Security-news

security-news@drupal.org

1 participants
1782 discussions

SA-CONTRIB-2012-022 - CDN - Information disclosure
by security-news＠drupal.org 15 Feb '12

15 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-022 * Project: CDN [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-February-15 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server. When running in Origin Pull mode together with the "Far Future expiration" option, the module contains a vulnerability that allows anyone to view the contents of any *.php file within the site, including settings.php. This vulnerability is mitigated by the fact that the site owner must have enabled the "Far Future expiration" option, and must be using the latest version of the module. -------- VERSIONS AFFECTED --------------------------------------------------- * CDN version 6.x-2.2 * CDN version 7.x-2.2 Drupal core is not affected. If you do not use the contributed CDN [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Upgrade to CDN module 6.x-2.3 [4] * Upgrade to CDN module 7.x-2.3 [5] See also the CDN [6] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Wim Leers [8] the module maintainer * Ivo Van Geertruyen [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/cdn [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/cdn [4] http://drupal.org/node/1441482 [5] http://drupal.org/node/1441480 [6] http://drupal.org/project/cdn [7] http://drupal.org/user/383424 [8] http://drupal.org/user/99777 [9] http://drupal.org/user/383424 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-021 - Organic Groups Vocab Access Bypass
by security-news＠drupal.org 15 Feb '12

15 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-021 * Project: Organic Groups Vocabulary [1] (third-party module) * Version: 6.x * Date: 2012-February-15 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to have a specific vocabulary per organic group. The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to "administer own group vocabulary" and be an admin of another group. -------- VERSIONS AFFECTED --------------------------------------------------- * OG Vocab 6.x-1.x versions prior to 6.x-1.2. Drupal core is not affected. If you do not use the contributed OG Vocabulary [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the OG Vocab module for Drupal 6.x, upgrade to OG Vocab 6.x-1.2 [4] See also the OG Vocabulary [5] project page. -------- REPORTED BY --------------------------------------------------------- * Chris Czeyka [6] -------- FIXED BY ------------------------------------------------------------ * Amitai Burstein [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/og_vocab [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/og_vocab [4] http://drupal.org/node/1441086 [5] http://drupal.org/project/og_vocab [6] http://drupal.org/user/223351 [7] http://drupal.org/user/57511 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-020 - Faster Permissions - Access bypass
by security-news＠drupal.org 15 Feb '12

15 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-020 * Project: Faster Permissions [1] (third-party module) * Version: 7.x * Date: 2012-February-15 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to configure the permissions of a specific module on a separate page. This is especially handy for sites with a large list of permissions. The module doesn't sufficiently check for the required permissions when the provided permission administration is displayed and therefore allows users without the required permissions to configure module permissions. -------- VERSIONS AFFECTED --------------------------------------------------- * Faster Permissions 7.x-2.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Faster Permissions [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Faster Permissions module for Drupal 7.x, upgrade to Faster Permissions 7.x-1.2 [4] See also the Faster Permissions [5] project page. -------- REPORTED BY --------------------------------------------------------- * Sascha Grossenbacher [6] -------- FIXED BY ------------------------------------------------------------ * Sascha Grossenbacher [7] * Jason Savino [8] the module maintainer. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/fp [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/fp [4] http://drupal.org/node/1441264 [5] http://drupal.org/project/fp [6] http://drupal.org/user/214652 [7] http://drupal.org/user/214652 [8] http://drupal.org/user/411241 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-019 - Link checker - Access bypass
by security-news＠drupal.org 15 Feb '12

15 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-019 * Project: Link checker [1] (third-party module) * Version: 6.x * Date: 2012-February-15 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed. The module does not correctly check permission to access the site's content before displaying broken links that were found within it, leading to an access bypass vulnerability. This vulnerability is mitigated by several factors: The site must have private content (for example, if a node access or CCK field access module is being used), and the Link checker module must be configured to display broken links to users who do not already have permission to bypass content access control. Also, only the URLs of the broken links are displayed, so this vulnerability is only serious if the content of those URLs is potentially sensitive (for example, if the URL contains a username and password or a secure token, or if it would reveal sensitive information about topics being discussed in the rest of the private content). -------- VERSIONS AFFECTED --------------------------------------------------- * Link checker 6.x-2.x versions prior to 6.x-2.5. Drupal core is not affected. If you do not use the contributed Link checker [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Link checker module for Drupal 6.x, upgrade to Link checker 6.x-2.5 [4]. See also the Link checker [5] project page. -------- REPORTED BY --------------------------------------------------------- Various aspects of the access bypass vulnerability were reported by the following individuals: * Ivo Van Geertruyen [6] of the Drupal Security Team * Dave Reid [7] of the Drupal Security Team * Alexander Hass [8], the module maintainer * David Rothstein [9] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * David Rothstein [10] of the Drupal Security Team * Alexander Hass [11], the module maintainer * Ivo Van Geertruyen [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/linkchecker [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/linkchecker [4] http://drupal.org/node/1440508 [5] http://drupal.org/project/linkchecker [6] http://drupal.org/user/383424 [7] http://drupal.org/user/53892 [8] http://drupal.org/user/85918 [9] http://drupal.org/user/124982 [10] http://drupal.org/user/124982 [11] http://drupal.org/user/85918 [12] http://drupal.org/user/383424 [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-018 - Revisioning - Cross Site Scripting
by security-news＠drupal.org 09 Feb '12

09 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-018 * Project: Revisioning [1] (third-party module) * Version: 6.x * Date: 2012-FEB-08 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Drupal Revisioning module (https://drupal.org/project/revisioning [3]) "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize tags before display. Users with the ability to create content and tags that are submitted to a review queue could include malicious JavaScript or HTML as part of their tags. Users reviewing the queue would then become victims of the XSS attack. The risk is mitigated by the fact that the attacker must have the ability to create taxonomy terms (either "administer taxonomy" or via a freetagging vocabulary). -------- VERSIONS AFFECTED --------------------------------------------------- * Revisioning 6.x-3.13 and prior. Drupal core is not affected. If you do not use the contributed Revisioning [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Upgrade to Revisioning 6.x-3.14 [5] See also the Revisioning [6] project page. -------- REPORTED BY --------------------------------------------------------- * Justin C. Klein Keane [7] -------- FIXED BY ------------------------------------------------------------ * Justin C. Klein Keane [8] * Rik de Boer [9], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Dylan Tack [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/revisioning [2] http://drupal.org/security-team/risk-levels [3] https://drupal.org/project/revisioning [4] http://drupal.org/project/revisioning [5] http://drupal.org/node/1431114 [6] http://drupal.org/project/revisioning [7] http://drupal.org/user/302225 [8] http://drupal.org/user/302225 [9] http://drupal.org/user/404007 [10] http://drupal.org/user/96647 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-017 - Finder - Multiple vulnerabilities
by security-news＠drupal.org 08 Feb '12

08 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-017 * Project: Finder [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-February-08 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Arbitrary PHP code execution, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- Finder is a Drupal module that allows users to create faceted search forms. The module's autocomplete, checkbox, and radio button functionalities previously did not sanitize the output of fields and raw database values. In addition, users with the "administer finder" permission were able to execute arbitrary code through a PHP import interface; specific PHP execution permissions were not required. -------- VERSIONS AFFECTED --------------------------------------------------- * Finder 6.x-1.x prior to 6.x-1.26 * Finder 7.x-1.x versions (all) * Finder 7.x-2.x versions prior to 7.x-2.0-alpha8 Drupal core is not affected. If you do not use the contributed Finder [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Finder module for Drupal 6.x, upgrade to Finder 6.x-1.26 [4]. * If you use the Finder module for Drupal 7.x, upgrade to Finder 7.x-2.0-alpha8 [5]. See also the Finder [6] project page. -------- REPORTED BY --------------------------------------------------------- * Justin C. Klein-Keane [7] -------- FIXED BY ------------------------------------------------------------ * Daniel Braksator [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] and Forest Monsen [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/finder [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/finder [4] http://drupal.org/node/1432318 [5] http://drupal.org/node/1432320 [6] http://drupal.org/project/finder [7] http://drupal.org/user/302225 [8] http://drupal.org/user/134005 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/181798 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-016 - Forward module XSS and Access bypass
by security-news＠drupal.org 01 Feb '12

01 Feb '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-016 * Project: Forward [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-February-01 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Forward module enables you to add a "forward this page" link to each node. The link takes regular site visitors to a form where they can generate an email to a friend. The module exhibits multiple vulnerabilities as described below. The module includes "Recent forwards" and "Most forwarded" blocks that display the titles of the most recently forwarded nodes and the nodes forwarded the most for all time. The module doesn't check that site visitors have permissions to view the node titles listed in these blocks, resulting in an access bypass. This vulnerability is mitigated by the fact that these blocks are disabled by default. The module includes a "Dynamic Block" feature which adds a listing of the top 5 node titles to the bottom of the generated email to a friend. The module doesn't sufficiently check that the email recipient has permission to view the node titles included in the block, resulting in an access bypass. This vulnerability is mitigated by the fact that the Dynamic Block feature is disabled by default. The module includes clickthrough tracking so that the site administrator can determine which emails are generating the most clicks back to the site. The tracking code is vulnerable to CSRF because it uses a publicly available link that could be manipulated to falsely boost the perceived importance of a node. -------- VERSIONS AFFECTED --------------------------------------------------- * Forward 6.x-1.x versions prior to 6.x-1.21 * Forward 7.x-1.x versions prior to 7.x-1.3 Drupal core is not affected. If you do not use the contributed Forward [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Forward module for Drupal 6.x, upgrade to Forward 6.x-1.21 [4] * If you use the Forward module for Drupal 7.x, upgrade to Forward 7.x-1.3 [5] The upgrade is "code only" and does not require running the database update script. IMPORTANT: Administrators of sites that rely on the Dynamic Block access bypass to operate correctly need to visit the Forward configuration page and explicitly select the Dynamic Block Access Control bypass option after upgrading. This should be rare, so most site administrators can simply upgrade the module without the need for additional configuration. See also the Forward [6] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison (greggles) [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * John Oltman [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison (greggles) [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/forward [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/forward [4] http://drupal.org/node/1423720 [5] http://drupal.org/node/1423722 [6] http://drupal.org/project/forward [7] http://drupal.org/user/36762 [8] http://drupal.org/user/699926 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CORE-2012-001 - Drupal core multiple vulnerabilities
by security-news＠drupal.org 01 Feb '12

01 Feb '12

* Advisory ID: DRUPAL-SA-CORE-2012-001 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2012-February-01 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- .... Cross Site Request Forgery vulnerability in Aggregator module CVE: CVE-2012-0826 An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service. This issue affects Drupal 6.x and 7.x. .... OpenID not verifying signed attributes in SREG and AX CVE: CVE-2012-0825 A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information. This issue affects Drupal 6.x and 7.x. .... Access bypass in File module CVE: CVE-2012-0827 When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to. This issue affects Drupal 7.x only. -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal 6.x core prior to 6.23. * Drupal 7.x core prior to 7.11. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 6.x upgrade to 6.23 [3] * If you use Drupal 7.x upgrade to 7.11 [4] See also the Drupal core [5] project page. -------- REPORTED BY --------------------------------------------------------- * The Aggregator module CSRF vulnerability was reported by Dylan Tack [6] of the Drupal Security Team. * The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang [7]. * The File module access bypass issue was reported by David Rothstein [8] of the Drupal Security Team, and by Sascha Grossenbacher [9]. -------- FIXED BY ------------------------------------------------------------ * Aggregator CSRF issue fixed by Dave Reid [10] of the Drupal Security Team * OpenID issue fixed by Vojtech Kusy [11] and Christian Schmidt [12] * The File module access bypass issue was fixed by David Rothstein [13] of the Drupal Security Team, Sascha Grossenbacher [14], and Derek Wright [15] of the Drupal Security Team. -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [16]. Learn more about the Drupal Security team and their policies [17], writing secure code for Drupal [18], and securing your site [19]. [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/node/1425082 [4] http://drupal.org/node/1425092 [5] http://drupal.org/project/drupal [6] http://drupal.org/user/96647 [7] http://openid.net/2011/05/05/attribute-exchange-security-alert/ [8] http://drupal.org/user/124982 [9] http://drupal.org/user/214652 [10] http://drupal.org/user/53892 [11] http://drupal.org/user/56154 [12] http://drupal.org/user/216078 [13] http://drupal.org/user/124982 [14] http://drupal.org/user/214652 [15] http://drupal.org/user/46549 [16] http://drupal.org/contact [17] http://drupal.org/security-team [18] http://drupal.org/writing-secure-code [19] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)
by security-news＠drupal.org 25 Jan '12

25 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-015 * Project: Managesite [1] (third-party module) * Version: 6.x * Date: 2012-January-25 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone (/admin). The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer managesite". -------- VERSIONS AFFECTED --------------------------------------------------- * Managesite 6.x-1.x versions prior to 6.x-1.1. Drupal core is not affected. If you do not use the contributed Managesite [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Managesite module for Drupal 6.x, upgrade to Managesite 6.x-1.1 [4] See also the Managesite [5] project page. -------- REPORTED BY --------------------------------------------------------- * Justin Klein Keane [6] -------- FIXED BY ------------------------------------------------------------ * jacinto capote robles [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/managesite [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/managesite [4] http://drupal.org/node/1410856 [5] http://drupal.org/project/managesite [6] http://drupal.org/user/302225 [7] http://drupal.org/user/348228 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-014 - Drupal Commerce - Cross Site Scripting (XSS)
by security-news＠drupal.org 25 Jan '12

25 Jan '12

* Advisory ID: DRUPAL-SA-CONTRIB-2012-014 * Project: Drupal Commerce [1] (third-party module) * Version: 7.x * Date: 2012-January-25 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Drupal Commerce is a flexible eCommerce framework built on Drupal 7 that lets you construct any type of eCommerce website. Part of its flexibility lies in its ability to render product fields into node displays through the product reference field used to build dynamic Add to Cart forms. In Drupal Commerce 1.1 this feature was expanded to also incorporate the "extra fields" of products, i.e. the product title and SKU. The theme functions used to render product titles and SKUs prints those variables to the page without properly sanitizing them first. A user with the proper permissions could create a product that ends up in a node display where a malicious title or SKU is rendered. This vulnerability is mitigated by the fact that the attacker must have a role with a product creation permission, and since Drupal Commerce 1.1, the site must have been updated to make use of these extra fields in product display nodes as they default to being hidden on all product displays. -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal Commerce version 7.x-1.1. Drupal core is not affected. If you do not use the contributed Drupal Commerce [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal Commerce 7.x-1.1, upgrade to Drupal Commerce 7.x-1.2 [4] See also the Drupal Commerce [5] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen (mr.baileys [6]) of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team * Ryan Szrama (rszrama [8]) the module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/commerce [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/commerce [4] http://drupal.org/node/1417014 [5] http://drupal.org/project/commerce [6] http://drupal.org/user/383424 [7] http://drupal.org/user/383424 [8] http://drupal.org/user/49344 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news