[Security-news] SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Nov 20 23:25:09 UTC 2013


View online: https://drupal.org/SA-CORE-2013-003

   * Advisory ID: DRUPAL-SA-CORE-2013-003
   * Project: Drupal core [1]
   * Version: 6.x, 7.x
   * Date: 2013-November-20
   * Security risk: Highly critical [2]
   * Exploitable from: Remote
   * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION
---------------------------------------------------------

Multiple vulnerabilities were fixed in the supported Drupal core versions 6
and 7.

.... Multiple vulnerabilities due to optimistic cross-site request forgery
       protection (Form API validation - Drupal 6 and 7)

Drupal's form API has built-in cross-site request forgery (CSRF) validation,
and also allows any module to perform its own validation on the form.  In
certain common cases, form validation functions may execute unsafe
operations.  Given that the CSRF protection is an especially important
validation, the Drupal core form API has been changed in this release so that
it now skips subsequent validation if the CSRF validation fails.

This vulnerability is mitigated by the fact that a form validation callback
with potentially unsafe side effects must be active on the site, and none
exist in core. However, issues were discovered in several popular contributed
modules which allowed remote code execution that made it worthwhile to fix
this issue in core. Other similar issues with varying impacts are likely to
have existed in other contributed modules and custom modules and therefore
will also be fixed by this Drupal core release.

.... Multiple vulnerabilities due to weakness in pseudorandom number
       generation using mt_rand() (Form API, OpenID and random password
       generation - Drupal 6 and 7)

Drupal core directly used the mt_rand() pseudorandom number generator for
generating security related strings used in several core modules. It was
found that brute force tools could determine the seeds making these strings
predictable under certain circumstances.

This vulnerability has no mitigation; all Drupal sites are affected until the
security update has been applied.

.... Code execution prevention (Files directory .htaccess for Apache - Drupal
       6 and 7)

Drupal core attempts to add a "defense in depth" protection to prevent script
execution by placing a .htaccess file into the files directories that stops
execution of PHP scripts on the Apache web server. This protection is only
necessary if there is a vulnerability on the site or on a server that allows
users to upload malicious files. The configuration in the .htaccess file did
not prevent code execution on certain Apache web server configurations. This
release includes new configuration to prevent PHP execution on several
additional common Apache configurations. If you are upgrading a site and the
site is run by Apache you must fix the file manually, as described in the
"Solution" section below.

This vulnerability is mitigated by the fact it only relates to a defense in
depth mechanism, and sites would only be vulnerable if they are hosted on a
server which contains code that does not use protections similar to those
found in Drupal's file API to manage uploads in a safe manner.

.... Access bypass (Security token validation - Drupal 6 and 7)

The function drupal_valid_token() can return TRUE for invalid tokens if the
caller does not make sure that the token is a string.

This vulnerability is mitigated by the fact that a contributed or custom
module must invoke drupal_validate_token() with an argument that can be
manipulated to not be a string by an attacker. There is currently no known
core or contributed module that would suffer from this vulnerability.

.... Cross-site scripting (Image module - Drupal 7)

Image field descriptions are not properly sanitized before they are printed
to HTML, thereby exposing a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a
permission to administer field descriptions, for example the "administer
taxonomy" permission to edit fields on taxonomy terms.

.... Cross-site scripting (Color module - Drupal 7)

A cross-site scripting vulnerability was found in the Color module. A
malicious attacker could trick an authenticated administrative user into
visiting a page containing specific JavaScript that could lead to a reflected
cross-site scripting attack via JavaScript execution in CSS.

This vulnerability is mitigated by the fact that it can only take place in
older browsers, and in a restricted set of modern browsers, namely Opera
through user interaction, and Internet Explorer under certain conditions.

.... Open redirect (Overlay module - Drupal 7)

The Overlay module displays administrative pages as a layer over the current
page (using JavaScript), rather than replacing the page in the browser
window. The Overlay module did not sufficiently validate URLs prior to
displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against
site users who have the "Access the administrative overlay" permission.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Drupal core 6.x versions prior to 6.29.
   * Drupal core 7.x versions prior to 7.24.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use Drupal 6.x, upgrade to Drupal core 6.29 [4].
   * If you use Drupal 7.x, upgrade to Drupal core 7.24 [5].

-------- WARNING: FIXING THE CODE EXECUTION PREVENTION MAY REQUIRE SERVER
           CONFIGURATION; PLEASE READ:
-----------------------------------------

To fix the code execution prevention vulnerability on existing Apache
installations also requires changes to your site's .htaccess files in the
files directories. Until you do this, your site's status report page at
admin/reports/status will display error messages about the problem. Please
note that if you are using a different web server such as Nginx the .htaccess
files have no effect and you need to configure PHP execution protection
yourself in the respective server configuration files.

To fix this issue, you must edit or replace the old .htaccess files manually.
    Copies of the .htaccess files are found in the public files directory and
temporary files directory, and (for Drupal 7 only) the private files
directory if your site is configured to use one.  To find the location of
these directories, consult the error messages at admin/reports/status, or
visit the file system configuration page at admin/settings/file-system
(Drupal 6) or admin/config/media/file-system (Drupal 7).

Go onto your server, navigate to each directory, and replace or create the
.htaccess file in this directory with the contents described below.
Alternatively, you can remove the .htaccess file from each directory using a
tool like SFTP and then visit the file system configuration page
(admin/settings/file-system in Drupal 6 or admin/config/media/file-system in
Drupal 7) and click the save button to have Drupal create the file
automatically.

The recommended .htaccess file contents are as follows.

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

     # Override the handler again if we're run later in the evaluation list.
     SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003


# If we know how to do it safely, disable the PHP engine entirely.

     php_flag engine off

# PHP 4, Apache 1.

     php_flag engine off

# PHP 4, Apache 2.

     php_flag engine off



For Drupal 7:


# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

     # Override the handler again if we're run later in the evaluation list.
     SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003


# If we know how to do it safely, disable the PHP engine entirely.

     php_flag engine off
Also see the Drupal core [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * The form validation cross-site request forgery issue was reported by  
Heine
     Deelstra [7] of the Drupal Security Team.
   * The non-random seed vulnerability was reported by David Stoline [8] of  
the
     Drupal Security Team.
   * The code execution prevention vulnerability was reported by Lee Rowlands
     [9] of the Drupal Security Team, Miguel Jacq [10], artfulrobot [11], and
     Dave Fletcher [12].
   * The token access bypass issue was reported by Heine Deelstra [13] of the
     Drupal Security Team.
   * The Image module cross-site scripting issue was reported by Francisco
     José Cruz Romanos [14].
   * The Color module cross-site scripting issue was reported by Mauro Gentile
     [15].
   * The open redirect in the Overlay module was reported by Stephane
     Corlosquet [16] of the Drupal Security Team, and by Sebastian Nerz.

-------- FIXED BY
------------------------------------------------------------

   * The form validation cross-site request forgery issue was fixed by Lee
     Rowlands [17] and Klaus Purer [18], both of the Drupal Security Team.
   * The non-random seed vulnerability was fixed by Owen Barton [19], David
     Stoline [20], Heine Deelstra [21], Damien Tournoud [22], and Peter  
Wolanin
     [23], all of the Drupal Security Team.
   * The code execution prevention vulnerability was fixed by David Rothstein
     [24] of the Drupal Security Team, Morbus Iff [25] of the Drupal Security
     Team, Dan Reif [26], Antoine Beaupré [27], Miguel Jacq [28], Christopher
     Gervais [29], and Herman van Rink [30].
   * The token access bypass issue was fixed by Heine Deelstra [31], Klaus
     Purer [32], and David Rothstein [33], all of the Drupal Security Team.
   * The Image module cross-site scripting issue was fixed by Francisco José
     Cruz Romanos [34], and Peter Wolanin [35] of the Drupal Security Team.
   * The Color module cross-site scripting issue was fixed by David Rothstein
     [36] of the Drupal Security Team.
   * The open redirect in the Overlay module was fixed by Heine Deelstra [37]
     of the Drupal Security Team.

-------- COORDINATED BY
------------------------------------------------------

The Drupal Security Team [38]

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [39].

Learn more about the Drupal Security team and their policies [40], writing
secure code for Drupal [41], and securing your site [42].


[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/drupal-6.29-release-notes
[5] http://drupal.org/drupal-7.24-release-notes
[6] http://drupal.org/project/drupal
[7] https://drupal.org/user/17943
[8] https://drupal.org/user/329570
[9] https://drupal.org/user/395439
[10] https://drupal.org/user/153206
[11] https://drupal.org/user/1206300
[12] https://drupal.org/user/72475
[13] https://drupal.org/user/17943
[14] https://drupal.org/user/848238
[15] https://drupal.org/user/1862060
[16] https://drupal.org/user/52142
[17] https://drupal.org/user/395439
[18] https://drupal.org/user/262198
[19] https://drupal.org/user/19668
[20] https://drupal.org/user/329570
[21] https://drupal.org/user/17943
[22] https://drupal.org/user/22211
[23] https://drupal.org/user/49851
[24] https://drupal.org/user/124982
[25] https://drupal.org/user/9034
[26] https://drupal.org/user/454444
[27] https://drupal.org/user/1274
[28] https://drupal.org/user/153206
[29] https://drupal.org/user/368613
[30] https://drupal.org/user/449000
[31] https://drupal.org/user/17943
[32] https://drupal.org/user/262198
[33] https://drupal.org/user/124982
[34] https://drupal.org/user/848238
[35] https://drupal.org/user/49851
[36] https://drupal.org/user/124982
[37] https://drupal.org/user/17943
[38] https://drupal.org/security-team
[39] http://drupal.org/contact
[40] http://drupal.org/security-team
[41] http://drupal.org/writing-secure-code
[42] http://drupal.org/security/secure-configuration



More information about the Security-news mailing list