View online: http://drupal.org/node/1557874
* Advisory ID: DRUPAL-SA-CONTRIB-2012-071
* Project: Glossify Internal Links Auto SEO [1] (third-party module)
* Version: 6.x
* Date: 2012-May-02
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module generates internal node to node, node to taxonomy or node to
external URL links (crosslinks) automatically - ideal for SEO of your site's
pages and partner pages.
This module does not protect against a Cross Site Scripting (XSS) attack.
The vulnerability is mitigated by the fact that the attacker must be able to
create or edit any of: content (nodes), vocabularies, or terms.
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-2.5 and before
Drupal core is not affected. If you do not use the contributed Glossify
Internal Links Auto SEO [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Uninstall the module, it is no longer supported.
Also see the Glossify Internal Links Auto SEO [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Andrei Turcanu
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [5] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [6].
Learn more about the Drupal Security team and their policies [7], writing
secure code for Drupal [8], and securing your site [9].
[1] http://drupal.org/project/glossify
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/glossify
[4] http://drupal.org/project/glossify
[5] http://drupal.org/user/102818
[6] http://drupal.org/contact
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1557872
* Advisory ID: DRUPAL-SA-CONTRIB-2012-070
* Project: Taxonomy Grid : Catalog [1] (third-party module)
* Version: 6.x
* Date: 2012-May-02
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module provides a page listing the content types you've selected,
grouped under terms from the vocabularies you've selected.
This module does not properly filter user supplied text, resulting in a Cross
Site Scripting (XSS) bug. This vulnerability is mitigated by the fact that an
attacker would need the ability to create or edit a vocabulary or term.
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-1.6 and before
Drupal core is not affected. If you do not use the contributed Taxonomy Grid
: Catalog [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Uninstall the module.
Also see the Taxonomy Grid : Catalog [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dylan Tack [5] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [6] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/taxonomy_grid
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/taxonomy_grid
[4] http://drupal.org/project/taxonomy_grid
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/102818
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1557868
* Advisory ID: DRUPAL-SA-CONTRIB-2012-069
* Project: Addressbook [1] (third-party module)
* Version: 6.x
* Date: 2012-May-02
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL
Injection
-------- DESCRIPTION
---------------------------------------------------------
This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request
Forgery.
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-4.2 and before
Drupal core is not affected. If you do not use the contributed Addressbook
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
This module is not supported. Uninstall the module.
Also see the Addressbook [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Michael Hess [5] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [6].
Learn more about the Drupal Security team and their policies [7], writing
secure code for Drupal [8], and securing your site [9].
[1] http://drupal.org/project/addressbook
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/addressbook
[4] http://drupal.org/project/addressbook
[5] http://drupal.org/user/102818
[6] http://drupal.org/contact
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1557852
* Advisory ID: DRUPAL-SA-CONTRIB-2012-068
* Project: Node Gallery [1] (third-party module)
* Version: 6.x
* Date: 2012-May-02
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Node Gallery enables users to create more flexible and powerful galleries
that are fully integrated with Drupal's core node system.
This module does not protect against a CSRF attack when creating node
galleries.
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-3.1 and before
Drupal core is not affected. If you do not use the contributed Node Gallery
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Uninstall the module, this module is no longer supported.
Also see the Node Gallery [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Andrew Berry [5]
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [6] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/node_gallery
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/node_gallery
[4] http://drupal.org/project/node_gallery
[5] http://drupal.org/user/71291
[6] http://drupal.org/user/102818
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547738
* Advisory ID: DRUPAL-SA-CONTRIB-2012-067
* Project: Linkit [1] (third-party module)
* Version: 7.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Linkit provides an easy interface for internal and external linking. Linkit
links to nodes, users, managed files and terms, and has basic support for all
entities by default, using an autocomplete field.
When searching for entities, no access restrictions were added and users may
see information about content that they do not normally have access to see.
This issue only affects sites using an entity access module to limit access
to content for some users.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Linkit 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Linkit [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Linkit module for Drupal 7.x, upgrade to Linkit 7.x-2.3 [4]
Also see the Linkit [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* PAULAP [6]
-------- FIXED BY
------------------------------------------------------------
* Emil Stjerneman [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/linkit
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/linkit
[4] http://drupal.org/node/1547716
[5] http://drupal.org/project/linkit
[6] http://drupal.org/user/29978
[7] http://drupal.org/user/464598
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547736
* Advisory ID: DRUPAL-SA-CONTRIB-2012-066
* Project: Spaces [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Spaces is an API module intended to make configuration options generally
available only at the sitewide level configurable and overridable by
individual "spaces" on a Drupal site.
The spaces and spaces_og modules (part of the spaces package) in some cases
do not apply the expected spaces access permission to pages that are
non-objects (e.g. /node).
This vulnerability is mitigated by the fact that node_access and user profile
permissions will prevent node or user data from being exposed, but other
information (e.g. block data, etc.) is still displayed. This issue only
affects sites using spaces to limit access to content for some users.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Spaces 6.x-3.x versions prior to 6.x-3.4.
Drupal core is not affected. If you do not use the contributed Spaces [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.4 [4]
Also see the Spaces [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* hefox [6]
-------- FIXED BY
------------------------------------------------------------
* Patrick Settle [7] the module maintainer
* Fox [8]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
* Matt Kleve [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/spaces
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/spaces
[4] http://drupal.org/node/1547730
[5] http://drupal.org/project/spaces
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/26618
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547660
* Advisory ID: DRUPAL-SA-CONTRIB-2012-063
* Project: RealName [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module allows you to set a pattern for constructing "Real names" for
users out of profile fields. The module does not sufficiently escape users'
real names under certain circumstances which could lead to a Cross-Site
Scripting (XSS) [3] attack.
-------- VERSIONS AFFECTED
---------------------------------------------------
* RealName 6.x-1.x versions prior to 6.x-1.5 [4].
* RealName 7.x-1.x versions are not vulnerable.
Drupal core is not affected. If you do not use the contributed RealName [5]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the RealName module for Drupal 6.x, upgrade to RealName 6.x-1.5
[6].
Also see the RealName [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Gabor Szanto [8]
* Dave Reid [9], module maintainer and Drupal Security Team member
-------- FIXED BY
------------------------------------------------------------
* Gabor Szanto [10]
* Dave Reid [11], module maintainer and Drupal Security Team member
-------- COORDINATED BY
------------------------------------------------------
* Dave Reid [12] of the Drupal Security Team
* Michael Hess [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] http://drupal.org/project/realname
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/node/1547352
[5] http://drupal.org/project/realname
[6] http://drupal.org/node/1547352
[7] http://drupal.org/project/realname
[8] http://drupal.org/user/610310
[9] http://drupal.org/user/53892
[10] http://drupal.org/user/610310
[11] http://drupal.org/user/53892
[12] http://drupal.org/user/53892
[13] http://drupal.org/user/102818
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547686
* Advisory ID: DRUPAL-SA-CONTRIB-2012-065
* Project: Site Documentation [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to display a plethora of information about your
site's structure. Optionally, the information may be saved into a file for
later comparison.
The module doesn't sufficiently verify that the saved file is protected by
the Private File System.
This vulnerability is mitigated by the fact that the administrator must have
configured the module to save the HTML report file to disk.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Sitedoc 6.x-1.x versions prior to 6.x-1.4.
Drupal core is not affected. If you do not use the contributed Site
Documentation [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Sitedoc module for Drupal 6.x, upgrade to Sitedoc 6.x-1.4
[4], and
* Enable the private file system if you want to save the output file.
Also see the Site Documentation [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jakub Suchý [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Nancy Wichmann [7], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Forest Monsen [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/sitedoc
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/sitedoc
[4] http://drupal.org/node/1546224
[5] http://drupal.org/project/sitedoc
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/101412
[8] http://drupal.org/user/181798
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547674
* Advisory ID: DRUPAL-SA-CONTRIB-2012-064
* Project: Ubercart [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Varies (Local & Remote)
* Vulnerability: Cross Site Scripting, Arbitrary PHP code execution,
Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The Ubercart module for Drupal provides a shopping cart and e-commerce
features for Drupal. Parts of Ubercart were vulnerable to a Failure to
encrypt data issue, a Cross Site Scripting issue, and an Arbitrary PHP
Execution issue.
.... Failure to encrypt data: Exploitable from local
Passwords supplied by new customers during checkout were stored as plain text
until payment was completed for an order, for a maximum of 15 minutes. This
vulnerability is not exploitable remotely, but information may have
inadvertently been leaked via database access (e.g. backups, developer
laptops that are compromised).
.... Cross Site Scripting: Exploitable from remote
The product classes feature did not properly sanitize output and was
vulnerable to a cross site scripting attack. This vulnerability is mitigated
by the fact that an attacker must have the "administer product classes"
permission.
.... Arbitrary PHP Execution: Exploitable from remote
In Ubercart 6.x-2.x, arbitrary PHP code can be executed by users with the
"administer conditional actions" permission. This vulnerability is mitigated
by the fact that this permission should only be granted to trusted users.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Ubercart 6.x-2.x versions prior to 6.x-2.8. [3]
* Ubercart 7.x-3.x versions prior to 7.x-3.1. [4]
Drupal core is not affected. If you do not use the contributed Ubercart [5]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart
6.x-2.8. [6]
* If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart
7.x-3.1. [7]
Additionally, in Drupal 6.x, ensure that only trusted users have roles that
have been granted the "administer conditional actions" permission.
Also see the Ubercart [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Shaun Dychko [9] reported the Failure to encrypt data issue
* Lee Rowlands [10] reported the Cross Site Scripting issue
* Dave Long [11] reported the Arbitrary PHP Execution issue
-------- FIXED BY
------------------------------------------------------------
* Dave Long [12] the module maintainer
* Lyle Mantooth [13] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [14] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].
Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].
[1] http://drupal.org/project/ubercart
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1547506
[4] http://drupal.org/node/1547508
[5] http://drupal.org/project/ubercart
[6] http://drupal.org/node/1547506
[7] http://drupal.org/node/1547508
[8] http://drupal.org/project/ubercart
[9] http://drupal.org/user/475828
[10] http://drupal.org/user/395439
[11] http://drupal.org/user/246492
[12] http://drupal.org/user/246492
[13] http://drupal.org/user/86683
[14] http://drupal.org/user/36762
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1547520
* Advisory ID: DRUPAL-SA-CONTRIB-2012-062
* Project: Creative Commons [1] (third-party module)
* Version: 6.x
* Date: 2012-April-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Creative Commons module allows users to select and assign a Creative
Commons license to a node and any attached content, or to the entire site.
The module did not sufficiently filter the text describing licenses. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission "administer creative commons".
-------- VERSIONS AFFECTED
---------------------------------------------------
* Creative Commons 6.x-1.x versions prior to 6.x-1.1. [3]
Drupal core is not affected. If you do not use the contributed Creative
Commons [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Creative Commons module for Drupal 6.x, upgrade to Creative
Commons 6.x-1.1 [5]
Also see the Creative Commons [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin Klein-Keane [7]
-------- FIXED BY
------------------------------------------------------------
* Kevin Reynen [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/creativecommons
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1547478
[4] http://drupal.org/project/creativecommons
[5] http://drupal.org/node/1547478
[6] http://drupal.org/project/creativecommons
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/48877
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
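As an added example (not code from the advisories, the Drupal Security Team, or any of the modules above), the following Python script turns the affected-version lists of all ten advisories on this page into an audit of a site's installed contrib modules. It assumes drupal.org-packaged .info files, which the packaging script stamps with `project = "..."` and `version = "6.x-2.5"` lines; the sample .info contents embedded below are constructed, not taken from a real site. Drupal contrib version strings follow core.x-major.minor with an optional -alpha/-beta/-rc/-dev suffix, and the script ranks those so that a pre-release sorts before the corresponding stable release and a -dev branch snapshot is reported as "unknown" rather than guessed at.

```python
"""Audit Drupal contrib modules against the affected versions listed in the
advisories above.  Added example, not code from drupal.org or any module.
Assumes drupal.org-packaged .info files carrying `project` and `version`."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# (project, core, major or None for the whole core line, rule, boundary, remedy)
# "below":   affected when version <  boundary   (advisory says "prior to X")
# "through": affected when version <= boundary   (advisory says "X and before")
ADVISORIES: List[Tuple[str, int, Optional[int], str, str, str]] = [
    ("glossify",        6, None, "through", "6.x-2.5", "uninstall, no longer supported (SA-CONTRIB-2012-071)"),
    ("taxonomy_grid",   6, None, "through", "6.x-1.6", "uninstall (SA-CONTRIB-2012-070)"),
    ("addressbook",     6, None, "through", "6.x-4.2", "uninstall, not supported (SA-CONTRIB-2012-069)"),
    ("node_gallery",    6, None, "through", "6.x-3.1", "uninstall, no longer supported (SA-CONTRIB-2012-068)"),
    ("linkit",          7, 2,    "below",   "7.x-2.2", "upgrade to 7.x-2.3 (SA-CONTRIB-2012-067)"),
    ("spaces",          6, 3,    "below",   "6.x-3.4", "upgrade to 6.x-3.4 (SA-CONTRIB-2012-066)"),
    ("realname",        6, 1,    "below",   "6.x-1.5", "upgrade to 6.x-1.5 (SA-CONTRIB-2012-063)"),
    ("sitedoc",         6, 1,    "below",   "6.x-1.4", "upgrade to 6.x-1.4 and enable the private file system (SA-CONTRIB-2012-065)"),
    ("ubercart",        6, 2,    "below",   "6.x-2.8", "upgrade to 6.x-2.8 (SA-CONTRIB-2012-064)"),
    ("ubercart",        7, 3,    "below",   "7.x-3.1", "upgrade to 7.x-3.1 (SA-CONTRIB-2012-064)"),
    ("creativecommons", 6, 1,    "below",   "6.x-1.1", "upgrade to 6.x-1.1 (SA-CONTRIB-2012-062)"),
]


class Version(NamedTuple):
    core: int
    major: int
    minor: Optional[int]   # None for "x", i.e. a -dev branch snapshot
    extra_rank: int        # dev < unstable < alpha < beta < rc < stable release
    extra_num: int


VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+)(\d*))?$")
EXTRA_RANK = {"dev": 0, "unstable": 1, "alpha": 2, "beta": 3, "rc": 4}
STABLE = 5


def parse_version(text: str) -> Optional[Version]:
    """Parse a contrib version such as 6.x-2.5, 7.x-3.1-rc2 or 6.x-3.x-dev."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    core, major, minor, extra, num = m.groups()
    rank = STABLE if extra is None else EXTRA_RANK.get(extra, 1)
    return Version(int(core), int(major), None if minor == "x" else int(minor),
                   rank, int(num) if num else 0)


def parse_info(text: str) -> Dict[str, str]:
    """Minimal .info reader: `key = value`, optional quotes, `;` comments,
    array keys such as dependencies[] skipped."""
    info: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.endswith("]"):
            continue
        info[key] = value.strip().strip('"').strip("'")
    return info


def check_info(text: str) -> Tuple[str, str]:
    """Return (status, explanation) where status is
    vulnerable / ok / unknown / not_listed."""
    info = parse_info(text)
    project, version = info.get("project"), info.get("version")
    if not project or not version:
        return "unknown", "no project/version keys; not a drupal.org packaged release?"
    v = parse_version(version)
    if v is None:
        return "unknown", f"{project}: cannot parse version {version!r}"
    for name, core, major, rule, boundary, remedy in ADVISORIES:
        if name != project or v.core != core or (major is not None and v.major != major):
            continue
        if v.minor is None:
            return "unknown", f"{project} {version} is a dev snapshot; check its commit date against the advisory by hand"
        b = parse_version(boundary)
        assert b is not None
        if (v < b) if rule == "below" else (v <= b):
            return "vulnerable", f"{project} {version}: {remedy}"
        if rule == "through":
            return "unknown", f"{project} {version} is newer than the last release the advisory names; its solution is still to uninstall"
        return "ok", f"{project} {version} is at or past the fixed release"
    label = "branch" if any(a[0] == project for a in ADVISORIES) else "project"
    return "not_listed", f"{project} {version}: {label} not covered by these advisories"


# Constructed sample .info contents (hypothetical paths, not files from any real site).
SAMPLE_INFO_FILES: Dict[str, str] = {
    "sites/all/modules/glossify/glossify.info":
        'name = Glossify\ncore = 6.x\n; Information added by drupal.org packaging script\nversion = "6.x-2.5"\nproject = "glossify"\n',
    "sites/all/modules/linkit/linkit.info":
        'name = Linkit\ncore = 7.x\ndependencies[] = entity\nversion = "7.x-2.3"\nproject = "linkit"\n',
    "sites/all/modules/ubercart/ubercart.info":
        'name = Ubercart\ncore = 7.x\nversion = "7.x-3.0"\nproject = "ubercart"\n',
    "sites/all/modules/spaces/spaces.info":
        'name = Spaces\ncore = 6.x\nversion = "6.x-3.x-dev"\nproject = "spaces"\n',
    "sites/all/modules/views/views.info":
        'name = Views\ncore = 7.x\nversion = "7.x-3.3"\nproject = "views"\n',
}


def audit(info_files: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each .info path to its (status, explanation)."""
    return {path: check_info(text) for path, text in info_files.items()}


if __name__ == "__main__":
    for path, (status, why) in sorted(audit(SAMPLE_INFO_FILES).items()):
        print(f"{status:10} {path}: {why}")
```

To run this against a real site, replace `SAMPLE_INFO_FILES` with the contents of the .info files found under sites/all/modules (and any sites/*/modules directories), keyed by path. The "unknown" status is deliberate: a -dev snapshot or a hand-patched module cannot be cleared by version string alone, and for the four unsupported modules any version at all means removal, which the remedy text states.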