View online: https://www.drupal.org/SA-CORE-2016-001
* Advisory ID: SA-CORE-2016-001
* Project: Drupal core [1]
* Version: 6.x, 7.x, 8.x
* Date: 2016-February-24
* Security risk: 15/25 ( Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
.... File upload access bypass and denial of service (File module - Drupal 7
and 8 - Moderately Critical)
A vulnerability exists in the File module that allows a malicious user to
view, delete or substitute a link to a file that the victim has uploaded to a
form while the form has not yet been submitted and processed. If an attacker
carries out this attack continuously, all file uploads to a site could be
blocked by deleting all temporary files before they can be saved.
This vulnerability is mitigated by the fact that the attacker must have
permission to create content or comment and upload files as part of that
process.
.... Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6
and 7 - Moderately Critical)
The XML-RPC system allows a large number of calls to the same method to be
made at once, which can be used as an enabling factor in brute force attacks
(for example, attempting to determine user passwords by submitting a large
number of password variations at once).
This vulnerability is mitigated by the fact that you must have enabled a
module that provides an XML-RPC method that is vulnerable to brute-forcing.
There are no such modules in Drupal 7 core, but Drupal 6 core is vulnerable
via the Blog API module. It is additionally mitigated if flood control
protection is in place for the method in question.
.... Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 -
Moderately Critical)
In Drupal 6 and 7, the current path can be populated with an external URL.
This can lead to Open Redirect vulnerabilities.
This vulnerability is mitigated by the fact that it would only occur in
combination with custom code, or in certain cases if a user submits a form
shown on a 404 page with a specially crafted URL.
For Drupal 8 this is a hardening against possible browser flaws handling
certain redirect paths.
.... Form API ignores access restrictions on submit buttons (Form API -
Drupal 6 - Critical)
An access bypass vulnerability was found that allows input to be submitted,
for example using JavaScript, for form button elements that a user is not
supposed to have access to because the button was blocked by setting #access
to FALSE in the server-side form definition.
This vulnerability is mitigated by the fact that the attacker must have
access to submit a form that has such buttons defined for it (for example, a
form that both administrators and non-administrators can access, but where
administrators have additional buttons available to them).
.... HTTP header injection using line breaks (Base system - Drupal 6 -
Moderately Critical)
A vulnerability in the drupal_set_header() function allows an HTTP header
injection attack to be performed if user-generated content is passed as a
header value on sites running PHP versions older than 5.1.2. If the content
contains line breaks the user may be able to set arbitrary headers of their
own choosing.
This vulnerability is mitigated by the fact that most hosts have newer
versions of PHP installed, and that it requires a module to be installed on
the site that allows user-submitted data to appear in HTTP headers.
.... Open redirect via double-encoded 'destination' parameter (Base system -
Drupal 6 - Moderately Critical)
The drupal_goto() function in Drupal 6 improperly decodes the contents of
$_REQUEST['destination'] before using it, which allows the function's open
redirect protection to be bypassed and allows an attacker to initiate a
redirect to an arbitrary external URL.
This vulnerability is mitigated by that fact that the attack is not possible
for sites running on PHP 5.4.7 or greater.
.... Reflected file download vulnerability (System module - Drupal 6 and 7 -
Moderately Critical)
Drupal core has a reflected file download vulnerability that could allow an
attacker to trick a user into downloading and running a file with arbitrary
JSON-encoded content.
This vulnerability is mitigated by the fact that the victim must be a site
administrator and that the full version of the attack only works with certain
web browsers.
.... Saving user accounts can sometimes grant the user all roles (User module
- Drupal 6 and 7 - Less Critical)
Some specific contributed or custom code may call Drupal's user_save() API in
a manner different than Drupal core. Depending on the data that has been
added to a form or the array prior to saving, this can lead to a user gaining
all roles on a site.
This issue is mitigated by the fact that it requires contributed or custom
code that calls user_save() with an explicit category and code that loads all
roles into the array.
.... Email address can be matched to an account (User module - Drupal 7 and 8
- Less Critical)
In certain configurations where a user's email addresses could be used to log
in instead of their username, links to "have you forgotten your password"
could reveal the username associated with a particular email address, leading
to an information disclosure vulnerability.
This issue is mitigated by the fact that it requires a contributed module to
be installed that permits logging in with an email address, and that it is
only relevant on sites where usernames are typically chosen to hide the
users' real-life identities.
.... Session data truncation can lead to unserialization of user provided
data (Base system - Drupal 6 - Less Critical)
On certain older versions of PHP, user-provided data stored in a Drupal
session may be unserialized leading to possible remote code execution.
This issue is mitigated by the fact that it requires an unusual set of
circumstances to exploit and depends on the particular Drupal code that is
running on the site. It is also believed to be mitigated by upgrading to PHP
5.4.45, 5.5.29, 5.6.13, or any higher version.
-------- CVE IDENTIFIER(S) ISSUED (# [3])
------------------------------------
* /CVE identifiers [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal core 6.x with FileField module versions prior to 6.x-3.14. See
SA-CONTRIB-2016-008 - FileField - Denial of Service [5].
* Drupal core 6.x versions prior to 6.38
* Drupal core 7.x versions prior to 7.43
* Drupal core 8.0.x versions prior to 8.0.4
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Drupal 6.x, upgrade to FileField [6] 6.x-3.14 and Drupal core
6.38 [7]
* If you use Drupal 7.x, upgrade to Drupal core 7.43 [8]
* If you use Drupal 8.0.x, upgrade to Drupal core 8.0.4 [9]
Also see the Drupal core [10] project page.
-------- REPORTED BY
---------------------------------------------------------
File upload access bypass and denial of service:
* fnqgpc [11]
Brute force amplification attacks via XML-RPC:
* Stéphane Corlosquet [12] of the Drupal Security Team
Open redirect via path manipulation:
* Francesco Placella [13]
* Heine Deelstra [14] of the Drupal Security Team
* Pere Orga [15] of the Drupal Security Team
* Peter Wolanin [16] of the Drupal Security Team
Form API ignores access restrictions on submit buttons:
* Gábor Hojtsy [17] of the Drupal Security Team
* Damien Tournoud [18] of the Drupal Security Team
* Daniel Kudwien [19]
HTTP header injection using line breaks:
* Dave Hansen-Lange [20]
Open redirect via double-encoded 'destination' parameter:
* Tarpinder Grewal [21]
* Harry Taheem [22]
* David Rothstein [23] of the Drupal Security Team
Reflected file download vulnerability:
* Juho Nurminen [24]
Saving user accounts can sometimes grant the user all roles:
* Dave Cohen [25]
* Annie Gerard [26]
Email address can be matched to an account:
* FengWen [27]
* Jimmy Henderickx [28]
Session data truncation can lead to unserialization of user provided data:
* David Jardin of the Joomla Security Team
* Damien Tournoud [29] of the Drupal Security Team
* Heine Deelstra [30] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
File upload access bypass and denial of service:
* fnqgpc [31]
* Nathaniel Catchpole [32] of the Drupal Security Team
* Ben Dougherty [33] of the Drupal Security Team
* Lee Rowlands [34] of the Drupal Security Team
* Sascha Grossenbacher [35]
* Gábor Hojtsy [36] of the Drupal Security Team
* Greg Knaddison [37] of the Drupal Security Team
* Klaus Purer [38] of the Drupal Security Team
* David Rothstein [39] of the Drupal Security Team
* Stefan Ruijsenaars [40], provisional member of the Drupal Security Team
* Cathy Theys [41], provisional member of the Drupal Security Team
* Peter Wolanin [42] of the Drupal Security Team
Brute force amplification attacks via XML-RPC:
* Frédéric G. Marand [43], provisional member of the Drupal Security
Team
* Peter Wolanin [44] of the Drupal Security Team
Open redirect via path manipulation:
* Nathaniel Catchpole [45] of the Drupal Security Team
* Ben Dougherty [46] of the Drupal Security Team
* Alan Evans [47]
* Nate Haug [48]
* Gábor Hojtsy [49] of the Drupal Security Team
* Heine Deelstra [50] of the Drupal Security Team
* David Stoline [51] of the Drupal Security Team
* Damien McKenna [52] Provisional member of the Drupal Security Team
* Pere Orga [53] of the Drupal Security Team
* Francesco Placella [54]
* Dave Reid [55] of the Drupal Security Team
* David Rothstein [56] of the Drupal Security Team
* Lee Rowlands [57] of the Drupal Security Team
* David Snopek [58] of the Drupal Security Team
* Cathy Theys [59], provisional member of the Drupal Security Team
* Peter Wolanin [60] of the Drupal Security Team
Form API ignores access restrictions on submit buttons:
* chx [61]
* Daniel Kudwien [62]
* Alex Bronstein [63] of the Drupal Security Team
* Heine Deelstra [64] of the Drupal Security Team
* Dmitri Gaskin [65]
* Nate Haug [66]
* John Morahan [67]
* David Rothstein [68] of the Drupal Security Team
* Damien Tournoud [69] of the Drupal Security Team
* Peter Wolanin [70] of the Drupal Security Team
HTTP header injection using line breaks:
* Dave Hansen-Lange [71]
* David Rothstein [72] of the Drupal Security Team
* Nathaniel Catchpole [73] of the Drupal Security Team
* Klaus Purer [74] of the Drupal Security Team
Open redirect via double-encoded 'destination' parameter:
* David Rothstein [75] of the Drupal Security Team
* Alex Bronstein [76] of the Drupal Security Team
Reflected file download vulnerability:
* Juho Nurminen [77]
* David Rothstein [78] of the Drupal Security Team
* Damien Tournoud [79] of the Drupal Security Team
* Peter Wolanin [80] of the Drupal Security Team
* Nate Haug [81]
Saving user accounts can sometimes grant the user all roles:
* Dave Cohen [82]
* Greg Knaddison [83] of the Drupal Security Team
* Rick Manelius [84] of the Drupal Security Team
* Balazs Nagykekesi [85]
* David Rothstein [86] of the Drupal Security Team
* Peter Wolanin [87] of the Drupal Security Team
Email address can be matched to an account:
* Klaus Purer [88] of the Drupal Security Team
* David Rothstein [89] of the Drupal Security Team
Session data truncation can lead to unserialization of user provided data:
* Heine Deelstra [90] of the Drupal Security Team
* Damien Tournoud [91] of the Drupal Security Team
* David Rothstein [92] of the Drupal Security Team
* Peter Wolanin [93] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* The Drupal Security Team [94]
* Cathy Theys, provisional member of the Drupal Security team [95]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [96].
Learn more about the Drupal Security team and their policies [97], writing
secure code for Drupal [98], and securing your site [99].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [100]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] #cve-identifiers-issued
[4] http://cve.mitre.org/
[5] https://www.drupal.org/node/2674854
[6] https://www.drupal.org/project/filefield
[7] https://www.drupal.org/drupal-6.38-release-notes
[8] https://www.drupal.org/drupal-7.43-release-notes
[9] https://www.drupal.org/drupal-8.0.4-release-notes
[10] https://www.drupal.org/project/drupal
[11] https://www.drupal.org/u/fnqgpc
[12] https://www.drupal.org/u/scor
[13] https://www.drupal.org/u/plach
[14] https://www.drupal.org/u/heine
[15] https://www.drupal.org/u/pere-orga
[16] https://www.drupal.org/u/pwolanin
[17] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[18] https://www.drupal.org/u/damien-tournoud
[19] https://www.drupal.org/u/sun
[20] https://www.drupal.org/u/dalin
[21] https://www.drupal.org/u/tarpinder
[22] https://www.drupal.org/u/htaheem
[23] https://www.drupal.org/u/david_rothstein
[24] https://www.drupal.org/u/juho-nurminen-2ns
[25] https://www.drupal.org/u/dave-cohen
[26] https://www.drupal.org/u/agerard
[27] https://www.drupal.org/u/fengwen
[28] https://www.drupal.org/u/strykaizer
[29] https://www.drupal.org/u/damien-tournoud
[30] https://www.drupal.org/u/heine
[31] https://www.drupal.org/u/fnqgpc
[32] https://www.drupal.org/u/catch
[33] https://www.drupal.org/u/benjy
[34] https://www.drupal.org/u/larowlan
[35] https://www.drupal.org/u/berdir
[36] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[37] https://www.drupal.org/u/greggles
[38] https://www.drupal.org/u/klausi
[39] https://www.drupal.org/u/david_rothstein
[40] https://www.drupal.org/u/stefan.r
[41] https://www.drupal.org/u/yesct
[42] https://www.drupal.org/u/pwolanin
[43] https://www.drupal.org/u/fgm
[44] https://www.drupal.org/u/pwolanin
[45] https://www.drupal.org/u/catch
[46] https://www.drupal.org/u/benjy
[47] https://www.drupal.org/u/alan-evans
[48] https://www.drupal.org/u/quicksketch
[49] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[50] https://www.drupal.org/u/heine
[51] https://www.drupal.org/u/dstol
[52] https://www.drupal.org/u/damienmckenna
[53] https://www.drupal.org/u/pere-orga
[54] https://www.drupal.org/u/plach
[55] https://www.drupal.org/u/dave-reid
[56] https://www.drupal.org/u/david_rothstein
[57] https://www.drupal.org/u/larowlan
[58] https://www.drupal.org/u/dsnopek
[59] https://www.drupal.org/u/yesct
[60] https://www.drupal.org/u/pwolanin
[61] https://www.drupal.org/u/chx
[62] https://www.drupal.org/u/sun
[63] https://www.drupal.org/u/effulgentsia
[64] https://www.drupal.org/u/heine
[65] https://www.drupal.org/u/dmitrig01
[66] https://www.drupal.org/u/quicksketch
[67] https://www.drupal.org/u/john-morahan
[68] https://www.drupal.org/u/david_rothstein
[69] https://www.drupal.org/u/damien-tournoud
[70] https://www.drupal.org/u/pwolanin
[71] https://www.drupal.org/u/dalin
[72] https://www.drupal.org/u/david_rothstein
[73] https://www.drupal.org/u/catch
[74] https://www.drupal.org/u/klausi
[75] https://www.drupal.org/u/david_rothstein
[76] https://www.drupal.org/u/effulgentsia
[77] https://www.drupal.org/u/juho-nurminen-2ns
[78] https://www.drupal.org/u/david_rothstein
[79] https://www.drupal.org/u/damien-tournoud
[80] https://www.drupal.org/u/pwolanin
[81] https://www.drupal.org/u/quicksketch
[82] https://www.drupal.org/u/dave-cohen
[83] https://www.drupal.org/u/greggles
[84] https://www.drupal.org/u/rickmanelius
[85] https://www.drupal.org/u/nagba
[86] https://www.drupal.org/u/david_rothstein
[87] https://www.drupal.org/u/pwolanin
[88] https://www.drupal.org/u/klausi
[89] https://www.drupal.org/u/david_rothstein
[90] https://www.drupal.org/u/heine
[91] https://www.drupal.org/u/damien-tournoud
[92] https://www.drupal.org/u/david_rothstein
[93] https://www.drupal.org/u/pwolanin
[94] https://www.drupal.org/security-team
[95] https://www.drupal.org/u/YesCT
[96] https://www.drupal.org/contact
[97] https://www.drupal.org/security-team
[98] https://www.drupal.org/writing-secure-code
[99] https://www.drupal.org/security/secure-configuration
[100] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2674854
* Advisory ID: DRUPAL-SA-CONTRIB-2016-008
* Project: FileField [1] (third-party module)
* Version: 6.x
* Date: 2016-February-24
* Security risk: 11/25 ( Moderately Critical)
AC:Complex/A:User/CI:None/II:Some/E:Proof/TD:All [2]
* Vulnerability: Denial of Service
-------- DESCRIPTION
---------------------------------------------------------
FileField module allows users to upload files in conjunction with the Content
Construction Kit (CCK) module in Drupal 6.
The module doesn't validate that a request to delete a temporary file was
made by the user who uploaded the file. An attacker can use this
vulnerability to delete other user's file uploads while they are in the
process of creating or editing content and attaching files (before it is
saved). This can be used as a denial of service (DoS) attack that can
prevent file uploads from working on the site.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create content and upload files using a file (or
image) field.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* FileField module 6.x-3.x versions prior to 6.x-3.14.
Drupal core is not affected. If you do not use the contributed FileField [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the File Filed module for Drupal 6.x, upgrade to FileField
6.x-3.14 [5]
Also see the FileField [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* fnqgpc [7]
-------- FIXED BY
------------------------------------------------------------
* Peter Wolanin [8] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Peter Wolanin [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/filefield
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/filefield
[5] https://www.drupal.org/node/2674868
[6] https://www.drupal.org/project/filefield
[7] https://www.drupal.org/user/3250434
[8] https://www.drupal.org/user/49851
[9] https://www.drupal.org/user/49851
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2670636
* Advisory ID: DRUPAL-SA-CONTRIB-2016-007
* Project: Node.js integration [1] (third-party module)
* Version: 7.x, 8.x
* Date: 2016-February-17
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module provides an API that other modules can use to add realtime
capabilities to Drupal, specifically enabling pushing updates to open
connected clients.
The module doesn't disconnect unauthenticated sockets, allowing those sockets
to receive broadcast messages. For sites that only serve authenticated pages,
or only allows Node.js connections from authenticated users, the expectation
is that only authenticated Drupal users will see broadcast messages.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Node.js 7.x-1.x versions prior to 7.x-1.11.
* Node.js 8.x-1.x beta versions prior to 8.x-1.0.
Drupal core is not affected. If you do not use the contributed Node.js
integration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Node.js module for Drupal 7.x, upgrade to Node.js
7.x-1.11.
[5]
* If you use the beta Node.js module for Drupal 8.x, upgrade to Node.js
8.x-1.0. [6]
Also see the Node.js integration [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin Randell [8].
-------- FIXED BY
------------------------------------------------------------
* Justin Randell [9].
* Gergely Lekli [10].
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/nodejs
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/nodejs
[5] https://www.drupal.org/node/2669222
[6] https://www.drupal.org/node/2669224
[7] https://www.drupal.org/project/nodejs
[8] https://www.drupal.org/u/beejeebus
[9] https://www.drupal.org/u/beejeebus
[10] https://www.drupal.org/u/gergely-lekli
[11] https://www.drupal.org/u/mlhess
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2670632
* Advisory ID: DRUPAL-SA-CONTRIB-2016-006
* Project: Commerce Authorize.Net SIM/DPM Payment Methods [1]
(third-party module)
* Version: 7.x
* Date: 2016-February-17
* Security risk: 15/25 ( Critical)
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to make credit card payments for Drupal Commerce
orders via the Authorize.Net payment gateway using either their SIM (hosted
payment page) or DPM (direct post method) mechanisms.
The module doesn't sufficiently protect against the premature triggering of
order completion without successful payment by the manual entry of a
specially-constructed URL which contains the correct payment redirect key.
This vulnerability is mitigated by the fact that an attacker must know the
format of the redirect URL and the current payment redirect key. It's also
worth noting that orders prematurely completed in this fashion will *NOT*
record a successful payment and thus show an unpaid balance.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Authorize.Net SIM/DPM Payment Methods versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Commerce
Authorize.Net SIM/DPM Payment Methods [4] module, there is nothing you need
to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for
Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods
7.x-1.4 [5]
Also see the Commerce Authorize.Net SIM/DPM Payment Methods [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt White [7]
-------- FIXED BY
------------------------------------------------------------
* Matt White [8]
* Jerry Hudgins [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/commerce_authnet_simdpm
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/commerce_authnet_simdpm
[5] https://www.drupal.org/node/2670212
[6] https://www.drupal.org/project/commerce_authnet_simdpm
[7] https://www.drupal.org/user/266840
[8] https://www.drupal.org/user/266840
[9] https://www.drupal.org/user/96266
[10] https://www.drupal.org/user/680072
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2666448
* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: CAS [1] (third-party module)
* Version: 7.x
* Date: 2016-February-10
* Security risk: 12/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:None/E:Proof/TD:All [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to use your Drupal site as a client or server for the
single sign on protocol CAS. This vulnerability only affects sites that use
the "CAS Server" sub module.
The module doesn't allow an administrator to restrict which CAS clients are
allowed authenticate with the Drupal CAS server. A malicious CAS client can
trick your users into exposing information about themselves, including:
username, uid, email, account created date, account language, and roles.
This vulnerability is mitigated by the fact that a user must click a
specially formed link from the malicious site and log into your Drupal CAS
server with their credentials. If the user already has an active session with
your Drupal CAS server, then that step is skipped.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CAS 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed CAS [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are using the CAS Server sub-module, upgrade to CAS 7.x-1.5 [5]
and
configure the "white list" of accepted CAS clients that are allowed to
authenticate with your CAS server.
* If you use the CAS module but NOT the server sub-module, then do nothing.
Also see the CAS [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* GUSTAV0 [7]
-------- FIXED BY
------------------------------------------------------------
* Brian Osborne [8] the module maintainer
* Robert Wohleb [9]
* Olarin [10]
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/cas
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/cas
[5] https://drupal.org/node/2665642
[6] https://www.drupal.org/project/cas
[7] https://www.drupal.org/u/gustav0
[8] https://www.drupal.org/user/XXXUID
[9] https://www.drupal.org/u/rwohleb
[10] https://www.drupal.org/u/olarin
[11] https://www.drupal.org/u/mlhess
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2666446
* Advisory ID: DRUPAL-SA-CONTRIB-2016-pending
* Project: Embedded Media Field [1] (third-party module)
* Version: 6.x
* Date: 2016-February-10
* Security risk: 19/25 ( Critical)
AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to to display video, image, and audio files from
various third party providers
The module doesn't sufficiently sanitize path arguments under certain
scenarios.
This vulnerability is mitigated by the fact that an attacker must be able to
trick an administrator into visiting a carefully crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Embedded Media Field 6.x-1.x all versions.
* Embedded Media Field 6.x-2.x versions prior to 6.x-2.7.
Versions of Embedded Media Field for Drupal 7 are not affected.
Drupal core is not affected. If you do not use the contributed Embedded Media
Field [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Embedded Media Field module for Drupal 6.x, upgrade to
Embedded Media Field 6.x-2.7 [5]
Also see the Embedded Media Field [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Cash Williams (cashwilliams) [7]
-------- FIXED BY
------------------------------------------------------------
* Dave Hansen-Lange (dalin) [8]
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/emfield
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/emfield
[5] https://www.drupal.org/node/2665632
[6] https://www.drupal.org/project/emfield
[7] https://www.drupal.org/u/cashwilliams
[8] https://www.drupal.org/u/dalin
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity