View online: https://drupal.org/node/2113515
* Advisory ID: DRUPAL-SA-CONTRIB-2013-080
* Project: Simplenews [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-Month-DD
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to publish and send newsletters to lists of
subscribers.
The module also includes an API that other modules can use to register
subscribers.
The module doesn't sufficiently sanitize e-mail addresses prior to
outputting. The provided forms (sign-up, mass import, ..) validate and only
allow valid e-mail addresses, but e-mail addresses could also be added
directly through the API, which does not validate.
This vulnerability is mitigated by the fact that the Simplenews module
performs input validation which prevents known attacks, so the injection
vector must be added by another module (custom or contributed) that uses the
Simplenews API without validating the e-mail address.
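As an added illustration of the two defences this advisory implies (not Simplenews' own code, written against the Drupal 7 API): an API entry point validates with valid_email_address() exactly as the forms do, and the output path escapes with check_plain() regardless of how the address entered the database. The mymodule_ functions and the mymodule_subscriber table are hypothetical.

```php
<?php
/**
 * Hypothetical subscriber-registration API (example code, not Simplenews').
 *
 * Forms validate e-mail addresses, but an API callable by other modules is a
 * second entry point that must validate independently, or a stored address
 * can carry markup that is later echoed into a page.
 */
function mymodule_api_subscribe($mail, $newsletter_id) {
  // Same check the sign-up form applies, repeated at the API boundary.
  if (!valid_email_address($mail)) {
    watchdog('mymodule', 'Rejected invalid subscriber address for newsletter @id.',
      array('@id' => $newsletter_id), WATCHDOG_WARNING);
    return FALSE;
  }
  db_merge('mymodule_subscriber')
    ->key(array('mail' => $mail, 'newsletter_id' => $newsletter_id))
    ->fields(array('created' => REQUEST_TIME))
    ->execute();
  return TRUE;
}

/**
 * Renders a subscriber list for an administration page.
 *
 * Output escaping does not depend on how the address got into the database:
 * rows written before validation existed are still rendered safely.
 */
function mymodule_subscriber_list_markup(array $mails) {
  $items = array();
  foreach ($mails as $mail) {
    // check_plain() turns <, >, & and quotes into entities, so an address
    // such as "a@example.com<script>..." renders as text, not as markup.
    // theme('item_list') does not escape its items itself.
    $items[] = check_plain($mail);
  }
  return theme('item_list', array('items' => $items));
}
```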
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Simplenews 6.x-1.x versions prior to 6.x-1.5.
* Simplenews 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Simplenews [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Simplenews module for Drupal 6.x-1.x, upgrade to Simplenews
6.x-1.5 [5]
* If you use the Simplenews module for Drupal 7.x-1.x, upgrade to Simplenews
7.x-1.1 [6]
Also see the Simplenews [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pat Redmond [8]
-------- FIXED BY
------------------------------------------------------------
* Sascha Grossenbacher [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] and Lee Rowlands [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/simplenews
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/simplenews
[5] https://drupal.org/node/2113487
[6] https://drupal.org/node/2113491
[7] http://drupal.org/project/simplenews
[8] https://drupal.org/user/1369488
[9] http://drupal.org/user/214652
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/395439
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2113317
* Advisory ID: DRUPAL-SA-CONTRIB-2013-079
* Project: Context [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-2013-16
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
Context allows you to manage contextual conditions and reactions for
different portions of your site.
This advisory covers two separate issues. The first, and more severe issue
(Highly Critical status), is that the module allows execution of PHP code via
manipulation of a URL argument in a path used for AJAX operations when
running in a configuration without a json_decode function provided by PHP or
the PECL JSON library.
This vulnerability is mitigated by the fact that the server must be running a
version of PHP prior to 5.2 that does not have the JSON library installed
(PHP 5.2 and later come bundled with the JSON library).
The second, less severe issue (Less Critical status), is that Context uses
Drupal's token scheme to restrict access to the json rendering of a block.
This control mechanism is insufficient as Drupal's token scheme is designed
to provide security between two different sessions (or a session and a non
authenticated user) and is not designed to provide security within a session.
This means that a user with access to block A may be able to use the
information about block A and the resulting token in order to generate the
correct token for accessing block B to which they should not have access.
This vulnerability is mitigated by the fact that it only matters where blocks
contain sensitive information (for example, custom blocks with private
information or a list of unpublished nodes).
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-2.x versions prior to 6.x-3.2.
* 7.x-3.x versions prior to 7.x-3.0.
Drupal core is not affected. If you do not use the contributed Context [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
The remote code execution issue can be resolved by any of the following:
* Upgrading your PHP to 5.2+
* Installing the JSON package [5].
* Upgrading Context to 6.x-3.2 [6] or 7.x-3.0 [7]
The block access issue can be resolved by upgrading Context to 6.x-3.2 [8] or
7.x-3.0 [9].
Also see the Context [10] project page.
-------- REPORTED BY
---------------------------------------------------------
* Heine [11] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Hunter [12] of the Drupal Security Team, a module maintainer
* Heine [13] of the Drupal Security Team
* tekante [14] a module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Hunter [15] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [16].
Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].
[1] http://drupal.org/project/context
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/context
[5] http://pecl.php.net/package/json
[6] https://drupal.org/node/2112791
[7] https://drupal.org/node/2112785
[8] https://drupal.org/node/2112791
[9] https://drupal.org/node/2112785
[10] http://drupal.org/project/context
[11] http://drupal.org/user/17943
[12] http://drupal.org/user/426416
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/640024
[15] http://drupal.org/user/426416
[16] http://drupal.org/contact
[17] http://drupal.org/security-team
[18] http://drupal.org/writing-secure-code
[19] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2103187
* Advisory ID: DRUPAL-SA-CONTRIB-2013-078
* Project: Quick Tabs [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-October-02
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Quick Tabs module allows you to create blocks of tabbed content,
specifically views, blocks, nodes and other quicktabs. You can create a block
on your site containing multiple tabs with corresponding content.
The module does not sufficiently check block permissions before rendering a
Quick Tab. Before this vulnerability was addressed, if a block had been
restricted to only appear for certain roles, that access was not checked
before rendering it within a Quick Tab - leaving the contents of that block
visible to the world.
This vulnerability is mitigated by the fact that node and view permissions
are respected, meaning the vulnerability primarily exists for custom blocks
created for specific roles.
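The second Context issue above (a session token used as the access control for a block's JSON rendering) and this Quick Tabs issue (block role restrictions not checked before rendering) share one lesson: a block rendered outside the normal block system still needs the block's own access check. The added example below is hypothetical mymodule_ code for the Drupal 7 API, not the Context or Quick Tabs modules' code; it keeps drupal_valid_token() strictly for CSRF protection and decides authorization from the {block_role} table, the same per-role visibility block.module applies.

```php
<?php
/**
 * Hypothetical JSON block renderer (example code, Drupal 7 API).
 *
 * Two separate controls, each doing only its own job:
 *  - drupal_valid_token() protects against cross-site request forgery. It is
 *    bound to the session, not to a block, so it says nothing about which
 *    blocks this account may see and must never be the only gate.
 *  - _mymodule_block_visible_to() is the authorization check: it honours the
 *    per-role visibility an administrator configured on the block.
 */
function mymodule_menu() {
  $items['mymodule/block/%/%'] = array(
    'page callback' => 'mymodule_block_json',
    'page arguments' => array(2, 3),
    // Per-block access is decided inside the callback; the generic
    // permission only keeps the path off-limits to accounts without it.
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function mymodule_block_json($module, $delta) {
  global $user;
  // CSRF protection only: the token value is fixed, not derived from the block.
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'mymodule-block-json')) {
    return MENU_ACCESS_DENIED;
  }
  // Authorization: does the configured role visibility admit this account?
  if (!_mymodule_block_visible_to($module, $delta, $user)) {
    return MENU_ACCESS_DENIED;
  }
  // module_invoke() with hook_block_view() is how core renders a block.
  $block = module_invoke($module, 'block_view', $delta);
  if (empty($block)) {
    return MENU_NOT_FOUND;
  }
  $content = is_array($block['content']) ? render($block['content']) : $block['content'];
  drupal_json_output(array(
    'subject' => isset($block['subject']) ? $block['subject'] : '',
    'content' => $content,
  ));
  drupal_exit();
}

/**
 * Applies the same role restriction block.module applies when placing blocks.
 *
 * A block with no rows in {block_role} is visible to every role; a block with
 * rows is visible only to accounts holding at least one of those roles.
 * Letting 'administer blocks' bypass the check is a policy choice of this
 * example, not a Drupal rule.
 */
function _mymodule_block_visible_to($module, $delta, $account) {
  if (user_access('administer blocks', $account)) {
    return TRUE;
  }
  $rids = db_query('SELECT rid FROM {block_role} WHERE module = :module AND delta = :delta', array(
    ':module' => $module,
    ':delta' => $delta,
  ))->fetchCol();
  if (empty($rids)) {
    return TRUE;
  }
  return (bool) array_intersect($rids, array_keys($account->roles));
}
```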
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Quick Tabs 7.x-3.x versions prior to 7.x-3.6.
* Quick Tabs 6.x-3.x versions prior to 6.x-3.2.
* Quick Tabs 6.x-2.x versions prior to 6.x-2.2.
Drupal core is not affected. If you do not use the contributed Quick Tabs [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Quick Tabs 3.x module for Drupal 7.x, upgrade to Quick Tabs
7.x-3.6 [5]
* If you use the Quick Tabs 3.x module for Drupal 6.x, upgrade to Quick Tabs
6.x-3.2 [6]
* If you use the Quick Tabs 2.x module for Drupal 6.x, upgrade to Quick Tabs
6.x-2.2 [7]
Also see the Quick Tabs [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Steven Wiliam [9]
-------- FIXED BY
------------------------------------------------------------
* Fengtan [10]
* Matt Tucker [11] (one of) the module maintainers
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/quicktabs
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/quicktabs
[5] https://drupal.org/node/2103113
[6] https://drupal.org/node/2103121
[7] https://drupal.org/node/2103127
[8] http://drupal.org/project/quicktabs
[9] http://drupal.org/user/299097
[10] http://drupal.org/user/847318
[11] http://drupal.org/user/153963
[12] http://drupal.org/user/395439
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2092395
* Advisory ID: DRUPAL-SA-CONTRIB-2013-077
* Project: Google Site Search [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-September-18
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to use the Google API to search one or more sites and
show the result in your Drupal site, with your custom styling.
The module doesn't sufficiently sanitize the data retrieved from the Google
API.
This vulnerability is mitigated by the fact that an attack must come from the
API which requires either compromising Google or spoofing DNS.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Google Site Search 6.x-1.x versions before 6.x-1.4.
* Google Site Search 7.x-1.x versions before 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Google Site
Search [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Google Site Search module for Drupal 6.x, upgrade to
6.x-1.4 [5]
* If you use the Google Site Search module for Drupal 7.x, upgrade to
7.x-1.10 [6]
Also see the Google Site Search [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Philip Hornig [8]
-------- FIXED BY
------------------------------------------------------------
* Dhavyd Vanderlei [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* pwolanin [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/gss
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/gss
[5] https://drupal.org/node/2091745
[6] https://drupal.org/node/2091753
[7] http://drupal.org/project/gss
[8] http://drupal.org/user/611674
[9] http://drupal.org/user/1483950
[10] http://drupal.org/user/49851
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2087095
* Advisory ID: DRUPAL-SA-CONTRIB-2013-076
* Project: jQuery Countdown [1] (third-party module)
* Version: 7.x
* Date: 2013-September-11
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This jQuery Countdown Module enables you to display a countdown block based
upon date settings.
The jQuery Countdown Module does not properly sanitize the settings, allowing
a malicious user to embed scripts within a page, resulting in a Cross-site
Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have the
"access administration pages" permission.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* jquery_countdown 7.x-1.x versions prior to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed jQuery
Countdown [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the jQuery Countdown module, upgrade to jQuery Countdown
7.x-1.1 [5]
Also see the jQuery Countdown [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Joachim Noreiko [7]
-------- FIXED BY
------------------------------------------------------------
* Dennis Brücke [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] and Lee Rowlands [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/jquery_countdown
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/jquery_countdown
[5] https://drupal.org/node/2087089
[6] http://drupal.org/project/jquery_countdown
[7] https://drupal.org/user/107701
[8] https://drupal.org/user/413429
[9] http://drupal.org/user/36762
[10] https://drupal.org/user/395439
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2087055
* Advisory ID: DRUPAL-SA-CONTRIB-2013-075
* Project: Click2Sell Suite [1] (third-party module)
* Version: 6.x
* Date: 2013-September-11
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Click2Sell is an Affiliate Marketing Network which lets you sell your
products through their marketplace or on your website with buy it now
buttons, and which also allows you to access hundreds of affiliates who want
to sell your product for you and earn commission.
.... Reflected Cross Site Scripting (XSS)
The module doesn't sufficiently filter user supplied data when presenting a
confirmation form.
.... Cross Site Request Forgery (CSRF)
The module doesn't properly use Drupal's Form API which allows a malicious
user to trick an admin into accidentally deleting information from
Click2Sell's database.
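As an added example of the Form API point this advisory makes (hypothetical mymodule_ code written against the Drupal 7 API, not the Click2Sell Suite module's own code): a deletion performed on a plain GET request beside the same deletion routed through confirm_form(), whose per-session form token is checked by the Form API before any submit handler runs.

```php
<?php
/**
 * Deleting a record without and with the Form API (example code).
 */

/*
 * Weak pattern: a menu callback that deletes as soon as the path is requested.
 * Any page that causes an administrator's browser to request
 * mymodule/item/42/delete performs the deletion with the admin's session,
 * because nothing ties the request to a form the admin actually submitted.
 */
function mymodule_item_delete_insecure($id) {
  db_delete('mymodule_item')->condition('id', $id)->execute();
  drupal_set_message(t('Item deleted.'));
  drupal_goto('admin/mymodule/items');
}

/*
 * Corrected pattern: route the path to a form built with confirm_form(). The
 * Form API adds a per-session form token and only runs the submit handler on
 * a POST whose token validates, so a forged cross-site request cannot delete.
 */
function mymodule_menu() {
  $items['admin/mymodule/item/%/delete'] = array(
    'title' => 'Delete item',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_item_delete_form', 3),
    'access arguments' => array('administer mymodule'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function mymodule_item_delete_form($form, &$form_state, $id) {
  // Carry the id as a form value so the submit handler trusts the form
  // state, not a query parameter.
  $form['id'] = array('#type' => 'value', '#value' => (int) $id);
  return confirm_form(
    $form,
    t('Are you sure you want to delete item %id?', array('%id' => $id)),
    'admin/mymodule/items',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

function mymodule_item_delete_form_submit($form, &$form_state) {
  // Reached only after the Form API has validated the form token on a POST.
  db_delete('mymodule_item')
    ->condition('id', $form_state['values']['id'])
    ->execute();
  drupal_set_message(t('Item deleted.'));
  $form_state['redirect'] = 'admin/mymodule/items';
}
```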
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All Click2Sell Suite 6.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Click2Sell
Suite [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* If you use the Click2Sell Suite module for Drupal 6.x you should disable
it.
Also see the Click2Sell Suite [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Greg Knaddison [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/click2sell
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/click2sell
[5] http://drupal.org/project/click2sell
[6] http://drupal.org/user/36762
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2087051
* Advisory ID: DRUPAL-SA-CONTRIB-2013-074
* Project: MediaFront [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-September-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The MediaFront module provides a front-end media presentation layer for
Drupal.
The module doesn't sufficiently filter user input from MediaFront preset
settings.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer mediafront" to exploit this bug.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* MediaFront 6.x-1.x versions prior to 6.x-1.6.
* MediaFront 7.x-1.x versions prior to 7.x-1.6.
* MediaFront 7.x-2.x versions prior to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed MediaFront [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the MediaFront module for Drupal 6.x, upgrade to MediaFront
6.x-1.6 [5]
* If you use the MediaFront module version 1.x for Drupal 7.x, upgrade to
MediaFront 7.x-1.6 [6]
* If you use the MediaFront module version 2.x for Drupal 7.x, upgrade to
MediaFront 7.x-2.1 [7]
Also see the MediaFront [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin KleinKeane [9]
-------- FIXED BY
------------------------------------------------------------
* Justin KleinKeane [10]
* Travis Tidwell [11] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/mediafront
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mediafront
[5] https://drupal.org/node/2086187
[6] https://drupal.org/node/2086189
[7] https://drupal.org/node/2086191
[8] http://drupal.org/project/mediafront
[9] https://drupal.org/user/302225
[10] https://drupal.org/user/302225
[11] http://drupal.org/user/98581
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2081887
* Advisory ID: PSA-2013-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2013-September-04
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This is a public service announcement regarding possible insertion of hidden
links in comments using core CSS selectors within filtered HTML Text formats
("Input formats" in Drupal 6). Drupal core provides several CSS selectors
that, by design, hide elements on the page. Using these selectors it is
possible to create links to third-party websites that are hidden within a
comment. This technique has been observed on live production websites.
Drupal core provides mechanisms that sanitize user submitted links by adding
a rel="nofollow" attribute. This feature can be enabled for Drupal 7 sites at
admin/config/content/formats/filtered_html and for Drupal 6 sites at
admin/settings/filters/1/configure. Note that these paths are for the default
formats provided with core. Your site may define custom formats which should
be reviewed and updated as well.
Careful moderation of user submitted comments is always advised.
Additionally, automated comment moderation tools may help to mitigate and
flag these malicious comment submissions.
-------- SOLUTION
------------------------------------------------------------
Review user-submitted content on your site to see if untrusted users have
posted content that includes classes. Review those classes to see if they
will hide unwanted content.
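The review this PSA asks for can be scripted. The added example below (not Drupal core code) parses comment bodies with DOMDocument, reports every element carrying a class attribute, and flags those whose classes include the Drupal 7 core hiding classes element-invisible and element-hidden, together with any link targets inside them. The sample comments are constructed; on a Drupal 7 site the same function would be fed the comment_body_value column of field_data_comment_body, and the class list should be extended with any hiding classes from the site's own theme or custom formats.

```php
<?php
/**
 * Scans comment HTML for classed elements and concealed links (example code).
 */

/**
 * Classes that hide content in Drupal 7 core (system.base.css). Extend with
 * hiding classes from the site's own stylesheets.
 */
function mymodule_hiding_classes() {
  return array('element-invisible', 'element-hidden');
}

/**
 * Returns one finding per element that has a class attribute.
 *
 * Each finding records the tag, its classes, whether any class is a known
 * hiding class, and the link targets inside it, so a moderator sees exactly
 * what the PSA asks to review: classes posted by untrusted users and
 * whether they conceal links.
 */
function mymodule_scan_comment_html($html) {
  $findings = array();
  $dom = new DOMDocument();
  libxml_use_internal_errors(TRUE);
  // Wrap the fragment so DOMDocument has a single root and knows the encoding.
  $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
  libxml_clear_errors();
  $xpath = new DOMXPath($dom);
  foreach ($xpath->query('//*[@class]') as $element) {
    $classes = preg_split('/\s+/', trim($element->getAttribute('class')), -1, PREG_SPLIT_NO_EMPTY);
    $hrefs = array();
    if ($element->tagName === 'a' && $element->hasAttribute('href')) {
      $hrefs[] = $element->getAttribute('href');
    }
    foreach ($element->getElementsByTagName('a') as $a) {
      if ($a->hasAttribute('href')) {
        $hrefs[] = $a->getAttribute('href');
      }
    }
    $findings[] = array(
      'tag' => $element->tagName,
      'classes' => $classes,
      'hidden' => (bool) array_intersect($classes, mymodule_hiding_classes()),
      'hrefs' => $hrefs,
    );
  }
  return $findings;
}

// Constructed sample comments: one benign, one carrying a concealed link.
$samples = array(
  1 => '<p>Great article, thanks!</p>',
  2 => '<p>Nice post.</p><span class="element-invisible"><a href="http://example.com/spam">buy now</a></span>',
);
foreach ($samples as $cid => $body) {
  foreach (mymodule_scan_comment_html($body) as $f) {
    printf("comment %d: <%s class=\"%s\"> %s links=%s\n",
      $cid, $f['tag'], implode(' ', $f['classes']),
      $f['hidden'] ? 'HIDDEN' : 'review', implode(',', $f['hrefs']));
  }
}
```

Elements flagged HIDDEN are the ones this PSA describes; elements reported as "review" carry classes the core list does not know and need a look against the site's own CSS.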
-------- REPORTED BY
---------------------------------------------------------
* Aaron Weiss [3]
-------- COORDINATED BY
------------------------------------------------------
* David Stoline [4] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [5].
Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/user/745366
[4] http://drupal.org/user/329570
[5] http://drupal.org/contact
[6] http://drupal.org/security-team
[7] http://drupal.org/writing-secure-code
[8] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2081637
* Advisory ID: DRUPAL-SA-CONTRIB-2013-073
* Project: Make Meeting Scheduler [1] (third-party module)
* Version: 6.x
* Date: 2013-September-04
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to create polls accessible by a URL containing a hash
(e.g. example.com/makemeeting/sn9028xh3398) so that anonymous users can view
and vote on the poll.
The module didn't sufficiently check access when a poll is accessed directly
via its node URL (e.g. node/123). Note: a user with the hashed URL can still
access and vote on the poll, as that is the intention of the module.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Make Meeting Scheduler 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Make Meeting
Scheduler [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Make Meeting Scheduler module for Drupal 6.x, upgrade to
Make Meeting Scheduler module 6.x-1.3 [5]
Also see the Make Meeting Scheduler [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* rhatto [7]
-------- FIXED BY
------------------------------------------------------------
* rhatto [8]
* SebCorbin [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/makemeeting
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/makemeeting
[5] https://drupal.org/node/2081647
[6] http://drupal.org/project/makemeeting
[7] http://drupal.org/user/108738
[8] http://drupal.org/user/108738
[9] http://drupal.org/user/412171
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2076315
* Advisory ID: DRUPAL-SA-CONTRIB-2013-072
* Project: Node View Permissions [1] (third-party module)
* Version: 7.x
* Date: 2013-August-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Node View Permissions module adds permissions "View own content" and
"View any content" for each content type on the permissions page.
However, it only implements hook_node_access() and not hook_query_alter(),
which means any listing of nodes does not respect the node view permission.
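The advisory's point is that hook_node_access() guards only single-node operations, while listings are built from queries that never call it. The added example below (hypothetical mymodule_ code for the Drupal 7 API, not the Node View Permissions module's own code) shows both halves: the per-type "view own/any" permissions enforced by hook_node_access(), and the same rule applied to listing queries through hook_query_TAG_alter() on the 'node_access' tag, which is the form of hook_query_alter() node listings carry.

```php
<?php
/**
 * Per-content-type view permissions enforced on single nodes and listings.
 *
 * node_access() consults hook_node_access() for one node at a time (viewing
 * node/123, rendering a teaser). Listing queries such as Views, the front
 * page or taxonomy pages never call it; they carry the 'node_access' tag, so
 * a module that restricts viewing must also alter those queries or listings
 * will leak titles the account may not view.
 */
function mymodule_permission() {
  $perms = array();
  foreach (node_type_get_names() as $type => $name) {
    $perms["view own $type content"] = array('title' => t('%type: View own content', array('%type' => $name)));
    $perms["view any $type content"] = array('title' => t('%type: View any content', array('%type' => $name)));
  }
  return $perms;
}

/**
 * Implements hook_node_access(): the single-node check.
 */
function mymodule_node_access($node, $op, $account) {
  if ($op != 'view' || !is_object($node)) {
    return NODE_ACCESS_IGNORE;
  }
  if (user_access("view any {$node->type} content", $account)) {
    return NODE_ACCESS_ALLOW;
  }
  if ($account->uid && $node->uid == $account->uid
      && user_access("view own {$node->type} content", $account)) {
    return NODE_ACCESS_ALLOW;
  }
  return NODE_ACCESS_DENY;
}

/**
 * Implements hook_query_TAG_alter() for the 'node_access' tag: the listing check.
 *
 * Adds the same rule as SQL: type IN (types the account may view any of)
 * OR (uid = account AND type IN (types the account may view its own of)).
 */
function mymodule_query_node_access_alter(QueryAlterableInterface $query) {
  $account = $query->getMetaData('account');
  if (!$account) {
    global $user;
    $account = $user;
  }
  if (user_access('bypass node access', $account)) {
    return;
  }
  $any = $own = array();
  foreach (array_keys(node_type_get_names()) as $type) {
    if (user_access("view any $type content", $account)) {
      $any[] = $type;
    }
    elseif (user_access("view own $type content", $account)) {
      $own[] = $type;
    }
  }
  // Find the node table alias so the condition binds to the right columns.
  foreach ($query->getTables() as $alias => $table) {
    if (is_string($table['table']) && $table['table'] == 'node') {
      $or = db_or();
      // An empty IN () is invalid SQL, so only add the branches that apply.
      if ($any) {
        $or->condition("$alias.type", $any, 'IN');
      }
      if ($own && $account->uid) {
        $or->condition(db_and()
          ->condition("$alias.uid", $account->uid)
          ->condition("$alias.type", $own, 'IN'));
      }
      if ($any || ($own && $account->uid)) {
        $query->condition($or);
      }
      else {
        // Nothing may be viewed: return an empty listing rather than a leaky one.
        $query->where('1 = 0');
      }
      return;
    }
  }
}
```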
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Node View Permissions 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Node View
Permissions [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Node View Permissions module for Drupal 7.x, upgrade to
Node View Permissions 7.x-1.2 [5]
Also see the Node View Permissions [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Mark Theunissen [7]
-------- FIXED BY
------------------------------------------------------------
* hoter [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
* Mark Ferree [10] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/node_view_permissions
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/node_view_permissions
[5] https://drupal.org/node/2031621
[6] http://drupal.org/project/node_view_permissions
[7] https://drupal.org/user/108606
[8] http://drupal.org/user/1677790
[9] https://drupal.org/user/102818
[10] http://drupal.org/user/76245
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration