Security-news

security-news@drupal.org

1 participants
1782 discussions

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003
by security-news＠drupal.org 29 Oct '14

29 Oct '14

View online: https://www.drupal.org/PSA-2014-003 * Advisory ID: DRUPAL-PSA-2014-003 * Project: Drupal core [1] * Version: 7.x * Date: 2014-October-29 * Security risk: 25/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:All [2] -------- DESCRIPTION --------------------------------------------------------- This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection [3]. This is not an announcement of a new vulnerability in Drupal. Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection [4]. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement. *Simply updating to Drupal 7.32 will not remove backdoors.* If you have not updated or applied this patch [5], do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site. .... Data and damage control Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack. Take a look at our help documentation, ”Your Drupal site got hacked, now what” [6] .... Recovery Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access. Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found. The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014: 1) Take the website offline by replacing it with a static HTML page 2) Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack 3) Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.) 4) Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014 5) Update or patch the restored Drupal core code 6) Put the restored and patched/updated website back online 7) Manually redo any desired changes made to the website since the date of the restored backup 8) Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. For more information, please see our FAQ on SA-CORE-2014-005 [7]. -------- WRITTEN BY ---------------------------------------------------------- * Michael Hess [8] of the Drupal Security Team * Bevan Rudge [9] -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [10] of the Drupal Security Team * Stéphane Corlosquet [11] of the Drupal Security Team * Greg Knaddison [12] of the Drupal Security Team * Rick Manelius [13] of the Drupal Security Team * Peter Wolanin [14] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- We've prepared a FAQ on this release. Read more at FAQ on SA-CORE-2014-005 [15]. The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [16]. Learn more about the Drupal Security team and their policies [17], writing secure code for Drupal [18], and securing your site [19]. [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/SA-CORE-2014-005 [4] https://www.drupal.org/SA-CORE-2014-005 [5] https://www.drupal.org/SA-CORE-2014-005 [6] https://www.drupal.org/node/2365547 [7] https://www.drupal.org/drupalsa05FAQ [8] https://www.drupal.org/u/mlhess [9] https://www.drupal.org/u/Bevan [10] https://www.drupal.org/u/mlhess [11] https://www.drupal.org/u/scor [12] https://www.drupal.org/u/greggles [13] https://www.drupal.org/u/rickmanelius [14] https://www.drupal.org/u/pwolanin [15] https://www.drupal.org/drupalsa05FAQ [16] https://www.drupal.org/contact [17] https://www.drupal.org/security-team [18] https://www.drupal.org/writing-secure-code [19] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-102 - Document - Cross Site Scripting
by security-news＠drupal.org 22 Oct '14

22 Oct '14

View online: https://www.drupal.org/node/2361617 * Advisory ID: DRUPAL-SA-CONTRIB-2014-102 * Project: Document [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-October-08 * Security risk: 8/25 ( Less Critical) AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Document module is a basic Document Management System for Drupal. .... Cross Site Scripting (XSS) The module wasn't sanitizing user input sufficiently in a few use cases. This vulnerability is mitigated by the the fact that a user must have permissions to add or edit documents to be able to exploit the vulnerability. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Document 6.x-1.11 versions prior to 6.x-1.11. * Document 7.x-1.20 versions prior to 7.x-1.20. Drupal core is not affected. If you do not use the contributed Document [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Document module for Drupal 6.x, upgrade to Document 6.x-1.12. [5] * If you use the Document module for Drupal 7.x, upgrade to Document 7.x-1.21. [6] Also see the Document [7] project page. -------- REPORTED BY --------------------------------------------------------- * Matt V. [8] -------- FIXED BY ------------------------------------------------------------ * Rahul S. [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Francisco José Cruz Romanos [10] provisional member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] https://www.drupal.org/project/document [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/document [5] https://www.drupal.org/node/2357387 [6] https://www.drupal.org/node/2357389 [7] https://www.drupal.org/project/document [8] https://www.drupal.org/user/88338 [9] https://www.drupal.org/user/473356 [10] https://www.drupal.org/user/848238 [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-101 - Ubercart - Cross Site Request Forgery
by security-news＠drupal.org 22 Oct '14

22 Oct '14

View online: https://www.drupal.org/node/2361613 * Advisory ID: DRUPAL-SA-CONTRIB-2014-101 * Project: Ubercart [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-October-22 * Security risk: 13/25 ( Moderately Critical) AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:All [2] * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Ubercart module provides a shopping cart and e-commerce features for Drupal. .... Cross Site Request Forgery (CSRF) The country administration links are not properly protected. A malicious user could trick a store administrator into enabling or disabling a country by getting them to visit a specially-crafted URL. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Ubercart 7.x-3.x versions prior to 7.x-3.8. * Ubercart 6.x-2.x versions prior to 6.x-2.14. Drupal core is not affected. If you do not use the contributed Ubercart [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.8 [5] * If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart 6.x-2.14 [6] Also see the Ubercart [7] project page. -------- REPORTED BY --------------------------------------------------------- * Ayesh Karunaratne [8] -------- FIXED BY ------------------------------------------------------------ * Ayesh Karunaratne [9] * Dave Long [10] the module maintainer * Francisco José Cruz Romanos [11] provisional member of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Francisco José Cruz Romanos [12] provisional member of the Drupal Security Team * Rick Manelius [13] member of Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. [1] https://www.drupal.org/project/ubercart [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/ubercart [5] https://www.drupal.org/node/2361321 [6] https://www.drupal.org/node/2361323 [7] https://www.drupal.org/project/ubercart [8] https://www.drupal.org/user/796148 [9] https://www.drupal.org/user/796148 [10] https://www.drupal.org/user/246492 [11] https://www.drupal.org/user/848238 [12] https://www.drupal.org/user/848238 [13] https://www.drupal.org/user/680072 [14] https://www.drupal.org/contact [15] https://www.drupal.org/security-team [16] https://www.drupal.org/writing-secure-code [17] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-100 - Bad Behavior - Information Disclosure
by security-news＠drupal.org 22 Oct '14

22 Oct '14

View online: https://www.drupal.org/node/2361611 * Advisory ID: DRUPAL-SA-CONTRIB-2014-100 * Project: Bad Behavior [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-October-22 * Security risk: 15/25 ( Critical) AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:All [2] * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- This module enables you to to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts. .... Information Disclosure The module doesn't sufficiently sanitize log data, allowing usernames and passwords to get included in its logs. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer bad behavior". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * badbehavior 6.x-2.x versions prior to 6.x-2.2216. * badbehavior 7.x-2.x versions prior to 7.x-2.2216. Drupal core is not affected. If you do not use the contributed Bad Behavior [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the badbehavior module for Drupal 6.x, upgrade to badbehavior 6.x-2.2216 [5] * If you use the badbehavior module for Drupal 7.x, upgrade to badbehavior 7.x-2.2216 [6] Also see the Bad Behavior [7] project page. -------- REPORTED BY --------------------------------------------------------- * Hugh Wormington [8] -------- FIXED BY ------------------------------------------------------------ * Hugh Wormington [9] * Sean Robertson [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Rick Manelius [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] https://www.drupal.org/project/badbehavior [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/badbehavior [5] https://www.drupal.org/node/2360953 [6] https://www.drupal.org/node/2360955 [7] https://www.drupal.org/project/badbehavior [8] https://www.drupal.org/user/511008 [9] https://www.drupal.org/user/511008 [10] https://www.drupal.org/user/7074 [11] https://www.drupal.org/user/680072 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-099 - Open Atrium Core - Access bypass
by security-news＠drupal.org 15 Oct '14

15 Oct '14

View online: https://www.drupal.org/node/2357295 * Advisory ID: DRUPAL-SA-CONTRIB-2014-099 * Project: Open Atrium [1] (third-party module) * Version: 7.x * Date: 2014-10-15 * Security risk: 10/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The oa_core module contains the base access control mechanism for the Open Atrium distribution (OA2). In OA2, file attachments are given the same access permission as the node they are attached to. The vulnerability is when an attachment is removed from a node that has Revisions enabled. It allows anonymous users to view the file that is still attached to the previous revision. This vulnerability is mitigated by the fact that it requires using Revisions and removing files attached to revisions. If revisions are disabled or files are not removed from nodes then access works as designed. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * oa_core 7.x-2.x versions prior to 7.x-2.22 [4]. Drupal core is not affected. If you do not use the contributed Open Atrium [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the oa_core module for Drupal 7.x, upgrade to oa_core 7.x-2.22 [6]. Also see the Open Atrium [7] project page. -------- REPORTED BY --------------------------------------------------------- * .John [8] -------- FIXED BY ------------------------------------------------------------ * Mike Potter [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] https://www.drupal.org/project/openatrium [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/node/2357279 [5] https://www.drupal.org/project/openatrium [6] https://www.drupal.org/node/2357279 [7] https://www.drupal.org/project/openatrium [8] https://www.drupal.org/user/2659819 [9] https://www.drupal.org/user/616192 [10] https://www.drupal.org/user/426416 [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)
by security-news＠drupal.org 15 Oct '14

