View online: https://drupal.org/node/2271839
* Advisory ID: DRUPAL-SA-CONTRIB-2014-057
* Project: Password policy [1] (third-party module)
* Version: 7.x
* Date: 2014-May-21
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: General logic error
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to define password policies with various constraints
on allowable user passwords. The history constraint, when enabled, disallows
a user's password from being changed to match a specified number of their
previous passwords.
Beginning with Password Policy 7.x-1.4, the history constraint had no effect
when enabled, and user passwords could be changed to match any previous
passwords beyond the most recent. Therefore, passwords of users that were
changed since Password Policy 7.x-1.4 or later was installed may match
previous passwords in violation of the history constraint.
This vulnerability is mitigated by the fact that it only affects users
covered by a password policy with the history constraint enabled.
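The logic error above, illustrated as an added example that is not the Password Policy module's own code: a history constraint that consults only the most recent stored hash beside one that checks the full window. password_hash() and password_verify() are assumed stand-ins for Drupal 7's own hashing so the snippet runs on plain PHP.

```php
<?php
// Added example, not the Password Policy module's code. password_hash() and
// password_verify() stand in for Drupal 7's own password hashing (an
// assumption made so this runs on plain PHP 5.5+); $history holds the
// user's stored hashes, newest first.

/**
 * The defective form of the constraint: only the most recent hash is ever
 * consulted, so any older password in the history is accepted again.
 */
function history_rejects_candidate_broken($candidate, array $history, $limit) {
  if ($limit < 1 || empty($history)) {
    return FALSE;
  }
  return password_verify($candidate, $history[0]);
}

/**
 * The intended constraint: each of the $limit most recent hashes is
 * compared against the candidate before it is accepted.
 */
function history_rejects_candidate($candidate, array $history, $limit) {
  foreach (array_slice($history, 0, max(0, (int) $limit)) as $hash) {
    if (password_verify($candidate, $hash)) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Records a newly set password, keeping only the $limit most recent hashes.
 * Hashes, never plaintext, are what the history table must hold.
 */
function history_push(array $history, $new_password, $limit) {
  array_unshift($history, password_hash($new_password, PASSWORD_DEFAULT));
  return array_slice($history, 0, $limit);
}

// Constructed walkthrough: three password changes under a history limit of
// 3, followed by an attempt to reuse the oldest password and a fresh one.
$limit = 3;
$history = array();
foreach (array('first-Passw0rd', 'second-Passw0rd', 'third-Passw0rd') as $pw) {
  $history = history_push($history, $pw, $limit);
}
var_dump(history_rejects_candidate_broken('first-Passw0rd', $history, $limit));
var_dump(history_rejects_candidate('first-Passw0rd', $history, $limit));
var_dump(history_rejects_candidate('fourth-Passw0rd', $history, $limit));
```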
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Password policy 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Password
policy [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
1) Install the latest version:
* If you use the Password policy module for Drupal 7.x, upgrade to
Password policy 7.x-1.6 [5]
2) Force a password change for all users covered by a password policy with
the history constraint enabled.
Also see the Password policy [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* AohRveTPV [7]
-------- FIXED BY
------------------------------------------------------------
* Alberto García Lamela [8]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/password_policy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/password_policy
[5] https://drupal.org/node/2271835
[6] http://drupal.org/project/password_policy
[7] https://drupal.org/user/2760115
[8] https://drupal.org/user/1205082
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2271823
* Advisory ID: DRUPAL-SA-CONTRIB-2014-056
* Project: Commerce Moneris [1] (third-party module)
* Version: 7.x
* Date: 2014-May-21
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
Commerce Moneris is a payment module that integrates the Moneris payment
system with Drupal Commerce [3].
The module stores credit card data in a commerce order object unnecessarily
for the purpose of passing the credit card information to the payment
gateway. The credit card information is never removed from the order object
and is later saved in the clear as serialized data in the database.
This vulnerability is mitigated by the fact that an attacker must have access
to the database or the ability to execute PHP to output the raw or
unserialized data from the commerce order.
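For sites that ran an affected version, two defender-side routines as an added example (not the Commerce Moneris module's code): scrubbing card details from the order data before it is serialized, and a Luhn-based scan of already-stored serialized blobs to size the clean-up. The key names under the order's data array are assumptions.

```php
<?php
// Added example, not the Commerce Moneris module's code. Two defensive
// routines for a payment module that has to hand card details to a gateway:
// keep them out of the persisted order, and audit what an affected version
// may already have written. The key names under the order's data array are
// assumptions; 4111111111111111 is the public Visa test number.

$sensitive_keys = array('cc_number', 'cc_cvv', 'cc_exp_month', 'cc_exp_year');

/**
 * Removes card details from an order's data array before it is serialized
 * and saved. Recursive, because the details may sit under a nested key.
 */
function scrub_card_data(array $data, array $sensitive_keys) {
  foreach ($data as $key => $value) {
    if (in_array($key, $sensitive_keys, TRUE)) {
      unset($data[$key]);
    }
    elseif (is_array($value)) {
      $data[$key] = scrub_card_data($value, $sensitive_keys);
    }
  }
  return $data;
}

/**
 * Luhn check, to separate a real PAN from an unrelated run of digits.
 */
function luhn_valid($digits) {
  $sum = 0;
  $double = FALSE;
  for ($i = strlen($digits) - 1; $i >= 0; $i--) {
    $d = (int) $digits[$i];
    if ($double && ($d *= 2) > 9) {
      $d -= 9;
    }
    $sum += $d;
    $double = !$double;
  }
  return $sum % 10 === 0;
}

/**
 * Scans one serialized order blob (what a SELECT of the data column would
 * return) and reports masked copies of any 13-19 digit Luhn-valid runs, so
 * an operator can size the clean-up without logging full PANs.
 */
function find_pan_like_values($serialized) {
  $found = array();
  if (preg_match_all('/(?<!\d)\d{13,19}(?!\d)/', $serialized, $m)) {
    foreach ($m[0] as $candidate) {
      if (luhn_valid($candidate)) {
        $found[] = substr($candidate, 0, 6) . str_repeat('*', strlen($candidate) - 10) . substr($candidate, -4);
      }
    }
  }
  return $found;
}

// Constructed order data as an affected version would have carried it.
$order_data = array(
  'payment_method' => 'moneris',
  'cc' => array('cc_number' => '4111111111111111', 'cc_cvv' => '123',
                'cc_exp_month' => '12', 'cc_exp_year' => '2016'),
  'tracking_ref' => '1000000000000',  // 13 digits but not Luhn-valid: must not be flagged
);

$leaky = serialize($order_data);
$clean = serialize(scrub_card_data($order_data, $sensitive_keys));
print_r(find_pan_like_values($leaky));
print_r(find_pan_like_values($clean));
```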
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Moneris 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Commerce
Moneris [5] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Moneris module for Drupal 7.x, upgrade to
Commerce Moneris 7.x-1.4 [6]
Also see the Commerce Moneris [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ryan Szrama [8]
-------- FIXED BY
------------------------------------------------------------
* Scott Reeves [9], module co-maintainer
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [10] of the Drupal Security Team
* Klaus Purer [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/commerce_moneris
[2] http://drupal.org/security-team/risk-levels
[3] https://drupal.org/project/commerce
[4] http://cve.mitre.org/
[5] http://drupal.org/project/commerce_moneris
[6] https://drupal.org/node/2271789
[7] http://drupal.org/project/commerce_moneris
[8] https://drupal.org/user/49344
[9] https://drupal.org/user/1167326
[10] https://drupal.org/user/680072
[11] https://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2271837
* Advisory ID: DRUPAL-SA-CONTRIB-2014-055
* Project: Require Login [1] (third-party module)
* Version: 7.x
* Date: 2014-May-21
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to restrict access to a site for all
non-authenticated users.
The module does not protect the front page, thereby exposing any sensitive
information on the front page to anonymous users.
This vulnerability is mitigated by the fact that private/sensitive
information must be on the site's front page.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Login Redirect 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Require Login
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Require Login module for Drupal 7.x, upgrade to Require
Login 7.x-1.1 [5]
Also see the Require Login [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Eelke Blok [7]
-------- FIXED BY
------------------------------------------------------------
* Eelke Blok [8]
* Jeffrey C. [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/require_login
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/require_login
[5] https://drupal.org/node/2271413
[6] http://drupal.org/project/require_login
[7] https://drupal.org/user/423078
[8] https://drupal.org/user/423078
[9] https://drupal.org/user/1290564
[10] https://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2271809
* Advisory ID: DRUPAL-SA-CONTRIB-2014-054
* Project: Views [1] (third-party module)
* Version: 7.x
* Date: 2014-May-21
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content, users, taxonomy terms and other data
are presented.
The module doesn't sufficiently check handler access when returning the list
of handlers from view_plugin_display::get_handlers(). The most critical code
(access plugins and field output) is unaffected - only area handlers, the
get_field_labels() method, token replacement, and some relationship handling
are susceptible.
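A reduced model of the check described above, as an added example that is not the Views module's code: a display whose handler list is filtered on each handler's access() before consumers such as get_field_labels() see it. The role-based access() and the two handlers are constructed.

```php
<?php
// Added example, not the Views module's code: a reduced model of a display
// plugin whose get_handlers() must drop handlers the current user may not
// access, so that downstream consumers (area handlers, get_field_labels(),
// token replacement) never see restricted fields. Role lists are constructed.

class Handler {
  public $label;
  private $allowed_roles;

  public function __construct($label, array $allowed_roles) {
    $this->label = $label;
    $this->allowed_roles = $allowed_roles;
  }

  // Mirrors the handler access() contract: may this account use the handler?
  // An empty role list means the handler is open to everyone.
  public function access(array $account_roles) {
    return empty($this->allowed_roles)
      || count(array_intersect($this->allowed_roles, $account_roles)) > 0;
  }
}

class Display {
  private $handlers = array();

  public function add_handler($id, Handler $h) {
    $this->handlers[$id] = $h;
  }

  // Before: every configured handler is returned regardless of access.
  public function get_handlers_unchecked() {
    return $this->handlers;
  }

  // After: access() is applied before anyone else sees the list.
  public function get_handlers(array $account_roles) {
    $out = array();
    foreach ($this->handlers as $id => $h) {
      if ($h->access($account_roles)) {
        $out[$id] = $h;
      }
    }
    return $out;
  }

  // A consumer: with the unchecked list, labels of restricted fields leak.
  public function get_field_labels(array $handlers) {
    $labels = array();
    foreach ($handlers as $id => $h) {
      $labels[$id] = $h->label;
    }
    return $labels;
  }
}

$display = new Display();
$display->add_handler('title', new Handler('Title', array()));
$display->add_handler('salary', new Handler('Salary', array('hr')));

$anonymous_roles = array('anonymous user');
print_r($display->get_field_labels($display->get_handlers_unchecked()));
print_r($display->get_field_labels($display->get_handlers($anonymous_roles)));
```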
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Views 7.x-3.x versions prior to 7.x-3.8.
Drupal core is not affected. If you do not use the contributed Views [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.8 [5]
Also see the Views [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tim Plunkett [7]
-------- FIXED BY
------------------------------------------------------------
* Tim Plunkett [8] and Daniel Wehner [9], the module maintainers
* David Snopek [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/views
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/views
[5] https://drupal.org/node/2271305
[6] http://drupal.org/project/views
[7] https://drupal.org/user/241634
[8] https://drupal.org/user/241634
[9] https://drupal.org/user/99340
[10] https://drupal.org/user/266527
[11] https://drupal.org/user/266527
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2267539
* Advisory ID: DRUPAL-SA-CONTRIB-2014-053
* Project: Field API Tab Editor [1] (third-party module)
* Version: 7.x
* Date: 2014-May-14
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module allows each entity field to be individually edited via its own
custom page, accessible via a tab on the entity's page.
The module returns an incorrect value to hook_menu if the current user does
not have access to edit the entity. This allows users who would not normally
have access to edit the entity to edit any fields that are enabled via this
module.
The problem is mitigated by the fact that a site builder must enable the
custom edit page for the fields. That configuration is not the default nor
automatic.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Field API Tab Editor (FATE) 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Field API Tab
Editor [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Field API Tab Editor (FATE) module for Drupal 7.x, upgrade
to Field API Tab Editor (FATE) v7.x-1.1 [5].
Also see the Field API Tab Editor [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Damien McKenna [7], the module's maintainer.
-------- FIXED BY
------------------------------------------------------------
* Damien McKenna [8], the module's maintainer.
* Bob Kepford [9], a reviewer.
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10], of the Drupal Security Team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/fate
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fate
[5] https://drupal.org/node/2267527
[6] http://drupal.org/project/fate
[7] http://drupal.org/user/108450
[8] http://drupal.org/user/108450
[9] http://drupal.org/user/212517
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2267485
* Advisory ID: DRUPAL-SA-CONTRIB-2014-052
* Project: Addressfield Tokens [1] (third-party module)
* Version: 7.x
* Date: 2014-May-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The AddressField Tokens module extends the addressfield module by adding
token support. It also adds some convenient addressfield formatters and
provides Webform addressfield integration.
The module does not properly filter address field values, resulting in a
Cross Site Scripting (XSS) vulnerability which can be leveraged by any user
that can edit an addressfield on a site displaying that field using the
"address components" field formatter.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create or edit an AddressField field (e.g. create or
edit a node).
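The escaping gap described above, as an added example that is not the Addressfield Tokens module's code: an "address components" style formatter in its unsafe and safe forms. check_plain() is re-implemented here exactly as Drupal 7 defines it, and the component names are the addressfield column names.

```php
<?php
// Added example, not the Addressfield Tokens module's code: an "address
// components" style formatter in unsafe and safe forms. check_plain() is
// re-implemented as Drupal 7 defines it so the file runs outside Drupal.

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Unsafe: user-controlled field values go straight into markup, and even
 * the class attribute is taken from input keys.
 */
function format_address_components_unsafe(array $address) {
  $out = '';
  foreach ($address as $component => $value) {
    if ($value !== '') {
      $out .= '<span class="' . $component . '">' . $value . '</span>';
    }
  }
  return $out;
}

/**
 * Safe: every value is escaped once at the output boundary, and the class
 * attribute comes from a fixed list of known components, never from input.
 */
function format_address_components(array $address) {
  $allowed = array('name_line', 'thoroughfare', 'locality',
                   'administrative_area', 'postal_code', 'country');
  $out = '';
  foreach ($allowed as $component) {
    if (isset($address[$component]) && $address[$component] !== '') {
      $out .= '<span class="' . $component . '">' . check_plain($address[$component]) . '</span>';
    }
  }
  return $out;
}

/**
 * Regression check: an input value containing markup characters must not
 * appear verbatim in the rendered output.
 */
function contains_unescaped_markup($html, array $address) {
  foreach ($address as $value) {
    if (strpbrk($value, '<>"\'') !== FALSE && strpos($html, $value) !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed input: an editor-supplied locality carrying a script tag.
$address = array(
  'name_line' => 'Jane Example',
  'thoroughfare' => '1 Main St',
  'locality' => 'Springfield<script>alert(1)</script>',
  'administrative_area' => 'IL',
  'postal_code' => '62701',
  'country' => 'US',
);
var_dump(contains_unescaped_markup(format_address_components_unsafe($address), $address));
var_dump(contains_unescaped_markup(format_address_components($address), $address));
```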
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* AddressField Tokens 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Addressfield
Tokens [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* Upgrade to addressfield_tokens-7.x-1.4 [5]
Also see the Addressfield Tokens [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Josh Benner [7]
-------- FIXED BY
------------------------------------------------------------
* Mark Casias [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/addressfield_tokens
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/addressfield_tokens
[5] https://drupal.org/node/2267475
[6] http://drupal.org/project/addressfield_tokens
[7] http://drupal.org/user/150069
[8] http://drupal.org/user/206687
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2267481
* Advisory ID: DRUPAL-SA-CONTRIB-2014-051
* Project: Realname registration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-05-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to generate usernames based on fields filled out by
the user during registration. The module doesn't sufficiently restrict access
to the settings for determining which user fields are incorporated into
usernames, and doesn't properly validate generated user names.
Any user with the "access administration pages" permission can change which
fields are used to generate this name. This may publicly expose user profile
fields intended to be kept private. This vulnerability is mitigated by the
fact that an attacker must have a role with the permission "access
administration pages".
In addition, generated user names are not passed through the core function
user_validate_name(). This vulnerability is mitigated by the fact that it
only impacts custom modules or themes which do not properly filter usernames
through check_plain() before displaying them.
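Both fixes the advisory describes, as an added example that is not the Realname registration module's code: a settings route gated by a stronger permission, and generated names refused unless they pass core's username rules. user_validate_name() is a simplified port of the Drupal 7 function, and the field names and menu path are assumptions.

```php
<?php
// Added example, not the Realname registration module's code. It shows the
// two fixes the advisory calls for: a settings page gated by a stronger
// permission than "access administration pages", and generated usernames
// refused unless they pass core's username rules. user_validate_name() is a
// simplified port of the Drupal 7 function so the file runs standalone.

define('USERNAME_MAX_LENGTH', 60);

/**
 * hook_menu() item for the settings page (path assumed). The weak form used
 * 'access administration pages'; choosing which profile fields become
 * public usernames is an 'administer users' level decision.
 */
function realname_settings_menu_item() {
  return array(
    'admin/config/people/realname' => array(
      'title' => 'Realname registration',
      'page callback' => 'drupal_get_form',
      'page arguments' => array('realname_settings_form'),
      'access arguments' => array('administer users'),
    ),
  );
}

/**
 * Simplified port of Drupal 7 user_validate_name(): returns an error
 * string, or NULL when the name is acceptable.
 */
function user_validate_name($name) {
  if (!strlen($name)) {
    return 'You must enter a username.';
  }
  if (substr($name, 0, 1) == ' ' || substr($name, -1) == ' ') {
    return 'The username cannot begin or end with a space.';
  }
  if (strpos($name, '  ') !== FALSE) {
    return 'The username cannot contain multiple spaces in a row.';
  }
  // Letters, digits, space, @ _ . ' - and Latin-1 letters are allowed;
  // anything else, including < > " & and control characters, is rejected.
  if (preg_match('/[^\x{80}-\x{F7} a-z0-9@_.\'-]/i', $name) || preg_match('/[\x00-\x1F]/', $name)) {
    return 'The username contains an illegal character.';
  }
  $length = function_exists('mb_strlen') ? mb_strlen($name, 'UTF-8') : strlen($name);
  if ($length > USERNAME_MAX_LENGTH) {
    return 'The username is too long: it must be 60 characters or less.';
  }
  return NULL;
}

/**
 * Builds a username from the configured registration fields and validates
 * the result. Returns the name, or FALSE so the caller can fall back to a
 * safe default instead of storing an unvalidated value.
 */
function generate_realname(array $fields, array $pattern) {
  $parts = array();
  foreach ($pattern as $field) {
    if (isset($fields[$field]) && trim($fields[$field]) !== '') {
      $parts[] = trim($fields[$field]);
    }
  }
  $name = implode(' ', $parts);
  return user_validate_name($name) === NULL ? $name : FALSE;
}

// Constructed registrations: a normal one, one carrying markup in a profile
// field (which a theme lacking check_plain() would echo), and an overlong one.
$pattern = array('first_name', 'last_name');
var_dump(generate_realname(array('first_name' => 'Ada', 'last_name' => 'Lovelace'), $pattern));
var_dump(generate_realname(array('first_name' => 'Ada<script>', 'last_name' => 'Lovelace'), $pattern));
var_dump(generate_realname(array('first_name' => str_repeat('a', 70)), $pattern));
```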
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Realname Registration 6.x-2.x versions 6.x-2.0-rc5 and prior.
* Realname Registration 7.x-1.x and 7.x-2.x versions 7.x-2.0-rc2 and prior.
Drupal core is not affected. If you do not use the contributed Realname
registration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* If you use the Realname Registration module for Drupal 6.x, upgrade to
Realname Registration 6.x-2.0 [5]
* If you use the Realname Registration module for Drupal 7.x, upgrade to
Realname Registration 7.x-2.0 [6]
Also see the Realname registration [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Corks [8]
-------- FIXED BY
------------------------------------------------------------
* Steve Gerbino [9] and Matt Corks [10], the module maintainers
-------- COORDINATED BY
------------------------------------------------------
* Beth Binkovitz [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/realname_registration
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/realname_registration
[5] https://drupal.org/node/2267419
[6] https://drupal.org/node/2267429
[7] http://drupal.org/project/realname_registration
[8] http://drupal.org/user/15016
[9] http://drupal.org/user/877974
[10] http://drupal.org/user/15016
[11] http://drupal.org/user/161263
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2267381
* Advisory ID: DRUPAL-SA-CONTRIB-2014-050
* Project: Commerce Postfinance ePayment [1] (third-party module)
* Version: 7.x
* Date: 2014-May-14
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Commerce Postfinance ePayment module provides commerce payment methods
for the Postfinance e-Payment service provider.
The module doesn't sufficiently validate incoming payment notification (IPN)
messages. Sending a specifically crafted IPN message to an affected site
allows an attacker to create transactions and manipulate the status of an
order. This has the potential to allow an attacker to complete the purchase
of items without actually paying for them.
This vulnerability is partially mitigated by the fact that an attack is
identifiable by comparing the transaction log from the payment service
provider with commerce orders on an affected site.
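The validation a notification handler needs, plus the log-versus-orders reconciliation the advisory names as the way to spot abuse, as an added example that is not the Commerce Postfinance ePayment module's code. An HMAC over the notification fields with a shared secret is assumed for the signature; it is not Postfinance's documented scheme, and all orders, log entries and the secret are constructed.

```php
<?php
// Added example, not the Commerce Postfinance ePayment module's code, and not
// Postfinance's documented signature scheme: an HMAC over the notification
// fields with a shared secret is assumed. It shows the checks a payment
// notification handler must make before touching an order, and the
// reconciliation that exposes orders completed without a real payment.

define('IPN_SECRET', 'constructed-shared-secret');  // placeholder, not a real key

/**
 * Signs the notification fields (sorted, so field order cannot matter).
 */
function ipn_signature(array $fields, $secret) {
  unset($fields['signature']);
  ksort($fields);
  return hash_hmac('sha256', http_build_query($fields), $secret);
}

/**
 * Validates an incoming notification against the locally stored order.
 * Returns failure reasons; an empty array means the order may be marked
 * paid. All checks run so an audit log records every mismatch at once.
 */
function ipn_validate(array $ipn, array $orders, $secret) {
  $errors = array();
  if (!isset($ipn['signature']) || !hash_equals(ipn_signature($ipn, $secret), $ipn['signature'])) {
    $errors[] = 'bad signature';
  }
  if (!isset($ipn['order_id'], $orders[$ipn['order_id']])) {
    $errors[] = 'unknown order';
    return $errors;
  }
  $order = $orders[$ipn['order_id']];
  if ($order['status'] !== 'pending') {
    $errors[] = 'order not awaiting payment';
  }
  if ((int) $ipn['amount'] !== (int) $order['amount'] || $ipn['currency'] !== $order['currency']) {
    $errors[] = 'amount/currency mismatch';
  }
  if ($ipn['status'] !== 'accepted') {
    $errors[] = 'payment not accepted';
  }
  return $errors;
}

/**
 * Reconciliation: orders completed locally with no matching accepted
 * transaction (same order, same amount) in the provider's log are the
 * fingerprint of forged notifications.
 */
function reconcile(array $orders, array $provider_log) {
  $paid_at_provider = array();
  foreach ($provider_log as $tx) {
    if ($tx['status'] === 'accepted') {
      $paid_at_provider[$tx['order_id']] = (int) $tx['amount'];
    }
  }
  $suspicious = array();
  foreach ($orders as $id => $order) {
    if ($order['status'] === 'completed'
        && (!isset($paid_at_provider[$id]) || $paid_at_provider[$id] !== (int) $order['amount'])) {
      $suspicious[] = $id;
    }
  }
  return $suspicious;
}

// Constructed data; amounts are in minor units.
$orders = array(
  '1001' => array('status' => 'pending', 'amount' => 4999, 'currency' => 'CHF'),
  '1002' => array('status' => 'completed', 'amount' => 12000, 'currency' => 'CHF'),
  '1003' => array('status' => 'completed', 'amount' => 8000, 'currency' => 'CHF'),
);
$provider_log = array(
  array('order_id' => '1002', 'status' => 'accepted', 'amount' => 12000),
);

$genuine = array('order_id' => '1001', 'amount' => '4999', 'currency' => 'CHF', 'status' => 'accepted');
$genuine['signature'] = ipn_signature($genuine, IPN_SECRET);
$forged = array('order_id' => '1001', 'amount' => '1', 'currency' => 'CHF',
                'status' => 'accepted', 'signature' => str_repeat('0', 64));

print_r(ipn_validate($genuine, $orders, IPN_SECRET));
print_r(ipn_validate($forged, $orders, IPN_SECRET));
print_r(reconcile($orders, $provider_log));
```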
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Postfinance ePayment 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Commerce
Postfinance ePayment [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Postfinance ePayment module for Drupal 7.x,
upgrade to Commerce Postfinance ePayment 7.x-1.5 [5]
Also see the Commerce Postfinance ePayment [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* znerol [7]
-------- FIXED BY
------------------------------------------------------------
* Rémy [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/commerce_postfinance
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/commerce_postfinance
[5] https://drupal.org/node/2266975
[6] http://drupal.org/project/commerce_postfinance
[7] https://drupal.org/user/63999
[8] https://drupal.org/user/1153644
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2261245
* Advisory ID: DRUPAL-SA-CONTRIB-2014-049
* Project: Organic groups [1] (third-party module)
* Version: 7.x
* Date: 2014-May-07
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Organic groups (OG) enables users to create and manage their own 'groups'.
Each group can have subscribers, and maintains a group home page where
subscribers communicate amongst themselves.
OG doesn't sufficiently check permissions when a group member whose
membership is in pending or blocked status tries to access information on
the site.
This vulnerability only affects sites using the "Organic groups access
control" sub-module available within the Organic Groups package. It's further
mitigated by the fact that an attacker must be pending or blocked.
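The membership-state check as an added example that is not the Organic groups module's code: a grants builder that treats any membership record as access beside one that requires an active state. The three state constants mirror the names OG 7.x-2.x uses; the realm name and membership table are constructed.

```php
<?php
// Added example, not the Organic groups module's code. The three state
// constants mirror the names OG 7.x-2.x uses for a membership's state; the
// grants builder and the 'og_access' realm name are a constructed stand-in
// for what an access-control sub-module feeds into node access grants.

define('OG_STATE_ACTIVE', 1);
define('OG_STATE_PENDING', 2);
define('OG_STATE_BLOCKED', 3);

/**
 * Defective form: a membership record of any state yields a grant for the
 * group, so pending and blocked users can read group content.
 */
function og_grants_broken(array $memberships, $uid) {
  $gids = array();
  foreach ($memberships as $gid => $members) {
    if (isset($members[$uid])) {
      $gids[] = $gid;
    }
  }
  return array('og_access' => $gids);
}

/**
 * Intended form: only an active membership yields a grant. Pending and
 * blocked members get exactly what a non-member gets.
 */
function og_grants(array $memberships, $uid) {
  $gids = array();
  foreach ($memberships as $gid => $members) {
    if (isset($members[$uid]) && $members[$uid] === OG_STATE_ACTIVE) {
      $gids[] = $gid;
    }
  }
  return array('og_access' => $gids);
}

/**
 * Node access decision given grants: a private group node is readable only
 * if the account holds a grant for that group.
 */
function og_node_readable(array $grants, $group_gid) {
  return in_array($group_gid, $grants['og_access'], TRUE);
}

// Constructed membership table: $memberships[group id][user id] = state.
$memberships = array(
  7 => array(10 => OG_STATE_ACTIVE, 11 => OG_STATE_PENDING, 12 => OG_STATE_BLOCKED),
);
$accounts = array(10 => 'active', 11 => 'pending', 12 => 'blocked', 13 => 'non-member');
foreach ($accounts as $uid => $who) {
  printf("%-11s broken=%d fixed=%d\n", $who,
    og_node_readable(og_grants_broken($memberships, $uid), 7),
    og_node_readable(og_grants($memberships, $uid), 7));
}
```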
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Organic Groups 7.x-2.x versions prior to 7.x-2.7.
Drupal core is not affected. If you do not use the contributed Organic groups
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Organic Groups module for Drupal 7.x, upgrade to Organic
Groups 7.x-2.7 [5]
Also see the Organic groups [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Joachim Noreiko [7]
-------- FIXED BY
------------------------------------------------------------
* Joachim Noreiko [8]
* Amitai Burstein [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/og
[5] https://drupal.org/node/2261231
[6] http://drupal.org/project/og
[7] https://drupal.org/user/107701
[8] https://drupal.org/user/107701
[9] https://drupal.org/user/57511
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2254943
* Advisory ID: DRUPAL-SA-CONTRIB-2014-048
* Project: Field API Pane Editor (FAPE) [1] (third-party module)
* Version: 7.x
* Date: 2014-April-30
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module adds a contextual menu to fields which are added to an entity
display in Panels, allowing individual fields to be directly edited via a
separate page or, if it is enabled, the Overlay module.
The module doesn't sufficiently verify the user has access to modify the
entity the field is attached to. Unless another module was installed which
restricted access to edit the fields, any user can edit any field on any
entity on the site.
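One access callback serving both this advisory and the Field API Tab Editor advisory above, as an added example that is neither module's code: the per-field edit route delegates to the host entity's update access and returns a strict boolean to hook_menu. entity_access() here is a constructed stand-in (owner or bypass flag), and the menu path, field names and accounts are assumptions.

```php
<?php
// Added example serving both the Field API Tab Editor (FATE) and Field API
// Pane Editor (FAPE) advisories; it is neither module's code. A per-field
// edit route must delegate to the host entity's own update access check and
// hand hook_menu a strict boolean. entity_access() is a constructed stand-in
// (owner or bypass flag) so the file runs outside Drupal.

function entity_access($op, $entity_type, $entity, $account) {
  if (!empty($account->bypass)) {
    return TRUE;
  }
  return $op === 'update' && isset($entity->uid) && $entity->uid == $account->uid;
}

/** Constructed site-builder configuration: which fields have an edit tab. */
function field_editor_enabled_fields($entity_type) {
  $config = array('node' => array('body', 'field_tags'));
  return isset($config[$entity_type]) ? $config[$entity_type] : array();
}

/**
 * Access callback for the field-edit route. TRUE only when the account may
 * update the host entity AND the site builder enabled this field for the
 * editor; every other path returns FALSE, never NULL or a non-boolean.
 * In Drupal a NULL $account would mean the global current user; this
 * stand-in treats it as anonymous.
 */
function field_edit_access($entity_type, $entity, $field_name, $account = NULL) {
  if ($account === NULL) {
    $account = (object) array('uid' => 0);
  }
  if (!in_array($field_name, field_editor_enabled_fields($entity_type), TRUE)) {
    return FALSE;
  }
  return (bool) entity_access('update', $entity_type, $entity, $account);
}

/**
 * hook_menu() item wiring the callback in (path assumed). The loaded entity
 * and the field name come from the path, so the decision is about the
 * concrete object being edited, not a site-wide permission string.
 */
function field_edit_menu_item() {
  return array(
    'node/%node/edit-field/%' => array(
      'title' => 'Edit field',
      'page callback' => 'field_edit_page',
      'page arguments' => array(1, 3),
      'access callback' => 'field_edit_access',
      'access arguments' => array('node', 1, 3),
    ),
  );
}

// Constructed entity and accounts.
$node = (object) array('nid' => 42, 'uid' => 5);
$accounts = array(
  'owner' => (object) array('uid' => 5),
  'other' => (object) array('uid' => 6),
  'admin' => (object) array('uid' => 1, 'bypass' => TRUE),
);
foreach ($accounts as $label => $account) {
  printf("%-5s body=%d field_tags=%d field_secret=%d\n", $label,
    field_edit_access('node', $node, 'body', $account),
    field_edit_access('node', $node, 'field_tags', $account),
    field_edit_access('node', $node, 'field_secret', $account));
}
```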
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Field API Pane Editor (FAPE) 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Field API Pane
Editor (FAPE) [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Field API Pane Editor (FAPE) module for Drupal 7.x,
upgrade to Field API Pane Editor (FAPE) 7.x-1.2 [5].
Also see the Field API Pane Editor (FAPE) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Andrew Belcher [7].
-------- FIXED BY
------------------------------------------------------------
* David Rothstein [8] of the Drupal Security Team.
* Damien McKenna [9], the module maintainer.
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/fape
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fape
[5] https://drupal.org/node/2254923
[6] http://drupal.org/project/fape
[7] http://drupal.org/user/655282
[8] http://drupal.org/user/124982
[9] http://drupal.org/user/108450
[10] https://drupal.org/user/266527
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity