April 2014 - Security-news - lists.drupal.org

SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass
by security-news＠drupal.org 30 Apr '14

30 Apr '14

View online: https://drupal.org/node/2254943 * Advisory ID: DRUPAL-SA-CONTRIB-2014-048 * Project: Field API Pane Editor (FAPE) [1] (third-party module) * Version: 7.x * Date: 2014-April-30 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module. The module doesn't sufficiently verify the user has access to modify the entity the field is attached to. Unless another module was installed which restricted access to edit the fields, any user can edit any field on any entity on the site. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Field API Pane Editor (FAPE) 7.x-1.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Field API Pane Editor (FAPE) [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Field API Pane Editor (FAPE) module for Drupal 7.x, upgrade to Field API Pane Editor (FAPE) 7.x-1.2. [5] Also see the Field API Pane Editor (FAPE) [6] project page. -------- REPORTED BY --------------------------------------------------------- * Andrew Belcher [7]. -------- FIXED BY ------------------------------------------------------------ * David Rothstein [8] of the Drupal Security Team. * Damien McKenna [9], the module maintainer. -------- COORDINATED BY ------------------------------------------------------ * David Snopek [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] http://drupal.org/project/fape [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/fape [5] https://drupal.org/node/2254923 [6] http://drupal.org/project/fape [7] http://drupal.org/user/655282 [8] http://drupal.org/user/124982 [9] http://drupal.org/user/108450 [10] https://drupal.org/user/266527 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-047 - Zen - Cross Site Scripting
by security-news＠drupal.org 30 Apr '14

30 Apr '14

View online: https://drupal.org/node/2254925 * Advisory ID: DRUPAL-SA-CONTRIB-2014-047 * Project: Zen [1] (third-party theme) * Version: 7.x * Date: 2014-April-30 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design. The theme does not properly sanitize theme settings before they are used in the output of a page. Custom themes that have copied Zen's template files (e.g. subthemes) may suffer from this same issue. If your theme creates variables in a preprocess using text from a custom theme setting, like this: $variables['skip_link_text'] = theme_get_setting('skip_link_text'); you can prevent malicious XSS attacks by modifying the code to look like this: $variables['skip_link_text'] = check_plain(theme_get_setting('skip_link_text')); This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer theme". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Zen 7.x-5.x versions prior to 7.x-5.5. * Zen 7.x-3.x versions prior to 7.x-3.3. Drupal core is not affected. If you do not use the contributed Zen [4] theme, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Zen theme for Drupal 7.x, upgrade to Zen 7.x-3.3 [5] or Zen 7.x-5.5 [6] Also see the Zen [7] project page. -------- REPORTED BY --------------------------------------------------------- * Dennis Walgaard [8] -------- FIXED BY ------------------------------------------------------------ * Dennis Walgaard [9] * John Albin Wilkins [10] the theme maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] http://drupal.org/project/zen [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/zen [5] https://drupal.org/node/2254835 [6] https://drupal.org/node/2254837 [7] http://drupal.org/project/zen [8] https://drupal.org/user/883702 [9] https://drupal.org/user/883702 [10] http://drupal.org/user/32095 [11] http://drupal.org/user/36762 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-046 - Context Form Alteration - Cross Site Scripting (XSS)
by security-news＠drupal.org 30 Apr '14

30 Apr '14

View online: https://drupal.org/node/2254853 * Advisory ID: DRUPAL-SA-CONTRIB-2014-046 * Project: Context Form Alteration [1] (third-party module) * Version: 7.x * Date: 2014-April-30 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Context Form Alteration module enables admins to alter forms via Context reactions. The module doesn't sufficiently sanitize user input entered within the Context configuration UI. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer contexts". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Context Form Alteration 7.x-1.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Context Form Alteration [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Context Form Alteration module for Drupal 7.x, upgrade to Context Form Alteration 7.x-1.2 [5] Also see the Context Form Alteration [6] project page. -------- REPORTED BY --------------------------------------------------------- * Eric Peterson [7] -------- FIXED BY ------------------------------------------------------------ * Josh Lind [8] the module maintainer. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] http://drupal.org/project/context_form_alteration [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/context_form_alteration [5] https://drupal.org/node/2253103 [6] http://drupal.org/project/context_form_alteration [7] http://drupal.org/user/1467594 [8] http://drupal.org/user/199720 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-044 - Professional Theme - Cross Site Scripting (XSS)
by security-news＠drupal.org 24 Apr '14

24 Apr '14

View online: https://drupal.org/node/2248145 * Advisory ID: DRUPAL-SA-CONTRIB-2014-044 * Project: Professional Theme [1] (third-party module) * Version: 7.x * Date: 2014-April-23 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Professional Theme is a modern and professional Drupal theme. The theme does not sufficiently sanitize theme settings input for custom copyright information This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Professional Theme for 7.x prior to 7.x-2.04 Drupal core is not affected. If you do not use the contributed Professional Theme [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Professional Theme for Drupal 7.x, upgrade to 7.x-2.04 [5] Also see the Professional Theme [6] project page. -------- REPORTED BY --------------------------------------------------------- * Dennis Walgaard [7] -------- FIXED BY ------------------------------------------------------------ * Matt Heinke [8] the theme maintainer * Dennis Walgaard [9] -------- COORDINATED BY ------------------------------------------------------ * Matt Kleve [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] http://drupal.org/project/professional_theme [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/professional_theme [5] http://drupal.org/node/2248095 [6] http://drupal.org/project/professional_theme [7] http://drupal.org/user/36463 [8] http://drupal.org/user/615306 [9] http://drupal.org/user/36463 [10] http://drupal.org/user/150473 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-043 - Custom Search - Cross Site Scripting (XSS)
by security-news＠drupal.org 24 Apr '14

24 Apr '14

View online: https://drupal.org/node/2248077 * Advisory ID: DRUPAL-SA-CONTRIB-2014-043 * Project: Custom Search [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-April-23 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Custom Search module alters the default search box to provide some options like in advanced search, but directly in the search box. The module doesn't sanitize taxonomy vocabulary labels before display leading to a persistent cross site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that it requires the attacker to have the permission "administer taxonomy." -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Custom Search 6.x-1.x versions prior to 6.x-1.13. * Custom Search 7.x-1.x versions prior to 7.x-1.15. Drupal core is not affected. If you do not use the contributed Custom Search [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Custom Search module for Drupal 6.x, upgrade to Custom Search 6.x-1.13 [5] * If you use the Custom Search module for Drupal 7.x, upgrade to Custom Search 7.x-1.16 [6] Also see the Custom Search [7] project page. -------- REPORTED BY --------------------------------------------------------- * Dennis Walgaard [8] -------- FIXED BY ------------------------------------------------------------ * Dennis Walgaard [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] http://drupal.org/project/custom_search [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/custom_search [5] http://drupal.org/node/2247919 [6] http://drupal.org/node/2247921 [7] http://drupal.org/project/custom_search [8] http://drupal.org/user/883702 [9] http://drupal.org/user/883702 [10] http://drupal.org/user/36762 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-042 - Internationalization - Access Bypass
by security-news＠drupal.org 24 Apr '14

24 Apr '14

View online: https://drupal.org/node/2248073 * Advisory ID: DRUPAL-SA-CONTRIB-2014-042 * Project: Internationalization [1] (third-party module) * Version: 7.x * Date: 2014-April-23 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to build multilingual Drupal sites providing missing translation features for Drupal core. The module doesn't sufficiently check content access permissions and under certain circumstances allows users with the "access content" permission to see path aliases from unpublished nodes. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Internationalization 7.x-1.x versions prior to 7.x-1.11. Drupal core is not affected. If you do not use the contributed Internationalization [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Internationalization module for Drupal 7.x, upgrade to Internationalization 7.x-1.11 [5] Also see the Internationalization [6] project page. -------- REPORTED BY --------------------------------------------------------- * Hunter Fox [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Jose Reyero [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [9] of the Drupal Security Team * Mark Ferree [10] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] http://drupal.org/project/i18n [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/i18n [5] https://drupal.org/node/2242497 [6] http://drupal.org/project/i18n [7] http://drupal.org/user/426416 [8] http://drupal.org/user/4299 [9] http://drupal.org/user/426416 [10] http://drupal.org/user/76245 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-045 - Drupal Commons - Multiple Vulnerabilities
by security-news＠drupal.org 24 Apr '14

24 Apr '14

View online: https://drupal.org/node/2248171 * Advisory ID: DRUPAL-SA-CONTRIB-2014-045 * Project: Drupal Commons [1] (third-party module) * Version: 7.x * Date: 2014-April-23 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This SA contains two patches against Drupal Commons .... Views Bulk Operations Access Bypass Drupal commons comes with a view to moderate reported content, which is intended for authenticated users to view which content has been reported. Since it has hard coded VBO operations within the view, and Drupal Commons doesn't come with the VBO 'access_permissions' submodule enabled, all views bulk operations can be performed by anyone with access to the view. In its default setting, this allows users to delete content from other users and potentially ban other users from the site. .... Anonymous Users can view Wiki revisions regardless of group privacy Commons allows users of a group to edit a wiki created by anyone, regardless of edit permissions. It is supposed to refer back to the group permissions when creating this edit permission. However, the revisions permission hook allows anyone (anonymous or authenticated) to view revisions and diffs between revisions. This can potentially leak hidden data from groups a user does not otherwise have access to. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal Commons 7.x-3.x versions prior to 7.x-3.10. Drupal core is not affected. If you do not use the contributed Drupal Commons [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Drupal Commons distribution for Drupal 7.x, upgrade to Drupal Commons 7.x-3.10 [5] Also see the Drupal Commons [6] project page. -------- REPORTED BY --------------------------------------------------------- * Ezra Gildesgame [7] * Jakub Suchy [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Jakob Perry [9] the module maintainer * Devin Carlson [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Ben Jeavons [11] of the Drupal Security Team * David Stoline [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [17] [1] http://drupal.org/project/commons [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/commons [5] https://drupal.org/node/2248299 [6] http://drupal.org/project/commons [7] https://drupal.org/user/69959 [8] https://drupal.org/user/31977 [9] https://drupal.org/user/45640 [10] https://drupal.org/user/290182 [11] https://drupal.org/user/91990 [12] https://drupal.org/user/329570 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration [17] https://twitter.com/drupalsecurity

1 0

SA-CORE-2014-002 - Drupal core - Information Disclosure
by security-news＠drupal.org 17 Apr '14

17 Apr '14

View online: https://drupal.org/SA-CORE-2014-002 * Advisory ID: DRUPAL-SA-CORE-2014-002 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2014-April-16 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server. When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable. This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable. *Note:* This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by Drupal or by an external system). See the Drupal 6.31 release notes [3] and Drupal 7.27 release notes [4] for more information. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [5] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 6.x versions prior to 6.31. * Drupal core 7.x versions prior to 7.27. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 6.x, upgrade to Drupal 6.31 [6] * If you use Drupal 7.x, upgrade to Drupal 7.27 [7] Also see the Drupal core [8] project page. -------- REPORTED BY --------------------------------------------------------- * Daniel F. Kudwien [9] * Rodionov Igor [10] * Ryan Szrama [11] * Roman Zimmermann [12] * znerol [13] -------- FIXED BY ------------------------------------------------------------ * znerol [14] * Roman Zimmermann [15] * Ryan Szrama [16] * Additional assistance and reviews provided by Daniel F. Kudwien [17], Damien Tournoud [18] of the Drupal Security Team, David Rothstein [19] of the Drupal Security Team, and Alex Bronstein [20] -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [21] of the Drupal Security Team * David Rothstein [22] of the Drupal Security Team * Peter Wolanin [23] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [24]. Learn more about the Drupal Security team and their policies [25], writing secure code for Drupal [26], and securing your site [27]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [28] [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/drupal-6.31-release-notes [4] http://drupal.org/drupal-7.27-release-notes [5] http://cve.mitre.org/ [6] https://drupal.org/drupal-6.31-release-notes [7] https://drupal.org/drupal-7.27-release-notes [8] http://drupal.org/project/drupal [9] https://drupal.org/user/54136 [10] https://drupal.org/user/234004 [11] https://drupal.org/user/49344 [12] https://drupal.org/user/865256 [13] https://drupal.org/user/63999 [14] https://drupal.org/user/63999 [15] https://drupal.org/user/865256 [16] https://drupal.org/user/49344 [17] https://drupal.org/user/54136 [18] https://drupal.org/user/22211 [19] http://drupal.org/user/124982 [20] https://drupal.org/user/78040 [21] http://drupal.org/user/102818 [22] http://drupal.org/user/124982 [23] http://drupal.org/user/49851 [24] http://drupal.org/contact [25] http://drupal.org/security-team [26] http://drupal.org/writing-secure-code [27] http://drupal.org/security/secure-configuration [28] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-041 - Block Search - SQL Injection
by security-news＠drupal.org 16 Apr '14

16 Apr '14

View online: https://drupal.org/node/2242463 * Advisory ID: DRUPAL-SA-CONTRIB-2014-041 * Project: Block Search [1] (third-party module) * Version: 6.x * Date: 2014-April-16 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- Block Search module provides an alternative way of managing blocks. The module doesn't properly use Drupal's database API resulting in user-provided strings being passed directly to the database allowing SQL Injection. This vulnerability is mitigated by the fact that an attacker must either use a CSRF attack against a user with sufficient permissions or have a role with the permission "admin blocks" or "set region". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Block Search All versions. Drupal core is not affected. If you do not use the contributed Block Search [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ No patch nor updated version is available. Site administrators should disable the module. Also see the Block Search [5] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [12] [1] http://drupal.org/project/block_search [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/block_search [5] http://drupal.org/project/block_search [6] http://drupal.org/user/36762 [7] http://drupal.org/user/36762 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration [12] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-040 - Skeleton theme - Cross Site Scripting
by security-news＠drupal.org 09 Apr '14

09 Apr '14

View online: https://drupal.org/node/2236821 * Advisory ID: DRUPAL-SA-CONTRIB-2014-040 * Project: Skeleton [1] (third-party theme) * Version: 7.x * Date: 2014-April-09 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Skeleton theme is a responsive Drupal theme, built upon the Skeleton Boilerplate. The Skeleton theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * skeletontheme-7.x-1.2 * skeletontheme-7.x-1.3 Drupal core is not affected. If you do not use the contributed Skeleton [4] theme, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Skeleton theme 7.x-1.2 or 7.x-1.3 for Drupal 7.x, upgrade to Skeleton theme 7.x-1.4. [5] Also see the Skeleton [6] project page. -------- REPORTED BY --------------------------------------------------------- * Dennis Walgaard [7] -------- FIXED BY ------------------------------------------------------------ * George Tsopouridis [8] the theme maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] http://drupal.org/project/skeletontheme [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/skeletontheme [5] https://drupal.org/node/2236259 [6] http://drupal.org/project/skeletontheme [7] https://drupal.org/user/883702 [8] http://drupal.org/user/829430 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0