15 Oct '14

View online: https://www.drupal.org/node/2357029 * Advisory ID: DRUPAL-SA-CONTRIB-2014-098 * Project: CKEditor - WYSIWYG HTML editor [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-October-15 * Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor. Both modules define a function, called via an ajax request, that filters text before passing it into the editor, to prevent certain cross site scripting attacks on content edits (that the JavaScript library might not handle). Because the function did not check a CSRF token for anonymous users, it was possible to perform reflected XSS against anonymous users via CSRF. The problem existed in CKEditor/FCKeditor modules for Drupal, not in JavaScript libraries with the same names. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * CKEditor 7.x-1.x versions prior to 7.x-1.15. * CKEditor 6.x-1.x versions prior to 6.x-1.14. * FCKeditor 6.x-2.x versions prior to 6.x-2.3. Drupal core is not affected. If you do not use the contributed CKEditor - WYSIWYG HTML editor [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.16 [5] * If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor 6.x-1.15 [6] * If you use the FCKeditor module for Drupal 6.x, upgrade to FCKeditor 6.x-2.4 [7] Also see the CKEditor - WYSIWYG HTML editor [8] project page. -------- REPORTED BY --------------------------------------------------------- * Antonio Sánchez [9] -------- FIXED BY ------------------------------------------------------------ * Wiktor Walc [10] the module maintainer * Nguyễn Hải Nam [11] the module maintainer * Matt Vance [12] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [13] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. [1] https://www.drupal.org/project/ckeditor [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/ckeditor [5] https://www.drupal.org/node/2356563 [6] https://www.drupal.org/node/2356565 [7] https://www.drupal.org/node/2356557 [8] https://www.drupal.org/project/ckeditor [9] https://www.drupal.org/user/2957675 [10] https://www.drupal.org/u/wwalc [11] https://www.drupal.org/u/jcisio [12] https://www.drupal.org/u/matt-v. [13] https://www.drupal.org/u/greggles [14] https://www.drupal.org/contact [15] https://www.drupal.org/security-team [16] https://www.drupal.org/writing-secure-code [17] https://www.drupal.org/security/secure-configuration

1 0

SA-CORE-2014-005 - Drupal core - SQL injection
by security-news＠drupal.org 15 Oct '14

15 Oct '14

View online: https://www.drupal.org/SA-CORE-2014-005 * Advisory ID: DRUPAL-SA-CORE-2014-005 * Project: Drupal core [1] * Version: 7.x * Date: 2014-Oct-15 * Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2] * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * CVE-2014-3704 -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 7.x versions prior to 7.32. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 7.x, upgrade to Drupal core 7.32 [3]. If you are unable to update to Drupal 7.32 you can apply this patch [4] to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32. Also see the Drupal core [5] project page. -------- REPORTED BY --------------------------------------------------------- * Stefan Horst -------- FIXED BY ------------------------------------------------------------ * Stefan Horst * Greg Knaddison [6] of the Drupal Security Team * Lee Rowlands [7] of the Drupal Security Team * David Rothstein [8] of the Drupal Security Team * Klaus Purer [9] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * The Drupal Security Team [10] -------- CONTACT AND MORE INFORMATION ---------------------------------------- We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241. The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/drupal-7.32-release-notes [4] http://cgit.drupalcode.org/drupal/patch/?id=26a7752c34321fd9cb889308f507ca6… [5] https://www.drupal.org/project/drupal [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/larowlan [8] https://www.drupal.org/u/david_rothstein [9] https://www.drupal.org/u/klausi [10] https://www.drupal.org/security-team [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-096 - OAuth2 Client - Cross Site Scripting (XSS)
by security-news＠drupal.org 08 Oct '14

08 Oct '14

View online: https://www.drupal.org/node/2352747 * Advisory ID: DRUPAL-SA-CONTRIB-2014-096 * Project: OAuth2 Client [1] (third-party module) * Version: 7.x * Date: 2014-October-08 * Security risk: 10/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- OAuth2 Client is an API support module, enabling other modules to connect to services using OAuth2 authentication. Within its API code the Client class exposes variables in an error message, which originate from a third party source without proper sanitisation thus leading to a Cross Site Scripting vulnerability. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * OAuth2 Client 7.x-2.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed OAuth2 Client [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the OAuth2 Client module for Drupal 7.x, upgrade to OAuth2 Client 7.x-1.2 [5] Also see the OAuth2 Client [6] project page. -------- REPORTED BY --------------------------------------------------------- * Balazs Dianiska [7] a provisional member of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Dashamir Hoxha [8] the module maintainer * Balazs Dianiska [9] a provisional member of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * David Stoline [10], member of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] https://www.drupal.org/project/oauth2_client [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/oauth2_client [5] https://www.drupal.org/node/2335935 [6] https://www.drupal.org/project/oauth2_client [7] https://www.drupal.org/user/58645 [8] https://www.drupal.org/user/993752 [9] https://www.drupal.org/user/58645 [10] https://www.drupal.org/u/dstol [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-097 - nodeaccess - Access Bypass
by security-news＠drupal.org 08 Oct '14

08 Oct '14

View online: https://www.drupal.org/node/2352757 * Advisory ID: DRUPAL-SA-CONTRIB-2014-097 * Project: Nodeaccess [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-October-08 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Uncommon [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. This module enables you to inadvertently allow an author of a node view/edit/delete the node in question (who may not have access). The module over-eagerly grants read/write/delete access to all authors of nodes. In addition, a node that is unpublished, but is granted node specific permissions will obey the node specific permissions and not the unpublished content permission for the role. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Nodeaccess 6.x-1.x versions prior to 6.x-1.5. * Nodeaccess 7.x-1.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed Nodeaccess [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Ensure that you are using the latest version of the Nodeaccess module when installing. For existing nodes, please ensure that the author permissions are correct. * If you use the Nodeaccess module for Drupal 6.x, upgrade to Nodeaccess 6.x-1.5 [5] * If you use the Nodeaccess module for Drupal 7.x, upgrade to Nodeaccess 7.x-1.4 [6] Also see the Nodeaccess [7] project page. -------- REPORTED BY --------------------------------------------------------- * AdamPS [8] * sanette [9] -------- FIXED BY ------------------------------------------------------------ * AdamPS [10] the issue reporter. * Vlad Pavlovic [11] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] https://www.drupal.org/project/nodeaccess [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/nodeaccess [5] https://www.drupal.org/node/2351755 [6] https://www.drupal.org/node/2351751 [7] https://www.drupal.org/project/nodeaccess [8] https://www.drupal.org/user/2650563 [9] https://www.drupal.org/user/2292392 [10] https://www.drupal.org/user/2650563 [11] https://www.drupal.org/u/vlad.pavlovic [12] https://www.drupal.org/u/greggles [13] https://www.drupal.org/contact [14] https://www.drupal.org/security-team [15] https://www.drupal.org/writing-secure-code [16] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-095 - Safeword - Cross Site Scripting (XSS)
by security-news＠drupal.org 24 Sep '14

24 Sep '14

View online: https://www.drupal.org/node/2344383 * Advisory ID: DRUPAL-SA-CONTRIB-2014-095 * Project: Safeword [1] (third-party module) * Version: 7.x * Date: 2014-September-23 * Security risk: 7/25 ( Less Critical) AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The safeword module provides an automatically generated 'Machine Name' when text is entered into a human-readable field. The module doesn't sufficiently sanitize the field description that can be used as help text under the machine name editing field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Safeword 7.x-1.x versions prior to 7.x-1.9. Drupal core is not affected. If you do not use the contributed Safeword [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Safeword module for Drupal 7.x, upgrade to Safeword 7.x-1.10 [5] Also see the Safeword [6] project page. -------- REPORTED BY --------------------------------------------------------- * Matt Vance [7] -------- FIXED BY ------------------------------------------------------------ * Matt Vance [8] provisional member the Drupal Security Team * Francisco José Cruz Romanos [9] provisional member the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Rick Manelius [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] https://www.drupal.org/project/safeword [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/safeword [5] https://www.drupal.org/node/2344323 [6] https://www.drupal.org/project/safeword [7] https://www.drupal.org/user/88338 [8] https://www.drupal.org/user/88338 [9] https://www.drupal.org/user/848238 [10] https://www.drupal.org/user/680072 [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news