View online: https://drupal.org/node/2275675
* Advisory ID: DRUPAL-SA-CONTRIB-2014-058
* Project: Webserver authentication [1] (third-party module)
* Version: 7.x
* Date: 2014-May-28
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module allows you to delegate user authentication to the web server.
The module can be configured to automatically create users that have been
authenticated by the web server.
A configuration variable did not have consistent default values in the code,
meaning that on a new install users would be created by default even though
the configuration screen suggested otherwise.
This vulnerability is mitigated by the fact that the issue is only present if
the site owner has not saved the configuration page, and it is very common to
configure a module after installing it.
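The defect class described above, as an added example that is not the webserver_auth module's own code: two code paths read one setting with different fallback defaults, followed by the shape of a fix. All example_* names and the 'example_create_users' variable are hypothetical.

```php
<?php
/**
 * Added example (not the webserver_auth module's code). Every example_* name
 * and the 'example_create_users' variable are hypothetical.
 */

// ---- Before ------------------------------------------------------------
// The settings screen renders the checkbox unchecked (default FALSE) while the
// login path falls back to TRUE. Until the form is saved nothing is stored in
// {variable}, so a fresh install silently creates accounts.

function example_settings_form_before($form, &$form_state) {
  $form['example_create_users'] = array(
    '#type' => 'checkbox',
    '#title' => t('Create accounts for users authenticated by the web server'),
    '#default_value' => variable_get('example_create_users', FALSE),
  );
  return system_settings_form($form);
}

function example_login_before($name) {
  $account = user_load_by_name($name);
  if (!$account && variable_get('example_create_users', TRUE)) {
    $account = example_create_account($name);
  }
  return $account;
}

// ---- After -------------------------------------------------------------
// One constant is the only place the default lives, and hook_install() (in the
// module's .install file) persists it so the stored value and the screen agree
// from the first request.

define('EXAMPLE_CREATE_USERS_DEFAULT', FALSE);

/**
 * Implements hook_install().
 */
function example_install() {
  variable_set('example_create_users', EXAMPLE_CREATE_USERS_DEFAULT);
}

/**
 * Implements hook_uninstall().
 */
function example_uninstall() {
  variable_del('example_create_users');
}

/**
 * Single accessor so no caller can pick its own fallback.
 */
function example_create_users_enabled() {
  return (bool) variable_get('example_create_users', EXAMPLE_CREATE_USERS_DEFAULT);
}

function example_settings_form($form, &$form_state) {
  $form['example_create_users'] = array(
    '#type' => 'checkbox',
    '#title' => t('Create accounts for users authenticated by the web server'),
    '#default_value' => example_create_users_enabled(),
  );
  return system_settings_form($form);
}

function example_login($name) {
  $account = user_load_by_name($name);
  if (!$account && example_create_users_enabled()) {
    $account = example_create_account($name);
  }
  return $account;
}

/**
 * Creates an active account with a random local password; the web server
 * stays the authority for authentication, and the event is logged.
 */
function example_create_account($name) {
  $edit = array(
    'name' => $name,
    'pass' => user_password(),
    'status' => 1,
  );
  $account = user_save(NULL, $edit);
  watchdog('example', 'Auto-created account %name after web server authentication.',
    array('%name' => $name), WATCHDOG_NOTICE);
  return $account;
}
```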
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Webserver authentication before version 7.x-1.4
Drupal core is not affected. If you do not use the contributed Webserver
authentication [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the webserver_auth module for Drupal 7.x, upgrade to
webserver_auth 7.x-1.4 [5]
Also see the Webserver authentication [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Monika Danielsson [7]
-------- FIXED BY
------------------------------------------------------------
* Tom Dean [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/webserver_auth
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/webserver_auth
[5] https://drupal.org/node/2274401
[6] http://drupal.org/project/webserver_auth
[7] http://drupal.org/user/77563
[8] http://drupal.org/user/77568
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/PSA-2014-002
* Advisory ID: DRUPAL-PSA-2014-002
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2014-May-21
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This is a public service announcement regarding the "access site reports"
permission (labeled as "View site reports" in the Drupal 7 administrative
interface) provided by Drupal 6 and 7 core.
This permission allows users to see logs (for example, those provided by the
core Database Logging module) and other reports via the administrative
interface of a Drupal site. Due to the nature of the data logged by various
core and contributed modules, users with this permission can see information
in the logs that they otherwise may not have access to (for example, the
titles of nodes that are restricted by node access).
As such:
* This permission should be granted to trusted site administrators only. It
is now listed as an advanced permission at
https://drupal.org/security-advisory-policy [3], and a future release of
Drupal 7 core will mark it as restricted on the permissions page as well.
* Developers may freely use Drupal's watchdog() function to log relevant
information about the actions they are performing (without worrying about
minor information disclosure or access bypass issues). However, care
should still be taken to only log what is necessary. For example, logging
extremely sensitive information such as plain-text user passwords (see
SA-CONTRIB-2010-091 [4]) would still be considered a security issue
because plain-text passwords should never be saved or displayed anywhere
on the site.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [5] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Drupal 6 and Drupal 7 core.
-------- SOLUTION
------------------------------------------------------------
Only grant trusted site administrators the "access site reports"/"View site
reports" permission.
Also see the Drupal core [6] project page.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [11]
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] https://drupal.org/security-advisory-policy
[4] https://drupal.org/node/912412
[5] http://cve.mitre.org/
[6] http://drupal.org/project/drupal
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
[11] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2271839
* Advisory ID: DRUPAL-SA-CONTRIB-2014-057
* Project: Password policy [1] (third-party module)
* Version: 7.x
* Date: 2014-May-21
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: General logic error
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to define password policies with various constraints
on allowable user passwords. The history constraint, when enabled, disallows
a user's password from being changed to match a specified number of their
previous passwords.
Beginning with Password Policy 7.x-1.4, the history constraint had no effect
when enabled: user passwords could be changed to match any previous password
other than the most recent one. Therefore, passwords changed since Password
Policy 7.x-1.4 or later was installed may match previous passwords, in
violation of the history constraint.
This vulnerability is mitigated by the fact that it only affects users
covered by a password policy with the history constraint enabled.
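A password-history check of the kind the history constraint performs, as an added example that is not the Password Policy module's own code. The example_* names, the history table and the depth variable are hypothetical; the Drupal 7 APIs used (user_check_password(), db_select(), form_set_error()) are core.

```php
<?php
/**
 * Added example (not the Password Policy module's code). The example_* names,
 * the {example_password_history} table and the depth variable are hypothetical.
 */

// Drupal 7 keeps its hashing API in includes/password.inc, which is not loaded
// on every request.
require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');

/**
 * Loads the stored hashes for $uid, most recent first.
 */
function example_load_password_history($uid, $depth) {
  return db_select('example_password_history', 'h')
    ->fields('h', array('pass'))
    ->condition('uid', $uid)
    ->orderBy('changed', 'DESC')
    ->range(0, $depth)
    ->execute()
    ->fetchCol();
}

/**
 * Returns TRUE if $new_password matches any of the $depth most recent hashes.
 *
 * The failure mode in the advisory is equivalent to comparing against only
 * the first entry, i.e. array_slice($history, 0, 1): every older password is
 * then accepted again. The loop below compares against the whole window.
 */
function example_password_in_history($new_password, array $history, $depth) {
  foreach (array_slice($history, 0, $depth) as $hash) {
    // user_check_password() reads the hash from $account->pass; a stdClass
    // stand-in carrying only that property is enough for the comparison.
    $account = (object) array('pass' => $hash);
    if (user_check_password($new_password, $account)) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Validation handler to attach to a password-changing form.
 */
function example_password_history_validate($form, &$form_state) {
  global $user;
  // Hypothetical policy setting: how many previous passwords are forbidden.
  $depth = (int) variable_get('example_password_history_depth', 3);
  if ($depth < 1 || empty($form_state['values']['pass'])) {
    return;
  }
  $history = example_load_password_history($user->uid, $depth);
  if (example_password_in_history($form_state['values']['pass'], $history, $depth)) {
    form_set_error('pass', t('The new password may not match any of your last @n passwords.',
      array('@n' => $depth)));
  }
}
```

The advisory's second remediation step follows from this: a fix to the check cannot repair history rows that were never enforced, so affected users still have to be made to change their passwords.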
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Password policy 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Password
policy [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
1) Install the latest version:
* If you use the Password policy module for Drupal 7.x, upgrade to
Password policy 7.x-1.6 [5]
2) Force a password change for all users covered by a password policy with
the history constraint enabled.
Also see the Password policy [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* AohRveTPV [7]
-------- FIXED BY
------------------------------------------------------------
* Alberto García Lamela [8]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/password_policy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/password_policy
[5] https://drupal.org/node/2271835
[6] http://drupal.org/project/password_policy
[7] https://drupal.org/user/2760115
[8] https://drupal.org/user/1205082
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2271823
* Advisory ID: DRUPAL-SA-CONTRIB-2014-056
* Project: Commerce Moneris [1] (third-party module)
* Version: 7.x
* Date: 2014-May-21
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
Commerce Moneris is a payment module that integrates the Moneris payment
system with Drupal Commerce [3].
The module stores credit card data in a commerce order object unnecessarily
for the purpose of passing the credit card information to the payment
gateway. The credit card information is never removed from the order object
and is later saved in the clear as serialized data in the database.
This vulnerability is mitigated by the fact that an attacker must have access
to the database or the ability to execute PHP to output the raw or
unserialized data from the commerce order.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Moneris 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Commerce
Moneris [5] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Moneris module for Drupal 7.x, upgrade to
Commerce Moneris 7.x-1.4 [6]
Also see the Commerce Moneris [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ryan Szrama [8]
-------- FIXED BY
------------------------------------------------------------
* Scott Reeves [9], module co-maintainer
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [10] of the Drupal Security Team
* Klaus Purer [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/commerce_moneris
[2] http://drupal.org/security-team/risk-levels
[3] https://drupal.org/project/commerce
[4] http://cve.mitre.org/
[5] http://drupal.org/project/commerce_moneris
[6] https://drupal.org/node/2271789
[7] http://drupal.org/project/commerce_moneris
[8] https://drupal.org/user/49344
[9] https://drupal.org/user/1167326
[10] https://drupal.org/user/680072
[11] https://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2271837
* Advisory ID: DRUPAL-SA-CONTRIB-2014-055
* Project: Require Login [1] (third-party module)
* Version: 7.x
* Date: 2014-May-21
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to restrict access to a site for all
non-authenticated users.
The module does not protect the front page, thereby exposing any sensitive
information on the front page to anonymous users.
This vulnerability is mitigated by the fact that it only exposes private or
sensitive information that is placed on the site's front page.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Login Redirect 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Require Login
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Require Login module for Drupal 7.x, upgrade to Require
Login 7.x-1.1 [5]
Also see the Require Login [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Eelke Blok [7]
-------- FIXED BY
------------------------------------------------------------
* Eelke Blok [8]
* Jeffrey C. [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/require_login
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/require_login
[5] https://drupal.org/node/2271413
[6] http://drupal.org/project/require_login
[7] https://drupal.org/user/423078
[8] https://drupal.org/user/423078
[9] https://drupal.org/user/1290564
[10] https://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2271809
* Advisory ID: DRUPAL-SA-CONTRIB-2014-054
* Project: Views [1] (third-party module)
* Version: 7.x
* Date: 2014-May-21
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content, users, taxonomy terms and other data
are presented.
The module doesn't sufficiently check handler access when returning the list
of handlers from view_plugin_display::get_handlers(). The most critical code
(access plugins and field output) is unaffected - only area handlers, the
get_field_labels() method, token replacement, and some relationship handling
are susceptible.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Views 7.x-3.x versions prior to 7.x-3.8.
Drupal core is not affected. If you do not use the contributed Views [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.8 [5]
Also see the Views [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tim Plunkett [7]
-------- FIXED BY
------------------------------------------------------------
* Tim Plunkett [8] and Daniel Wehner [9], the module maintainers
* David Snopek [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/views
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/views
[5] https://drupal.org/node/2271305
[6] http://drupal.org/project/views
[7] https://drupal.org/user/241634
[8] https://drupal.org/user/241634
[9] https://drupal.org/user/99340
[10] https://drupal.org/user/266527
[11] https://drupal.org/user/266527
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2267539
* Advisory ID: DRUPAL-SA-CONTRIB-2014-053
* Project: Field API Tab Editor [1] (third-party module)
* Version: 7.x
* Date: 2014-May-14
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module allows each entity field to be individually edited via its own
custom page, accessible via a tab on the entity's page.
The module returns an incorrect value to hook_menu if the current user does
not have access to edit the entity. This allows users who would not normally
have access to edit the entity to edit any fields that are enabled via this
module.
The problem is mitigated by the fact that a site builder must enable the
custom edit page for the fields; that configuration is neither the default
nor automatic.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Field API Tab Editor (FATE) 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Field API Tab
Editor [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Field API Tab Editor (FATE) module for Drupal 7.x, upgrade
to Field API Tab Editor (FATE) v7.x-1.1 [5].
Also see the Field API Tab Editor [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Damien McKenna [7], the module's maintainer.
-------- FIXED BY
------------------------------------------------------------
* Damien McKenna [8], the module's maintainer.
* Bob Kepford [9], a reviewer.
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10], of the Drupal Security Team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/fate
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fate
[5] https://drupal.org/node/2267527
[6] http://drupal.org/project/fate
[7] http://drupal.org/user/108450
[8] http://drupal.org/user/108450
[9] http://drupal.org/user/212517
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2267485
* Advisory ID: DRUPAL-SA-CONTRIB-2014-052
* Project: Addressfield Tokens [1] (third-party module)
* Version: 7.x
* Date: 2014-May-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The AddressField Tokens module extends the addressfield module by adding
token support. It also adds some convenient addressfield formatters and
provides Webform addressfield integration.
The module does not properly filter address field values, resulting in a
Cross Site Scripting (XSS) vulnerability which can be leveraged by any user
that can edit an addressfield on a site displaying that field using the
"address components" field formatter.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create or edit an AddressField field (e.g. create or
edit a node).
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* AddressField Tokens 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Addressfield
Tokens [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* Upgrade to addressfield_tokens-7.x-1.4 [5]
Also see the Addressfield Tokens [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Josh Benner [7]
-------- FIXED BY
------------------------------------------------------------
* Mark Casias [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/addressfield_tokens
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/addressfield_tokens
[5] https://drupal.org/node/2267475
[6] http://drupal.org/project/addressfield_tokens
[7] http://drupal.org/user/150069
[8] http://drupal.org/user/206687
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2267481
* Advisory ID: DRUPAL-SA-CONTRIB-2014-051
* Project: Realname registration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-05-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to generate usernames based on fields filled out by
the user during registration. The module doesn't sufficiently restrict access
to the settings for determining which user fields are incorporated into
usernames, and doesn't properly validate generated user names.
Any user with the "access administration pages" permission can change which
fields are used to generate this name. This may publicly expose user profile
fields intended to be kept private. This vulnerability is mitigated by the
fact that an attacker must have a role with the permission "access
administration pages".
In addition, generated user names are not passed through the core function
user_validate_name(). This vulnerability is mitigated by the fact that it
only impacts custom modules or themes which do not properly filter usernames
through check_plain() before displaying them.
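An added example addressing both defects above: a dedicated, restricted permission guarding the field-selection settings, and user_validate_name() applied to every generated name. This is not the Realname registration module's code; the example_realname_* names, the 'example_realname_fields' variable and the registration field keys are hypothetical.

```php
<?php
/**
 * Added example (not the Realname registration module's code). The
 * example_realname_* names, the 'example_realname_fields' variable and the
 * registration field keys (first_name, last_name) are hypothetical.
 */

/**
 * Implements hook_permission().
 *
 * 'access administration pages' only gates the admin landing pages and is
 * commonly handed to editors; a setting that decides which profile data
 * becomes public needs its own permission, flagged as restricted.
 */
function example_realname_permission() {
  return array(
    'administer example realname' => array(
      'title' => t('Administer generated usernames'),
      'description' => t('Choose which registration fields are combined into usernames.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function example_realname_menu() {
  $items['admin/config/people/example-realname'] = array(
    'title' => 'Generated usernames',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_realname_settings_form'),
    // Weak form of the pattern the advisory describes:
    // 'access arguments' => array('access administration pages'),
    'access arguments' => array('administer example realname'),
  );
  return $items;
}

function example_realname_settings_form($form, &$form_state) {
  $form['example_realname_fields'] = array(
    '#type' => 'textfield',
    '#title' => t('Registration fields to combine (comma separated)'),
    '#default_value' => variable_get('example_realname_fields', 'first_name,last_name'),
  );
  return system_settings_form($form);
}

/**
 * Builds a username from submitted values, or returns NULL and sets $error.
 */
function example_realname_generate(array $values, &$error = NULL) {
  $fields = array_map('trim', explode(',', variable_get('example_realname_fields', 'first_name,last_name')));
  $parts = array();
  foreach ($fields as $field) {
    if (isset($values[$field]) && drupal_strlen(trim($values[$field]))) {
      $parts[] = trim($values[$field]);
    }
  }
  $name = drupal_substr(implode(' ', $parts), 0, USERNAME_MAX_LENGTH);
  // user_validate_name() returns an error string or NULL; it rejects empty
  // names, leading/trailing spaces, control characters and over-long names.
  $error = user_validate_name($name);
  if ($error) {
    return NULL;
  }
  // Refuse collisions instead of silently picking a different name.
  if (db_query('SELECT 1 FROM {users} WHERE LOWER(name) = LOWER(:name)',
      array(':name' => $name))->fetchField()) {
    $error = t('The generated username %name is already in use.', array('%name' => $name));
    return NULL;
  }
  return $name;
}

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form.
 */
function example_realname_form_user_register_form_alter(&$form, &$form_state) {
  // Run before core's own validators so the generated name is in place.
  array_unshift($form['#validate'], 'example_realname_register_validate');
}

function example_realname_register_validate($form, &$form_state) {
  $name = example_realname_generate($form_state['values'], $error);
  if ($name === NULL) {
    form_set_error('first_name', $error);
    return;
  }
  $form_state['values']['name'] = $name;
}
```

Validation here covers what core would reject; as the advisory notes, any custom module or theme that prints the name still has to pass it through check_plain() (theme_username() does this for you).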
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Realname Registration 6.x-2.x versions 6.x-2.0-rc5 and prior.
* Realname Registration 7.x-1.x and 7.x-2.x versions 7.x-2.0-rc2 and prior.
Drupal core is not affected. If you do not use the contributed Realname
registration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* If you use the Realname Registration module for Drupal 6.x, upgrade to
Realname Registration 6.x-2.0 [5]
* If you use the Realname Registration module for Drupal 7.x, upgrade to
Realname Registration 7.x-2.0 [6]
Also see the Realname registration [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Corks [8]
-------- FIXED BY
------------------------------------------------------------
* Steve Gerbino [9] and Matt Corks [10], the module maintainers
-------- COORDINATED BY
------------------------------------------------------
* Beth Binkovitz [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/realname_registration
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/realname_registration
[5] https://drupal.org/node/2267419
[6] https://drupal.org/node/2267429
[7] http://drupal.org/project/realname_registration
[8] http://drupal.org/user/15016
[9] http://drupal.org/user/877974
[10] http://drupal.org/user/15016
[11] http://drupal.org/user/161263
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2267381
* Advisory ID: DRUPAL-SA-CONTRIB-2014-050
* Project: Commerce Postfinance ePayment [1] (third-party module)
* Version: 7.x
* Date: 2014-May-14
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Commerce Postfinance ePayment module provides commerce payment methods
for the Postfinance e-Payment service provider.
The module doesn't sufficiently validate incoming payment notification (IPN)
messages. Sending a specifically crafted IPN message to an affected site
allows an attacker to create transactions and manipulate the status of an
order. This has the potential to allow an attacker to complete the purchase
of items without actually paying for them.
This vulnerability is partially mitigated by the fact that an attack is
identifiable by comparing the transaction log from the payment service
provider with commerce orders on an affected site.
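Validating a PostFinance e-Payment (Ogone-style) server notification before it may touch an order, as an added example that is not the Commerce Postfinance ePayment module's code. The example_* names and the way the expected order values are passed in are assumptions; the SHA-OUT scheme (sort parameter names, concatenate NAME=value plus the shared passphrase for each non-empty parameter, hash) and the success status codes are the gateway's documented ones.

```php
<?php
/**
 * Added example (not the Commerce Postfinance ePayment module's code). The
 * example_* names and the $expected array layout are assumptions.
 */

/**
 * Recomputes the SHA-OUT signature for a set of callback parameters.
 */
function example_postfinance_sha_out(array $params, $passphrase, $algo = 'sha256') {
  $parts = array();
  foreach ($params as $name => $value) {
    $name = strtoupper($name);
    if ($name === 'SHASIGN' || $value === NULL || $value === '') {
      continue;
    }
    $parts[$name] = $value;
  }
  ksort($parts, SORT_STRING);
  $raw = '';
  foreach ($parts as $name => $value) {
    $raw .= $name . '=' . $value . $passphrase;
  }
  return strtoupper(hash($algo, $raw));
}

/**
 * Constant-time comparison; hash_equals() only exists from PHP 5.6.
 */
function example_constant_time_equals($known, $given) {
  if (!is_string($known) || !is_string($given) || strlen($known) !== strlen($given)) {
    return FALSE;
  }
  $diff = 0;
  for ($i = 0, $n = strlen($known); $i < $n; $i++) {
    $diff |= ord($known[$i]) ^ ord($given[$i]);
  }
  return $diff === 0;
}

/**
 * Returns TRUE only when the message is properly signed, refers to $expected
 * and carries at least the full amount in the right currency.
 *
 * @param array $params
 *   Raw callback parameters (for example $_POST).
 * @param string $passphrase
 *   The SHA-OUT passphrase configured in the gateway back office.
 * @param array $expected
 *   Local order data: 'order_id', 'amount' in major units (e.g. '12.50') and
 *   'currency_code'.
 */
function example_postfinance_ipn_is_trusted(array $params, $passphrase, array $expected) {
  $id = isset($params['orderID']) ? $params['orderID'] : '';
  $given = isset($params['SHASIGN']) ? strtoupper($params['SHASIGN']) : '';
  $computed = example_postfinance_sha_out($params, $passphrase);
  if ($given === '' || !example_constant_time_equals($computed, $given)) {
    watchdog('example_postfinance', 'Rejected unsigned or badly signed notification for order %id.',
      array('%id' => $id), WATCHDOG_WARNING);
    return FALSE;
  }
  // A valid signature proves the gateway sent the message, not that it belongs
  // to this order or that the buyer paid the full amount.
  if (!isset($params['amount'], $params['currency'])
      || (string) $id !== (string) $expected['order_id']
      || strtoupper($params['currency']) !== strtoupper($expected['currency_code'])
      || (int) round($params['amount'] * 100) < (int) round($expected['amount'] * 100)) {
    watchdog('example_postfinance', 'Notification for order %id does not match the local order.',
      array('%id' => $id), WATCHDOG_WARNING);
    return FALSE;
  }
  // Treat the payment as made only for the gateway's success statuses
  // (5 = authorised, 9 = payment requested).
  return isset($params['STATUS']) && in_array((int) $params['STATUS'], array(5, 9), TRUE);
}

// Constructed usage; $order would come from commerce_order_load() and the
// passphrase from the payment method settings.
// $trusted = example_postfinance_ipn_is_trusted($_POST, $passphrase, array(
//   'order_id' => $order->order_id, 'amount' => '12.50', 'currency_code' => 'CHF'));
```

The amount and order checks are what make the log comparison the advisory mentions unnecessary after the fact: a message that passes all three cannot complete an order for less than its value.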
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Postfinance ePayment 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Commerce
Postfinance ePayment [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Postfinance ePayment module for Drupal 7.x,
upgrade to Commerce Postfinance ePayment 7.x-1.5 [5]
Also see the Commerce Postfinance ePayment [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* znerol [7]
-------- FIXED BY
------------------------------------------------------------
* Rémy [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/commerce_postfinance
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/commerce_postfinance
[5] https://drupal.org/node/2266975
[6] http://drupal.org/project/commerce_postfinance
[7] https://drupal.org/user/63999
[8] https://drupal.org/user/1153644
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity