View online: https://drupal.org/node/2205991
* Advisory ID: DRUPAL-SA-CONTRIB-2014-026
* Project: Mime Mail [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-February-26
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The MIME Mail module allows processing of incoming MIME-encoded e-mail
messages with embedded images and attachments.
The default key used to authenticate incoming messages is generated from a
random number. On some platforms (such as Windows) the maximum value of that
number is only 32767, so the resulting key space is small enough to be
exhausted by a brute force attack.
This vulnerability is mitigated by the fact that processing of incoming
messages must be enabled on the site, and that the site administrator can
replace the default key with an arbitrary value.
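The following is an added illustration, not Mime Mail's own code: it models a key derived from a 15-bit random value and shows that a single captured message and its authenticator are enough to recover the key by enumeration, then contrasts that with an HMAC over a key drawn from the OS random source, which is the shape of the fix the solution section describes. The legacy tag construction (an MD5 over key and message), the message text and the seed value are assumptions made for the example.

```python
"""Added example: brute-forcing a key drawn from a 15-bit random number, versus
HMAC under a 256-bit key. Not Mime Mail's code; the legacy key derivation and
authenticator below are assumptions for illustration."""
import hashlib
import hmac
import os
from typing import Optional

RAND_MAX_WINDOWS = 32767  # getrandmax() on the platforms the advisory refers to


def weak_key(seed: int) -> str:
    # Assumed legacy scheme: the key is a hash of one rand() result, so the
    # whole key space is defined by the 32768 possible seeds.
    return hashlib.md5(str(seed).encode()).hexdigest()


def legacy_tag(key: str, message: bytes) -> str:
    # Assumed legacy authenticator: md5(key || message).
    return hashlib.md5(key.encode() + message).hexdigest()


def brute_force_seed(message: bytes, tag: str) -> Optional[int]:
    """Recover the seed behind a weak key from one captured message and tag.
    At most 32768 hash operations, i.e. well under a second."""
    for seed in range(RAND_MAX_WINDOWS + 1):
        if legacy_tag(weak_key(seed), message) == tag:
            return seed
    return None


def new_key() -> bytes:
    # 32 bytes from the OS CSPRNG: 2**256 candidates instead of 2**15.
    return os.urandom(32)


def hmac_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    # Constant-time comparison so timing does not leak the tag byte by byte.
    return hmac.compare_digest(hmac_tag(key, message), tag)


if __name__ == "__main__":
    # Constructed sample: one message authenticated under a key seeded with 12345.
    msg = b"From: sender@example.com\nSubject: incoming\n\nhello"
    captured = legacy_tag(weak_key(12345), msg)
    print("recovered seed:", brute_force_seed(msg, captured))
    k = new_key()
    print("hmac ok:", verify_hmac(k, msg, hmac_tag(k, msg)))
    print("hmac tampered:", verify_hmac(k, msg + b"!", hmac_tag(k, msg)))
```

The point of the second half is that the strength comes from the key, not from swapping the hash function: an HMAC over a key that itself has only 32768 possible values would be just as enumerable.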
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mime Mail 6.x-1.x versions prior to 6.x-1.3.
* Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta2.
Drupal core is not affected. If you do not use the contributed Mime Mail [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Mime Mail module for Drupal 6.x, upgrade to Mime Mail
6.x-1.3 [5]
* If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail
7.x-1.0-beta2 [6]
These releases include a stronger authentication process for incoming
messages which is backward incompatible. If you are using this feature, make
sure to use the HMAC method with the new key generated during the update
process to authenticate your messages.
Also see the Mime Mail [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Heine Deelstra [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Gabor Seljan [9] the module maintainer
* Rick Manelius [10] provisional Drupal Security Team member
-------- COORDINATED BY
------------------------------------------------------
* Hunter Fox [11] of the Drupal Security Team
* Rick Manelius [12] provisional Drupal Security Team member.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] http://drupal.org/project/mimemail
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mimemail
[5] https://drupal.org/node/2205939
[6] https://drupal.org/node/2205949
[7] http://drupal.org/project/mimemail
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/232117
[10] http://drupal.org/user/680072
[11] http://drupal.org/user/426416
[12] https://drupal.org/user/680072
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2205807
* Advisory ID: DRUPAL-SA-CONTRIB-2014-024
* Project: Content locking (anti-concurrent editing) [1] (third-party
module)
* Version: 6.x, 7.x
* Date: 2014-February-26
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
This module prevents people from editing the same content at the same time by
adding a locking layer to nodes. The module does not protect its actions
against cross-site request forgery (CSRF).
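Since the advisory offers no fix, the following added example (not code from the Content locking module) shows what CSRF protection of a state-changing action such as releasing a lock looks like. The token construction follows the shape of Drupal 7's drupal_get_token(): an HMAC over the action name, keyed with the session id and a site-wide secret. The lock table, session ids and path names are constructed for the example.

```python
"""Added example: a per-session CSRF token guarding a lock-release action.
Not the Content locking module's code; names and state are constructed."""
import hashlib
import hmac
import os
from typing import Dict

# Stands in for the site's private key and hash salt; generated once per process.
SITE_PRIVATE_KEY = os.urandom(32)


def get_token(session_id: str, value: str) -> str:
    """Token bound to both the requesting session and the action it authorises,
    so a token for one action or one session is useless for another."""
    key = session_id.encode() + SITE_PRIVATE_KEY
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, value: str) -> bool:
    return hmac.compare_digest(token, get_token(session_id, value))


def release_lock_unprotected(locks: Dict[int, str], nid: int, user: str) -> bool:
    """Vulnerable pattern: any request that reaches this path releases the
    lock. An <img> or link on an attacker's page that the lock owner's browser
    fetches is enough, because the browser attaches the session cookie."""
    if locks.get(nid) == user:
        del locks[nid]
        return True
    return False


def release_lock_protected(locks: Dict[int, str], nid: int, user: str,
                           session_id: str, token: str) -> bool:
    """Fixed: the request must carry a token that only a page rendered for this
    session could contain, so a cross-site request is rejected before state
    is touched."""
    if not valid_token(token, session_id, f"content_lock/release/{nid}"):
        return False
    if locks.get(nid) == user:
        del locks[nid]
        return True
    return False


if __name__ == "__main__":
    locks = {42: "alice"}  # constructed: node 42 is locked by alice
    sid = "sess-alice"
    print("forged:", release_lock_protected(locks, 42, "alice", sid, "forged"))
    tok = get_token(sid, "content_lock/release/42")
    print("genuine:", release_lock_protected(locks, 42, "alice", sid, tok))
```

The token must be sent in the request body or a custom header of a POST, never as part of a GET URL that could be triggered from another origin, and it should be compared in constant time as above.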
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All 6.x Versions
* All 7.x Versions
Drupal core is not affected. If you do not use the contributed Content
locking (anti-concurrent editing) [4] module, there is nothing you need to
do.
-------- SOLUTION
------------------------------------------------------------
Uninstall the module; it is no longer maintained.
Also see the Content locking (anti-concurrent editing) [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Eugen Mayer [6]
-------- FIXED BY
------------------------------------------------------------
There is no fix for this issue.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [11]
[1] http://drupal.org/project/content_lock
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/content_lock
[5] http://drupal.org/project/content_lock
[6] https://drupal.org/user/108406
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
[11] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2205877
* Advisory ID: DRUPAL-SA-CONTRIB-2014-025
* Project: Open Omega [1] (third-party theme)
* Version: 7.x
* Date: 2014-February-26
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This theme is a sub-theme of Omega used as a sample theme for the OpenPublic
distribution.
The theme doesn't sufficiently check the user's menu access when building the
header and footer menus, so it can expose the title and path of restricted
menu items.
This vulnerability is mitigated by the fact that it is only present when the
menu contains items whose access is restricted by role.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* openomega 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Open Omega [4]
theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use this theme for Drupal 7.x, upgrade to Open Omega 7.x-1.1 [5]
Also see the Open Omega [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Peter Taylor [7]
-------- FIXED BY
------------------------------------------------------------
* Erik Summerfield [8], the theme maintainer
-------- COORDINATED BY
------------------------------------------------------
* Hunter Fox [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/openomega
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/openomega
[5] https://drupal.org/node/2205859
[6] http://drupal.org/project/openomega
[7] http://drupal.org/user/2674141
[8] http://drupal.org/user/189123
[9] http://drupal.org/user/426416
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2205767
* Advisory ID: DRUPAL-SA-CONTRIB-2014-023
* Project: Project Issue File Review [1] (third-party module)
* Version: 6.x
* Date: 2014-February-26
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Project Issue File Review (PIFR) module provides an abstracted
client-server model and plugin API for performing distributed operations such
as code review and testing, with a focus on supporting Drupal development.
Two scenarios were identified where the module does not sufficiently sanitize
user provided input, exposing the 'server' component of the module to
cross-site scripting vulnerabilities.
The first scenario is mitigated by the fact that an attacker must have a role
with the 'manage PIFR environments' administrative permission.
The second scenario is mitigated by the fact that an attacker must be able to
initiate testing of a patch specially crafted to exploit the vulnerability on
the PIFR testing environment, have the testing execute successfully on a PIFR
client, and have the client provide the testing results back to the PIFR
server component.
As one common purpose of this module is to provide validation and testing of
user-supplied patches, users of the PIFR module should always consider the
'PIFR client' component of this module as insecure and untrusted, by design.
The 'PIFR client' component should always be maintained in a separate network
environment, isolated from the 'PIFR server' component or other critical
infrastructure.
There have been no known exploits of this vulnerability observed or reported
on any servers running the PIFR module, including those within Drupal.org's
automated testing environment.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Project_Issue_File_Review 6.x-2.x versions prior to 6.x-2.17.
Drupal core is not affected. If you do not use the contributed Project Issue
File Review [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the PIFR module for Drupal 6.x, upgrade to Project Issue File
Review 6.x-2.17 [5]. Be sure to review and consider the associated
release notes for all intermediary releases when upgrading.
Also see the Project Issue File Review [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Wim Leers [7]
* Jeremy Thorson [8] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Neil Drumm [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
* Jeremy Thorson [11] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] http://drupal.org/project/project_issue_file_review
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/project_issue_file_review
[5] https://drupal.org/node/2205755
[6] http://drupal.org/project/project_issue_file_review
[7] http://drupal.org/user/99777
[8] http://drupal.org/user/148199
[9] http://drupal.org/user/3064
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/148199
[12] http://drupal.org/user/102818
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2200491
* Advisory ID: DRUPAL-SA-CONTRIB-2014-022
* Project: Slickgrid [1] (third-party module)
* Version: 7.x
* Date: 2014-February-22
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Slickgrid module is an implementation of the jQuery SlickGrid plugin, a
lightning-fast JavaScript grid/spreadsheet. It defines a Slickgrid view
style, so all data can be output as an editable grid.
The module does not sufficiently check node access, allowing users to edit
field values of nodes they are not permitted to update.
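Both this advisory and the Open Omega one above are the same mistake in two directions: output produced (a menu) or input accepted (a grid edit) without consulting the access layer for each item. The following added example, which is not code from either project, applies one permission check in both places: menu items the user cannot access are pruned before any title or path reaches the template, and each submitted cell edit is checked for update access before it is written. The role and permission names, menu tree and node table are constructed for the example, loosely following Drupal 7's user_access()/node_access() vocabulary.

```python
"""Added example: the same access check gating menu rendering (read) and
inline grid edits (write). Not Open Omega's or Slickgrid's code; the
permission model, menu tree and node table are constructed."""
from typing import Dict, List, Tuple

# Constructed permission model: role -> set of permissions.
ROLE_PERMS = {
    "anonymous": {"access content"},
    "editor": {"access content", "edit any article content"},
    "administrator": {"access content", "edit any article content",
                      "administer site"},
}


def user_access(perm: str, roles: List[str]) -> bool:
    return any(perm in ROLE_PERMS.get(r, set()) for r in roles)


# Constructed menu: each item records the permission its path requires.
MENU = [
    {"title": "Home", "path": "<front>", "perm": "access content", "below": []},
    {"title": "Admin", "path": "admin", "perm": "administer site", "below": [
        {"title": "Reports", "path": "admin/reports",
         "perm": "administer site", "below": []},
    ]},
    {"title": "Articles", "path": "articles", "perm": "access content",
     "below": []},
]


def render_menu_unchecked(tree: List[dict]) -> List[str]:
    """Vulnerable pattern: walks the tree and emits every path (and title)
    regardless of who is looking."""
    out = []
    for item in tree:
        out.append(item["path"])
        out.extend(render_menu_unchecked(item["below"]))
    return out


def render_menu(tree: List[dict], roles: List[str]) -> List[str]:
    """Fixed: an item the user may not access is dropped together with its
    whole subtree, so neither its title nor its path is ever rendered."""
    out = []
    for item in tree:
        if not user_access(item["perm"], roles):
            continue
        out.append(item["path"])
        out.extend(render_menu(item["below"], roles))
    return out


# Constructed node table for the grid-edit case.
NODES: Dict[int, dict] = {
    1: {"type": "article", "title": "First", "uid": 10},
    2: {"type": "page", "title": "About", "uid": 1},
}


def node_access(op: str, node: dict, roles: List[str], uid: int) -> bool:
    if op == "update":
        ntype = node["type"]
        return user_access(f"edit any {ntype} content", roles) or (
            node["uid"] == uid and user_access(f"edit own {ntype} content", roles))
    return user_access("access content", roles)


def apply_grid_edits(edits: List[Tuple[int, str, str]], roles: List[str],
                     uid: int) -> Tuple[List[int], List[int]]:
    """Every submitted (nid, field, value) is checked for update access before
    it is written; rejected edits are reported back rather than silently
    applied or silently dropped."""
    applied, rejected = [], []
    for nid, field, value in edits:
        node = NODES.get(nid)
        if node is None or not node_access("update", node, roles, uid):
            rejected.append(nid)
            continue
        node[field] = value
        applied.append(nid)
    return applied, rejected


if __name__ == "__main__":
    print(render_menu_unchecked(MENU))
    print(render_menu(MENU, ["anonymous"]))
    print(apply_grid_edits([(1, "title", "Edited"), (2, "title", "Hacked")],
                           ["editor"], 10))
```

The check is deliberately done per item and per edit on the server; a grid that hides cells client-side but accepts whatever the browser posts back is exactly the bug described.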
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Slickgrid 7.x-1.x versions
Drupal core is not affected. If you do not use the contributed Slickgrid [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Slickgrid module for Drupal 7.x, upgrade to Slickgrid
7.x-2.0 [5]
Also see the Slickgrid [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tim Wood [7]
-------- FIXED BY
------------------------------------------------------------
* Ben Scott [8]
* Simon Rycroft [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/slickgrid
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/slickgrid
[5] https://drupal.org/node/2200475
[6] http://drupal.org/project/slickgrid
[7] http://drupal.org/user/23373
[8] http://drupal.org/user/149339
[9] http://drupal.org/user/151544
[10] https://drupal.org/user/36762
[11] https://drupal.org/user/102818/
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2200453
* Advisory ID: DRUPAL-SA-CONTRIB-2014-021
* Project: Maestro [1] (third-party module)
* Version: 7.x
* Date: 2014-February-19
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Maestro module enables you to create complex workflows, automating
business processes.
The module doesn't sufficiently filter Role or Organic Group names when
displaying them in the workflow details.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create Drupal Roles or Organic Groups.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Maestro 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Maestro [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Maestro module for Drupal 7.x, upgrade to Maestro 7.x-1.4
[5]
Also see the Maestro [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Aron Novak [7]
-------- FIXED BY
------------------------------------------------------------
* Aron Novak [8], the reporter
* Randy Kolenko [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/maestro
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/maestro
[5] https://drupal.org/node/2013653
[6] http://drupal.org/project/maestro
[7] http://drupal.org/user/61864
[8] http://drupal.org/user/61864
[9] http://drupal.org/user/704970
[10] https://drupal.org/user/36762
[11] https://drupal.org/user/102818/
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2194877
* Advisory ID: DRUPAL-SA-CONTRIB-2014-020
* Project: Drupal Commons [1] (third-party distribution)
* Version: 7.x
* Date: 2014-February-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Drupal Commons is a ready-to-use solution for building either internal or
external communities. It provides a complete social business software
solution for organizations. Drupal Commons displays an "activity stream"
containing messages about actions users take on the site.
In some cases, messages about content creation are not properly sanitized,
leading to cross site scripting in those messages.
The vulnerability is mitigated in that only certain kinds of activity stream
messages are affected, and not all arbitrary script can be executed.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal Commons 7.x-3.x versions prior to 7.x-3.9.
Drupal core is not affected. If you do not use the contributed Drupal Commons
[4] distribution, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Drupal 7 Commons distribution, upgrade to Commons 7.x-3.9
[5]
Also see the Drupal Commons [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Grant Gaudet [7]
* Jakob Perry [8]
-------- FIXED BY
------------------------------------------------------------
* Jakob Perry [9] the project maintainer
* Ezra Gildesgame [10]
-------- COORDINATED BY
------------------------------------------------------
* Peter Wolanin [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/commons
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/commons
[5] https://drupal.org/node/2194777
[6] http://drupal.org/project/commons
[7] http://drupal.org/user/360002
[8] http://drupal.org/user/45640
[9] http://drupal.org/user/45640
[10] http://drupal.org/user/69959
[11] https://drupal.org/user/49851
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2194655
* Advisory ID: DRUPAL-SA-CONTRIB-2014-017
* Project: Image Resize Filter [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-February-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Denial of Service (DOS)
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to resize images based on the HTML contents of a
post. Images with specified height and width properties that differ from the
original image result in a resized image being created.
The module doesn't limit the number of resized images per post or user, which
could allow a user to post a large number of images that need to be resized
within a single piece of content. This could cause the server to become
overwhelmed by requests to resize images.
This vulnerability is mitigated by the fact that an attacker must have a role
that allows them to post content that utilizes the image resize filter.
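As an added illustration of the fix the advisory implies (not the Image Resize Filter module's own code), the following counts how many distinct server-side resizes a piece of content would trigger and refuses to go beyond a per-post cap, so that a post packed with hundreds of differently-sized copies of one image no longer turns into hundreds of image operations. The cap value, the table of original image dimensions and the sample HTML are assumptions for the example.

```python
"""Added example: bounding the number of image resizes one post can cause.
Not the Image Resize Filter module's code; the cap, the dimension lookup and
the sample markup are constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple

MAX_RESIZES_PER_POST = 10  # assumed policy value

# Constructed lookup of original image dimensions. In a real filter this comes
# from reading the file on disk, itself a cost that the cap bounds.
ORIGINAL_SIZES: Dict[str, Tuple[int, int]] = {
    "/files/a.png": (800, 600),
    "/files/b.png": (400, 300),
}


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: v for k, v in attrs if v is not None})


def needs_resize(img: Dict[str, str]) -> bool:
    """True when the tag's width/height differ from the original file's
    dimensions, which is what triggers a resize in the module's design."""
    src = img.get("src", "")
    if src not in ORIGINAL_SIZES or "width" not in img or "height" not in img:
        return False
    try:
        w, h = int(img["width"]), int(img["height"])
    except ValueError:
        return False
    return (w, h) != ORIGINAL_SIZES[src]


def plan_resizes(html: str, cap: int = MAX_RESIZES_PER_POST
                 ) -> Tuple[List[Tuple[str, int, int]], int]:
    """Return the distinct (src, width, height) resizes to perform, in document
    order and truncated to the cap, plus the number skipped by the cap."""
    p = ImgCollector()
    p.feed(html)
    wanted: List[Tuple[str, int, int]] = []
    seen = set()
    for img in p.images:
        if not needs_resize(img):
            continue
        key = (img["src"], int(img["width"]), int(img["height"]))
        if key in seen:  # the same image at the same size is one resize
            continue
        seen.add(key)
        wanted.append(key)
    return wanted[:cap], max(0, len(wanted) - cap)


if __name__ == "__main__":
    # Constructed attacker post: one image requested at 50 different sizes.
    flood = "".join(f'<img src="/files/a.png" width="{i}" height="{i}">'
                    for i in range(1, 51))
    print(plan_resizes(flood))
```

Images beyond the cap are left at their original file and the browser scales them, which costs the server nothing; the count is taken per submitted post, so the limit applies before any image work starts rather than after the server is already busy.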
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Image Resize Filter 6.x-1.x versions prior to 6.x-1.14.
* Image Resize Filter 7.x-1.x versions prior to 7.x-1.14.
Drupal core is not affected. If you do not use the contributed Image Resize
Filter [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Image Resize Filter module for Drupal 6.x, upgrade to
Image Resize Filter 6.x-1.14 [5]
* If you use the Image Resize Filter module for Drupal 7.x, upgrade to
Image Resize Filter 7.x-1.14 [6]
Also see the Image Resize Filter [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dave Hansen-Lange [8]
-------- FIXED BY
------------------------------------------------------------
* Dave Hansen-Lange [9]
* Nate Haug [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/image_resize_filter
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/image_resize_filter
[5] https://drupal.org/node/2194063
[6] https://drupal.org/node/2194065
[7] http://drupal.org/project/image_resize_filter
[8] https://drupal.org/user/18981
[9] https://drupal.org/user/18981
[10] https://drupal.org/user/35821
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2194809
* Advisory ID: DRUPAL-SA-CONTRIB-2014-019
* Project: Easy Social [1] (third-party module)
* Version: 7.x
* Date: 2014-February-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to add social sharing widgets to your content and
pages.
The module doesn't sufficiently validate block titles when a user creates a
custom block from within the module's admin interface.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer easy social".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Easy Social 7.x-2.x versions prior to 7.x-2.11.
Drupal core is not affected. If you do not use the contributed Easy Social
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Easy Social module for Drupal 7.x, upgrade to Easy Social
7.x-2.11 [5]
Also see the Easy Social [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* James Davis [7]
-------- FIXED BY
------------------------------------------------------------
* Alex Weber [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/easy_social
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/easy_social
[5] https://drupal.org/node/2194401
[6] http://drupal.org/project/easy_social
[7] http://drupal.org/user/2766355
[8] http://drupal.org/user/850856
[9] http://drupal.org/user/395439
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2194671
* Advisory ID: DRUPAL-SA-CONTRIB-2014-018
* Project: Webform [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-February-12
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Webform module enables you to create forms which can be used for surveys,
contact forms or other data collection throughout your site.
The module doesn't sufficiently sanitize field label titles when two fields
have the same form_key, which can only be achieved by carefully crafting the
webform structure under a specific set of circumstances.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "create webform content".
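Five of the advisories on this page (Project Issue File Review, Maestro, Drupal Commons, Easy Social and this Webform one) are the same defect: a user-supplied string (a test result, a role or group name, an activity message, a block title, a field label) placed into HTML without escaping. The following added example, which is not code from any of those projects, shows the vulnerable string-building beside the fixed form, with a label that lands in both a text context and an attribute context, since the attribute case is the one most often missed. The markup builders and payloads are constructed; check_plain() here is a stand-in for Drupal's function of the same name, which escapes via htmlspecialchars().

```python
"""Added example: escaping untrusted strings at the point they enter HTML,
in both text and attribute contexts. Not code from any of the advised
projects; the builders and payloads are constructed."""
import html


def check_plain(text: str) -> str:
    """Escape a string for use as HTML text or inside a quoted attribute.
    quote=True turns both '"' and "'" into entities, so a value cannot
    break out of the attribute it is placed in."""
    return html.escape(text, quote=True)


def activity_message_vulnerable(user: str, title: str) -> str:
    # The kind of message-building the Commons and Maestro advisories describe:
    # raw names interpolated straight into markup.
    return f"<li>{user} created <em>{title}</em></li>"


def activity_message(user: str, title: str) -> str:
    return f"<li>{check_plain(user)} created <em>{check_plain(title)}</em></li>"


def field_label_vulnerable(form_key: str, label: str) -> str:
    # A label used both as an attribute value and as visible text, unescaped.
    return f'<label for="edit-{form_key}" title="{label}">{label}</label>'


def field_label(form_key: str, label: str) -> str:
    # form_key is assumed to be a validated machine name; label is untrusted.
    safe = check_plain(label)
    return f'<label for="edit-{form_key}" title="{safe}">{safe}</label>'


def renders_inert(markup: str, payload: str) -> bool:
    """True when the payload survives only in escaped form, i.e. the browser
    will display it as text rather than parse it as markup."""
    return payload not in markup and check_plain(payload) in markup


if __name__ == "__main__":
    script = "<script>alert(1)</script>"
    breakout = '"><img src=x onerror=alert(1)>'
    print(activity_message_vulnerable("mallory", script))
    print(activity_message("mallory", script))
    print(field_label_vulnerable("name", breakout))
    print(field_label("name", breakout))
```

Escaping belongs in the rendering layer, where the output context is known, not at storage time: a name that is escaped once on input and again on output is mangled, while one escaped on neither is the bug described above. Markup that is meant to carry tags (a body field) goes through an allowlist filter instead, and is then passed through without a second escape.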
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Webform 6.x-3.x versions prior to 6.x-3.19.
* Webform 7.x-3.x versions prior to 7.x-3.19.
* Webform 7.x-4.x versions prior to 7.x-4.0-beta2.
Drupal core is not affected. If you do not use the contributed Webform [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.20
[5]
* If you use the webform module for Drupal 7.x-3.x, upgrade to webform
7.x-3.20 [6]
* If you use the webform module for Drupal 7.x-4.x, upgrade to webform
7.x-4.0-beta2 [7]
Also see the Webform [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Maurits Lawende [9]
-------- FIXED BY
------------------------------------------------------------
* Nate Haug [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Dan Smith [11] and Lee Rowlands [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] http://drupal.org/project/webform
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/webform
[5] http://drupal.org/node/2194181
[6] http://drupal.org/node/2194183
[7] http://drupal.org/node/2194175
[8] http://drupal.org/project/webform
[9] http://drupal.org/user/243897
[10] http://drupal.org/user/35821
[11] http://drupal.org/user/241220
[12] https://drupal.org/user/395439
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity