Security-news April 2014

security-news@drupal.org

1 participants
16 discussions

SA-CONTRIB-2014-039 - Revisioning - Access Bypass
by security-news＠drupal.org 09 Apr '14

09 Apr '14

View online: https://drupal.org/node/2236807 * Advisory ID: DRUPAL-SA-CONTRIB-2014-039 * Project: Revisioning [1] (third-party module) * Version: 7.x * Date: 2014-April-09 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to manage publication workflows whereby new, not publicly visible revisions of existing published content may be created by an author for review, while the current revision remains live to the public. The new revision does not go live until it is approved by a moderator with the necessary privileges to publish the new revision, replacing the old. The module didn't properly invoke access grants introduced by other contributed modules. Instead it gives "view" access to published content and does not enforce view access restrictions imposed by other modules. This vulnerability is mitigated by the fact that this is only an issue when your site uses modules that introduce additional access grants over and above core's access permissions, such as Taxonomy Access or Content Access. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Revisioning version 7.x-1.7 only Drupal core is not affected. If you do not use the contributed Revisioning [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Revisioning module 7.x-1.7, upgrade to 7.x-1.8 [5]. Revisioning 7.x-1.6 does not have the bug, but reverting to 7.x-1.6 naturally also means you miss out on any bug-fixes and features of version 7.x-1.7 Also see the Revisioning [6] project page. -------- REPORTED BY --------------------------------------------------------- * Ryan Jacobs [7] -------- FIXED BY ------------------------------------------------------------ * Rik de Boer [8], the module maintainer * Ryan Jacobs [9] -------- COORDINATED BY ------------------------------------------------------ * Mark Ferree [10] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] http://drupal.org/project/revisioning [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/revisioning [5] https://drupal.org/node/2235477 [6] http://drupal.org/project/revisioning [7] https://drupal.org/user/422459 [8] http://drupal.org/user/404007 [9] https://drupal.org/user/422459 [10] http://drupal.org/user/76245 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-038 - SimpleCorp theme - Cross Site Scripting
by security-news＠drupal.org 09 Apr '14

09 Apr '14

View online: https://drupal.org/node/2236811 * Advisory ID: DRUPAL-SA-CONTRIB-2014-038 * Project: SimpleCorp [1] (third-party theme) * Version: 7.x * Date: 2014-April-09 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- SimpleCorp theme is a free responsive Drupal theme. The SimpleCorp theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Simplecorp-7.x-1.0 Drupal core is not affected. If you do not use the contributed SimpleCorp [4] theme, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the SimpleCorp theme 7.x-1.0 for Drupal 7.x, upgrade to SimpleCorp theme 7.x-1.1. [5] Also see the SimpleCorp [6] project page. -------- REPORTED BY --------------------------------------------------------- * Dennis Walgaard [7] -------- FIXED BY ------------------------------------------------------------ * George Tsopouridis [8] the theme maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] http://drupal.org/project/simplecorp [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/simplecorp [5] https://drupal.org/node/2236255 [6] http://drupal.org/project/simplecorp [7] https://drupal.org/user/883702 [8] http://drupal.org/user/829430 [9] https://drupal.org/user/262198 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting
by security-news＠drupal.org 09 Apr '14

09 Apr '14

View online: https://drupal.org/node/2236797 * Advisory ID: DRUPAL-SA-CONTRIB-2014-037 * Project: BlueMasters [1] (third-party module) * Version: 7.x * Date: 2014-April-09 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Bluemasters is a responsive layout theme for Drupal 7. The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Bluemasters 7.x-2.x versions prior to 7.x-2.1. Drupal core is not affected. If you do not use the contributed BlueMasters [4] theme, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Bluemasters theme 7.x-2.0 for Drupal 7.x, upgrade to Bluemasters 7.x-2.1 [5]. Also see the BlueMasters [6] project page. -------- REPORTED BY --------------------------------------------------------- * Dennis Walgaard [7] -------- FIXED BY ------------------------------------------------------------ * George Tsopouridis [8] the theme maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] http://drupal.org/project/bluemasters [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/bluemasters [5] https://drupal.org/node/2236251 [6] http://drupal.org/project/bluemasters [7] https://drupal.org/user/883702 [8] http://drupal.org/user/829430 [9] https://drupal.org/user/262198 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-035 - CAS Server - Access Bypass
by security-news＠drupal.org 02 Apr '14

02 Apr '14

View online: https://drupal.org/node/2231663 * Advisory ID: DRUPAL-SA-CONTRIB-2014-035 * Project: CAS [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-April-02 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The cas_server module of the CAS project implements the CAS 1.0 and 2.0 specifications for providing a single sign-on to relying party web application (the "service" in CAS specs). The CAS server creates single-use tickets when serving a user's login request, which is subsequently deleted when the relying party validates the ticket. However, this successful validation will be cached if the Drupal page cache is enabled, and subsequent identical validations can be processed even though the single-use ticket has been deleted. A user's session on a relying party can be therefore be re-initialized via a session replay attack involving the cas_server module, even when the user deletes cookies and server-side sessions for both sites. This would require an attacker to sniff the service URL containing the ticket ID, such as with a non-SSL relying party, by protocol downgrade, or by accessing an earlier user's web activity on a public computer. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * CAS Server 6.x-2.x versions prior to 6.x-3.3. * CAS Server 7.x-2.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed CAS [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the CAS Server module for Drupal 6.x, upgrade to CAS Server 6.x-3.3 [5] * If you use the CAS Server module for Drupal 7.x, upgrade to CAS Server 7.x-1.3 [6] Also see the CAS [7] project page. -------- REPORTED BY --------------------------------------------------------- * Eric Searcy [8] * Greg Knaddison [9] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Eric Searcy [10] * Tim Yale [11], the module maintainer * Greg Knaddison [12] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [13] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [18] [1] http://drupal.org/project/cas [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/cas [5] https://drupal.org/node/2231659 [6] https://drupal.org/node/2231657 [7] http://drupal.org/project/cas [8] http://drupal.org/user/137284 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/137284 [11] http://drupal.org/user/2413764 [12] http://drupal.org/user/36762 [13] http://drupal.org/user/36762 [14] http://drupal.org/contact [15] http://drupal.org/security-team [16] http://drupal.org/writing-secure-code [17] http://drupal.org/security/secure-configuration [18] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-034 - Custom Search - Cross Site Scripting
by security-news＠drupal.org 02 Apr '14

02 Apr '14

View online: https://drupal.org/node/2231665 * Advisory ID: DRUPAL-SA-CONTRIB-2014-034 * Project: Custom Search [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-April-02 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Custom Search module alters the default search box to provide additional search filtering options and control. Custom Search contains a persistent cross-site scripting (XSS) vulnerability due to the fact that it fails to sanitize filter labels before display. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom search." -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Custom Search 6.x-1.x versions prior to 6.x-1.12. * Custom Search 7.x-1.x versions prior to 7.x-1.14. Drupal core is not affected. If you do not use the contributed Custom Search [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Custom Search module for Drupal 6.x, upgrade to Custom Search 6.x-1.12 [5] * If you use the Custom Search module for Drupal 7.x, upgrade to Custom Search 7.x-1.14 [6] Also see the Custom Search [7] project page. -------- REPORTED BY --------------------------------------------------------- * Justin C. Klein Keane [8] -------- FIXED BY ------------------------------------------------------------ * Justin C. Klein Keane [9] * Jérôme Danthinne [10], module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team * Ben Jeavons [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [17] [1] http://drupal.org/project/custom_search [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/custom_search [5] https://drupal.org/node/2231533 [6] https://drupal.org/node/2231531 [7] http://drupal.org/project/custom_search [8] http://drupal.org/user/302225 [9] http://drupal.org/user/302225 [10] https://drupal.org/user/313766 [11] https://drupal.org/user/36762 [12] http://drupal.org/user/91990 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration [17] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-036 - Print - Cross Site Scripting
by security-news＠drupal.org 02 Apr '14

02 Apr '14

View online: https://drupal.org/node/2231671 * Advisory ID: DRUPAL-SA-CONTRIB-2014-036 * Project: Printer, email and PDF versions [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-April-02 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module does not sufficiently sanitize user provided input when generating the printed version of a node. This is mitigated by the fact that an attacker must have permission to create a node which offers the print functionality. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.19. * Printer, email and PDF versions 7.x-1.x versions prior to 7.x-1.3. * Printer, email and PDF versions 7.x-2.x versions prior to 7.x-2.0. Drupal core is not affected. If you do not use the contributed Printer, email and PDF versions [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Printer, email and PDF versions module for Drupal 6.x, upgrade to print 6.x-1.19 [5] * If you use the Printer, email and PDF versions module for Drupal 7.x, upgrade to print 7.x-1.3 [6] or print 7.x-2.0 [7] Also see the Printer, email and PDF versions [8] project page. -------- REPORTED BY --------------------------------------------------------- * Dinesh Waghmare [9] -------- FIXED BY ------------------------------------------------------------ * Dinesh Waghmare [10] * Cash Williams [11] provisional member of the Drupal Security Team * João Ventura [12] the module maintainer * Heine Deelstra [13] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Heine Deelstra [14] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [15]. Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [19] [1] http://drupal.org/project/print [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/print [5] https://drupal.org/node/2231191 [6] https://drupal.org/node/2231197 [7] https://drupal.org/node/2231199 [8] http://drupal.org/project/print [9] http://drupal.org/user/2279292 [10] http://drupal.org/user/2279292 [11] http://drupal.org/user/421070 [12] http://drupal.org/user/122464 [13] http://drupal.org/user/17943 [14] http://drupal.org/user/17943 [15] http://drupal.org/contact [16] http://drupal.org/security-team [17] http://drupal.org/writing-secure-code [18] http://drupal.org/security/secure-configuration [19] https://twitter.com/drupalsecurity

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news April 2014