View online: http://drupal.org/node/1890318
* Advisory ID: DRUPAL-SA-CONTRIB-2013-004
* Project: Live CSS [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-January-16
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to save CSS and LESS files on the server via your
browser.
The module doesn't check that the file being saved isn't a script or
executable.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer CSS".
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Live CSS 6.x-2.x versions prior to 6.x-2.1 [4].
* Live CSS 7.x-2.x versions prior to 7.x-2.7 [5].
Drupal core is not affected. If you do not use the contributed Live CSS [6]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Live CSS module for Drupal 6.x, upgrade to 6.x-2.1 [7].
* If you use the Live CSS module for Drupal 7.x, upgrade to 7.x-2.7 [8].
Also see the Live CSS [9] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ryan Garrett [10]
-------- FIXED BY ------------------------------------------------------------
* Guy Bedford [11] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/live_css
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/node/1883978
[5] http://drupal.org/node/1883976
[6] http://drupal.org/project/live_css
[7] http://drupal.org/node/1883978
[8] http://drupal.org/node/1883976
[9] http://drupal.org/project/live_css
[10] http://drupal.org/user/2392210
[11] http://drupal.org/user/746802
[12] http://drupal.org/user/27
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1890222
* Advisory ID: DRUPAL-SA-CONTRIB-2013-003
* Project: RESTful Web Services [1] (third-party module)
* Version: 7.x
* Date: 2013-January-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to expose Drupal entities as RESTful web services. It
provides a machine-readable interface to exchange resources in JSON, XML and
RDF.
The module doesn't sufficiently verify POST requests, thereby exposing a Cross
Site Request Forgery vulnerability.
This vulnerability is mitigated by the fact that an attacker must trick an
authenticated user onto a prepared page that leverages a weakness in certain
browser plugins.
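The check the advisory says is missing, as an added Python sketch that is not the RESTWS module's own code: a cookie-authenticated, state-changing request must carry a token that only script running in the user's own origin could have obtained, so a page on another site that makes the browser send the session cookie still cannot complete the request. The header name, the purpose string and the site key are assumptions of this example.

```python
"""Session-bound CSRF token check for a cookie-authenticated REST endpoint.
Constructed example; not the RESTWS module's code."""
import hashlib
import hmac
from typing import Optional

# Assumption: a per-site secret, as Drupal keeps in its private key / hash salt.
SITE_PRIVATE_KEY = b"constructed-site-private-key-change-me"

# Methods that must not change state and therefore need no token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Assumed header name. A forged cross-site request cannot read the user's
# token to put it here, while the site's own JavaScript can.
TOKEN_HEADER = "X-CSRF-Token"


def csrf_token(session_id: str, purpose: str = "restws") -> str:
    """Derive a token bound to this session and purpose (in the spirit of
    Drupal's drupal_get_token()): an HMAC over the session id, keyed with the
    site secret, so a token from another session or purpose never validates."""
    msg = f"{session_id}:{purpose}".encode()
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def csrf_token_valid(token: str, session_id: str, purpose: str = "restws") -> bool:
    """Constant-time comparison against the expected token."""
    expected = csrf_token(session_id, purpose)
    return hmac.compare_digest(token.encode(), expected.encode())


def authorise_write(method: str, headers: dict, session_id: Optional[str]) -> bool:
    """Gate for a resource endpoint. The session cookie proves who the browser
    is logged in as, not that the user intended this request: a page on another
    site (or a plugin it embeds) can make the browser send the cookie. Only the
    token, which that page cannot read, proves intent. A Content-Type or
    Referer check is not a substitute for it."""
    if method.upper() in SAFE_METHODS:
        return True
    if session_id is None:
        # No cookie session: this flow has no user to act for, so refuse.
        # Other authentication schemes need their own handling.
        return False
    # Header names are case-insensitive in HTTP, so match accordingly.
    token = next((v for k, v in headers.items()
                  if k.lower() == TOKEN_HEADER.lower()), None)
    return token is not None and csrf_token_valid(token, session_id)


if __name__ == "__main__":
    sid = "constructed-session-id"
    good = {"X-CSRF-Token": csrf_token(sid)}
    print("own page, token present  :", authorise_write("POST", good, sid))
    print("forged page, cookie only :", authorise_write("POST", {}, sid))
    print("forged page, other token :",
          authorise_write("POST", {"X-CSRF-Token": csrf_token("other")}, sid))
```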
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* RESTWS 7.x-1.x versions prior to 7.x-1.2.
* RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha4.
Drupal core is not affected. If you do not use the contributed RESTful Web
Services [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.2
[5]
* If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS
7.x-2.0-alpha4 [6]
Also see the RESTful Web Services [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Fredrik Lassen [8]
* Klaus Purer [9] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Klaus Purer [10] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Klaus Purer [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/restws
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/restws
[5] http://drupal.org/node/1890212
[6] http://drupal.org/node/1890216
[7] http://drupal.org/project/restws
[8] http://drupal.org/user/243377
[9] http://drupal.org/user/262198
[10] http://drupal.org/user/262198
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1884360
* Advisory ID: DRUPAL-SA-CONTRIB-2013-002
* Project: Payment [1] (third-party module)
* Version: 7.x
* Date: 2013-January-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Payment enables other modules to make payments using a variety of payment
processing services.
The module incorrectly grants access when checking if a user can view
payments, allowing a user to access the payments of other users.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Payment 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Payment [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Update to Payment 7.x-1.3 [5] or later.
Also see the Payment [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dario Emmanuel Godoy Rojas [7]
-------- FIXED BY ------------------------------------------------------------
* Bart Feenstra [8] (the module maintainer)
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/payment
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/payment
[5] http://drupal.org/node/1883830
[6] http://drupal.org/project/payment
[7] http://drupal.org/user/186754
[8] http://drupal.org/user/62965
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1884332
* Advisory ID: DRUPAL-SA-CONTRIB-2013-001
* Project: Search API [1] (third-party module)
* Version: 7.x
* Date: 2013-January-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to build searches using a wide range of features,
data sources and backends.
The module doesn't sufficiently sanitize user input when displaying errors in
a view with certain backends, including the database backend. This enables
attackers to create a reflected Cross Site Scripting attack by manipulating
the URL.
This is mitigated by the fact that the vulnerability only occurs with some
backends (the Solr backend, for example, is safe) and for certain common
configurations of facets.
The module also doesn't sufficiently sanitize output field names in the admin
view.
This is mitigated by the fact that an attacker would have to have the
necessary permissions to change the field names of an indexed entity type.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Search API 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Search API [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Search API module for Drupal 7.x, upgrade to Search API
7.x-1.4 [5]
Also see the Search API [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* XSS in Views error messages was reported by Josh Stroschein [7].
* XSS in field names was reported by Francisco José Cruz Romanos [8].
-------- FIXED BY ------------------------------------------------------------
* XSS in Views error messages was fixed by Lee Rowlands [9] of the Drupal
Security Team and Bojan Živanović [10].
* XSS in field names was fixed by Francisco José Cruz Romanos [11].
-------- COORDINATED BY ------------------------------------------------------
* Lee Rowlands [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] http://drupal.org/project/search_api
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/search_api
[5] http://drupal.org/node/1884076
[6] http://drupal.org/project/search_api
[7] http://drupal.org/user/2198458
[8] http://drupal.org/user/848238
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/86106
[11] http://drupal.org/user/848238
[12] http://drupal.org/user/395439
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1870550
* Advisory ID: DRUPAL-SA-CONTRIB-2012-174
* Project: Context [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-12-19
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
Context has functionality that renders block content for use with its inline
editor. When these requests are made, the Context module does not sufficiently
ensure that users have access to the block. A malicious user could send a
specially crafted request and get access to block content they should not be
able to see.
This vulnerability is mitigated by the fact that an attacker must know the
identifiers for the block containing sensitive information and that the
block's code must render that sensitive information when requested by a user
without privileges to see this information.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Context 6.x-3.x versions prior to 6.x-3.1.
* Context 7.x-3.x versions prior to 7.x-3.0-beta6.
Drupal core is not affected. If you do not use the contributed Context [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Context module for Drupal 6.x, upgrade to Context 6.x-3.1
[5]
* If you use the Context module for Drupal 7.x, upgrade to Context
7.x-3.0-beta6 [6]
Also see the Context [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Fox (hefox) [8] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Fox (hefox) [9] the module maintainer
* tekante [10] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Fox (hefox) [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/context
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/context
[5] http://drupal.org/node/1870518
[6] http://drupal.org/node/1869910
[7] http://drupal.org/project/context
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/426416
[10] http://drupal.org/user/640024
[11] http://drupal.org/user/426416
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/SA-CORE-2012-004
* Advisory ID: DRUPAL-SA-CORE-2012-004
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2012-December-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Arbitrary PHP code execution
-------- DESCRIPTION ---------------------------------------------------------
Multiple vulnerabilities were fixed in the supported Drupal core versions 6
and 7.
.... Access bypass (User module search - Drupal 6 and 7)
A vulnerability was identified that allows blocked users to appear in user
search results, even when the search results are viewed by unprivileged
users.
This vulnerability is mitigated by the fact that the default Drupal core user
search results only display usernames (and disclosure of usernames is not
considered a security vulnerability [3]). However, since modules or themes
may override the search results to display more information from each user's
profile, this could result in additional information about blocked users
being disclosed on some sites.
CVE: Requested.
.... Access bypass (Upload module - Drupal 6)
A vulnerability was identified that allows information about uploaded files
to be displayed in RSS feeds and search results to users that do not have the
"view uploaded files" permission.
This issue affects Drupal 6 only.
CVE: Requested.
.... Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)
Drupal core's file upload feature blocks the upload of many files that could be
executed on the server by munging the filename. A malicious user could name a
file in a manner that bypasses this munging in Drupal's input validation.
This vulnerability is mitigated by several factors. The attacker would need
the permission to upload a file to the server. Certain combinations of PHP
and filesystems are not vulnerable to this issue, though we did not perform
an exhaustive review of the supported PHP versions. Finally, the server would
need to allow execution of files in the uploads directory. Drupal core has
protected against this with .htaccess file protection in place since
SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache
configurations [4]. Users of IIS should consider updating their web.config
[5]. Users of Nginx should confirm that only index.php and other known good
scripts are executable. Users of other web servers should review their
configuration to ensure the same goal is achieved in some other way.
CVE: Requested.
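As an added example (Python, not Drupal's own file_munge_filename() code), the defence this paragraph describes in working form: every inner extension outside the site's allow-list is neutralised with an underscore, the name is normalised before any check so that the validated name is the one that reaches disk, and the final extension is checked last. The allow-list, the trailing-dot handling and the function names are this example's assumptions.

```python
"""Defensive filename munging for user uploads.
Constructed example in the spirit of the protection described above; this is
not Drupal's file_munge_filename() code."""
import re

# Constructed allow-list; a real site takes it from the upload field settings.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "gif", "png", "txt", "pdf"})


def normalise(filename: str) -> str:
    """Reduce the name to the form that will actually land on disk before any
    extension decision is made: drop directory parts and control characters,
    and strip trailing dots and spaces, which some filesystems silently remove
    when the file is written (an assumption about the platform, not a
    statement about the advisory's bypass)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)
    return name.rstrip(". ")


def munge_filename(filename: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Append '_' to every inner extension that is not allow-listed, e.g.
    'report.php.txt' -> 'report.php_.txt'. Apache with a multi-extension
    handler (AddHandler ... .php) may otherwise treat 'report.php.txt' as
    PHP. The final extension is deliberately left alone; rejecting it is
    the job of is_allowed_upload()."""
    name = normalise(filename)
    parts = name.split(".")
    if len(parts) < 3:          # nothing between base name and last extension
        return name
    inner = [p if p.lower() in allowed else p + "_" for p in parts[1:-1]]
    return ".".join([parts[0], *inner, parts[-1]])


def is_allowed_upload(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Final gate, applied to the munged name: the last extension must be
    allow-listed (case-insensitively) and every inner component must either be
    allow-listed or already neutralised. Even so, the directory the file lands
    in should refuse to execute scripts (Drupal's .htaccess, an equivalent
    web.config, or an nginx location that only passes index.php to PHP)."""
    name = munge_filename(filename, allowed)
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in allowed:
        return False
    return all(p in allowed or p.endswith("_") for p in parts[1:-1])


if __name__ == "__main__":
    samples = ("photo.jpg", "report.php.txt", "shell.php", "shell.php.",
               "../shell.PHP.jpg")
    for sample in samples:
        print(f"{sample!r:20} -> {munge_filename(sample)!r:20} "
              f"allowed={is_allowed_upload(sample)}")
```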
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [6] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal core 6.x versions prior to 6.27.
* Drupal core 7.x versions prior to 7.18.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Drupal 6.x, upgrade to Drupal core 6.27 [7].
* If you use Drupal 7.x, upgrade to Drupal core 7.18 [8].
Also see the Drupal core [9] project page.
-------- REPORTED BY ---------------------------------------------------------
* The access bypass issue in the User module search results was reported by
Derek Wright [10] of the Drupal Security Team.
* The access bypass issue in the Drupal 6 Upload module was reported by
Simon Rycroft [11], and by Damien Tournoud [12] of the Drupal Security
Team.
* The arbitrary code execution issue was reported by Amit Asaravala [13].
-------- FIXED BY ------------------------------------------------------------
* The access bypass issue in the User module search results was fixed by
Derek Wright [14], Ivo Van Geertruyen [15], Peter Wolanin [16], and David
Rothstein [17], all members of the Drupal Security Team.
* The access bypass issue in the Drupal 6 Upload module was fixed by
Michaël Dupont [18], and by Fox [19] and David Rothstein [20] of the
Drupal Security Team.
* The arbitrary code execution issue was fixed by Nathan Haug [21] and
Justin Klein-Keane [22], and by John Morahan [23] and Greg Knaddison [24]
of the Drupal Security team.
-------- COORDINATED BY ------------------------------------------------------
* Jeremy Thorson [25] QA/Testing infrastructure
* Ben Jeavons [26] of the Drupal Security Team
* David Rothstein [27] of the Drupal Security Team
* Gábor Hojtsy [28] of the Drupal Security Team
* Greg Knaddison [29] of the Drupal Security Team
* Fox [30] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [31].
Learn more about the Drupal Security team and their policies [32], writing
secure code for Drupal [33], and securing your site [34].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1004778
[4] http://drupal.org/node/65409
[5] http://drupal.org/node/1543392
[6] http://cve.mitre.org/
[7] http://drupal.org/drupal-6.27-release-notes
[8] http://drupal.org/drupal-7.18-release-notes
[9] http://drupal.org/project/drupal
[10] http://drupal.org/user/46549
[11] http://drupal.org/user/151544
[12] http://drupal.org/user/22211
[13] http://drupal.org/user/181407
[14] http://drupal.org/user/46549
[15] http://drupal.org/user/383424
[16] http://drupal.org/user/49851
[17] http://drupal.org/user/124982
[18] http://drupal.org/user/400288
[19] http://drupal.org/user/426416
[20] http://drupal.org/user/124982
[21] http://drupal.org/user/35821
[22] http://drupal.org/user/302225
[23] http://drupal.org/user/58170
[24] http://drupal.org/user/36762
[25] http://drupal.org/user/148199
[26] http://drupal.org/user/91990
[27] http://drupal.org/user/124982
[28] http://drupal.org/user/4166
[29] http://drupal.org/user/36762
[30] http://drupal.org/user/426416
[31] http://drupal.org/contact
[32] http://drupal.org/security-team
[33] http://drupal.org/writing-secure-code
[34] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1859282
* Advisory ID: DRUPAL-SA-CONTRIB-2012-173
* Project: Nodewords: D6 Meta Tags [1] (third-party module)
* Version: 6.x
* Date: 2012-December-05
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to assign meta tags on Drupal 6 sites to aid with 3rd
party search indexing and sharing on social networks.
The module doesn't correctly filter node content when configured to
automatically generate description meta tags from the node text. This lack of
filtering could allow some code, e.g. BBCode, to pass through unprocessed and
potentially display private or otherwise secret information, links, file
paths or other potentially sensitive details. The problem affects the normal
'description' meta tag along with the 'dc.description' and 'og:description'
meta tags, all of which used the same logic.
This vulnerability is mitigated by the fact that it is unlikely that
sensitive content would be within the extracted portion.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Nodewords 6.x-1.x versions prior to 6.x-1.14.
Drupal core is not affected. If you do not use the contributed Nodewords: D6
Meta Tags [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Nodewords module for Drupal 6.x, upgrade to Nodewords
6.x-1.14 [5].
Also see the Nodewords: D6 Meta Tags [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Andrey Tretyakov [7]
* asb [8]
-------- FIXED BY ------------------------------------------------------------
* Damien McKenna [9] the module maintainer.
-------- COORDINATED BY ------------------------------------------------------
* Chris Hales [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/nodewords
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/nodewords
[5] http://drupal.org/node/1859208
[6] http://drupal.org/project/nodewords
[7] http://drupal.org/user/169459
[8] http://drupal.org/user/37833
[9] http://drupal.org/user/108450
[10] http://drupal.org/user/347249
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1853376
* Advisory ID: DRUPAL-SA-CONTRIB-2012-172
* Project: Zero Point [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-November-28
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Zero Point is an advanced theme which includes many options, ideal for a wide
range of sites.
The theme does not escape path aliases, exposing a Cross Site Scripting (XSS)
vulnerability in URLs. There are no mitigating factors.
CVE: Requested
-------- VERSIONS AFFECTED ---------------------------------------------------
* zeropoint 6.x-1.x versions prior to 6.x-1.18
* zeropoint 7.x-1.x versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed Zero Point [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Zero Point theme for Drupal 6.x, upgrade to zeropoint
6.x-1.18 [4]
* If you use the Zero Point theme for Drupal 7.x, upgrade to zeropoint
7.x-1.4 [5]
Also see the Zero Point [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* samatha [7]
-------- FIXED BY ------------------------------------------------------------
* Florian Radut [8] the module maintainer
* Christian López Espínola [9]
-------- COORDINATED BY ------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/zeropoint
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/zeropoint
[4] http://drupal.org/node/1853358
[5] http://drupal.org/node/1853350
[6] http://drupal.org/project/zeropoint
[7] http://drupal.org/user/534190
[8] http://drupal.org/user/35316
[9] http://drupal.org/user/959536
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1853268
* Advisory ID: DRUPAL-SA-CONTRIB-2012-171
* Project: Webmail Plus [1] (third-party module)
* Version: 6.x
* Date: 2012-November-28
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Webmail Plus module is a full-featured email client for Drupal. It's
designed to provide email for any or all members of a Drupal site.
The module doesn't sufficiently sanitize user input as it is used in a
database query.
CVE: Requested
-------- VERSIONS AFFECTED ---------------------------------------------------
* All Webmail Plus module versions.
Drupal core is not affected. If you do not use the contributed Webmail Plus
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Uninstall the module:
* If you use the Webmail Plus module you should disable the module.
Also see the Webmail Plus [4] project page.
-------- REPORTED BY ---------------------------------------------------------
* Fox [5] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Gerhard Killesreiter [6] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/webmail_plus
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webmail_plus
[4] http://drupal.org/project/webmail_plus
[5] http://drupal.org/user/426464
[6] http://drupal.org/user/83
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1853244
* Advisory ID: DRUPAL-SA-CONTRIB-2012-170
* Project: Multi-Language Link and Redirect (MultiLink) [1] (third-party
module)
* Version: 6.x, 7.x
* Date: 2012-November-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
MultiLink allows you to generate in-content links to a suitable node or node
translation based on the visitor's language preferences. It allows the Node
Title of the target node to be shown as the visible text and title attribute
for the generated link.
Prior to versions 6.x-2.7 and 7.x-2.7, the module doesn't check that the
current user has access to a node referenced by the generated link, so the
node title (only) may be disclosed to a user who would otherwise have no
access to that node.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit text using an Input Format for which the
MultiLink Filter has been enabled.
CVE: Requested
-------- VERSIONS AFFECTED ---------------------------------------------------
* MultiLink 6.x-2.x versions prior to 6.x-2.7 [3].
* MultiLink 7.x-2.x versions prior to 7.x-2.7 [4].
Drupal core is not affected. If you do not use the contributed Multi-Language
Link and Redirect (MultiLink) [5] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version - see the project page
http://drupal.org/project/multilink [6] for downloads.
Also see the Multi-Language Link and Redirect (MultiLink) [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Andy Inman [8] the module maintainer
-------- FIXED BY ------------------------------------------------------------
* Andy Inman [9] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Stéphane Corlosquet [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/multilink
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1289292
[4] http://drupal.org/node/1289294
[5] http://drupal.org/project/multilink
[6] http://drupal.org/project/multilink
[7] http://drupal.org/project/multilink
[8] http://drupal.org/user/216383
[9] http://drupal.org/user/216383
[10] http://drupal.org/user/52142
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration