752 [9] https://www.drupal.org/user/58645 [10] https://www.drupal.org/u/dstol [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-097 - nodeaccess - Access Bypass
by security-news＠drupal.org 08 Oct '14

08 Oct '14

View online: https://www.drupal.org/node/2352757 * Advisory ID: DRUPAL-SA-CONTRIB-2014-097 * Project: Nodeaccess [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-October-08 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Uncommon [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. This module enables you to inadvertently allow an author of a node view/edit/delete the node in question (who may not have access). The module over-eagerly grants read/write/delete access to all authors of nodes. In addition, a node that is unpublished, but is granted node specific permissions will obey the node specific permissions and not the unpublished content permission for the role. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Nodeaccess 6.x-1.x versions prior to 6.x-1.5. * Nodeaccess 7.x-1.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed Nodeaccess [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Ensure that you are using the latest version of the Nodeaccess module when installing. For existing nodes, please ensure that the author permissions are correct. * If you use the Nodeaccess module for Drupal 6.x, upgrade to Nodeaccess 6.x-1.5 [5] * If you use the Nodeaccess module for Drupal 7.x, upgrade to Nodeaccess 7.x-1.4 [6] Also see the Nodeaccess [7] project page. -------- REPORTED BY --------------------------------------------------------- * AdamPS [8] * sanette [9] -------- FIXED BY ------------------------------------------------------------ * AdamPS [10] the issue reporter. * Vlad Pavlovic [11] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] https://www.drupal.org/project/nodeaccess [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/nodeaccess [5] https://www.drupal.org/node/2351755 [6] https://www.drupal.org/node/2351751 [7] https://www.drupal.org/project/nodeaccess [8] https://www.drupal.org/user/2650563 [9] https://www.drupal.org/user/2292392 [10] https://www.drupal.org/user/2650563 [11] https://www.drupal.org/u/vlad.pavlovic [12] https://www.drupal.org/u/greggles [13] https://www.drupal.org/contact [14] https://www.drupal.org/security-team [15] https://www.drupal.org/writing-secure-code [16] https://www.drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news October 2014