View online: https://drupal.org/node/2194135
* Advisory ID: DRUPAL-SA-CONTRIB-2014-016
* Project: MAYO [1] (third-party theme)
* Version: 7.x
* Date: 2014-02-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The theme settings allow an administrator to link to a header background file.
The URL entered there was not properly sanitized before being output in the
page markup, leading to a cross site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer themes".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* MAYO Theme 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed MAYO [4]
theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the theme MAYO for Drupal 7.x, upgrade to MAYO 7.x-1.3 [5]
Also see the MAYO [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dennis Walgaard [7]
-------- FIXED BY
------------------------------------------------------------
* Dennis Walgaard [8]
* John Powell [9] the theme maintainer
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [10] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/mayo
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mayo
[5] https://drupal.org/node/2193987
[6] http://drupal.org/project/mayo
[7] http://drupal.org/user/883702
[8] http://drupal.org/user/883702
[9] http://drupal.org/user/797068
[10] http://drupal.org/user/680072
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2194589
* Advisory ID: DRUPAL-SA-CONTRIB-2014-013
* Project: Chaos tool suite (ctools) [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-02-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module provides content editors with an autocomplete callback for entity
titles, as well as the ability to embed content within the Chaos tool suite
(ctools) framework.
Prior to the fixed versions, the autocomplete callback did not sufficiently
check access for entity types other than nodes. ctools also did not
sufficiently check access before displaying content loaded through the
relationship plugin.
These vulnerabilities are mitigated by the fact that a site must be using the
autocomplete callback with entity types other than node or user, or must be
using the relationship plugin to display the related content (e.g. in Panels).
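The following is an added example and not ctools code; it shows the shape of
the check the advisory describes: an autocomplete callback that matches
entities of any type and returns only those the current user may view, and
that fails closed for types it cannot check. The path, function and permission
names are assumed for illustration.

```php
<?php
// Added example: not ctools code. An autocomplete callback that matches
// entities of any type and returns only those the current user may view,
// failing closed for types it cannot check. Path, function and permission
// names are assumed for illustration.

/**
 * Implements hook_menu().
 *
 * Requests look like example/autocomplete/node/foo; the typed text is arg 3
 * and is handed to the callback by the menu system.
 */
function example_menu() {
  $items['example/autocomplete/%'] = array(
    'page callback' => 'example_entity_autocomplete',
    'page arguments' => array(2, 3),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Per-entity-type 'view' access check.
 *
 * The query layer enforces access for nodes only (the node_access tag, which
 * EntityFieldQuery applies). Every other type needs an explicit check, and a
 * type this function does not know must be denied, not assumed public.
 */
function example_entity_view_access($entity_type, $entity, $account = NULL) {
  switch ($entity_type) {
    case 'node':
      return node_access('view', $entity, $account);

    case 'user':
      return user_view_access($entity);

    case 'taxonomy_term':
      return user_access('access content', $account);

    case 'comment':
      $node = node_load($entity->nid);
      return $node && user_access('access comments', $account)
        && node_access('view', $node, $account);
  }
  // Contrib types: defer to the Entity API module's hook if it is installed.
  if (module_exists('entity')) {
    return (bool) entity_access('view', $entity_type, $entity, $account);
  }
  // Unknown type and no way to ask: fail closed.
  return FALSE;
}

/**
 * Autocomplete callback: matches on the entity's label property and filters
 * every hit through example_entity_view_access() before returning it. The
 * vulnerable shape returned every match for non-node types.
 */
function example_entity_autocomplete($entity_type, $string = '') {
  $matches = array();
  $info = entity_get_info($entity_type);
  // Core's user entity declares no label key; its label column is 'name'.
  $label_key = isset($info['entity keys']['label']) ? $info['entity keys']['label']
    : ($entity_type == 'user' ? 'name' : NULL);
  if ($info && $label_key && $string !== '') {
    $query = new EntityFieldQuery();
    $result = $query->entityCondition('entity_type', $entity_type)
      ->propertyCondition($label_key, $string, 'CONTAINS')
      ->range(0, 10)
      ->execute();
    if (!empty($result[$entity_type])) {
      $entities = entity_load($entity_type, array_keys($result[$entity_type]));
      foreach ($entities as $id => $entity) {
        if (!example_entity_view_access($entity_type, $entity)) {
          continue;
        }
        $label = check_plain(entity_label($entity_type, $entity));
        $matches["$label [id: $id]"] = $label;
      }
    }
  }
  drupal_json_output($matches);
}
```

The same example_entity_view_access() call belongs in front of any render step
that displays a loaded entity, which is the relationship plugin case in the
advisory: the query-level node_access tag only ever covers nodes, so a
relationship that hands a user, term or contrib entity to a content pane has
to check access itself before rendering.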
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Chaos tool suite (ctools) 6.x-1.x versions prior to 6.x-1.11.
* Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Chaos tool suite module for Drupal 6.x, upgrade to ctools
6.x-1.11 [5]
* If you use the Chaos tool suite module for Drupal 7.x, upgrade to ctools
7.x-1.4 [6]
Also see the Chaos tool suite (ctools) [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tim Wood [8]
* Heine Deelstra [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jakob Perry [10] the module maintainer
* David Snopek [11]
-------- COORDINATED BY
------------------------------------------------------
* Peter Wolanin [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ctools
[5] https://drupal.org/node/2194547
[6] https://drupal.org/node/2194551
[7] http://drupal.org/project/ctools
[8] https://drupal.org/user/457434
[9] https://drupal.org/user/17943
[10] https://drupal.org/user/45640
[11] https://drupal.org/user/266527
[12] http://drupal.org/user/49851
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2194639
* Advisory ID: DRUPAL-SA-CONTRIB-2014-015
* Project: FileField [1] (third-party module)
* Version: 6.x
* Date: 2014-02-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The FileField module allows users to upload files in conjunction with the
Content Construction Kit (CCK) module in Drupal 6.
The module doesn't sufficiently check permissions on revisions when
determining whether a user should have access to a file attached to a
particular revision. A user could gain access to private files attached to a
revision even when they don't have access to that revision.
This vulnerability is mitigated by the fact that an attacker must have access
to upload files through FileField module while creating content, and the site
must be using a non-core workflow module that allows users to create
unpublished revisions of content.
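The following is an added example and not FileField's code; it is a Drupal 6
hook_file_download() implementation of the check the advisory describes,
serving a private file only if the user may view the revision it is attached
to rather than the node alone. The table and column names are assumed for
illustration.

```php
<?php
// Added example: not FileField's code. A Drupal 6 hook_file_download() that
// gates a private file on access to the revision it is attached to, not
// merely on the node. Table and column names are assumed for illustration.

/**
 * Implements hook_file_download().
 *
 * Return -1 to deny, an array of headers to serve the file, or nothing if
 * the file is not ours so that another module can decide.
 */
function example_file_download($filepath) {
  $filepath = file_create_path($filepath);
  $file = db_fetch_object(db_query("SELECT fid, filemime, filesize FROM {files} WHERE filepath = '%s'", $filepath));
  if (!$file) {
    return;
  }
  // Every (nid, vid) the file is attached to. With a workflow module a file
  // may hang off a pending revision and not off the current one at all.
  $result = db_query("SELECT nid, vid FROM {content_field_attachment} WHERE field_attachment_fid = %d", $file->fid);
  while ($row = db_fetch_object($result)) {
    if (example_revision_file_access($row->nid, $row->vid)) {
      return array(
        'Content-Type: ' . mime_header_encode($file->filemime),
        'Content-Length: ' . $file->filesize,
      );
    }
  }
  // The file is ours and the user may not view any revision it belongs to.
  return -1;
}

/**
 * Access to the specific revision, which is what the vulnerable shape lacked:
 * it checked node_access('view', node_load($nid)) for any vid, so a user who
 * could see the current revision got every revision's files.
 */
function example_revision_file_access($nid, $vid) {
  $current = node_load($nid);
  if (!$current) {
    return FALSE;
  }
  if ($current->vid == $vid) {
    return node_access('view', $current);
  }
  // Non-current revision: core requires 'view revisions' (or 'administer
  // nodes') plus node access on both the current and the requested revision.
  $revision = node_load($nid, $vid);
  return $revision && _node_revision_access($revision, 'view');
}
```

If the site's workflow module grants its own access to pending revisions, use
that module's access function in place of _node_revision_access(); the point
is that the decision is taken per revision, and that a file attached only to a
revision the user cannot view is denied rather than served.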
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* FileField 6.x-3.x versions prior to 6.x-3.12.
Drupal core is not affected. If you do not use the contributed FileField [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FileField module for Drupal 6.x, upgrade to FileField
6.x-3.12 [5]
Also see the FileField [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Stella Power [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Nate Haug [8] the module maintainer
* Stella Power [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/filefield
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/filefield
[5] https://drupal.org/node/2194103
[6] http://drupal.org/project/filefield
[7] https://drupal.org/user/66894
[8] https://drupal.org/user/35821
[9] https://drupal.org/user/66894
[10] https://drupal.org/user/395439
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2194621
* Advisory ID: DRUPAL-SA-CONTRIB-2014-014
* Project: Webform Validation [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-February-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Webform Validation module enables you to add additional form validation
rules to Webforms created by the Webform module.
The module doesn't sufficiently filter Webform component names before
display, opening up the possibility of cross site scripting.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit Webform content.
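The following is an added example and not code from the MAYO theme or the
Webform Validation module; it covers both cross site scripting advisories on
this page by rendering the two values they describe, an administrator-entered
header background URL and an editor-entered component name, first unescaped
and then through the Drupal 7 filter that fits each output context. The
setting, variable and function names are assumed for illustration.

```php
<?php
// Added example: not code from the MAYO theme or the Webform Validation
// module. It renders an administrator-entered URL and an editor-entered
// component name, first unescaped and then through the Drupal 7 filter
// that fits each output context. All names are assumed for illustration.

/**
 * Vulnerable pattern: raw values concatenated into markup.
 *
 * A component name such as  "><script>...</script>  closes the tag.
 * A URL such as  javascript:alert(1)  executes when the link is followed,
 * and check_plain() alone would not stop it because the string contains no
 * HTML metacharacters; the scheme, not the markup, is the problem.
 */
function example_render_vulnerable($header_url, $component_name) {
  return '<a class="header" href="' . $header_url . '">'
    . '<span>' . $component_name . '</span></a>';
}

/**
 * Hardened pattern.
 *
 * check_url() strips dangerous schemes (javascript:, vbscript:, data:) and
 * then HTML-escapes, which makes it the filter for URL-valued attributes.
 * check_plain() is sufficient for text content and for non-URL attributes.
 */
function example_render_safe($header_url, $component_name) {
  return '<a class="header" href="' . check_url($header_url) . '">'
    . '<span>' . check_plain($component_name) . '</span></a>';
}

/**
 * A value inside a CSS url(), which is where a header background usually
 * ends up, needs one more step: check_plain() leaves ( ) ; untouched, so
 * after stripping dangerous schemes restrict the value to URL characters
 * and drop anything else rather than trying to escape it.
 */
function example_css_background($header_url) {
  $url = drupal_strip_dangerous_protocols($header_url);
  if ($url === '' || !preg_match('#^[A-Za-z0-9/._~:?=&%+-]+$#', $url)) {
    return '';
  }
  return 'background-image: url(' . check_plain($url) . ');';
}

/**
 * Theme preprocess: escape once, where the setting is read, so the template
 * can print $header_bg_url and $header_bg_style directly.
 * 'header_bg_file' is an assumed theme setting name.
 */
function mytheme_preprocess_page(&$variables) {
  $setting = (string) theme_get_setting('header_bg_file');
  $variables['header_bg_url'] = $setting === '' ? '' : check_url($setting);
  $variables['header_bg_style'] = example_css_background($setting);
}
```

The "administer themes" and "edit Webform content" mitigations in the two
advisories only reduce who can plant the payload; the stored value is still
rendered to every visitor, so the output filter is the control, not the input
permission.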
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Webform Validation 6.x-1.x versions prior to 6.x-1.6.
* Webform Validation 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Webform
Validation [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Webform Validation module for Drupal 6.x, upgrade to
Webform Validation 6.x-1.6 [5].
* If you use the Webform Validation module for Drupal 7.x, upgrade to
Webform Validation 7.x-1.4 [6].
The only changes in these new versions are the fixes for this issue.
Also see the Webform Validation [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Maurits Lawende [8]
-------- FIXED BY
------------------------------------------------------------
* Maurits Lawende [9]
* Liam Morland [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Stella Power [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/webform_validation
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/webform_validation
[5] https://drupal.org/node/2194011
[6] https://drupal.org/node/2194013
[7] http://drupal.org/project/webform_validation
[8] https://drupal.org/user/243897
[9] https://drupal.org/user/243897
[10] https://drupal.org/user/493050
[11] https://drupal.org/user/66894
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2189751
* Advisory ID: DRUPAL-SA-CONTRIB-2014-012
* Project: Modal Frame API [1] (third-party module)
* Version: 6.x
* Date: 2014-February-05
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module provides an API to render an iframe within a modal dialog based
on the jQuery UI Dialog plugin. You should not install this module unless
another module requires it, or you wish to use it from your own custom
modules.
The module doesn't sufficiently filter user-supplied text, opening up the
possibility of cross site scripting.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* modalframe 6.x-1.8 and prior versions
Drupal core is not affected. If you do not use the contributed Modal Frame
API [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Uninstall the module. It is no longer maintained.
Also see the Modal Frame API [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Erich Beyrent
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [6].
Learn more about the Drupal Security team and their policies [7], writing
secure code for Drupal [8], and securing your site [9].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [10]
[1] http://drupal.org/project/modalframe
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/modalframe
[5] http://drupal.org/project/modalframe
[6] http://drupal.org/contact
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration
[10] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2189643
* Advisory ID: DRUPAL-SA-CONTRIB-2014-011
* Project: Push Notifications [1] (third-party module)
* Version: 7.x
* Date: 2014-February-05
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables the delivery of push notifications to iOS and Android
devices.
The module doesn't sufficiently randomize the certificate filenames required
for Apple's Push Notification service or protect the files from being
publicly accessible, which could allow an attacker to acquire the
certificates and broadcast push notifications to the target's user base.
This vulnerability primarily affects sites that did not follow the general
security best practice of placing certificates into a directory outside of
the webroot and did not use password-protected certificate files.
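The following is an added example and not the push_notifications module's
code; it demonstrates the two controls the advisory names, an unguessable
certificate filename and a certificate directory the web server cannot serve,
and opens the connection with a passphrase-protected certificate. The setting
names, directory layout and filename pattern are assumed for illustration.

```php
<?php
// Added example: not the push_notifications module's code. Random
// certificate filenames, a certificate directory outside the web root, and
// a passphrase-protected certificate. Setting names, directory layout and
// the filename pattern are assumed for illustration.

/**
 * Random, URL-safe string for the certificate filename. drupal_random_bytes()
 * uses the platform CSPRNG; a hash of the site name or mt_rand() output is
 * guessable and gives no protection.
 */
function example_apns_certificate_string() {
  return drupal_hash_base64(drupal_random_bytes(32));
}

/**
 * Submit handler for a "Generate new certificate string" button: store the
 * new string; the administrator then renames the .pem files to match.
 */
function example_apns_regenerate_submit($form, &$form_state) {
  variable_set('example_apns_certificate_string', example_apns_certificate_string());
  drupal_set_message(t('A new certificate string was generated. Rename your APNS certificate files to match it.'));
}

/**
 * Resolve the configured certificate directory and refuse anything under
 * DRUPAL_ROOT, i.e. anything a request to the site could fetch directly.
 */
function example_apns_certificate_dir() {
  $dir = variable_get('example_apns_certificate_dir', '');
  $real = $dir === '' ? FALSE : realpath($dir);
  if ($real === FALSE || !is_dir($real)) {
    throw new Exception('APNS certificate directory is not configured or does not exist.');
  }
  $root = realpath(DRUPAL_ROOT) . DIRECTORY_SEPARATOR;
  if (strpos($real . DIRECTORY_SEPARATOR, $root) === 0) {
    throw new Exception('APNS certificate directory must be outside the web root: ' . $real);
  }
  return $real;
}

/**
 * Path of the certificate for one environment, or FALSE if it cannot be
 * located. Also warns when the file is readable by other local users.
 */
function example_apns_certificate_path($environment) {
  if (!in_array($environment, array('development', 'production'), TRUE)) {
    return FALSE;
  }
  $string = variable_get('example_apns_certificate_string', '');
  if ($string === '') {
    return FALSE;
  }
  $path = example_apns_certificate_dir() . DIRECTORY_SEPARATOR
    . 'apns-' . $environment . '-' . $string . '.pem';
  if (!is_file($path)) {
    return FALSE;
  }
  if (fileperms($path) & 0044) {
    watchdog('example_apns', 'APNS certificate %path is group- or world-readable.',
      array('%path' => $path), WATCHDOG_WARNING);
  }
  return $path;
}

/**
 * Open the (legacy binary-protocol) APNS gateway with a passphrase-protected
 * certificate, so a copied .pem file alone is not enough to send
 * notifications. Returns a stream resource or FALSE.
 */
function example_apns_connect($environment, $passphrase) {
  $cert = example_apns_certificate_path($environment);
  if ($cert === FALSE) {
    return FALSE;
  }
  $host = $environment == 'production' ? 'gateway.push.apple.com' : 'gateway.sandbox.push.apple.com';
  $context = stream_context_create();
  stream_context_set_option($context, 'ssl', 'local_cert', $cert);
  stream_context_set_option($context, 'ssl', 'passphrase', $passphrase);
  return stream_socket_client('ssl://' . $host . ':2195', $errno, $errstr, 60, STREAM_CLIENT_CONNECT, $context);
}
```

The random filename is the weakest of the three controls: it only helps while
the name stays secret. Moving the directory out of the web root removes the
download path entirely, and the passphrase means a certificate that does leak
(backup, repository, shared host) is not immediately usable.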
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* push_notifications 7.x-1.x versions prior to 7.x-1.1
Drupal core is not affected. If you do not use the contributed Push
Notifications [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the push_notifications module for Drupal 7.x and your APNS
certificate files are stored in the default directory, upgrade to
push_notifications 7.x-1.1 [5]
* Navigate to the configuration page for the push_notifications module
(admin/config/services/push_notifications/configure) and click the
"Generate new certificate string" button to generate a random filename.
Then, rename your APNS certificates according to the instructions on the
push notification configuration page.
Also see the Push Notifications [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Graham Bates [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Daniel Hanold [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Laurence Liss [9] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/push_notifications
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/push_notifications
[5] http://drupal.org/node/2188983
[6] http://drupal.org/project/push_notifications
[7] http://drupal.org/user/16029
[8] http://drupal.org/user/339733
[9] http://drupal.org/user/724750
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2189509
* Advisory ID: DRUPAL-SA-CONTRIB-2014-010
* Project: Services [1] (third-party module)
* Version: 7.x
* Date: 2014-February-05
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Services module enables you to expose an API to third party systems using
REST, XML-RPC or other protocols.
.... User update access bypass vulnerability
An authenticated user is able to assign additional roles to themselves through
the user resource, which means they can escalate their privileges by assigning
themselves an administrative role.
This vulnerability is mitigated by the fact that the user must be able to log
in to the site, the update operation on the user resource must be enabled in
the endpoint configuration, and the site must have a role with more
permissions than the authenticated user role.
.... Comment access bypass vulnerability
An authenticated attacker with the permission to post comments is able to
update other users' comments.
This vulnerability is mitigated by the fact that the update operation on the
comment resource must be enabled in the endpoint configuration.
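The following is an added example and not the Services module's code; it
shows two update callbacks in the style of a Services resource with the checks
the advisory describes: the user update drops role (and status) changes unless
the caller holds the matching permission, and the comment update requires
comment_access('edit') rather than only the permission to post comments. The
function names are assumed for illustration.

```php
<?php
// Added example: not the Services module's code. Two resource update
// callbacks: the user update strips role and status changes the caller may
// not make, and the comment update checks ownership via comment_access().
// Function names are assumed for illustration.

/**
 * Update callback for a user resource.
 *
 * The vulnerable shape merges the whole request body into the account and
 * calls user_save(), which lets any caller set $data['roles'] on themselves.
 */
function example_user_resource_update($uid, $data) {
  global $user;
  $account = user_load($uid);
  if (!$account) {
    return services_error(t('User not found'), 404);
  }
  // Editing someone else's account needs 'administer users'.
  if ($user->uid != $account->uid && !user_access('administer users')) {
    return services_error(t('Access denied'), 403);
  }
  // The identity of the account comes from the path, never from the body.
  unset($data['uid']);
  // Role assignment is a permission-administrator action whatever account is
  // being edited; that is the privilege escalation in the advisory.
  if (!user_access('administer permissions')) {
    unset($data['roles']);
  }
  elseif (isset($data['roles'])) {
    // Keep only role IDs that exist, keyed the way user_save() expects.
    $data['roles'] = array_intersect_key((array) $data['roles'], user_roles(TRUE));
  }
  // Blocking or unblocking an account is likewise an administrator action.
  if (!user_access('administer users')) {
    unset($data['status']);
  }
  $saved = user_save($account, $data);
  if (!$saved) {
    return services_error(t('Could not save user'), 500);
  }
  return array('uid' => $saved->uid);
}

/**
 * Update callback for a comment resource.
 *
 * The vulnerable shape checked only 'post comments' (the permission to create
 * a comment) and then saved whatever fields were posted for any cid.
 */
function example_comment_resource_update($cid, $data) {
  $comment = comment_load($cid);
  if (!$comment) {
    return services_error(t('Comment not found'), 404);
  }
  // 'administer comments', or own published comment plus 'edit own comments'.
  if (!comment_access('edit', $comment)) {
    return services_error(t('Access denied'), 403);
  }
  // Identity and placement fields are never taken from the request body.
  unset($data['cid'], $data['uid'], $data['nid'], $data['pid'], $data['hostname'], $data['created']);
  // Publishing state is an administrator decision.
  if (!user_access('administer comments')) {
    unset($data['status']);
  }
  foreach ($data as $key => $value) {
    $comment->$key = $value;
  }
  comment_save($comment);
  return array('cid' => $comment->cid);
}
```

The common thread is that a resource update has two separate questions: may
this caller touch this object at all, and which fields of it may this caller
set. Answering only the first is what lets an ordinary user hand themselves a
role, and answering neither is what lets them rewrite another user's comment.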
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Services 7.x-3.x versions prior to 7.x-3.6.
Drupal core is not affected. If you do not use the contributed Services [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Services module for Drupal 7.x, upgrade to Services
7.x-3.7 [5]
Also see the Services [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* The User update access bypass vulnerability was reported by Fredrik
Lassen [7].
* The Comment access bypass vulnerability was reported by wedge [8].
-------- FIXED BY
------------------------------------------------------------
* The User update access bypass vulnerability was fixed by Fredrik Lassen [9].
* The Comment access bypass vulnerability was fixed by Kyle Browning [10],
the module maintainer.
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [11] of the Drupal Security Team
* Balazs Dianiska [12] a provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] http://drupal.org/project/services
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/services
[5] https://drupal.org/node/2186581
[6] http://drupal.org/project/services
[7] https://drupal.org/user/243377
[8] https://drupal.org/user/11442
[9] https://drupal.org/user/243377
[10] https://drupal.org/user/211387
[11] http://drupal.org/user/262198
[12] http://drupal.org/user/58645
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2187453
* Advisory ID: DRUPAL-SA-CONTRIB-2014-009
* Project: Tagadelic [1] (third-party module)
* Version: 6.x
* Date: 2014-February-05
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module provides an API and a few simple turnkey modules which allow you
to easily create tag clouds, weighted lists, search clouds and the like.
The 6.x-1.x version does not take node access modules into account when
building its clouds, thus disclosing information about nodes the user is not
allowed to view.
This vulnerability is mitigated by the fact that a site must be using a node
access module.
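The following is an added example and not Tagadelic's code; it is a Drupal 6
tag-cloud query in the two forms the advisory contrasts, counting every
published node and counting only the nodes the current user may view by
passing the query through db_rewrite_sql(), which is the hook node access
modules such as taxonomy_access and content_access use to add their grant
conditions. The function names are assumed for illustration.

```php
<?php
// Added example: not Tagadelic's code. A Drupal 6 term-count query with and
// without db_rewrite_sql(). Function names are assumed for illustration.
// Note the two meanings of vid below: term_data.vid is the vocabulary,
// term_node.vid and node.vid are the node revision.

/**
 * Vulnerable form: counts include nodes the user cannot see, so the cloud
 * reveals how many restricted nodes carry each term, and which terms exist
 * only on restricted nodes.
 */
function example_term_counts_unfiltered($vocabulary_id, $limit = 50) {
  $sql = "SELECT t.tid, t.name, COUNT(n.nid) AS count
          FROM {term_data} t
          INNER JOIN {term_node} tn ON t.tid = tn.tid
          INNER JOIN {node} n ON tn.vid = n.vid
          WHERE t.vid = %d AND n.status = 1
          GROUP BY t.tid, t.name
          ORDER BY count DESC";
  return example_term_counts_fetch(db_query_range($sql, $vocabulary_id, 0, $limit));
}

/**
 * Fixed form: the same SQL wrapped in db_rewrite_sql(). The node table must
 * be aliased 'n' (the default primary table) so node_access can join on it;
 * the rewrite also turns COUNT(n.nid) into COUNT(DISTINCT(n.nid)), which
 * keeps the count right when a node matches more than one grant row. This
 * is the pattern core's taxonomy_term_count_nodes() uses.
 */
function example_term_counts_filtered($vocabulary_id, $limit = 50) {
  $sql = "SELECT t.tid, t.name, COUNT(n.nid) AS count
          FROM {term_data} t
          INNER JOIN {term_node} tn ON t.tid = tn.tid
          INNER JOIN {node} n ON tn.vid = n.vid
          WHERE t.vid = %d AND n.status = 1
          GROUP BY t.tid, t.name
          ORDER BY count DESC";
  return example_term_counts_fetch(db_query_range(db_rewrite_sql($sql), $vocabulary_id, 0, $limit));
}

/**
 * Collect result rows keyed by term ID.
 */
function example_term_counts_fetch($result) {
  $counts = array();
  while ($row = db_fetch_object($result)) {
    $counts[$row->tid] = $row;
  }
  return $counts;
}
```

The rewritten query is per user, so a cloud built from it must not be cached
in a way that serves one user's counts to another; cache it per role set, or
not at all, on sites where node access grants differ between users.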
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Tagadelic 6.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Tagadelic [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Tagadelic module for Drupal 6.x, upgrade to Tagadelic 6.x-1.5
[5] and then disable node access modules, such as taxonomy_access and
content_access.
Also see the Tagadelic [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Michael Hess [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Rick Manelius [8]
* Sean T. Walsh [9]
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [10] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/tagadelic
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/tagadelic
[5] https://drupal.org/node/2188887
[6] http://drupal.org/project/tagadelic
[7] http://drupal.org/user/102818
[8] https://drupal.org/user/680072
[9] http://drupal.org/user/995722
[10] http://drupal.org/user/680072
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity