
Security advisories

SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities

Security advisories (contrib) - 23 May 2012, 19:56
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-085
  • Project: BrowserID (Mozilla Persona) (third-party module)
  • Version: 7.x
  • Date: 2012-May-23
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery (results in Privilege Escalation)
Description

CVE: Requested

The BrowserID module provides integration with BrowserID (also known as Mozilla Persona) -- a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site.

The module did not sufficiently validate requests for authentication to log in, potentially allowing a Cross Site Request Forgery (CSRF) attack and introducing the possibility that logging in to a malicious site with BrowserID could give that site the ability to log in to other websites using your BrowserID identity.

Versions affected
  • BrowserID (Mozilla Persona) 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed BrowserID (Mozilla Persona) module, there is nothing you need to do.

Solution

Install the latest version:

This version adds a dependency on the Session API module. Make sure you install Session API before upgrading to BrowserID 7.x-1.3.

Also see the BrowserID (Mozilla Persona) project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-084 - Search API - Cross Site Scripting (XSS)

Security advisories (contrib) - 23 May 2012, 19:09
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-084
  • Project: Search API (third-party module)
  • Version: 7.x
  • Date: 2012-May-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't sufficiently sanitize user input in some cases when throwing exceptions or logging errors. This enables attackers to insert arbitrary data into a page by manipulating its URL. Users would have to open such a manipulated URL to see the changed content.

This is only possible in some setups of Search API, specifically when users can manually enter field identifiers in some way – e.g., through an exposed Views sort or with the old Facets module.

Versions affected
  • Search API 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Search API module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Search API module (especially with Views, the old Facets module or other advanced search forms) for Drupal 7.x, upgrade to Search API 7.x-1.1.
  • Run update.php to also ensure that previously stored log messages are sanitized.

Also see the Search API project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-083 - Taxonomy List - Cross Site Scripting (XSS)

Security advisories (contrib) - 23 May 2012, 18:08
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-083
  • Project: Taxonomy List (third-party module)
  • Version: 6.x
  • Date: 2012-May-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested

This module enables you to display the terms (and optionally nodes) under categories.

The module doesn't sufficiently sanitize user supplied text in the taxonomy information.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create or edit taxonomy terms.

Versions affected
  • Taxonomy List 6.x-1.x versions prior to 6.x-1.4.

The 6.x-2.x branch is not affected.

Drupal core is not affected. If you do not use the contributed Taxonomy List module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Taxonomy List project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-082 - Zen - Cross Site Scripting

Security advisories (contrib) - 16 May 2012, 22:38
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-082
  • Project: Zen (third-party theme)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.

The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.

This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.

Versions affected
  • Zen 6.x-1.x versions prior to 6.x-1.1

Drupal core is not affected. Zen versions 6.x-2.x are not affected. If you do not use the contributed Zen theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Zen theme for Drupal 6.x, upgrade to theme 6.x-1.1 or any later version.

If you copied code from the zen_breadcrumb function into a custom sub-theme's template.php file, you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check_plain(), like:

check_plain(menu_get_active_title());

Also see the Zen project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting

Security advisories (contrib) - 16 May 2012, 22:38
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-081
  • Project: Aberdeen (third-party theme)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.

The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.

This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.

Versions affected
  • Aberdeen 6.x-1.x versions prior to 6.x-1.11

Drupal core is not affected. If you do not use the contributed Aberdeen theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Aberdeen theme for Drupal 6.x, upgrade to theme 6.x-1.11.

If you copied code from the aberdeen_breadcrumb function into a custom sub-theme's template.php file, you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check_plain(), like:

check_plain(menu_get_active_title());
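The Zen (SA-CONTRIB-2012-082) and Aberdeen (SA-CONTRIB-2012-081) advisories describe the same defect and the same one-call fix. The script below is an added example, not code from either theme or from Drupal core: it puts a breadcrumb builder that concatenates the raw active title next to one that wraps the title in check_plain(), and runs both over a constructed node title that contains markup. breadcrumb_unsafe(), breadcrumb_safe() and contains_live_script() are hypothetical names; check_plain() is defined locally as htmlspecialchars() with ENT_QUOTES and UTF-8 (which is what Drupal 6/7's check_plain() does) so the script runs outside Drupal.

```php
<?php
// Added example, not theme or Drupal core code. Demonstrates the breadcrumb
// XSS from SA-CONTRIB-2012-081/082 and the check_plain() fix.

// Local stand-in for Drupal's check_plain() so this runs outside Drupal.
// Drupal 6/7 implement it as htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical builder mirroring the vulnerable pattern: the active page
// title is appended to the breadcrumb HTML without any filtering, so markup
// that an editor placed in a node title reaches the browser as markup.
function breadcrumb_unsafe(array $links, $active_title) {
  $links[] = $active_title;
  return '<div class="breadcrumb">' . implode(' &raquo; ', $links) . '</div>';
}

// Same builder with the advisory's fix: the title passes through
// check_plain(), so '<', '>', '&' and quotes are entity-encoded and the
// title renders as text. The earlier entries are links the theme built
// itself and are left alone; only markup the theme built may be trusted.
function breadcrumb_safe(array $links, $active_title) {
  $links[] = check_plain($active_title);
  return '<div class="breadcrumb">' . implode(' &raquo; ', $links) . '</div>';
}

// TRUE when the rendered breadcrumb still carries a live <script> element,
// i.e. the title was not neutralised. Used for the self-check below.
function contains_live_script($html) {
  return stripos($html, '<script') !== FALSE;
}

// Constructed input: a node title with embedded markup, the kind a user
// holding "create/edit content" permission could save.
$links = array('<a href="/">Home</a>', '<a href="/blog">Blog</a>');
$title = 'Q2 report <script>alert(1)</script>';

$unsafe = breadcrumb_unsafe($links, $title);
$safe   = breadcrumb_safe($links, $title);

echo "Unfiltered:  $unsafe\n";
echo "check_plain: $safe\n";

// Self-check: the unfiltered version carries the script element through,
// the check_plain() version turns it into inert text.
echo (contains_live_script($unsafe) && !contains_live_script($safe))
  ? "self-check OK: only the unfiltered breadcrumb contains live markup\n"
  : "self-check FAILED\n";
```

Run it with `php breadcrumb_example.php`. The point to carry into a sub-theme review is the asymmetry in breadcrumb_safe(): the link entries are output as-is because the theme generated them, while the active title is escaped because it originates in user-controlled node data. Any value that crosses that boundary (menu titles, taxonomy names, user names) needs the same treatment before it is concatenated into markup.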

Also see the Aberdeen project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass and Cross Site Scripting (XSS)

Security advisories (contrib) - 16 May 2012, 18:35
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-080
  • Project: Hostmaster (Aegir) (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Cross Site Scripting

CVE: Requested.

Hostmaster displays a log from tasks executed in Aegir's backend component, provision. In certain circumstances these log messages were not escaped properly before being displayed to the user. This vulnerability is mitigated by the fact that people wishing to exploit this must have access to the PHP code of either provision itself or one of the sites hosted by Aegir.

Access Bypass

CVE: Requested.

Hostmaster doesn't allow people to edit or create certain node types that are used for the internal representation of data. The implementation of this wasn't fully complete and would still allow privileged users to edit these nodes. This can cause some data corruption in the front-end, leading to tasks that would appear to never finish running. This vulnerability is mitigated by the fact that people wishing to exploit this must have the 'edit package' or 'administer nodes' permissions, which are not given to any roles by the default Aegir install.

Versions affected
  • Hostmaster 6.x-1.x versions prior to 6.x-1.9.

Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) module, there is nothing you need to do.

Solution

Follow the upgrade instructions in the release notes for the Aegir 1.9 release which can be found at: http://community.aegirproject.org/1.9

Also see the Hostmaster (Aegir) project page.

Reported by
  • The Cross Site Scripting vulnerability was reported by Steven Jones, one of the module maintainers.
  • The Access Bypass vulnerability was reported by Ivo Van Geertruyen of the Drupal Security Team.
Fixed by
  • The Cross Site Scripting vulnerability was fixed by Steven Jones, one of the module maintainers.
  • The Access Bypass vulnerability was fixed by Ivo Van Geertruyen of the Drupal Security Team and mig5, one of the module maintainers.
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported

Security advisories (contrib) - 16 May 2012, 18:21
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-079
  • Project: Post Affiliate Pro (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass
Description

CVE: Requested.

Post Affiliate Pro (PAP) is a module providing affiliate functionality for Ubercart and the Post Affiliate Pro application.
The module doesn't sufficiently filter user supplied text provided by users registering on the site, and also allows unauthorized users to view other users' commissions.

Versions affected
  • All versions of the module.

Drupal core is not affected. If you do not use the contributed Post Affiliate Pro module, there is nothing you need to do.

Solution

The module is no longer supported. Users should disable it. Users interested in continuing to use it should see the project page for more information.

Also see the Post Affiliate Pro project page.

Reported by
Fixed by

No fix was provided.

Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)

Security advisories (contrib) - 16 May 2012, 17:30
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-078
  • Project: Smart Breadcrumb (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The function filter_titles() incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text.

This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue.

Versions affected
  • Smart Breadcrumb 6.x-2.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Smart Breadcrumb module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Smart Breadcrumb project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-77 - Advertisement - Cross Site Scripting & Information Disclosure

Security advisories (contrib) - 16 May 2012, 17:16
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-077
  • Project: Advertisement (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities
Description

CVE: Requested.

This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages.
The module could, under certain conditions, expose limited site configuration information and a debugging mode did not sufficiently sanitize input, allowing for potential cross-site scripting (XSS).
This vulnerability is mitigated by the fact that exposed data must have been explicitly set in the $conf variable in settings.php.

Versions affected
  • Advertisement 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Advertisement module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Advertisement project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass

Security advisories (contrib) - 16 May 2012, 17:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-076
  • Project: Ubercart Product Keys (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

CVE: Requested.

This module enables you to sell product keys from an Ubercart store.

Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key.

Versions affected
  • Ubercart Product Keys 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Ubercart Product Keys module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart Product Keys project page.

Reported by
  • Daniel Glucksman
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-075 - Take Control - Cross Site Request Forgery (CSRF)

Security advisories (contrib) - 9 May 2012, 18:40
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-075
  • Project: Take Control (third-party module)
  • Version: 6.x
  • Date: 2012-May-09
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

This module enables you to manage your Drupal file-system from within Drupal itself.
The module does not sufficiently validate Ajax calls, leading to the possibility of a Cross Site Request Forgery (CSRF) attack.
This vulnerability is mitigated by the fact that the attacker must be able to guess your Drupal file-system root path exactly. Further, if your site follows the secure file-system permissions recommendations and the web-server account does not have write access to Drupal root, only files/folders in Drupal's "files" directory are open to manipulation.

Versions affected
  • Take Control 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Take Control module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Take Control project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-074 - Contact Forms - Access Bypass

Security advisories (contrib) - 9 May 2012, 18:36
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-074
  • Project: Contact Forms (third-party module)
  • Version: 7.x
  • Date: 2012-May-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form (without a drop down menu) with a unique path for each of the contact form categories.
The module allowed users to edit the Contact Forms settings if they had the 'access the site-wide contact form' permission instead of the more appropriate 'Administer contact forms and contact form settings' permission.
This vulnerability is only mitigated by the fact that an attacker must know the correct URL of the Contact Forms settings page (though it is the same on all Drupal sites).

Versions affected
  • Contact Forms 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Contact Forms module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Contact Forms project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-073 - Glossary - Cross-Site Scripting (XSS)

Security advisories (contrib) - 9 May 2012, 18:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-073
  • Project: Glossary (third-party module)
  • Version: 6.x
  • Date: 2012-May-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The glossary module scans posts for glossary terms, adding an indicator. By hovering over the indicator, users may learn the definition of that term.

The module does not sufficiently sanitize the taxonomy information. This leaves sites vulnerable to Cross-Site Scripting attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create or edit taxonomy terms.

Versions affected
  • Glossary 6.x-1.x versions prior to 6.x-1.8.

Drupal core is not affected. If you do not use the contributed Glossary module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Glossary project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-072 - cctags - Cross Site Scripting (XSS)

Security advisories (contrib) - 2 May 2012, 21:36
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-072
  • Project: cctags (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-May-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module enables you to create "tag clouds" with taxonomy terms displayed in different sizes depending on how frequently they are used on a site.
The module doesn't sufficiently filter user supplied text leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create or edit vocabularies or terms.

Versions affected
  • cctags 6.x-1.x versions prior to 6.x-1.10.
  • cctags 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed cctags module, there is nothing you need to do.

Solution

Install the latest version:

Also see the cctags project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2012-002 - Drupal core multiple vulnerabilities

Security advisories (core) - 2 May 2012, 17:17
  • Advisory ID: DRUPAL-SA-CORE-2012-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-May-2
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect
Description

Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login form to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters, which is needed to avoid the social engineering required to exploit the problem.
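The check this entry calls for is that a ?destination= value be a site-internal path before it is handed to the redirect. The script below is an added example, not Drupal core's code: destination_is_internal() and redirect_target_for() are hypothetical helper names, and the validator is a stand-alone approximation of the idea behind Drupal 7's url_is_external() in common.inc, extended (as an assumption about what a defender would want) to also reject protocol-relative and control-character targets. The '<front>' fallback is Drupal's placeholder for the front page; the test cases are constructed.

```php
<?php
// Added example, not Drupal core code. Validates a ?destination= value
// before it is used as a redirect target (SA-CORE-2012-002, CVE-2012-1589).

// Returns TRUE only for a site-relative path such as "node/1?x=y#frag".
function destination_is_internal($destination) {
  if (!is_string($destination) || $destination === '') {
    return FALSE;
  }
  // CR/LF or other control characters would corrupt the Location header.
  if (preg_match('/[\x00-\x1F\x7F]/', $destination)) {
    return FALSE;
  }
  // A colon that appears before any "/", "?" or "#" means a URL scheme is
  // present ("http://evil.example", "javascript:..."): treat as external.
  $colon = strpos($destination, ':');
  if ($colon !== FALSE && !preg_match('![/?#]!', substr($destination, 0, $colon))) {
    return FALSE;
  }
  // Protocol-relative targets ("//evil.example") and their backslash
  // variants ("/\evil.example", "\\evil.example") are also external: the
  // browser keeps only the scheme and goes to the named host.
  if (preg_match('!^\s*[/\\\\]{2}!', $destination)) {
    return FALSE;
  }
  return TRUE;
}

// Chooses the redirect path: the requested destination when it is internal,
// otherwise a known-safe fallback ('<front>' is Drupal's front-page token).
function redirect_target_for($destination, $fallback = '<front>') {
  return destination_is_internal($destination) ? $destination : $fallback;
}

// Constructed cases: destination value => whether it must be accepted.
$cases = array(
  'node/1'                      => TRUE,
  'user/1/edit?pass=1#profile'  => TRUE,
  'search/node/foo:bar'         => TRUE,   // colon after "/" is not a scheme
  'http://evil.example/login'   => FALSE,
  'HTTPS://evil.example'        => FALSE,
  'javascript:alert(1)'         => FALSE,
  '//evil.example/login'        => FALSE,
  '/\\evil.example'             => FALSE,
  "node/1\r\nSet-Cookie: x=y"   => FALSE,  // header-injection attempt
  ''                            => FALSE,
);

$failures = 0;
foreach ($cases as $destination => $expected) {
  $got = destination_is_internal($destination);
  if ($got !== $expected) {
    $failures++;
  }
  printf("%s %-34s -> %-8s (redirect to %s)\n",
         $got === $expected ? 'ok  ' : 'FAIL',
         json_encode($destination, JSON_UNESCAPED_SLASHES),
         $got ? 'internal' : 'external',
         redirect_target_for($destination));
}
echo $failures === 0 ? "all cases behaved as expected\n" : "$failures case(s) failed\n";
```

The design choice worth noting is reject-and-fallback rather than sanitise: a destination that fails the check is replaced wholesale by the front page instead of being trimmed into something plausible, because every trimming rule is one more thing an attacker can reason around. The same validator belongs wherever a redirect target is taken from the request, not only in the login form's handling of destination.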

Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum, then users who should not have access to unpublished forum posts were still able to see meta-data about the forum post, such as the post title.

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.

Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "view content overview" permission. Unpublished nodes were not displayed to users who only had the "view content overview" permission.

Versions affected
  • Drupal core 7.x versions prior to 7.13.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
Fixed by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported

Security advisories (contrib) - 2 May 2012, 16:34
Description

This module generates internal node to node, node to taxonomy or node to external URL links (crosslinks) automatically - ideal for SEO of your site's pages and partner pages.
This module does not protect against a Cross Site Scripting (XSS) attack. The vulnerability is mitigated by the fact that the attacker must be able to create or edit any of: content (nodes), vocabularies, or terms.

Versions affected
  • 6.x-2.5 and before

Drupal core is not affected. If you do not use the contributed Glossify Internal Links Auto SEO module, there is nothing you need to do.

Solution

Uninstall the module, it is no longer supported.

Also see the Glossify Internal Links Auto SEO project page.

Reported by
  • Andrei Turcanu
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported

Security advisories (contrib) - 2 May 2012, 16:33
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-070
  • Project: Taxonomy Grid : Catalog (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module provides a page where you can see each content type you've selected under terms from vocabularies you've selected.
This module does not properly filter user supplied text, resulting in a Cross Site Scripting bug. This vulnerability is mitigated by the fact that an attacker would need the ability to create or edit a vocabulary or term.

Versions affected
  • 6.x-1.6 and before

Drupal core is not affected. If you do not use the contributed Taxonomy Grid : Catalog module, there is nothing you need to do.

Solution

Uninstall the module.

Also see the Taxonomy Grid : Catalog project page.

Reported by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported

Security advisories (contrib) - 2 May 2012, 16:31
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-069
  • Project: Addressbook (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection
Description

This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request Forgery.

Versions affected
  • 6.x-4.2 and before

Drupal core is not affected. If you do not use the contributed Addressbook module, there is nothing you need to do.

Solution

This module is not supported. Uninstall the module.

Also see the Addressbook project page.

Reported by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported

Security advisories (contrib) - 2 May 2012, 16:09
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-068
  • Project: Node Gallery (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

Node Gallery enables users to create more flexible and powerful galleries that are fully integrated with Drupal's core node system.
This module does not protect against a CSRF attack when creating node galleries.

Versions affected
  • 6.x-3.1 and before

Drupal core is not affected. If you do not use the contributed Node Gallery module, there is nothing you need to do.

Solution

Uninstall the module, this module is no longer supported.

Also see the Node Gallery project page.

Reported by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Subscribe to the drupal.hu feed reader - Security advisories channel