* Advisory ID: DRUPAL-SA-CONTRIB-2011-017
* Project: Save Draft [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-April-27
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Validation bypass
-------- DESCRIPTION ---------------------------------------------------------
The Save Draft module adds a "Save as draft" button to the node form, letting
content creators easily save a post in unpublished draft form.
The module attaches its validation to individual form actions, which causes
the Form API to skip the form-wide validation that is normally performed
before content is saved. This is a security vulnerability on sites where
other modules rely on node form validation for security purposes.
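As an added illustration (not Save Draft's own code; the module name example_draft and its functions are hypothetical), a Drupal 6 hook_form_alter() showing the weak pattern beside the corrected one: a button whose own #validate list replaces the form-wide handlers, and a button whose list is built on top of them.

```php
<?php
/**
 * Added example, not Save Draft's own code. Hypothetical module "example_draft".
 * Drupal 6 Form API layout ($form['buttons']); Drupal 7 keeps buttons under
 * $form['actions'] but treats a button's #validate the same way.
 *
 * Form API rule: when the clicked button carries its own #validate list, that
 * list is used INSTEAD of the form-wide $form['#validate'] handlers. A button
 * that names only its own validator therefore skips node_form_validate() and
 * every validator that other modules attached to the node form.
 */
function example_draft_form_alter(&$form, &$form_state, $form_id) {
  if (!isset($form['#node']) || $form_id != $form['#node']->type . '_node_form') {
    return;
  }

  // Weak: when this button is pressed, only example_draft_validate() runs.
  $form['buttons']['draft_weak'] = array(
    '#type' => 'submit',
    '#value' => t('Save as draft (weak)'),
    '#weight' => 6,
    '#validate' => array('example_draft_validate'),
    '#submit' => array('example_draft_submit'),
  );

  // Hardened: start from the form-wide list so nothing is bypassed, then append
  // the button-specific validator. Validators added by a form_alter that runs
  // after this one would still be missed, so give this module a high weight
  // (or perform the merge in an #after_build callback instead).
  $form_wide = isset($form['#validate']) ? $form['#validate'] : array();
  $form['buttons']['draft'] = array(
    '#type' => 'submit',
    '#value' => t('Save as draft'),
    '#weight' => 6,
    '#validate' => array_merge($form_wide, array('example_draft_validate')),
    '#submit' => array('example_draft_submit'),
  );
}

/**
 * Button-specific validation. Deliberately minimal: a draft has little extra
 * to check, which is exactly why it must not be the ONLY validator that runs.
 */
function example_draft_validate($form, &$form_state) {
  if (empty($form_state['values']['title'])) {
    form_set_error('title', t('Even a draft needs a title.'));
  }
}

/** Force the draft to be unpublished, then let the normal node save run. */
function example_draft_submit($form, &$form_state) {
  $form_state['values']['status'] = 0;
  node_form_submit($form, $form_state);
}
```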
-------- VERSIONS AFFECTED ---------------------------------------------------
* Save Draft module for Drupal 6.x versions prior to 6.x-1.8
* Save Draft module for Drupal 7.x versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed Save Draft [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Save Draft module for Drupal 6.x, upgrade to Save Draft
6.x-1.8 [4]. (Note that the 6.x-2.x branch of the module is not affected.
If you use that, you do not need to upgrade.)
* If you use the Save Draft module for Drupal 7.x, upgrade to Save Draft
7.x-1.4 [5].
See also the Save Draft project page [6].
-------- REPORTED BY ---------------------------------------------------------
* David Rothstein [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* David Rothstein [8] of the Drupal Security Team
* Katherine Senzee (ksenzee [9]), module co-maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the team and their policies [11], writing secure code for
Drupal [12], and secure configuration [13] of your site.
[1] http://drupal.org/project/save_draft
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/save_draft
[4] http://drupal.org/node/1139378
[5] http://drupal.org/node/1139380
[6] http://drupal.org/project/save_draft
[7] http://drupal.org/user/124982
[8] http://drupal.org/user/124982
[9] http://drupal.org/user/139855
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-016
* Project: Node Quick Find [1] (third-party module)
* Version: 6.x
* Date: 2011-April-06
* Security risk: Not critical (definition of risk levels) [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Node Quick Find module provides a block for quickly reaching nodes by
title via an auto-completing text field.
The module does not pass its query through db_rewrite_sql when generating the
list of node titles, so users can see the titles of nodes they may not have
access to. Access to the nodes themselves is not compromised.
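As an added illustration (not Node Quick Find's own code; the module name example_quickfind and its callbacks are hypothetical), a Drupal 6 autocomplete callback written once without and once with db_rewrite_sql(), which is what lets node access modules restrict the listed titles.

```php
<?php
/**
 * Added example, not Node Quick Find's own code. Hypothetical module
 * "example_quickfind" with a menu callback on an autocomplete path; Drupal 6
 * database API (db_query_range, db_rewrite_sql, db_fetch_object).
 *
 * Drupal's own node listings pass their SQL through db_rewrite_sql() so that
 * node access modules can add their JOIN/WHERE restrictions; a query that
 * skips it lists the titles of nodes the current user may not view.
 */

// Weak: every published node whose title matches is listed, regardless of
// the current user's node access grants.
function example_quickfind_autocomplete_weak($string = '') {
  $matches = array();
  $sql = "SELECT n.nid, n.title FROM {node} n
          WHERE n.status = 1 AND LOWER(n.title) LIKE LOWER('%%%s%%')";
  $result = db_query_range($sql, $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    $matches[$node->title] = check_plain($node->title);
  }
  drupal_json($matches);
}

// Hardened: the same query, rewritten for node access before it runs. The
// node table must be aliased "n" (db_rewrite_sql's default primary table and
// field), and the %s placeholder keeps the search string out of the SQL text.
function example_quickfind_autocomplete($string = '') {
  $matches = array();
  $sql = "SELECT n.nid, n.title FROM {node} n
          WHERE n.status = 1 AND LOWER(n.title) LIKE LOWER('%%%s%%')";
  $result = db_query_range(db_rewrite_sql($sql), $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    // check_plain() escapes the title for the JSON payload the browser renders.
    $matches[$node->title] = check_plain($node->title);
  }
  drupal_json($matches);
}
```

A quick check for an existing site: a user without access to a private node should get no match for that node's title from the autocomplete path; if the title still appears, the query is not being rewritten.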
-------- VERSIONS AFFECTED ---------------------------------------------------
* 6.x-1.1
Drupal core is not affected. If you do not use the contributed Node Quick
Find [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Node Quick Find module for Drupal 6.x, upgrade to Node Quick
Find 6.x-1.2 [4].
See also the Node Quick Find [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Jochen Meyer (derjochenmeyer [6])
-------- FIXED BY ------------------------------------------------------------
* Nicholas Thompson (nicholasThompson [7])
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the team and their policies [9], writing secure code for
Drupal [10], and secure configuration [11] of your site.
[1] http://www.drupal.org/project/node_quick_find
[2] http://drupal.org/security-team/risk-levels
[3] http://www.drupal.org/project/node_quick_find
[4] http://drupal.org/node/1080114
[5] http://www.drupal.org/project/node_quick_find
[6] http://drupal.org/user/106134
[7] http://drupal.org/user/59351
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-015
* Project: Translation Management (third-party module)
* Version: 6.x
* Date: 2011-March-30
* Security risk: Critical (definition of risk levels) [1]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgeries, SQL
Injection
-------- DESCRIPTION ---------------------------------------------------------
The Translation Management module helps manage the process of translating
content on your site. The module has several vulnerabilities. It does not
sufficiently escape user-supplied text when printing it to the browser or when
using it in database queries, resulting in Cross Site Scripting (XSS) and SQL
Injection vulnerabilities. It does not use the Form API or Drupal's token
system to protect against Cross Site Request Forgery (CSRF).
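As an added illustration of the three defects named above (not Translation Management's own code; the module name example_tm, its table, permission and functions are hypothetical), a Drupal 6 "mark translation done" action written once without protection and once using db_query() placeholders, t() placeholders and Drupal's token system.

```php
<?php
/**
 * Added example, not Translation Management's own code. Hypothetical module
 * "example_tm" (table {example_tm_job}, permission "translate content") with
 * a "mark translation done" action reached from a link. Drupal 6 API.
 */
function example_tm_menu() {
  $items['example_tm/done/%node'] = array(
    'page callback' => 'example_tm_mark_done',
    'page arguments' => array(2),
    'access arguments' => array('translate content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Weak: no CSRF protection (any page the victim visits can trigger this GET),
// request data interpolated into SQL, and the node title printed unescaped.
function example_tm_mark_done_weak($node) {
  $language = $_GET['language'];
  db_query("UPDATE {example_tm_job} SET done = 1
            WHERE nid = $node->nid AND language = '$language'");
  drupal_set_message("Marked the $language translation of $node->title as done.");
  drupal_goto('node/' . $node->nid);
}

// Link generation: the token is derived from the user's session and from a
// value naming this exact action, so a forged cross-site request cannot
// carry a valid one and a token for one job cannot be reused for another.
function example_tm_done_link($node, $language) {
  $token = drupal_get_token('example_tm_done_' . $node->nid . '_' . $language);
  return l(t('Mark as translated'), 'example_tm/done/' . $node->nid, array(
    'query' => 'language=' . rawurlencode($language) . '&token=' . $token,
  ));
}

// Hardened: validate the token first, pass values through db_query()
// placeholders (%d and '%s' escape them), and let t() placeholders escape
// the message text.
function example_tm_mark_done($node) {
  $language = isset($_GET['language']) ? $_GET['language'] : '';
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_tm_done_' . $node->nid . '_' . $language)) {
    drupal_access_denied();
    return;
  }
  db_query("UPDATE {example_tm_job} SET done = 1 WHERE nid = %d AND language = '%s'",
           $node->nid, $language);
  drupal_set_message(t('Marked the %lang translation of %title as done.',
                       array('%lang' => $language, '%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```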
-------- VERSIONS AFFECTED ---------------------------------------------------
* Translation Management versions prior to 6.x-1.21
Drupal core is not affected. If you do not use the contributed Translation
Management [2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Translation Management module for Drupal 6.x, upgrade to
6.x-1.22 [3].
See also the Translation Management [4] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dave Reid [5] of the Drupal Security Team
* Greg Dunlap [6]
-------- FIXED BY ------------------------------------------------------------
* Bruce Pearson [7], module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact. Learn more about the team and
their policies [8], writing secure code for Drupal [9], and secure
configuration [10] of your site.
[1] http://drupal.org/security-team/risk-levels
[2] http://drupal.org/project/translation_management
[3] http://drupal.org/node/1108848
[4] http://drupal.org/project/translation_management
[5] http://drupal.org/user/53892
[6] http://drupal.org/user/128537
[7] http://drupal.org/user/415674
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-014
* Project: Webform Block (third-party module)
* Version: 6.x
* Date: 2011-March-23
* Security risk: Moderately critical (definition of risk levels) [1]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Webform Block module enables users to make a webform available as a
block. The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS [2]) vulnerability that
may lead to a malicious user gaining full administrative access. The
vulnerability is mitigated by the fact that a malicious user must be assigned
a role that includes permission to create and/or edit webforms.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Webform Block module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Webform Block
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Webform Block module for Drupal 6.x, upgrade to Webform
Block 6.x-1.2 [4].
See also the Webform Block project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Dylan Wilder-Tack (grendzy [6]) of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Dylan Wilder-Tack (grendzy [7]) of the Drupal security team
* Mike Carter (budda [8]), module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact. Learn more about the team and
their policies [9], writing secure code for Drupal [10], and secure
configuration [11] of your site.
[1] http://drupal.org/security-team/risk-levels
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/webformblock
[4] http://drupal.org/node/1101996
[5] http://drupal.org/project/webformblock
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/96647
[8] http://drupal.org/user/13164
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-013
* Project: Tagadelic (third-party module)
* Version: 6.x
* Date: 2011-March-16
* Security risk: Moderately Critical (definition of risk levels) [1]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Tagadelic module offers various ways to display terms and vocabularies as
a tag cloud on a page or in a block. The module does not sanitize taxonomy
vocabulary names and descriptions when displaying them on listing pages or in
blocks, leading to a Cross-Site Scripting (XSS [2]) vulnerability that may
lead to a malicious user gaining full administrative access.
This vulnerability is mitigated by the fact that, to exploit it, the user must
be able to create or edit taxonomy vocabularies, which is normally restricted
by the "administer taxonomy" permission.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Tagadelic module 6.x-1.x versions prior to 6.x-1.3
Note: If you do not use the contributed Tagadelic [3] module, there is
nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Tagadelic module for Drupal 6.x-1.x, upgrade to Tagadelic
6.x-1.3 [4].
See also the Tagadelic project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Greg Knaddison (greggles) [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Bèr Kessels [7], module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [8], writing secure code for Drupal [9], and secure configuration
[10] of your site.
[1] http://drupal.org/security-team/risk-levels
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/tagadelic
[4] http://drupal.org/node/1095016
[5] http://drupal.org/project/tagadelic
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/2663
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-012
* Project: Spaces (third-party module)
* Version: 6.x
* Date: 2011-March-02
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Spaces module makes sitewide configuration options available to be
overridden by individual "spaces" on a Drupal site. Spaces provides a Views
module access plugin that does not properly check its permission setting,
which may allow underprivileged users to visit certain pages. This
vulnerability is mitigated by the fact that Drupal's node access system will
still prevent users from viewing content they do not have permission to view.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Spaces module for Drupal 6.x versions prior to 6.x-3.1
Drupal core is not affected. If you do not use the contributed Spaces [1] and
Views [2] modules, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.1 [3].
See also the Spaces project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Matthew Radcliffe [5]
-------- FIXED BY ------------------------------------------------------------
* Jeff Miccolis [6], module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [7] can be reached at security at drupal.org [8] or
via the form at http://drupal.org/contact [9].
Learn more about the team and their policies [10], writing secure code [11]
for Drupal, and secure configuration [12] of your site.
[1] http://drupal.org/project/spaces
[2] http://drupal.org/project/views
[3] http://drupal.org/node/1079192
[4] http://drupal.org/project/spaces
[5] http://drupal.org/user/157079
[6] http://drupal.org/user/31731
[7] http://drupal.org/security-team
[8] http://drupal.org
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-011
* Project: Secure Pages (third-party module)
* Version: 6.x
* Date: 2011-March-02
* Security risk: Less Critical (definition of risk levels) [1]
* Exploitable from: Remote
* Vulnerability: Open Redirection
-------- DESCRIPTION ---------------------------------------------------------
The Secure Pages module allows administrators to choose certain URLs that
must be delivered over HTTPS. An open redirection bug allows an attacker to
craft a URL that redirects the user to an arbitrary URL of the attacker's
choosing.
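As an added illustration (not Secure Pages' own code; the helper names and the module's internals are hypothetical), a check that a redirect-to-HTTPS module can apply before handing a request-supplied destination to drupal_goto(): since the only legitimate target is a path on the same site, accept a local path only and rebuild the absolute URL from the site's own base.

```php
<?php
/**
 * Added example, not Secure Pages' own code. Hypothetical helpers for a module
 * that bounces requests between the http:// and https:// copies of ONE site.
 *
 * Weak pattern: drupal_goto($_GET['destination']), or building the Location
 * header from raw request data, lets a crafted link send the visitor to any
 * host. The hardened version below accepts a local path only.
 */

/**
 * Return a clean internal path (plus query string) for $candidate, or FALSE.
 */
function example_securepages_local_path($candidate) {
  $candidate = trim((string) $candidate);
  // Anything carrying a scheme ("http:", "javascript:", ...) is rejected.
  if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
    return FALSE;
  }
  // "//evil.example" is a protocol-relative URL; "/\evil.example" becomes the
  // same thing in browsers, which treat backslash as slash when parsing.
  if (strpos($candidate, '//') === 0 || strpos($candidate, '\\') !== FALSE) {
    return FALSE;
  }
  $parts = parse_url($candidate);
  if ($parts === FALSE || isset($parts['scheme']) || isset($parts['host'])) {
    return FALSE;
  }
  $path = isset($parts['path']) ? trim($parts['path'], '/') : '';
  // Control characters could be used to split the Location header.
  if (preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
    return FALSE;
  }
  return isset($parts['query']) ? $path . '?' . $parts['query'] : $path;
}

/**
 * Build the HTTPS URL for $destination on this site. $base_url is passed in
 * (Drupal keeps it in the global of the same name) so the host is always ours;
 * an unacceptable destination falls back to the front page.
 */
function example_securepages_https_url($base_url, $destination) {
  $path = example_securepages_local_path($destination);
  if ($path === FALSE) {
    $path = '';
  }
  $secure_base = preg_replace('#^http://#i', 'https://', rtrim($base_url, '/'));
  return $secure_base . '/' . $path;
}

/** Hardened redirect: only the path component of the request is reused. */
function example_securepages_redirect($destination) {
  global $base_url;
  drupal_goto(example_securepages_https_url($base_url, $destination));
}
```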
-------- VERSIONS AFFECTED ---------------------------------------------------
* Secure Pages module for Drupal 6.x versions prior to 6.x-1.9
Drupal core is not affected. If you do not use the contributed Secure Pages
[2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Secure Pages module for Drupal 6.x, upgrade to Secure Pages
6.x-1.9 [3].
See also the Secure Pages project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Mike Potter [5]
-------- FIXED BY ------------------------------------------------------------
* Gordon Heydon [6], module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [7], writing secure code for Drupal [8], and secure configuration
[9] of your site.
[1] http://drupal.org/security-team/risk-levels
[2] http://drupal.org/project/securepages
[3] http://drupal.org/node/1070596
[4] http://drupal.org/project/securepages
[5] http://drupal.org/user/616192
[6] http://drupal.org/user/959
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration
* Advisory ID: PSA-2011-001
* Project: Drupal core and contrib
* Versions: All versions
* Date: 2011-February-17
* Security risk: Not critical
-------- DESCRIPTION ---------------------------------------------------------
This is a public service announcement regarding a recent social engineering
attack via the following mail purporting to come from the Drupal security
team.
>Hello, I am a member of the Drupal security team. Our installation records
>show that your site runs Drupal on PHP [version] and [server]. We have
>recently found a security problem with that configuration which could allow
>a hacker to get into the site and delete any posts they want. We have not
>posted anything about this yet publicly as we want to get this patch out to
>as many people as possible first. We have developed a patch for this bug -
>all you need to do is upload this file to your site in the
>sites/default/files/ folder (do not change the name of the file) and Drupal
>will see it and install it for you. We recommend you do this as soon as
>possible. Sincerely, James Drupal security team
The mail was sent with Drupal Security <drupal_s(a)yahoo.com> as the
(easily forged) "From" address. It also contained an attachment that was
claimed to be a patch that had to be uploaded and installed. Needless to say,
this file contained code to make the system accessible from the outside. If
you received a message like the above, do not upload the attached file.
How the Drupal Security Team communicates:
1) The Security Team does not supply patches to sites.
2) The Security Team will never ask site administrators to upload random
files to their site. We only recommend updating to the latest core or
contrib releases downloaded from drupal.org.
3) The Security Team officially uses three forms of communication for Drupal
Security Advisories: the update report in your Drupal installation, the
posts and RSS feed on http://drupal.org/security, and the newsletter
available from your Drupal.org user page. The Drupal Security Team does
not publish to a Twitter feed or provide any other official communication
channel.
4) The Security Team will never ask for passwords for your host or your
Drupal install.
If you receive communications from someone saying they are a member of the
Security Team and their request is questionable, please forward the email to
the team at security(a)drupal.org.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
* Advisory ID: DRUPAL-SA-CONTRIB-2011-010
* Project: Messaging (third-party module)
* Version: 6.x
* Date: 2011-February-16
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Messaging module is a framework that allows messages to be sent in a
channel-independent way. It provides a common API for message composition and
sending while allowing plug-ins for multiple messaging methods. The module
does not sanitize some of the user-supplied data before displaying it, leading
to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious
user gaining full administrative access. This vulnerability is mitigated by
the fact that the attacker must have a role with the 'administer messaging'
permission, which should generally only be granted to trusted roles.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Messaging module for Drupal 6.x versions prior to 6.x-2.4 and
6.x-4.0-beta8
Drupal core is not affected. If you do not use the contributed Messaging [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Messaging module version 6.x-2.x, upgrade to Messaging
6.x-2.4 [3].
* If you use the Messaging module version 6.x-4.x, upgrade to Messaging
6.x-4.0-beta8 [4].
See also the Messaging project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Justin Klein Keane [6]
-------- FIXED BY ------------------------------------------------------------
* Jose Reyero [7], module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org [9] or
via the form at http://drupal.org/contact [10].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/messaging
[3] http://drupal.org/node/1064014
[4] http://drupal.org/node/1064026
[5] http://drupal.org/project/messaging
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/4299
[8] http://drupal.org/security-team
[9] http://drupal.org
[10] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2011-009
* Project: Droptor (third-party module)
* Version: 6.x
* Date: 2011-February-02
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring
and management solution. When capturing memory logging information, the module
does not filter the value of the current page request variable. This
vulnerability can be exploited to perform an SQL Injection attack [1]. It is
mitigated by the fact that memory monitoring must be enabled, which is not the
default configuration.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Droptor module for Drupal 6.x before version 6.x-2.8
Only sites that have "memory monitoring" enabled in their Droptor settings
page are affected. The Drupal 7 version of this module is not affected.
Drupal core is not affected. If you do not use the contributed Droptor [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Droptor module for Drupal 6.x before version 6.x-2.8,
upgrade to Droptor 6.x-2.8 [3].
See also the Droptor project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Heine Deelstra [5] and Peter Wolanin [6], of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Justin Emond (jemond [7]), module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org [9] or
via the form at http://drupal.org/contact [10].
[1] http://en.wikipedia.org/wiki/Sql_injection
[2] http://drupal.org/project/droptor
[3] http://drupal.org/node/1049098
[4] http://drupal.org/project/droptor
[5] http://drupal.org/user/17943
[6] http://drupal.org/user/
[7] http://drupal.org/user/186334
[8] http://drupal.org/security-team
[9] http://drupal.org
[10] http://drupal.org/contact