View online: https://www.drupal.org/node/2618362
* Advisory ID: DRUPAL-SA-CONTRIB-2015-166
* Project: Encrypt [1] (third-party module)
* Version: 7.x
* Date: 2015-November-18
* Security risk: 11/25 ( Moderately Critical)
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Weak Encryption
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to encrypt data within Drupal using a
user-configurable encryption method and key provider.
The module did not sufficiently validate good configurations and API usage,
resulting in multiple potential weaknesses depending on how the module is used.
The default encryption method could theoretically leak the key for known
plaintexts. This vulnerability is mitigated by the fact that an attacker
would need access to the encrypted data, which is generally not possible
without a breach of the database.
The default key provider uses the Drupal private key, which means that the
private key could potentially be leaked, putting other elements of the site at
risk. This vulnerability is mitigated by the fact that the default combination
of encryption method and key provider is required for the Drupal private key
to be potentially leaked. Users of the module are likely to employ a key of
their own creation rather than the Drupal private key.
Another encryption method included with the module uses a cipher that can
leak structural information about the plaintext. This vulnerability is
mitigated by the fact that it would only affect encryptions of large
quantities of data, such as files; data of shorter lengths would not be
affected.
The default key created by the module is generated by an MD5 hash, which is
not as strong as using truly random bytes of data.
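The structural-leakage and weak-key points above, as an added example that is not the Encrypt module's code: the advisory does not name the cipher mode, so this Go demo (Go is used here because its standard library ships AES and GCM) assumes the classic case, ECB, in which equal plaintext blocks produce equal ciphertext blocks, and contrasts it with AES-GCM under a random nonce. `demoKey`, `repeatedBlocks` and the plaintext are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed demo key. A real key must come from crypto/rand, not from an MD5
// hash of a guessable string: that digest has AES-128's length but only its input's entropy.
var demoKey = []byte("0123456789abcdef")

// ecbEncrypt encrypts each 16-byte block independently (ECB); Go has no ECB helper on purpose.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil || len(plaintext)%aes.BlockSize != 0 {
		panic("bad key length or unpadded plaintext")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// gcmEncrypt uses AES-GCM with a fresh random nonce and returns nonce||ct||tag.
func gcmEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// repeatedBlocks counts 16-byte ciphertext blocks identical to an earlier one: an ECB audit signal.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]int{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b]++; seen[b] > 1 {
			n++
		}
	}
	return n
}
```

Encrypting four copies of the same 16-byte record yields three repeated ciphertext blocks under ECB and none under GCM, which is the "structural information" the advisory refers to; running `repeatedBlocks` over stored blobs is a cheap way to spot data that still needs re-encryption.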
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Encrypt 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Encrypt [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Encrypt module for Drupal 7.x, upgrade to Encrypt 7.x-2.2
[5]
Once installed, review your settings and alter them to use a key provider and
encryption method that are not deprecated. If data was encrypted with a
deprecated key provider or encryption method, you should also re-encrypt all
of that data.
Also see the Encrypt [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Heine Deelstra [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Rick Hawkins [8] the module maintainer
* Greg Knaddison [9] of the Drupal Security Team
* Heine Deelstra [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/encrypt
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/encrypt
[5] https://www.drupal.org/node/2618254
[6] https://www.drupal.org/project/encrypt
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/352283
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/17943
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2613444
* Advisory ID: DRUPAL-SA-CONTRIB-2015-165
* Project: UC Profile [1] (third-party module)
* Version: 6.x
* Date: 2015-November-11
* Security risk: 11/25 ( Moderately Critical)
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
The UC Profile module enables you to collect profile fields for users during
the checkout process of Ubercart as a checkout pane.
The module doesn't sufficiently check access to profiles under certain
circumstances. Depending on the information being collected, sensitive data
may be exposed.
This vulnerability is mitigated by the fact that only sites that store data
to the anonymous user's profile are affected.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* UC Profile 6.x-1.x versions prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed UC Profile [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the UC Profile module for Drupal 6.x, upgrade to UC Profile
6.x-1.3 [5]
Also see the UC Profile [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Will Long [7]
-------- FIXED BY
------------------------------------------------------------
* Chris Wells [8], module maintainer
* Patrick Corbett [9], module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/uc_profile
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/uc_profile
[5] https://www.drupal.org/node/2612812
[6] https://www.drupal.org/project/uc_profile
[7] https://www.drupal.org/user/1175666
[8] https://www.drupal.org/user/74392
[9] https://www.drupal.org/user/90604
[10] https://www.drupal.org/u/pere-orga
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2613424
* Advisory ID: DRUPAL-SA-CONTRIB-2015-164
* Project: MAYO [1] (third-party theme)
* Version: 7.x
* Date: 2015-November-11
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The MAYO theme enables you to change certain theme settings via the
administration interface.
Some theme settings aren't sufficiently sanitized.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer themes".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All MAYO 7.x-2.x versions prior to 7.x-2.6
* All MAYO 7.x-1.x versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed MAYO [4]
theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the MAYO theme for Drupal 7.x-2.x, upgrade to MAYO 7.x-2.6 [5]
* If you use the MAYO theme for Drupal 7.x-1.x, upgrade to MAYO 7.x-1.4 [6]
Also see the MAYO [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Kisugi Ai [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* John Powell [9] the theme maintainer
* Kisugi Ai [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/mayo
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/mayo
[5] https://www.drupal.org/node/2613048
[6] https://www.drupal.org/node/2613046
[7] https://www.drupal.org/project/mayo
[8] https://www.drupal.org/user/1284976
[9] https://www.drupal.org/user/797068
[10] https://www.drupal.org/user/1284976
[11] https://www.drupal.org/u/pere-orga
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2608414
* Advisory ID: DRUPAL-SA-CONTRIB-2015-163
* Project: Monster Menus [1] (third-party module)
* Version: 7.x
* Date: 2015-November-04
* Security risk: 12/25 ( Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Monster Menus is a hierarchical menu tree, which provides highly scalable,
granular permissions for all pages within a site.
The module includes an option to remove nodes from view (add them to a
"recycle bin") rather than deleting them outright. When a node has been put
into a bin using an affected version of the module, it remains visible via a
seldom-used URL pattern to the users to whom it had been visible previously,
when it was outside of the recycle bin.
This vulnerability is mitigated by the facts that:
1) Sites which do not use the recycle bin feature are not vulnerable.
2) The exposed node is no more accessible than it had been before being
placed into the recycle bin. If the node could not be read by a
particular user while it was on the regular page, it would still be
unreadable by that user when in the recycle bin.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Monster Menus versions 7.x-1.21 through 7.x-1.23.
Drupal core is not affected. If you do not use the contributed Monster Menus
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Monster Menus module for Drupal 7.x, upgrade to Monster
Menus 7.x-1.24 [5].
Also see the Monster Menus [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dan Wilga [7]
-------- FIXED BY
------------------------------------------------------------
* Dan Wilga [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/monster_menus
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/monster_menus
[5] https://www.drupal.org/node/2608382
[6] https://www.drupal.org/project/monster_menus
[7] https://www.drupal.org/u/gribnif
[8] https://www.drupal.org/u/gribnif
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2608356
* Advisory ID: DRUPAL-SA-CONTRIB-2015-162
* Project: Login Disable [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-November-04
* Security risk: 12/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to prevent existing users from logging in to your
Drupal site unless they know the secret key to add to the end of the ?q=user
login form page.
The Login Disable module doesn't support other contributed user
authentication modules like CAS or URL Login. When combined with those
modules, the protection preventing a user from logging in does not work.
This vulnerability is mitigated by the fact that an attacker must already
have a user account to log in. This bug therefore allows users to log in even
if they do not have permission to log in.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Login Disable 6.x-1.x versions prior to 6.x-1.1.
* Login Disable 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Login Disable
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Login Disable module for Drupal 6.x, upgrade to Login
Disable 6.x-1.1 [5]
* If you use the Login Disable module for Drupal 7.x, upgrade to Login
Disable 7.x-1.2 [6]
Also see the Login Disable [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Gunnar Mathisen [8]
-------- FIXED BY
------------------------------------------------------------
* Bryan Heisler [9]
* Brian Gilbert [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/login_disable
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/login_disable
[5] https://www.drupal.org/node/2587641
[6] https://www.drupal.org/node/2587643
[7] https://www.drupal.org/project/login_disable
[8] https://www.drupal.org/user/117629
[9] https://www.drupal.org/u/geekygnr
[10] https://www.drupal.org/u/realityloop
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity