[Security-news] OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134
security-news at drupal.org
security-news at drupal.org
Wed Jul 22 19:26:07 UTC 2015
View online: https://www.drupal.org/node/2537860
* Advisory ID: DRUPAL-SA-CONTRIB-2015-134
* Project: OSF for Drupal [1] (third-party module)
* Version: 7.x
* Date: 2015-July-22
* Security risk: 15/25 ( Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request
Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Open Semantic Framework (OSF) for Drupal is a middleware layer that
allows structured data (RDF) and associated vocabularies (ontologies) to
"drive" tailored tools and data displays within Drupal.
The module is vulnerable to reflected Cross Site Scripting (XSS) because it
did not sufficiently filter user input values in some administration pages.
An attacker could exploit this vulnerability by making other users visit a
specially-crafted URL. Only sites with OSF Ontology module enabled are
affected.
Additionally, the module is vulnerable to Arbitrary file deletion. A
malicious user can cause an administrator to delete files by getting their
browser to make a request to a specially-crafted URL. Only sites with OSF
Ontology and OSF Import modules enabled are affected.
Also, some forms were vulnerable to Cross Site Request Forgery (CSRF). An
attacker could create new OSF datasets by getting an administrator's browser
to make a request to a specially-crafted URL. Only sites with OSF Import
module enabled are affected.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* OSF 7.x-3.x versions prior to 7.x-3.1.
Drupal core is not affected. If you do not use the contributed OSF for Drupal
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the OSF for Drupal module for Drupal 7.x, upgrade to OSF
7.x-3.1 [5]
Also see the OSF for Drupal [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Frederick Giasson [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/osf
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/osf
[5] https://www.drupal.org/node/2537120
[6] https://www.drupal.org/project/osf
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/512874
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
More information about the Security-news
mailing list