View online: https://www.drupal.org/node/2344383
* Advisory ID: DRUPAL-SA-CONTRIB-2014-095
* Project: Safeword [1] (third-party module)
* Version: 7.x
* Date: 2014-September-23
* Security risk: 7/25 (Less Critical)
AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The safeword module provides an automatically generated 'Machine Name' when
text is entered into a human-readable field.
The module does not sufficiently sanitize the field description, which it
outputs as help text under the machine-name editing field.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer taxonomy".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Safeword 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed Safeword [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Safeword module for Drupal 7.x, upgrade to Safeword
7.x-1.10 [5]
Also see the Safeword [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [7]
-------- FIXED BY
------------------------------------------------------------
* Matt Vance [8], provisional member of the Drupal Security Team
* Francisco José Cruz Romanos [9], provisional member of the Drupal Security
Team
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12],
writing secure code for Drupal [13], and
securing your site [14].
[1] https://www.drupal.org/project/safeword
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/safeword
[5] https://www.drupal.org/node/2344323
[6] https://www.drupal.org/project/safeword
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/user/848238
[10] https://www.drupal.org/user/680072
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2344369
* Advisory ID: DRUPAL-SA-CONTRIB-2014-094
* Project: Webform Patched [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-September-24
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Webform Patched module is a fork of the Webform module with Token support
added. The module enables you to create forms which can be used for surveys,
contact forms or other data collection throughout your site.
The module doesn't sufficiently sanitize field label titles when two fields
share the same form_key, a condition that can only be reached by carefully
crafting the webform structure under a specific set of circumstances.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "create webform content".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Webform Patched 6.x-3.x versions prior to 6.x-3.20.
* Webform Patched 7.x-3.x versions prior to 7.x-3.20.
Drupal core is not affected. If you do not use the contributed Webform
Patched [4] module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Webform Patched module for Drupal 6.x, upgrade to
webform_patched 6.x-3.20 [5]
* If you use the Webform Patched module for Drupal 7.x, upgrade to
webform_patched 7.x-3.20 [6]
Also see the Webform Patched [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Maurits Lawende [8]
* Matt Vance [9]
-------- FIXED BY
------------------------------------------------------------
* Nate Haug [10], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11], Dan Smith [12] and Lee Rowlands [13] of the Drupal
Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15],
writing secure code for Drupal [16], and
securing your site [17].
[1] https://www.drupal.org/project/webform_patched
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform_patched
[5] http://drupal.org/node/2241675
[6] http://drupal.org/node/2241685
[7] https://www.drupal.org/project/webform_patched
[8] http://drupal.org/user/243897
[9] https://www.drupal.org/user/10269
[10] http://drupal.org/user/35821
[11] http://drupal.org/user/36762
[12] http://drupal.org/user/241220
[13] https://drupal.org/user/395439
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2344363
* Advisory ID: DRUPAL-SA-CONTRIB-2014-093
* Project: Twilio [1] (third-party module)
* Version: 7.x
* Date: 2014-September-24
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to easily add SMS and VoIP functionality to your
website by leveraging the Twilio cloud VoIP and SMS service.
The module does not define its own administration permission. Its
configuration pages, including the one that displays and edits the Twilio
authentication tokens, are protected only by the "access administration
pages" permission, which is frequently granted to less-trusted users.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "access administration pages".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Twilio 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed Twilio [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Twilio module for Drupal 7.x, upgrade to Twilio 7.x-1.9
[5]
Also see the Twilio [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* karolrybak [7]
-------- FIXED BY
------------------------------------------------------------
* Arvin Singla [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11],
writing secure code for Drupal [12], and
securing your site [13].
[1] https://www.drupal.org/project/twilio
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/twilio
[5] https://www.drupal.org/node/2337623
[6] https://www.drupal.org/project/twilio
[7] https://www.drupal.org/user/251893
[8] https://www.drupal.org/user/61137
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2344389
* Advisory ID: DRUPAL-SA-CONTRIB-2014-092
* Project: Services [1] (third-party module)
* Version: 7.x
* Date: 2014-September-24
* Security risk: 11/25 (Moderately Critical)
AC:Complex/A:User/CI:None/II:Some/E:Proof/TD:All [2]
* Vulnerability: Cross Site Scripting, Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Services module enables you to expose an API to third party systems using
REST, XML-RPC or other protocols.
.... New user's password set to weak password in _user_resource_create()
When creating a new user account via Services, the new user's password was
set to a weak password.
This issue is mitigated by the fact that the user resource must be enabled
(or at least have been enabled in the past) and new user registration must be
permitted via Services.
*Action required:* This release of Services comes with an interface and a
drush command to perform actions in order to secure your site and get rid of
this vulnerability. After installing this release and running the regular
database updates, make sure to read all the information provided at
/admin/config/services/services-security/, and pick the option most suited to
your site. For example, you can reset the password of all user accounts that
have been created since August 30th, 2013 (recommended).
.... Unfiltered JSONP callback parameter (XSS)
The callback parameter of a JSONP response is not filtered and is echoed
verbatim into the response body. This can lead to arbitrary JavaScript
execution.
This issue is mitigated by the fact that JSONP is not enabled by default in
the REST server response formatters and the HTTP client Accept header must be
set to text/javascript or application/javascript if the "xml" formatter is
enabled.
Services module now restricts callback parameters to alphanumeric characters
only and a hard limit of 60 characters.
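The following Python example is added here to show the JSONP wrapping problem and the allow-list fix the advisory describes; it is not code from the Services module (which is PHP), and the response-building functions, the constructed callback strings and the choice to reject rather than substitute an invalid name are assumptions of the example:

```python
import json
import re

# Allow-list as described in the advisory: alphanumeric only, hard limit of 60.
CALLBACK_RE = re.compile(r"^[A-Za-z0-9]{1,60}$")


def is_safe_callback(name):
    """True only if the callback name fits the allow-list."""
    return bool(name) and CALLBACK_RE.match(name) is not None


def js_safe_json(payload):
    """json.dumps() leaves '</' alone; escaping it keeps a payload value such as
    '</script>' from terminating an inline script if the body is ever inlined."""
    return json.dumps(payload).replace("</", "<\\/")


def jsonp_unfiltered(callback, payload):
    """'Before' behaviour: the client-supplied callback is echoed verbatim.
    A callback of '</script><script>alert(1)</script>' lands in the response
    body untouched; a browser that treats the response as HTML will run it."""
    return "%s(%s);" % (callback, json.dumps(payload))


def jsonp_response(callback, payload):
    """Hardened wrapper. Returns (status, headers, body)."""
    if not is_safe_callback(callback):
        # Reject rather than silently substitute a default name, so that a
        # misconfigured client fails loudly instead of getting a body it
        # cannot consume.
        return 400, {"Content-Type": "application/json"}, json.dumps(
            {"error": "invalid JSONP callback"})
    headers = {
        # A script content type plus nosniff stops browsers from rendering the
        # body as HTML when the URL is opened directly.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, "%s(%s);" % (callback, js_safe_json(payload))


if __name__ == "__main__":
    evil = "</script><script>alert(document.cookie)</script>"  # constructed
    print(jsonp_unfiltered(evil, {"ok": True}))
    print(jsonp_response(evil, {"ok": True}))
    print(jsonp_response("jQuery17101", {"ok": True}))
```

One caveat for anyone deploying the strict alphanumeric rule: jQuery's auto-generated callback names contain an underscore (for example jQuery17101_1411500000), so clients relying on the default will start receiving 400s and must set an explicit jsonpCallback.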
.... Flood control for user login bypass
Flood control was not properly enforced on the login resource, leaving it
vulnerable to brute-force password guessing. Services now implements flood
control in the same way as Drupal core does.
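The example below, added here and not taken from Services or Drupal core, models in Python what "flood control just like core Drupal does" means: a per-IP counter and a per-account-plus-IP counter, each with its own threshold and window, checked before credentials are verified. The thresholds are Drupal 7 core's login defaults; the in-memory Flood class, the injectable clock and the constructed account store are assumptions of the example.

```python
import hmac
import time
from collections import defaultdict

# Drupal 7 core's login defaults (user_failed_login_ip_limit / _window and
# user_failed_login_user_limit / _window).
IP_LIMIT, IP_WINDOW = 50, 3600        # 50 failed attempts per IP per hour
USER_LIMIT, USER_WINDOW = 5, 21600    # 5 failed attempts per account+IP per 6 hours


class Flood:
    """In-memory stand-in for flood_register_event / flood_is_allowed /
    flood_clear_event, which core backs with the {flood} table."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so the example is testable
        self.events = defaultdict(list)    # (event name, identifier) -> expiry times

    def register_event(self, name, identifier, window):
        self.events[(name, identifier)].append(self.clock() + window)

    def is_allowed(self, name, identifier, threshold):
        now = self.clock()
        live = [t for t in self.events[(name, identifier)] if t > now]
        self.events[(name, identifier)] = live      # drop expired entries
        return len(live) < threshold

    def clear_event(self, name, identifier):
        self.events.pop((name, identifier), None)


# Constructed account store. Passwords are clear text only to keep the example
# short; a real implementation compares against stored hashes.
ACCOUNTS = {"alice": {"uid": 7, "password": "correct horse battery"}}


def login(flood, username, password, ip):
    """Authenticate with the same ordering core's login validation uses.
    Returns 'ok', 'bad_credentials', 'flood_ip' or 'flood_user'."""
    # The per-IP limit is checked first and applies whether or not the name exists.
    if not flood.is_allowed("failed_login_attempt_ip", ip, IP_LIMIT):
        return "flood_ip"
    account = ACCOUNTS.get(username)
    user_key = "%d-%s" % (account["uid"], ip) if account else None
    if account and not flood.is_allowed("failed_login_attempt_user", user_key, USER_LIMIT):
        return "flood_user"
    if account and hmac.compare_digest(account["password"], password):
        # A successful login clears the per-account counter, not the IP one.
        flood.clear_event("failed_login_attempt_user", user_key)
        return "ok"
    # Every failure counts against the IP; failures for real accounts also
    # count against that account, so one address cannot keep guessing one user.
    flood.register_event("failed_login_attempt_ip", ip, IP_WINDOW)
    if account:
        flood.register_event("failed_login_attempt_user", user_key, USER_WINDOW)
    return "bad_credentials"


if __name__ == "__main__":
    f = Flood()
    for _ in range(6):
        print(login(f, "alice", "wrong", "203.0.113.9"))
    print(login(f, "alice", "correct horse battery", "203.0.113.9"))  # blocked
```

The point for an API endpoint such as the Services login resource is that the checks happen before the password is compared and are keyed on the same identifiers the web login form uses, so an attacker cannot sidestep the form's limits by talking to the API instead.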
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Services 7.x-3.x versions prior to 7.x-3.10.
Drupal core is not affected. If you do not use the contributed Services [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
1) If you use the Services module for Drupal 7.x, upgrade to Services
7.x-3.10 [5]
2) follow the security update instructions at
/admin/config/services/services-security/
Also see the Services [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sam Metson [7] reported the user password issue
* Régis Leroy [8] reported the XSS issue
* Chris Oden [9] reported the flood control issue
-------- FIXED BY
------------------------------------------------------------
* Kyle Browning [10], the module maintainer
* Stéphane Corlosquet [11] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [12] of the Drupal Security Team
* Stéphane Corlosquet [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15],
writing secure code for Drupal [16], and
securing your site [17].
[1] https://www.drupal.org/project/services
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/services
[5] https://www.drupal.org/node/2344423
[6] https://www.drupal.org/project/services
[7] https://www.drupal.org/user/2812719
[8] https://www.drupal.org/user/1367862
[9] https://www.drupal.org/user/896508
[10] https://www.drupal.org/user/211387
[11] https://www.drupal.org/user/52142
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/user/52142
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2340069
* Advisory ID: DRUPAL-SA-CONTRIB-2014-091
* Project: Survey Builder [1] (third-party module)
* Version: 7.x
* Date: 2014-September-17
* Security risk: 9/25 (Less Critical)
AC:Basic/A:User/CI:None/II:None/E:Proof/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module allows you to use the Form Builder module to provide an intuitive
interface for building surveys, along with the back-end for storing surveys
and their responses.
.... Cross Site Scripting (XSS)
When viewing surveys at "/surveys", the survey titles are printed without
sanitization, so any script or markup placed in a survey title is rendered
by the browser.
This vulnerability is mitigated by the fact that a user must have the "Create
Survey" permission to be able to set the survey titles.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* survey_builder 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Survey Builder
[4] module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the survey_builder module for Drupal 7.x, upgrade to
survey_builder 7.x-1.2 [5]
Also see the Survey Builder [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [7]
-------- FIXED BY
------------------------------------------------------------
* Matt Vance [8]
* Francisco José Cruz Romanos [9], provisional member of the Drupal Security
Team
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12],
writing secure code for Drupal [13], and
securing your site [14].
[1] https://www.drupal.org/project/survey_builder
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/survey_builder
[5] https://www.drupal.org/node/2339427
[6] https://www.drupal.org/project/survey_builder
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/user/848238
[10] https://www.drupal.org/user/680072
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2340063
* Advisory ID: DRUPAL-SA-CONTRIB-2014-090
* Project: Speech recognition [1] (third-party module)
* Version: 7.x
* Date: 2014-September-17
* Security risk: 14/25 (Moderately Critical)
AC:None/A:User/CI:None/II:Some/E:Proof/TD:All [2]
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Multiple
vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to add speech recognition to forms, allowing site
admins to enable experimental Speech Input API features on form inputs
through the user interface.
.... Cross Site Scripting (XSS)
The module incorrectly prints fields without proper sanitization thereby
opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer speech".
.... Cross Site Request Forgery (CSRF)
The module enables in-place configuration of form options via AJAX requests,
but it doesn't sufficiently check the source of those requests, making it
possible for an attacker to cause a logged-in user to unknowingly change the
field configuration.
This vulnerability is mitigated by the fact that the attacked administrator
must have a role with the permission "administer speech".
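To make the CSRF finding concrete, here is an added Python example (not code from the Speech recognition module, which is PHP) of an AJAX configuration endpoint with and without a request-origin check. The token construction is modelled on Drupal 7's drupal_get_token()/drupal_valid_token() (an HMAC keyed with the caller's session id and the site secrets), but the secrets, the FIELD_CONFIG state, the request dictionaries and the endpoint functions are all constructed for the example:

```python
import hashlib
import hmac
import os

# Constructed per-site secrets. Drupal derives tokens from the site's private
# key and hash salt; here they are random bytes generated for the example.
PRIVATE_KEY = os.urandom(32)
HASH_SALT = os.urandom(32)


def get_token(session_id, value):
    """Modelled on drupal_get_token($value): an HMAC of the value, keyed with
    the caller's session id plus the site secrets, so the token is only valid
    for the session that requested it. Hex output here, base64 in Drupal."""
    key = session_id.encode() + PRIVATE_KEY + HASH_SALT
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def valid_token(token, session_id, value):
    """Constant-time comparison, as drupal_valid_token() does."""
    return hmac.compare_digest(get_token(session_id, value), token or "")


# Constructed site state: which form fields have speech input enabled.
FIELD_CONFIG = {"title": {"speech": False}, "body": {"speech": False}}
TOKEN_VALUE = "speech-field-config"   # the $value the token is bound to


def ajax_toggle_unsafe(request):
    """'Before': any request reaching the endpoint changes configuration.
    A page on another origin can trigger it with the admin's cookies attached,
    which is exactly the CSRF the advisory describes."""
    FIELD_CONFIG[request["field"]]["speech"] = bool(request["enabled"])
    return 200, "updated"


def ajax_toggle(request, session_id):
    """'After': state changes only via POST carrying a valid session-bound
    token. The 'administer speech' permission check still applies on top of
    this; it is authorization, not CSRF protection, and is assumed to have
    passed before this function runs."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    if not valid_token(request.get("token"), session_id, TOKEN_VALUE):
        return 403, "invalid or missing token"
    if request["field"] not in FIELD_CONFIG:
        return 404, "unknown field"
    FIELD_CONFIG[request["field"]]["speech"] = bool(request["enabled"])
    return 200, "updated"


if __name__ == "__main__":
    admin_session = "sess-admin-1"           # constructed
    token = get_token(admin_session, TOKEN_VALUE)
    legit = {"method": "POST", "token": token, "field": "title", "enabled": True}
    forged = {"method": "POST", "field": "title", "enabled": False}
    print(ajax_toggle(legit, admin_session))   # (200, 'updated')
    print(ajax_toggle(forged, admin_session))  # (403, ...)
```

The token has to be delivered to the legitimate page (for example via Drupal.settings) and sent back with each AJAX call; a forged cross-site request cannot read it, and a token minted for the attacker's own session does not verify for the victim's.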
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of Speech recognition.
Drupal core is not affected. If you do not use the contributed Speech
recognition [4] module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Speech recognition module you should uninstall it.
Also see the Speech recognition [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [6] (provisional member of the Drupal Security Team)
* Francisco José Cruz Romanos [7] (provisional member of the Drupal
Security Team)
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] https://www.drupal.org/project/speech
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/speech
[5] https://www.drupal.org/project/speech
[6] https://www.drupal.org/user/88338
[7] https://www.drupal.org/user/848238
[8] https://www.drupal.org/user/680072
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2340039
* Advisory ID: DRUPAL-SA-CONTRIB-2014-089
* Project: Geofield Yandex Maps [1] (third-party module)
* Version: 7.x
* Date: 2014-September-17
* Security risk: 5/25 (Less Critical)
AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Geofield Yandex Maps module provides a Geofield widget, Geofield
formatter, Views handler, Form element and Text filter to allow Yandex maps
to be added to a site.
The module does not sufficiently filter user-supplied text, resulting in a
persistent Cross Site Scripting (XSS) vulnerability.
The vulnerability is mitigated by the fact that an attacker would need
permission to create nodes or entities using the Geofield widget.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Geofield Yandex Maps 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Geofield
Yandex Maps [4] module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Geofield Yandex Maps module for Drupal 7.x, upgrade to
Geofield Yandex Maps 7.x-1.2 [5]
Also see the Geofield Yandex Maps [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt V. [7] (provisional member of the Drupal Security Team)
-------- FIXED BY
------------------------------------------------------------
* Matt V. [8] (provisional member of the Drupal Security Team)
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] https://www.drupal.org/project/geofield_ymap
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/geofield_ymap
[5] https://www.drupal.org/node/2334455
[6] https://www.drupal.org/project/geofield_ymap
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2340029
* Advisory ID: DRUPAL-SA-CONTRIB-2014-088
* Project: Mollom [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-September-17
* Security risk: 11/25 (Moderately Critical)
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Mollom is an "intelligent" content moderation web service which determines if
a post is potentially spam; not only based on the posted content, but also on
the past activity and reputation of the poster across multiple sites.
Mollom offers a feature to report submitted content as inappropriate which
allows end users to indicate that a piece of site content is objectionable or
out of place. When reporting content, the content title is not sufficiently
sanitized to prevent cross-site scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create content and the content type must be enabled
for "Flag as Inappropriate" within the Mollom advanced configuration settings
(which is not the default setting).
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
* Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10
Drupal core is not affected. If you do not use the contributed Mollom [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.11
[5]
* If you use the Mollom module for Drupal 7.x, upgrade to Mollom 7.x-2.11
[6]
Also see the Mollom [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [8]
-------- FIXED BY
------------------------------------------------------------
* Lisa Backer [9], the module maintainer
* Matt Vance [10]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13],
writing secure code for Drupal [14], and
securing your site [15].
[1] https://www.drupal.org/project/mollom
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/mollom
[5] https://www.drupal.org/node/2338787
[6] https://www.drupal.org/node/2338789
[7] https://www.drupal.org/project/mollom
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/user/1951462
[10] https://www.drupal.org/user/88338
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2336357
* Advisory ID: DRUPAL-SA-CONTRIB-2014-087
* Project: Drupal Commerce [1] (third-party module)
* Version: 7.x
* Date: 2014-September-10
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
Drupal Commerce is used to build eCommerce websites and applications of all
sizes.
The commerce_order module can be used to create new user accounts where email
addresses are used as user names. Since user names are not considered private
information in Drupal [3] this is an information disclosure of email
addresses.
This vulnerability is mitigated by the fact that the commerce_checkout module
must be enabled with the default rule configuration enabled that creates new
user accounts when an anonymous user completes the checkout process.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal Commerce 7.x-1.x versions prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Drupal
Commerce [5] module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Drupal Commerce 7.x-1.10 includes an update function that will change all
user names on the site that look like email addresses. *This can be a
disruptive process for some sites and therefore must be enabled explicitly by
the update administrator.* If you don't run the default update function you
need to make sure yourself that user names are not valid email addresses.
To enable the username cleaning update function, you must set the
commerce_checkout_run_update_7103 variable to TRUE before running update.php
or drush updb. You can either add
  $conf['commerce_checkout_run_update_7103'] = TRUE;
to settings.php, or run
  drush vset commerce_checkout_run_update_7103 1
Then install the latest version:
* If you use the Drupal Commerce module for Drupal 7.x, upgrade to Drupal
Commerce 7.x-1.10 [6]
In case you don't want to apply the default update function you can just run
update.php without the variable and the update function will be skipped.
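Before deciding whether to run the disruptive update, a site owner usually wants to know how many accounts are affected and what they would be renamed to. The Python audit below is added here for that purpose; it is not the Commerce update function, and its renaming scheme (keep the local part of the address, append the uid on collision) and the sample user rows are assumptions of the example:

```python
import re

# Shape check only: something@something.tld. The goal is to find names that
# would reveal an address, not to validate that mail is deliverable.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
USERNAME_MAX_LENGTH = 60   # Drupal 7's USERNAME_MAX_LENGTH


def is_email_like(name):
    return EMAIL_LIKE.match(name) is not None


def affected_accounts(users):
    """Accounts whose public user name discloses an email address."""
    return [u for u in users if is_email_like(u["name"])]


def propose_username(user, taken):
    """Hypothetical renaming scheme (not the one Commerce's update uses):
    keep the local part of the address and append the uid if that name is
    already in use. `taken` holds lower-cased names in use and is updated in
    place so that two renamed accounts cannot collide with each other."""
    base = user["name"].split("@", 1)[0][:USERNAME_MAX_LENGTH]
    candidate = base
    if candidate.lower() in taken:
        suffix = "_%d" % user["uid"]
        candidate = base[:USERNAME_MAX_LENGTH - len(suffix)] + suffix
    taken.add(candidate.lower())
    return candidate


def plan_renames(users):
    """Return {uid: new_name} for every affected account, collision-free."""
    taken = {u["name"].lower() for u in users if not is_email_like(u["name"])}
    return {u["uid"]: propose_username(u, taken) for u in affected_accounts(users)}


# Constructed sample of rows from the {users} table.
SAMPLE_USERS = [
    {"uid": 1, "name": "admin"},
    {"uid": 5, "name": "alice@example.com"},
    {"uid": 6, "name": "alice@example.org"},
    {"uid": 9, "name": "bob"},
    {"uid": 12, "name": "bob@example.net"},
]

if __name__ == "__main__":
    for uid, new_name in sorted(plan_renames(SAMPLE_USERS).items()):
        print(uid, "->", new_name)
```

On a real Drupal 7 site the input rows come from the users table (for example SELECT uid, name FROM users WHERE name LIKE '%@%'). Two things to weigh before applying any scheme: a user name is also the login identifier, so renamed users must be told their new name or log in by email; and the local part of an address can itself identify a person, so a scheme such as "user" plus the uid leaks less at the cost of being less recognisable.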
Also see the Drupal Commerce [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Damien Tournoud [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Klaus Purer [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
* Ben Jeavons [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] https://www.drupal.org/project/commerce
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/1004778
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/commerce
[6] https://www.drupal.org/node/2336327
[7] https://www.drupal.org/project/commerce
[8] https://www.drupal.org/user/22211
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/user/262198
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/91990
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
View online: https://www.drupal.org/node/2336263
* Advisory ID: DRUPAL-SA-CONTRIB-2014-086
* Project: Custom Breadcrumbs [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-September-10
* Security risk: 16/25 (Critical)
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Custom Breadcrumbs allows administrators to set up parametrized breadcrumb
trails for different content types, views, panels, taxonomy vocabularies and
terms, and paths, and provides a simple API that allows contributed modules to
enable custom breadcrumbs for module pages and theme templates.
User input is not properly sanitized in all use cases, opening a Cross Site
Scripting (XSS) vulnerability.
The vulnerability is only present when the custom breadcrumb is configured
with the special identifier so that some of the breadcrumb items are
not links. A typical example is a trail whose last element shows the current
page title as plain text rather than as a link. The XSS vulnerability is not
triggered if all items of the breadcrumb are links and the special identifier
is not used.
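The XSS findings on this page (Safeword, Webform Patched, Survey Builder, Speech recognition, Geofield Yandex Maps, Mollom and Custom Breadcrumbs) share one root cause: a string an untrusted user controls reaches HTML output without being escaped at that point. The Python example below is added here to illustrate that; it is not code from any of these modules. It models the Custom Breadcrumbs case, where linked items were safe because Drupal's l() escapes its link text and only the non-link items were emitted raw. check_plain() and l() are stand-ins modelled on the Drupal 7 functions of the same names, and the breadcrumb trail and page title are constructed:

```python
import html


def check_plain(text):
    """Stand-in for Drupal's check_plain(): htmlspecialchars() with ENT_QUOTES,
    so the value is inert in an HTML text or quoted attribute context."""
    return html.escape(str(text), quote=True)


def l(text, path):
    """Like Drupal 7's l() with default options: the link text goes through
    check_plain(), which is why the linked breadcrumb items were never at risk."""
    return '<a href="%s">%s</a>' % (check_plain(path), check_plain(text))


def render_breadcrumb_vulnerable(items):
    """'Before': items with a path go through l(); items without one (the
    non-link case the advisory describes) are concatenated raw."""
    return " » ".join(l(text, path) if path is not None else text
                      for text, path in items)


def render_breadcrumb(items):
    """'After': every item is escaped at the point of output, whether or not
    it becomes a link. Escaping happens here, not when the title is saved,
    so the stored value stays usable in non-HTML contexts."""
    return " » ".join(l(text, path) if path is not None else check_plain(text)
                      for text, path in items)


# Constructed trail. The last element is the current page's title, which an
# untrusted author controls; "permission to create content" is the only
# mitigation several of the advisories above can offer.
PAGE_TITLE = 'Sale! <img src=x onerror="alert(document.cookie)">'
TRAIL = [("Home", "/"), ("Shop", "/shop?sort=price&dir=asc"), (PAGE_TITLE, None)]

if __name__ == "__main__":
    print(render_breadcrumb_vulnerable(TRAIL))   # onerror handler is live
    print(render_breadcrumb(TRAIL))              # rendered as literal text
```

Where the output is meant to carry some markup (the Safeword help text is a field description written by an administrator), the answer is an allow-list filter such as Drupal's filter_xss() or filter_xss_admin() at the output point, not raw output and not escaping everything.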
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
* Custom Breadcrumbs 6.x-2.x versions are NOT affected
* Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1
Drupal core is not affected. If you do not use the contributed Custom
Breadcrumbs [4] module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Custom Breadcrumbs module version 1.x for Drupal 6.x,
upgrade to Custom Breadcrumbs 6.x-1.6 [5].
* If you use the Custom Breadcrumbs module version 2.x for Drupal 7.x,
upgrade to Custom Breadcrumbs 7.x-2.0-beta1 [6].
Also see the Custom Breadcrumbs [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Markus Sipilä [8]
-------- FIXED BY
------------------------------------------------------------
* Markus Sipilä [9]
* Colan Schwartz [10], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13],
writing secure code for Drupal [14], and
securing your site [15].
[1] https://www.drupal.org/project/custom_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/custom_breadcrumbs
[5] https://www.drupal.org/node/2335705
[6] https://www.drupal.org/node/2335721
[7] https://www.drupal.org/project/custom_breadcrumbs
[8] https://www.drupal.org/user/109674
[9] https://www.drupal.org/user/109674
[10] https://www.drupal.org/user/58704
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration