View online: https://www.drupal.org/node/2328567
* Advisory ID: DRUPAL-SA-CONTRIB-2014-083
* Project: Rules Link [1] (third-party module)
* Version: 7.x
* Date: 2014-August-27
* Security risk: 9/25 (Less Critical) AC:Complex/A:Admin/CI:None/II:All/E:Theoretical/TD:25 [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module allows you to create links which trigger arbitrary functionality
with the help of the Rules module.
The module doesn't sufficiently sanitize the question and description strings
when confirmation forms are displayed for triggering Rules links.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer rules links".
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Rules Link 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Rules Link [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Rules Link module for Drupal 7.x, upgrade to Rules Link 7.x-1.1 [5]
Also see the Rules Link [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Klaus Purer [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Klaus Purer [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11],
writing secure code for Drupal [12], and securing your site [13].
[1] https://www.drupal.org/project/rules_link
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/rules_link
[5] https://www.drupal.org/node/2328549
[6] https://www.drupal.org/project/rules_link
[7] https://www.drupal.org/user/262198
[8] https://www.drupal.org/user/262198
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2324813
* Advisory ID: DRUPAL-SA-CONTRIB-2014-082
* Project: Marketo MA [1] (third-party module)
* Version: 7.x
* Date: 2014-08-20
* Security risk: 8/25 (Less Critical) AC:Basic/A:Admin/CI:None/II:None/E:Proof/TD:100 [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Marketo MA module adds Marketo marketing automation tracking capability
to your website as well as the ability to capture lead data during user
registration and via webform integration. It consists of a base module as
well as Marketo MA User Webform and Marketo MA User sub-modules.
-------- CROSS SITE SCRIPTING ------------------------------------------------
The Marketo MA Webform and Marketo MA User modules included with the Marketo
MA module incorrectly print field titles without proper sanitization thereby
opening a Cross Site Scripting (XSS) vulnerability.
The vulnerability in Marketo MA Webform is mitigated by the fact that an
attacker must have a permission which allows them to create Webform fields
("create webform content") and manage their Marketo relationship,
("administer marketo webform settings").
The vulnerability in Marketo MA User is mitigated by the fact that an
attacker must have a permission which allows them to create fields (such as
"administer users") and manage Marketo MA configuration ("administer
marketo").
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Marketo MA 7.x-1.3 and all earlier versions.
Drupal core is not affected. If you do not use the contributed Marketo MA [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Marketo MA module for Drupal 7.x, upgrade to Marketo MA 7.x-1.5 [5]
Also see the Marketo MA [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Matt Vance [7]
-------- FIXED BY ------------------------------------------------------------
* Matt Vance [8]
* Jeff Yokum [9] the module maintainer
* Francisco José Cruz Romanos [10] provisional member of Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Francisco José Cruz Romanos [11] provisional member of Drupal Security Team
* Rick Manelius [12] member of Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] https://www.drupal.org/project/marketo_ma
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/marketo_ma
[5] https://www.drupal.org/node/2324777
[6] https://www.drupal.org/project/marketo_ma
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/user/377457
[10] https://www.drupal.org/user/848238
[11] https://www.drupal.org/user/848238
[12] https://www.drupal.org/user/680072
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2324689
* Advisory ID: DRUPAL-SA-CONTRIB-2014-081
* Project: Site Banner [1] (third-party module)
* Version: 7.x
* Date: 2014-Aug-20
* Security risk: 12/25 (Moderately Critical) AC:Complex/A:Admin/CI:Some/II:Some/E:Proof/TD:75 [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Site Banner module enables you to display a banner at the top and bottom
of a Drupal site.
This module incorrectly prints existing context settings without proper
sanitization, opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer contexts" from the Context UI module.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Site Banner 7.x-4.x versions prior to 7.x-4.0.
* Site Banner 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Site Banner module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Site Banner module for Drupal 7.x, upgrade to Site Banner 7.x-4.1 [4]
Also see the Site Banner project page.
-------- REPORTED BY ---------------------------------------------------------
* Matt Vance [5] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Anthony Joseph [6] the module maintainer
* Matt Vance [7] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] https://www.drupal.org/project/site_banner
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/node/2324303
[5] https://www.drupal.org/user/88338
[6] https://www.drupal.org/user/2543514
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2324681
* Advisory ID: DRUPAL-SA-CONTRIB-2013-080
* Project: Social Stats [1] (third-party module)
* Version: 7.x
* Date: 2013-August-20
* Security risk: 8/25 (Less Critical) AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:100 [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Social Stats module enables you to collect statistics from various social
networks and use that data with the Views module as field data, sort
criteria, or filter criteria.
The module does not sufficiently filter user-supplied text that is stored in
the configuration, resulting in a persistent Cross Site Scripting
vulnerability (XSS).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "[Content Type]: Create new content".
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Social Stats 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Social Stats [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Social Stats module for Drupal 7.x, upgrade to 7.x-1.5 [5]
Also see the Social Stats [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Matt Vance [7]
-------- FIXED BY ------------------------------------------------------------
* Ajit Shinde [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* David Stoline [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] https://www.drupal.org/project/social_stats
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/social_stats
[5] https://www.drupal.org/node/2323983
[6] https://www.drupal.org/project/social_stats
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/981944
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/329570
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2324679
* Advisory ID: DRUPAL-SA-CONTRIB-2013-079
* Project: RedHen CRM [1] (third-party module)
* Version: 7.x
* Date: 2013-August-20
* Security risk: 7/25 (Less Critical) AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:100 [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The RedHen CRM project contains the redhen_dedup module which enables you to
find duplicate contacts in the CRM.
The redhen_dedup module doesn't sufficiently filter administrator-entered
text when deduping contacts, which creates a Cross Site Scripting (XSS)
vulnerability.
The vulnerability is mitigated by the fact that an attacker needs the
permission "administer redhen contacts".
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* RedHen CRM 7.x-1.x versions prior to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed RedHen CRM [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the RedHen CRM module for Drupal 7.x, upgrade to RedHen CRM 7.x-1.8 [5]
Also see the RedHen CRM [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Matt Vance [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Lev Tsypin [8] the module maintainer
* Matt Vance [9]
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* David Stoline [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] https://www.drupal.org/project/redhen
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/redhen
[5] https://www.drupal.org/node/2324317
[6] https://www.drupal.org/project/redhen
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/54135
[9] https://www.drupal.org/user/88338
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/329570
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2320741
* Advisory ID: DRUPAL-SA-CONTRIB-2014-078
* Project: Notify [1] (third-party module)
* Version: 7.x
* Date: 2014-August-13
* Security risk: 10/25 (Moderately Critical) AC:Complex/A:User/CI:Some/II:None/E:Proof/TD:75 [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The notify module allows users to subscribe to periodic emails which include
all new or revised content and/or comments of specific content types, much
like the daily newsletters sent by some websites.
The Notify module does not sufficiently check whether the user has access to
recently added or updated nodes and all the fields within the node before
including the nodes in notification emails to a given user. This will expose
node titles and potentially node teasers and fields to users who should not
see them.
This vulnerability is mitigated by the fact that a site must use some form of
access control and must be configured to include nodes with protected content
in notifications.
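How the class of bypass described in the Notify advisory arises and how a digest builder avoids it, as an added Drupal 7 example (not the Notify module's own code); the example_ names are hypothetical and $account is the recipient of the digest.

```php
<?php
// Added example, not the Notify module's code. example_* names are
// hypothetical; $since is a Unix timestamp, $account is the recipient.

/**
 * VULNERABLE: the query ignores node access entirely, so every recently
 * changed published node, and every field on it, ends up in the mail
 * regardless of what the recipient is allowed to see.
 */
function example_digest_nodes_vulnerable($since) {
  $nids = db_query('SELECT nid FROM {node} WHERE changed > :since AND status = 1',
    array(':since' => $since))->fetchCol();
  return node_load_multiple($nids);
}

/**
 * FIXED: tag the query with 'node_access' and tell the query alter hook
 * which account to evaluate grants for. Without the metadata it uses the
 * global $user, which during cron is usually anonymous or whoever ran cron,
 * not the person receiving the e-mail. Then re-check view access per node
 * and per field before rendering anything: node grants cover the node
 * itself, while field-level access modules are only consulted by
 * field_access().
 */
function example_digest_nodes_fixed($since, $account) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.changed', $since, '>')
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->addMetaData('account', $account);
  $nodes = node_load_multiple($query->execute()->fetchCol());

  $items = array();
  foreach ($nodes as $node) {
    if (!node_access('view', $node, $account)) {
      continue;
    }
    $item = array('title' => $node->title, 'fields' => array());
    foreach (field_info_instances('node', $node->type) as $field_name => $instance) {
      $field = field_info_field($field_name);
      if (field_access('view', $field, 'node', $node, $account)) {
        // Render array for the teaser display of this field only.
        $item['fields'][$field_name] = field_view_field('node', $node, $field_name, 'teaser');
      }
    }
    $items[$node->nid] = $item;
  }
  return $items;
}
```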
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Notify 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Notify [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Notify module for Drupal 7.x, upgrade to Notify 7.x-1.1 [5]
Also see the Notify [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* John Oltman [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Gisle Hannemyr [8] one of the module maintainers
* Matt Chapman [9] of the Drupal Security Team
* John Oltman [10] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] https://www.drupal.org/project/notify
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/notify
[5] https://www.drupal.org/node/2320693
[6] https://www.drupal.org/project/notify
[7] https://www.drupal.org/user/699926
[8] https://www.drupal.org/user/409554
[9] https://www.drupal.org/user/143172
[10] https://www.drupal.org/user/699926
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2320613
* Advisory ID: DRUPAL-SA-CONTRIB-2014-077
* Project: TableField [1] (third-party module)
* Version: 7.x
* Date: 2014-August-13
* Security risk: 12/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:25 [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to create a field attached to an entity which stores
tabular data. The module doesn't sufficiently sanitize the field help text
when presented to a privileged user.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer content types" or "administer taxonomy".
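The same output-escaping defect runs through the Rules Link, Marketo MA, Site Banner, Social Stats, RedHen CRM and TableField advisories above: text a privileged user entered through an admin form is later printed raw. The Drupal 7 snippets below are an added illustration of the common sinks and their escaped forms, not code from any of those modules; the example_ functions and the $link and $instance structures are hypothetical.

```php
<?php
// Added example (not code from any of the modules in these advisories):
// Drupal 7 output paths where admin-entered text is printed raw, each
// beside its escaped form. example_* names, $link and $instance are
// hypothetical stand-ins for a module's own configuration objects.

/**
 * VULNERABLE: confirm_form() hands $question to drupal_set_title() with
 * PASS_THROUGH and places $description in a '#markup' element, so neither
 * string is escaped for you. Text stored from an admin form is sent to
 * the browser exactly as entered.
 */
function example_link_confirm_form_vulnerable($form, &$form_state, $link) {
  return confirm_form($form, $link->question, 'admin/config/example', $link->description);
}

/**
 * FIXED: escape at the output boundary. check_plain() turns the title into
 * plain text; filter_xss_admin() keeps the HTML an administrator may
 * legitimately use in a description while removing scripts and event
 * handler attributes. Store the raw text; escape on display, not on save.
 */
function example_link_confirm_form_fixed($form, &$form_state, $link) {
  return confirm_form($form, check_plain($link->question), 'admin/config/example',
    filter_xss_admin($link->description));
}

/**
 * The same defect in a render array: a field help text or column title
 * concatenated into '#markup' is emitted verbatim.
 */
function example_help_text_vulnerable($instance) {
  return array('#markup' => '<div class="description">' . $instance['description'] . '</div>');
}

function example_help_text_fixed($instance) {
  return array('#markup' => '<div class="description">' . filter_xss_admin($instance['description']) . '</div>');
}

/**
 * And in t(): a "!" placeholder is inserted unescaped, "@" runs the value
 * through check_plain(), "%" additionally wraps it in <em>.
 */
function example_field_label_vulnerable($title) {
  return t('Field !title cannot be mapped.', array('!title' => $title));
}

function example_field_label_fixed($title) {
  return t('Field @title cannot be mapped.', array('@title' => $title));
}
```

The permission requirements listed in each advisory only narrow who can plant the payload; any role granted one of those permissions on a given site is the population to audit.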
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* TableField 7.x-2.x versions prior to 7.x-2.3.
* TableField versions for Drupal 6 are NOT affected.
Drupal core is not affected. If you do not use the contributed TableField [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the TableField module for Drupal 7.x, upgrade to TableField 7.x-2.3 [5]
Also see the TableField [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Matt V. [7]
-------- FIXED BY ------------------------------------------------------------
* Kevin Hankens [8] the module maintainer
* David Snopek [9] of the Drupal Security Team
* Matt V. [10]
-------- COORDINATED BY ------------------------------------------------------
* David Snopek [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] https://www.drupal.org/project/tablefield
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/tablefield
[5] https://www.drupal.org/node/2320027
[6] https://www.drupal.org/project/tablefield
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/u/kevin-hankens
[9] https://www.drupal.org/user/266527
[10] https://www.drupal.org/user/88338
[11] https://www.drupal.org/user/266527
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2316747
* Advisory ID: DRUPAL-SA-CONTRIB-2014-076
* Project: Fasttoggle [1] (third-party module)
* Version: 7.x
* Date: 2014-August-06
* Security risk: 11/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:25 [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to quickly toggle various user, node and field
related settings via ajax links.
The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the
access control which doesn't correctly implement support for the user status
(allow/block) link.
This vulnerability is mitigated by the fact that the administrator must
enable the link in the fasttoggle configuration and allow user profiles to be
viewed by anonymous or logged in users. For user 1 to be affected, the
administrator must also enable the fasttoggle setting that allows that
account to be blocked via fasttoggle.
All uses of the Fasttoggle module are logged, so any invocations of the
exploit will be recorded. Accounts can only be blocked or unblocked via the
exploit.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
Drupal core is not affected. If you do not use the contributed Fasttoggle [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Fasttoggle module for Drupal 7.x, upgrade to Fasttoggle 7.x-1.5 [5]
Also see the Fasttoggle [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Laura Hild [7]
-------- FIXED BY ------------------------------------------------------------
* Nigel Cunningham [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Neil Drumm [9] of the Drupal Security Team
* David Stoline [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/fasttoggle
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fasttoggle
[5] https://www.drupal.org/node/2316065
[6] http://drupal.org/project/fasttoggle
[7] https://www.drupal.org/user/760454
[8] https://www.drupal.org/user/250105
[9] https://www.drupal.org/user/3064
[10] https://www.drupal.org/u/dstol
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2316717
* Advisory ID: DRUPAL-SA-CONTRIB-2014-075
* Project: Biblio Autocomplete [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-08-06
* Security risk: 23/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Exploit/TD:100 [2]
* Vulnerability: Access bypass, SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
This module provides functionality for AJAX based auto-completion of fields
in the Biblio node type (provided by the Biblio module) using previously
entered values and third party services.
The submodule "Biblio self autocomplete" for previously entered values
doesn't sufficiently sanitize user input as it is used in a database query.
Additionally, the AJAX autocompletion callback itself was not properly
secured, thus potentially allowing any visitor access to the data, including
the anonymous user.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
Drupal core is not affected. If you do not use the contributed Biblio Autocomplete [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Biblio Autocomplete module for Drupal 6.x, upgrade to Biblio Autocomplete 6.x-1.1 [5].
* If you use the Biblio Autocomplete module for Drupal 7.x, upgrade to Biblio Autocomplete 7.x-1.5 [6].
Additionally there is a new permission "access biblio autocomplete" for
accessing the search. You need to give this permission to users with write
permissions on Biblio nodes.
Also see the Biblio Autocomplete [7] project page.
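An added Drupal 7 illustration of the two defects this advisory describes, an autocomplete path reachable by anyone and a query assembled from the typed prefix, beside the fixed form that gates the path with the new "access biblio autocomplete" permission and binds the input. This is not the module's code; the example_ names, the menu path and the column whitelist are hypothetical.

```php
<?php
// Added example, not the Biblio Autocomplete module's code. example_*
// names, the 'biblio/autocomplete/%' path and the column whitelist are
// hypothetical; the permission name is the one the advisory introduces.

/**
 * VULNERABLE: the path is open to every visitor, and the callback splices
 * the column name and the typed prefix straight into the SQL string.
 * Drupal passes path components beyond the registered path as extra
 * arguments, so the typed text arrives as $string.
 */
function example_menu_vulnerable() {
  $items['biblio/autocomplete/%'] = array(
    'page callback' => 'example_autocomplete_vulnerable',
    'page arguments' => array(2),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_autocomplete_vulnerable($field, $string = '') {
  $result = db_query("SELECT DISTINCT $field FROM {biblio} WHERE $field LIKE '$string%' LIMIT 10");
  $matches = array();
  foreach ($result->fetchCol() as $value) {
    $matches[$value] = $value;  // also echoed unescaped
  }
  drupal_json_output($matches);
}

/**
 * FIXED: declare a permission, require it on the path, whitelist the
 * column (identifiers cannot be bound as placeholders) and let the query
 * builder bind the prefix. db_like() escapes the LIKE wildcards % and _
 * so a typed wildcard cannot widen the search.
 */
function example_permission() {
  return array(
    'access biblio autocomplete' => array(
      'title' => t('Use Biblio autocomplete'),
      'description' => t('Look up previously entered Biblio values via AJAX.'),
    ),
  );
}

function example_menu_fixed() {
  $items['biblio/autocomplete/%'] = array(
    'page callback' => 'example_autocomplete_fixed',
    'page arguments' => array(2),
    'access arguments' => array('access biblio autocomplete'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_autocomplete_fixed($field, $string = '') {
  $allowed = array('biblio_publisher', 'biblio_place_published');  // hypothetical columns
  if (!in_array($field, $allowed, TRUE)) {
    return MENU_NOT_FOUND;
  }
  $matches = array();
  if ($string !== '') {
    $query = db_select('biblio', 'b')
      ->fields('b', array($field))
      ->condition('b.' . $field, db_like($string) . '%', 'LIKE')
      ->distinct()
      ->range(0, 10);
    foreach ($query->execute()->fetchCol() as $value) {
      $matches[$value] = check_plain($value);
    }
  }
  drupal_json_output($matches);
}
```

As the solution text notes, the permission is new, so after upgrading it must be granted to every role that edits Biblio nodes or their autocomplete simply stops returning matches.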
-------- REPORTED BY ---------------------------------------------------------
* Carsten Logemann [8]
-------- FIXED BY ------------------------------------------------------------
* Carsten Logemann [9]
* Damien McKenna [10] provisional member of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* David Stoline [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] https://www.drupal.org/project/biblio_autocomplete
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/biblio_autocomplete
[5] https://www.drupal.org/node/2316023
[6] https://www.drupal.org/node/2316025
[7] https://www.drupal.org/project/biblio_autocomplete
[8] https://drupal.org/user/218368
[9] https://drupal.org/user/218368
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/dstol
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: https://www.drupal.org/SA-CORE-2014-004
* Advisory ID: DRUPAL-SA-CORE-2014-004
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2014-August-06
* Security risk: 13/25 (Moderately Critical) AC:None/A:None/CI:None/II:None/E:Proof/TD:100 [2]
* Exploitable from: Remote
* Vulnerability: Denial of service
-------- DESCRIPTION ---------------------------------------------------------
Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available
(xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable
to an XML entity expansion attack and other related XML payload attacks which
can cause CPU and memory exhaustion and the site's database to reach the
maximum number of open connections. Any of these may lead to the site
becoming unavailable or unresponsive (denial of service).
All Drupal sites are vulnerable to this attack whether XML-RPC is used or
not.
In addition, a similar vulnerability exists in the core OpenID module (for
sites that have this module enabled).
This is a joint release as the XML-RPC vulnerability also affects WordPress
(see the announcement [3]).
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal core 7.x versions prior to 7.31.
* Drupal core 6.x versions prior to 6.33.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Drupal 7.x, upgrade to Drupal core 7.31 [5].
* If you use Drupal 6.x, upgrade to Drupal core 6.33 [6].
If you are unable to install the latest version of Drupal immediately, you
can alternatively remove the xmlrpc.php file from the root of Drupal core (or
add a rule to .htaccess to prevent access to xmlrpc.php) and disable the
OpenID module. These steps are sufficient to mitigate the vulnerability in
Drupal core if your site does not require the use of XML-RPC or OpenID
functionality. However, this mitigation will not be effective if you are
using a contributed module that exposes Drupal's XML-RPC API at a different
URL (for example, the Services module); updating Drupal core is therefore
strongly recommended.
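An added example, not Drupal core's actual patch: a guard that refuses XML-RPC request bodies carrying a DOCTYPE or entity declaration before they reach PHP's expat-based parser, which is the general defence against the entity-expansion class described above (XML-RPC messages never legitimately need a DTD). The example_ names, the size limit and the sample requests are constructed for this illustration.

```php
<?php
// Added example, not Drupal core's fix. The parser behind
// xml_parser_create() expands internal entities while parsing, so any
// request that declares entities can cost CPU and memory before a method
// is even dispatched. Refusing every DOCTYPE up front removes the internal
// DTD subset, and therefore every entity declaration, from the input.
// example_* names and the 1 MiB limit are assumptions.

/**
 * Returns TRUE when a raw request body may be handed to the XML parser.
 */
function example_xmlrpc_request_is_acceptable($body, $max_bytes = 1048576) {
  // Bound the work before doing anything else with the payload.
  if (strlen($body) > $max_bytes) {
    return FALSE;
  }
  // Plain string checks, run before any parser object exists. XML keywords
  // are upper-case; the /i only makes the refusal broader, never narrower.
  if (preg_match('/<!(?:DOCTYPE|ENTITY)/i', $body)) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Parses a method call into the flat structure xml_parse_into_struct()
 * produces, but only after the guard passes. Returns FALSE on refusal or
 * on a well-formedness error.
 */
function example_xmlrpc_parse($body) {
  if (!example_xmlrpc_request_is_acceptable($body)) {
    return FALSE;
  }
  $parser = xml_parser_create();
  $ok = xml_parse_into_struct($parser, $body, $values);
  xml_parser_free($parser);
  return $ok ? $values : FALSE;
}

// Constructed samples: an ordinary call passes, a request carrying a DTD is
// refused before the parser sees it.
$ok_body = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
$dtd_body = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "a">]><methodCall><methodName>&a;</methodName></methodCall>';
assert(example_xmlrpc_request_is_acceptable($ok_body) === TRUE);
assert(example_xmlrpc_request_is_acceptable($dtd_body) === FALSE);
assert(is_array(example_xmlrpc_parse($ok_body)));
```

This guard protects only the endpoint it sits in front of; as the advisory says, a contributed module that exposes the XML-RPC API at another URL needs the core update rather than a file removal or rewrite rule.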
Also see the Drupal core [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Willis Vandevanter [8]
* Nir Goldshlager [9]
-------- FIXED BY ------------------------------------------------------------
* Andrew Nacin [10] of the WordPress Security Team
* Michael Adams [11] of the WordPress Security Team
* Frédéric Marand [12]
* David Rothstein [13] of the Drupal Security Team
* Damien Tournoud [14] of the Drupal Security Team
* Greg Knaddison [15] of the Drupal Security Team
* Stéphane Corlosquet [16] of the Drupal Security Team
* Dave Reid [17] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* The Drupal Security Team [18] and the WordPress [19] Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [20].
Learn more about the Drupal Security team and their policies [21], writing
secure code for Drupal [22], and securing your site [23].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] https://wordpress.org/news/2014/08/wordpress-3-9-2/
[4] http://cve.mitre.org/
[5] http://drupal.org/drupal-7.31-release-notes
[6] http://drupal.org/drupal-6.33-release-notes
[7] http://drupal.org/project/drupal
[8] https://www.drupal.org/user/1867894
[9] https://www.drupal.org/user/2891345
[10] http://profiles.wordpress.org/nacin
[11] http://profiles.wordpress.org/mdawaffe
[12] https://www.drupal.org/user/27985
[13] https://www.drupal.org/user/124982
[14] https://www.drupal.org/user/22211
[15] https://www.drupal.org/u/greggles
[16] https://www.drupal.org/user/52142
[17] https://www.drupal.org/user/53892
[18] http://drupal.org/security-team
[19] http://wordpress.org
[20] http://drupal.org/contact
[21] http://drupal.org/security-team
[22] http://drupal.org/writing-secure-code
[23] http://drupal.org/security/secure-configuration