[Security-news] SA-CONTRIB-2014-045 - Drupal Commons - Multiple Vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Apr 23 22:05:40 UTC 2014


View online: https://drupal.org/node/2248171

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-045
   * Project: Drupal Commons [1] (third-party module)
   * Version: 7.x
   * Date: 2014-April-23
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

This SA contains two patches against Drupal Commons

.... Views Bulk Operations Access Bypass

Drupal commons comes with a view to moderate reported content, which is
intended for authenticated users to view which content has been reported.
Since it has hard coded VBO operations within the view, and Drupal Commons
doesn't come with the VBO 'access_permissions' submodule enabled, all views
bulk operations can be performed by anyone with access to the view. In its
default setting, this allows users to delete content from other users and
potentially ban other users from the site.

.... Anonymous Users can view Wiki revisions regardless of group privacy

Commons allows users of a group to edit a wiki created by anyone, regardless
of edit permissions. It is supposed to refer back to the group permissions
when creating this edit permission. However, the revisions permission hook
allows anyone (anonymous or authenticated) to view revisions and diffs
between revisions. This can potentially leak hidden data from groups a user
does not otherwise have access to.

-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Drupal Commons 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Drupal Commons
[4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Drupal Commons distribution for Drupal 7.x, upgrade to
     Drupal Commons 7.x-3.10 [5]

Also see the Drupal Commons [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Ezra Gildesgame [7]
   * Jakub Suchy [8] of the Drupal Security Team

-------- FIXED BY
------------------------------------------------------------

   * Jakob Perry [9] the module maintainer
   * Devin Carlson [10] the module maintainer

-------- COORDINATED BY
------------------------------------------------------

   * Ben Jeavons [11] of the Drupal Security Team
   * David Stoline [12] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]


[1] http://drupal.org/project/commons
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/commons
[5] https://drupal.org/node/2248299
[6] http://drupal.org/project/commons
[7] https://drupal.org/user/69959
[8] https://drupal.org/user/31977
[9] https://drupal.org/user/45640
[10] https://drupal.org/user/290182
[11] https://drupal.org/user/91990
[12] https://drupal.org/user/329570
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity



More information about the Security-news mailing list