Security-news June 2015

security-news@drupal.org

1 participants
16 discussions

The eXtensible Catalog (XC) Drupal Toolkit - Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-121
by security-news＠drupal.org 17 Jun '15

17 Jun '15

View online: https://www.drupal.org/node/2507619 * Advisory ID: DRUPAL-SA-CONTRIB-2015-121 * Project: The eXtensible Catalog (XC) Drupal Toolkit [1] (third-party module) * Version: 6.x, 7.x * Date: 2015-June-17 * Security risk: 15/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The eXtensible Catalog Drupal Toolkit is a set of Drupal modules to harvest records of the XC Schema format from a Metadata Services Toolkit (MST). The XC NCIP Provider module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "administer ncip providers" permission to alter NCIP providers by getting their browser to make a request to a specially-crafted URL. This vulnerability is mitigated by the fact that only sites that have the XC NCIP Provider module enabled are affected. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions of The eXtensible Catalog (XC) Drupal Toolkit Drupal core is not affected. If you do not use the contributed The eXtensible Catalog (XC) Drupal Toolkit [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use The eXtensible Catalog (XC) Drupal Toolkit you should uninstall it. Also see the The eXtensible Catalog (XC) Drupal Toolkit [5] project page. -------- REPORTED BY --------------------------------------------------------- * Pere Orga [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Pere Orga [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [12] [1] https://www.drupal.org/project/xc [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/xc [5] https://www.drupal.org/project/xc [6] https://www.drupal.org/user/2301194 [7] https://www.drupal.org/user/2301194 [8] https://www.drupal.org/contact [9] https://www.drupal.org/security-team [10] https://www.drupal.org/writing-secure-code [11] https://www.drupal.org/security/secure-configuration [12] https://twitter.com/drupalsecurity

1 0

Inline Entity Form - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120
by security-news＠drupal.org 17 Jun '15

17 Jun '15

View online: https://www.drupal.org/node/2507605 * Advisory ID: DRUPAL-SA-CONTRIB-2015-120 * Project: Inline Entity Form [1] (third-party module) * Version: 7.x * Date: 2015-June-17 * Security risk: 7/25 ( Less Critical) AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Inline Entity Form module provides a field widget for inline management (creation, modification, removal) of referenced entities. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit fields. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Inline Entity Form 7.x-1.x versions prior to 7.x-1.6. Drupal core is not affected. If you do not use the contributed Inline Entity Form [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Inline Entity Form module for Drupal 7.x, upgrade to Inline Entity Form 7.x-1.6 [5] Also see the Inline Entity Form [6] project page. -------- REPORTED BY --------------------------------------------------------- * Matt Vance [7], provisional member of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Matt Vance [8], provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [13] [1] https://www.drupal.org/project/inline_entity_form [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/inline_entity_form [5] https://www.drupal.org/node/2507593 [6] https://www.drupal.org/project/inline_entity_form [7] https://www.drupal.org/user/88338 [8] https://www.drupal.org/user/88338 [9] https://www.drupal.org/contact [10] https://www.drupal.org/security-team [11] https://www.drupal.org/writing-secure-code [12] https://www.drupal.org/security/secure-configuration [13] https://twitter.com/drupalsecurity

1 0

Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119
by security-news＠drupal.org 17 Jun '15

17 Jun '15

View online: https://www.drupal.org/node/2507581 * Advisory ID: DRUPAL-SA-CONTRIB-2015-119 * Project: Apache Solr Real-Time [1] (third-party module) * Version: 7.x * Date: 2015-June-17 * Security risk: 15/25 ( Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module allows content-changes to be committed to Apache Solr in real-time. The module doesn't check the status of an entity being indexed which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search site content. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Apache Solr Real-Time 7.x-2.x versions prior to 7.x-2.2. Drupal core is not affected. If you do not use the contributed Apache Solr Real-Time [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Apache Solr Real-Time module for Drupal 7.x, upgrade to Apache Solr Real-Time 7.x-2.2 [5] Also see the Apache Solr Real-Time [6] project page. -------- REPORTED BY --------------------------------------------------------- * Hunter Fox [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Marcus Deglos [8] the module maintainer * Steve Williams [9] the module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] https://www.drupal.org/project/apachesolr_realtime [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/apachesolr_realtime [5] https://www.drupal.org/node/2489890 [6] https://www.drupal.org/project/apachesolr_realtime [7] https://www.drupal.org/user/426416 [8] https://www.drupal.org/user/321496 [9] https://www.drupal.org/user/223023 [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

HTTP Strict Transport Security - Moderately Critical - Logical Error - SA-CONTRIB-2015-118
by security-news＠drupal.org 17 Jun '15

