October 2016 - Security-news - lists.drupal.org

Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054
by security-news＠drupal.org 26 Oct '16

26 Oct '16

View online: https://www.drupal.org/node/2822366 * Advisory ID: DRUPAL-SA-CONTRIB-2016-054 * Project: Tripal BLAST UI [1] (third-party module) * Version: 7.x * Date: 2016-October-26 * Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2] * Vulnerability: Remote code execution -------- DESCRIPTION --------------------------------------------------------- This module enables you to run NCBI BLAST jobs on the host system. The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run. This vulnerability only requires the attacker to have minimal permissions on the site (for example, "View published content") and therefore can be exploited by untrusted or unauthenticated users in most cases. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Tripal BLAST UI 7.x-1.x versions prior to 7.x-1.2 Drupal core is not affected. If you do not use the contributed Tripal BLAST UI [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Tripal BLAST UI module for Drupal 7.x, upgrade to Tripal BLAST UI 7.x-1.2 [5] Also see the Tripal BLAST UI [6] project page. -------- REPORTED BY --------------------------------------------------------- * Nick Booher [7] * David Rothstein [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Lacey-Anne Sanderson [9] the module maintainer * Nick Booher [10] * David Rothstein [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/tripal_blast [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/tripal_blast [5] https://www.drupal.org/project/tripal_blast/releases/7.x-1.2 [6] https://www.drupal.org/project/tripal_blast [7] https://www.drupal.org/user/809346 [8] https://www.drupal.org/user/124982 [9] https://www.drupal.org/user/781094 [10] https://www.drupal.org/user/809346 [11] https://www.drupal.org/user/124982 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

Webform - Less Critical - Access Bypass - SA-CONTRIB-2016-053
by security-news＠drupal.org 19 Oct '16

19 Oct '16

View online: https://www.drupal.org/node/2820444 * Advisory ID: DRUPAL-SA-CONTRIB-2016-053 * Project: Webform [1] (third-party module) * Version: 7.x * Date: 2016-October-19 * Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module provides a user interface to create and configure forms called Webforms. When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed which could allow access to be granted by other modules. The vulnerability is mitigated by the fact that another module has to explicitly grant access to those files. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Webform 7.x-3.x versions prior to 7.x-3.25. * Webform 7.x-4.x is unaffected. Drupal core is not affected. If you do not use the contributed Webform [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use webform-7.x-3.x you may … * upgrade to webform 7.x-3.25 [5] * upgrade to webform-7.x-4.x but be aware of the backwards incompatible changes [6]. Also see the Webform [7] project page. -------- REPORTED BY --------------------------------------------------------- * DeveloperChris [8] -------- FIXED BY ------------------------------------------------------------ * Dan Chadwick [9] a module maintainer * Roman Zimmermann [10] a module maintainer. -------- COORDINATED BY ------------------------------------------------------ * David Snopek [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/webform [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/webform [5] https://www.drupal.org/project/webform/releases/7.x-3.25 [6] https://www.drupal.org/node/1609324 [7] https://www.drupal.org/project/webform [8] https://www.drupal.org/user/2789879 [9] https://www.drupal.org/user/504278 [10] https://www.drupal.org/u/torotil [11] https://www.drupal.org/user/266527 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052
by security-news＠drupal.org 12 Oct '16

12 Oct '16

View online: https://www.drupal.org/node/2817211 * Advisory ID: DRUPAL-SA-CONTRIB-2016-052 * Project: Elysia Cron [1] (third-party module) * Version: 7.x * Date: 2016-October-12 * Security risk: 11/25 ( Moderately Critical) AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to manage cron jobs. The module doesn't sufficiently sanitize the cron rules which are entered into "Predefined rules" field thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Elysia Cron 7.x-2.x versions prior to 7.x-2.2. Drupal core is not affected. If you do not use the contributed Elysia Cron [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Elysia Cron module for Drupal 7.x, upgrade to Elysia Cron 7.x-2.3 [5] Also see the Elysia Cron [6] project page. -------- REPORTED BY --------------------------------------------------------- * Dan Richards [7] * Michael Hess [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Kiselev Dmitry [9] the module co-maintainer -------- COORDINATED BY ------------------------------------------------------ * David Snopek [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/elysia_cron [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/elysia_cron [5] https://www.drupal.org/project/elysia_cron/releases/7.x-2.3 [6] https://www.drupal.org/project/elysia_cron [7] https://www.drupal.org/user/3157375 [8] https://www.drupal.org/user/102818 [9] https://www.drupal.org/user/1945174 [10] https://www.drupal.org/user/266527 [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003
by security-news＠drupal.org 10 Oct '16

10 Oct '16

View online: https://www.drupal.org/psa-2016-003 * Advisory ID: DRUPAL-PSA-2016-003 * Project: Drupal core [1] * Version: 7.x, 8.x * Date: 2016-October-10 * Security risk: 20/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Exploit/TD:All [2] -------- DESCRIPTION --------------------------------------------------------- Recently the Drupal Security Team has seen a trend of attacks utilizing a site mis-configuration. This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. These files are publically accessible allowing attackers to point search engines and people directly to them on the site. The majority of the reports are based around the webform module, however, other modules are vulnerable to this misconfiguration as well. For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site. -------- TO RESOLVE THIS ISSUE: ---------------------------------------------- 1) Configure upload fields that non-trusted visitors, including anonymous visitors, can upload files with, to utilize use the private file system [3]. 2) Ensure cron is properly running on the site. Read about setting up cron for for Drupal 7 [4] or or Drupal 8 [5]). 3) Consider forcing users to create accounts before submitting content. 4) Audit your public file space to make sure that files that are uploaded there are valid. -------- AWARENESS ACKNOWLEDGMENT -------------------------------------------- The Drupal Security Team became aware of the existence and exploits of this issue because the community reported this issue to the security team [6]. As always, if your site has been exploited, even if the cause is a mistake in configuration, the security team is interested in hearing about the nature of the issue. We use these reports to look for trends and broader solutions. -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [7] of the Drupal Security Team * Damien McKenna [8] of the Drupal Security Team * Alex Pott [9] of the Drupal Security Team * David Snopek [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team * Cash Williams [12] of the Drupal Security Team *This post may be updated as more information is learned.* -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/documentation/modules/file#access [4] https://www.drupal.org/docs/7/setting-up-cron/overview [5] https://www.drupal.org/docs/8/setting-up-cron/overview [6] https://www.drupal.org//www.drupal.org/node/101494” [7] https://www.drupal.org/u/mlhess [8] https://www.drupal.org/u/damienmcKenna [9] https://www.drupal.org/u/alexpott [10] https://www.drupal.org/u/dsnopek [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/u/cashwilliams [13] https://www.drupal.org/contact [14] https://www.drupal.org/security-team [15] https://www.drupal.org/writing-secure-code [16] https://www.drupal.org/security/secure-configuration

1 0