Biztonsági figyelmeztetések

• Advisory ID: DRUPAL-SA-CONTRIB-2013-027
• Project: Professional (third-party theme)
• Version: 7.x
• Date: 2013-February-06
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

This third-party contributed theme change Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Professional Theme versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Professional theme, there is nothing you need to do.

Solution

Install the latest version:

• Professional Theme 7.x-1.4

Also see the Professional project page.

Reported by

• Greg Knaddison of the Drupal Security Team

Fixed by

• saran.quardz the theme maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-026
• Project: Best Responsive (third-party theme)
• Version: 7.x
• Date: 2013-February-27
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

Best Responsive theme is a light weight Drupal 7 theme with a modern look and feel.

The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Best Responsive Theme 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Best Responsive theme, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Best responsive Theme for Drupal 7.x, upgrade to Best responsive Theme 7.x-1.1

Also see the Best Responsive project page.

Reported by

• Greg Knaddison of the Drupal Security Team

Fixed by

• saran.quardz the theme maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-025
• Project: Fresh theme (third-party theme)
• Version: 7.x
• Date: 2013-February-27
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

This third-party contributed theme change Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Fresh Theme versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Fresh Theme, there is nothing you need to do.

Solution

Install the latest version:

• Fresh Theme 7.x-1.4

Also see the Fresh Theme project page.

Reported by

• Greg Knaddison of the Drupal Security Team

Fixed by

• saran.quardz the theme maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-024
• Project: Creative Theme (third-party theme)
• Version: 7.x
• Date: 2013-February-27
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

Creative Theme is a light weight Drupal 7 theme with a modern look and feel.

The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Creative Theme 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Creative Theme, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Creative Theme for Drupal 7.x, upgrade to Creative Theme 7.x-1.2

Also see the Creative Theme project page.

Reported by

• Greg Knaddison of the Drupal Security Team

Fixed by

• saran.quardz the theme maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CORE-2013-002
• Project: Drupal core
• Version: 7.x
• Date: 2013-February-20
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Denial of service

Description

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Drupal core 7.x versions prior to 7.20.

Solution

Install the latest version:

• If you use Drupal 7.x, upgrade to Drupal core 7.20.

Also see the Drupal core project page.

Reported by

• Bèr Kessels
• aBrookland
• Chad Fennell

Fixed by

• Damien Tournoud of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• David Rothstein of the Drupal Security Team
• Heine Deelstra of the Drupal Security Team
• Bèr Kessels

Coordinated by

• David Rothstein of the Drupal Security Team
• Stéphane Corlosquet of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CORE-2013-002
• Project: Drupal core
• Version: 7.x
• Date: 2013-February-20
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Denial of service

Description

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Drupal core 7.x versions prior to 7.20.

Solution

Install the latest version:

• If you use Drupal 7.x, upgrade to Drupal core 7.20.

Also see the Drupal core project page.

Reported by

• Bèr Kessels
• aBrookland
• Chad Fennell

Fixed by

• Damien Tournoud of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• David Rothstein of the Drupal Security Team
• Heine Deelstra of the Drupal Security Team
• Bèr Kessels

Coordinated by

• David Rothstein of the Drupal Security Team
• Stéphane Corlosquet of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-023
• Project: Varnish HTTP Accelerator Integration (third-party module)
• Version: 6.x, 7.x
• Date: 2013-February-20
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

This module provides integration between your Drupal site and the Varnish HTTP Accelerator, an advanced and very fast reverse-proxy system.

The module doesn't sufficiently filter user-supplied text provided in the configuration settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Varnish".

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Varnish 6.x-1.x versions prior to 6.x-1.2.
• Varnish 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Varnish HTTP Accelerator Integration module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Varnish module for Drupal 6.x, upgrade to Varnish 6.x-1.2
• If you use the Varnish module for Drupal 7.x, upgrade to Varnish 7.x-1.0-beta2

Also see the Varnish HTTP Accelerator Integration project page.

Reported by

• Ivo Van Geertruyen of the Drupal Security Team

Fixed by

• Josh Koenig the module maintainer
• Fabian Sörqvist the module maintainer
• Ivo Van Geertruyen of the Drupal Security Team

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-022
• Project: Menu Reference (third-party module)
• Version: 7.x
• Date: 2013-February-20
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

Module Menu Reference doesn't escape HTML that contains menu link title displayed in Menu Reference "Rendered links" formatter.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu items" to insert HTML code in menu link title.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Menu Reference 7.x-1.x versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Menu Reference module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Menu Reference module for Drupal 7.x, upgrade to Menu Reference 7.x-1.1

Also see the Menu Reference project page.

Reported by

• Tamás Demeter-Haludka

Fixed by

• Tomáš Barej the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-021
• Project: Display Suite (third-party module)
• Version: 7.x
• Date: 2013-February-20
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

In certain situations, Display Suite does not properly sanitize user-supplied data, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the site must use a contributed module that alters usernames such as the realname module and the author field must be displayed as plain text "author".

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Display Suite 7.x-1.x versions prior to 7.x-1.7.
• Display Suite 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed Display Suite module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Display Suite module for Drupal 7.x-1.x, upgrade to Display Suite 7.x-1.7
• If you use the Display Suite module for Drupal 7.x-2.x, upgrade to Display Suite 7.x-2.1

Also see the Display Suite project page.

Reported by

• Stéphane Corlosquet of the Drupal Security Team

Fixed by

• Stéphane Corlosquet of the Drupal Security Team
• Kristof De Jaeger the module maintainer

Coordinated by

• Stéphane Corlosquet of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-020
• Project: Ubercart (third-party module)
• Version: 7.x
• Date: 2013-February-20
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.

The "full name" field in Views did not properly sanitize output.

The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Ubercart 7.x-3.x versions prior to 7.x-3.4.

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.4

Also see the Ubercart project page.

Reported by

• 20th

Fixed by

• 20th
• Dave Long the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-019
• Project: Ubercart Views (third-party module)
• Version: 6.x
• Date: 2013-February-20
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

Ubercart Views provides Views integration for the Ubercart shopping cart module.

The "full name" field in Views is not properly sanitized on output.

The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All versions of Ubercart Views for Drupal 6.x prior to 6.x-3.3.

Drupal core is not affected. If you do not use the contributed Ubercart Views module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Ubercart Views module for Drupal 6.x, upgrade to Ubercart Views 6.x-3.3

Also see the Ubercart Views project page.

Reported by

• 20th

Fixed by

• 20th
• Dave Long the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-018
• Project: Taxonomy Manager (third-party module)
• Version: 6.x, 7.x
• Date: 2013-February-20
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Request Forgery

Description

The Taxonomy Manager provides an advanced interface for administrating taxonomy vocabularies.

The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability.

This vulnerability is mitigated by the fact that an attacker must trick a user with 'administer taxonomy' permissions onto a prepared page with a site-specific malicious HTML form submission.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Taxonomy Manager 6.x-2.x versions prior to 6.x-2.2.
• Taxonomy Manager 7.x-1.x versions prior to 7.x-1.0-rc1.

Drupal core is not affected. If you do not use the contributed Taxonomy Manager module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Taxonomy Manager module for Drupal 6.x, upgrade to Taxonomy Manager 6.x-2.3
• If you use the Taxonomy Manager module for Drupal 7.x, upgrade to Taxonomy Manager 7.x-1.0-rc2

Also see the Taxonomy Manager project page.

Reported by

• Matthias Hutterer the module maintainer

Fixed by

• Matthias Hutterer the module maintainer

Coordinated by

• Klaus Purer of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-017
• Project: Yandex.Metrics (third-party module)
• Version: 6.x, 7.x
• Date: 2013-February-20
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

The Yandex.Metrics module enables you to install Yandex.Metrica tracking code and watch reports by key indicators of user activity.
The module doesn't sufficiently escape Yandex.Metrica service data when being displayed.
This vulnerability is mitigated by the fact that it only impacts sites with published content which contains special code and which is indexed by Yandex search engine.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Yandex.Metrics 6.x-1.x versions prior to 6.x-1.6.
• Yandex.Metrics 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Yandex.Metrics module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Yandex.Metrics module for Drupal 6.x, upgrade to Yandex.Metrics 6.x-1.6
• If you use the Yandex.Metrics module for Drupal 7.x, upgrade to Yandex.Metrics 7.x-1.5

Also see the Yandex.Metrics project page.

Reported by

• Konstantin Komelin

Fixed by

• Konstantin Komelin

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-016
• Project: Banckle Chat (third-party module)
• Version: 7.x
• Date: 2013-February-13
• Security risk: Highly critical
• Exploitable from: Remote
• Vulnerability: Access bypass

Description

This module enables you to chat with the visitors of your web site.

The module doesn't sufficiently check access to its admin pages.

This vulnerability is not mitigated.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All Banckle Chat 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Banckle Chat module, there is nothing you need to do.

Solution

Uninstall the module.

Also see the Banckle Chat project page.

Reported by

• Wale Adesanya
• Lau Futtrup Rasmussen

Fixed by

Not applicable.

Coordinated by

• Gerhard Killesreiter of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-015
• Project: Manager Change for Organic Groups (third-party module)
• Version: 7.x
• Date: 2013-February-13
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

This module extends Organic Groups to allow the manager of a group to select a new manager for their group (ie if they want to leave the group).

The autocomplete field for selecting a new manager didn't properly filter usernames.

The vulnerability is mitigated by the fact that Drupal's default registration validation prevents the creation of username that contain cross site scripting attacks. However, a contributed module may bypass that validation or alter the way usernames are loaded in a way that introduces an attack vector.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Manager Change for Organic Groups 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the 2.x branch of the Manager Change for Organic Groups module for Drupal 7.x, upgrade to Manager Change for Organic Groups 7.x-2.1

Also see the Manager Change for Organic Groups project page.

Reported by

• Michael Hess of the Drupal Security Team

Fixed by

• Joe Haskins the module maintainer

Coordinated by

• Michael Hess of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-014
• Project: Drush Debian Packaging (third-party module)
• Version: 7.x
• Date: 2013-January-30
• Security risk: Critical
• Exploitable from: Local
• Vulnerability: Information Disclosure

Description

This package is a tool to build debian packages from a Drupal instance.

The module doesn't sufficiently protect database credentials.

This vulnerability is mitigated by the fact that an attacker must have shell access to the server.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All versions.

Drupal core is not affected. If you do not use the contributed Drush Debian Packaging module, there is nothing you need to do.

Solution

Uninstall the package.

Also see the Drush Debian Packaging project page.

Reported by

• jiri-catalyst

Fixed by

Not applicable.

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-013
• Project: Boxes (third-party module)
• Version: 7.x
• Date: 2013-January-30
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Description

The subject field for the included simple box doesn't escape HTML properly.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer/edit boxes.

Wikipedia has more information about cross site scripting (XSS).

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Boxes 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Boxes module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Boxes module for Drupal 7.x, upgrade to Boxes 7.x-1.1

Also see the Boxes project page.

Reported by

• Laura Dickinson

Fixed by

• Tirdad Chaharlengi the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-012
• Project: Google Authenticator login (third-party module)
• Version: 7.x
• Date: 2013-January-30
• Security risk: Highly critical
• Exploitable from: Remote
• Vulnerability: Access bypass

Description

This module will allow you to add Time-based One-time Password Algorithm (also called "Two Step Authentication" or "Multi-Factor Authentication") support to user logins.

Users with the permission to use multi-factor authentication need to associate a Google Authenticator token with their acount before they can use the multi-factor authentication for login. If this step is not done or not completed, their accounts can be logged-in to by supplying the username only due to a logic bug in the module's validation. This means that when an administrator enables the module and grants the permission to use multi-factor authentication all user accounts with that permission can be logged-in to via the username.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All 7.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Google Authenticator login module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Google Authenticator login module for Drupal 7.x, upgrade to Google Authenticator login 7.x-1.3

Also see the Google Authenticator login project page.

Reported by

• Patrick C.

Fixed by

• attiks the module maintainer

Coordinated by

• Heine Deelstra of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2013-011
• Project: email2image (third-party module)
• Version: 6.x
• Date: 2013-January-30
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass

Description

This module creates images of user email addresses and email fields. The module doesn't sufficiently check node access restrictions when displaying such fields.

This vulnerability is mitigated by the fact that it only impacts sites using node access.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All email2image 6.x-1.x and 6.x-2.x versions.

Drupal core is not affected. If you do not use the contributed email2image module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the email2image module for Drupal 6.x you should uninstall the module

Also see the email2image project page.

Reported by

• Ayesh Karunaratne

Fixed by

Not applicable.

Coordinated by

• Lee Rowlands of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.