[Security-news] Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003

security-news at drupal.org
Wed Jan 17 20:04:16 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-003

Project: Bible [1]
Date: 2018-January-17
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:Some/II:All/E:Proof/TD:All [2]
Vulnerability: Multiple Vulnerabilities

Description: 
This module enables you to display a Bible on your website. Users can
associate notes with a Bible version.

This module has a vulnerability that would allow an attacker, using a
carefully crafted title, to wipe out, update or read notes from other users.

To exploit this, a user must have the "Access Bible content" privilege, which
is most likely the default if you have enabled this module.

The code appeared to allow other SQL injection vulnerabilities as well. Many
lines of code were rewritten to make this module more secure. Therefore, even
if you did not give users the "Access Bible content" privilege, there may
have been other SQL vulnerabilities which could have been exploited.

Solution: 
Install the latest version:

   * If you use the Bible module for Drupal 7.x, upgrade to Bible 7.x-1.7 [3]

Reported By: 
   * jfhovinne [4]

Fixed By: 
   * Berend de Boer [5] the module maintainer
   * László Csécsy (Boobaa) [6] the module maintainer

Coordinated By: 
   * Michael Hess [7] of the Drupal Security Team


[1] https://www.drupal.org/project/bible
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/bible/releases/7.x-1.7
[4] https://www.drupal.org/user/77723
[5] https://www.drupal.org/user/143552
[6] https://www.drupal.org/user/199303
[7] https://www.drupal.org/u/mlhess
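
Added example, not part of the original advisory or the Bible project's code:
a Python check that walks a Drupal docroot and reports whether each installed
copy of the module is older than the fixed release 7.x-1.7. It assumes the
module's info file is named bible.info and carries the drupal.org packaging
"version" line, and that releases after 7.x-1.7 keep the fix.

```python
import os
import re
import tempfile

FIXED = (1, 7)  # Bible 7.x-1.7, the release named in the advisory
# Assumption: bible.info contains the drupal.org packaging line version = "7.x-1.N"
VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\r\n]+?)"?\s*$', re.M)
RELEASE = re.compile(r'^7\.x-(\d+)\.(\d+)$')


def classify(info_text):
    """Return (version, status) for the contents of a bible.info file."""
    found = VERSION_LINE.search(info_text)
    if not found:
        # Git checkouts have no packaged version line: needs a manual look.
        return None, "review"
    version = found.group(1)
    release = RELEASE.match(version)
    if not release:
        # Dev snapshots and pre-releases (e.g. 7.x-1.x-dev) cannot be ordered.
        return version, "review"
    numbers = tuple(int(n) for n in release.groups())
    return version, "fixed" if numbers >= FIXED else "vulnerable"


def scan(docroot):
    """Find every bible.info under docroot and classify it."""
    results = []
    for folder, _dirs, files in os.walk(docroot):
        if "bible.info" in files:
            path = os.path.join(folder, "bible.info")
            with open(path, encoding="utf-8", errors="replace") as handle:
                results.append((path,) + classify(handle.read()))
    return sorted(results)


if __name__ == "__main__":
    # Constructed sample tree; point scan() at a real docroot instead.
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("a", "7.x-1.6"), ("b", "7.x-1.7")):
            target = os.path.join(root, "sites", site, "modules", "bible")
            os.makedirs(target)
            with open(os.path.join(target, "bible.info"), "w") as handle:
                handle.write('name = Bible\ncore = 7.x\nversion = "%s"\n' % ver)
        for path, version, status in scan(root):
            print(status, version, path)
```

A "review" result means the version could not be compared and the copy should
be checked by hand.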