17 Jun '15

View online: https://www.drupal.org/node/2507563 * Advisory ID: DRUPAL-SA-CONTRIB-2015-118 * Project: HTTP Strict Transport Security [1] (third-party module) * Version: 6.x, 7.x * Date: 2015-June-17 * Security risk: 12/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security (HSTS) by setting the Strict-Transport-Security header on each page generated by Drupal. HSTS module provides a configuration UI for the HSTS "include subdomains" directive, which indicates that the browser should apply the HSTS policy to all subdomains on the site's domain. HSTS module did not implement the "include subdomains" directive correctly (it is misspelled as include_subdomains rather than includeSubDomains). As a result, the HSTS policy was not applied to subdomains as site administrators had expected. This vulnerability is mitigated by the fact that only subdomains where HSTS was expected to be enabled are affected and an attacker would still need to execute a man-in-the-middle attack to exploit the issue. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * HSTS 7.x-1.x versions prior to 7.x-1.2. * HSTS 6.x-1.x versions prior to 6.x-1.1. Drupal core is not affected. If you do not use the contributed HTTP Strict Transport Security [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the HSTS module for Drupal 7.x, upgrade to HSTS 7.x-1.2 [5] * If you use the HSTS module for Drupal 6.x, upgrade to HSTS 6.x-1.1 [6] Also see the HTTP Strict Transport Security [7] project page. -------- REPORTED BY --------------------------------------------------------- * Mark Burdett [8] -------- FIXED BY ------------------------------------------------------------ * Mark Burdett [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/hsts [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/hsts [5] https://www.drupal.org/node/2507539 [6] https://www.drupal.org/node/2507543 [7] https://www.drupal.org/project/hsts [8] https://www.drupal.org/user/12302 [9] https://www.drupal.org/user/12302 [10] https://www.drupal.org/user/36762 [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

Novalnet Payment Module Ubercart - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-116
by security-news＠drupal.org 03 Jun '15

03 Jun '15

View online: https://www.drupal.org/node/2499787 * Advisory ID: DRUPAL-SA-CONTRIB-2015-116 * Project: Novalnet Payment Module- Ubercart [1] (third-party module) * Version: 6.x, 7.x * Date: 2015-June-03 * Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- This module enables you add the Novalnet payment service provider to Ubercart. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL. This vulnerability is mitigated by the fact that the malicious request must come from a specific Novalnet IP address. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions of Novalnet Payment Module Ubercart module Drupal core is not affected. If you do not use the contributed Novalnet Payment Module Ubercart [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the Novalnet Payment Module Ubercart module you should uninstall it. Also see the Novalnet Payment Module Ubercart [5] project page. -------- REPORTED BY --------------------------------------------------------- * Pere Orga [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Pere Orga [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [12] [1] https://www.drupal.org/project/uc_novalnet_payment [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/uc_novalnet_payment [5] https://www.drupal.org/project/uc_novalnet_payment [6] https://www.drupal.org/user/2301194 [7] https://www.drupal.org/user/2301194 [8] https://www.drupal.org/contact [9] https://www.drupal.org/security-team [10] https://www.drupal.org/writing-secure-code [11] https://www.drupal.org/security/secure-configuration [12] https://twitter.com/drupalsecurity

1 0

Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117
by security-news＠drupal.org 03 Jun '15

03 Jun '15

View online: https://www.drupal.org/node/2499791 * Advisory ID: DRUPAL-SA-CONTRIB-2015-117 * Project: Novalnet Payment Module- Drupal Commerce [1] (third-party module) * Version: 7.x * Date: 2015-June-03 * Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- This module enables you add the Novalnet payment service provider to Drupal Commerce. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL. This vulnerability is mitigated by the fact that the malicious request must come from a specific Novalnet IP address. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions of Novalnet Payment Module Drupal Commerce module Drupal core is not affected. If you do not use the contributed Novalnet Payment Module Drupal Commerce [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the Novalnet Payment Module Drupal Commerce module you should uninstall it. Also see the Novalnet Payment Module Drupal Commerce [5] project page. -------- REPORTED BY --------------------------------------------------------- * Pere Orga [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Pere Orga [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [12] [1] https://www.drupal.org/project/Commerce_novalnet [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/Commerce_novalnet [5] https://www.drupal.org/project/Commerce_novalnet [6] https://www.drupal.org/user/2301194 [7] https://www.drupal.org/user/2301194 [8] https://www.drupal.org/contact [9] https://www.drupal.org/security-team [10] https://www.drupal.org/writing-secure-code [11] https://www.drupal.org/security/secure-configuration [12] https://twitter.com/drupalsecurity

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news June 2015