Biztonsági figyelmeztetések

SA-CONTRIB-2014-089 - Geofield Yandex Maps - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2014. szeptember 17. 16.40
Description

The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site.

The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker would need permission to create nodes or entities using the Geofield widget.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Geofield Yandex Maps 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Geofield Yandex Maps module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Geofield Yandex Maps project page.

Reported by
  • Matt V. (provisional member of the Drupal Security Team)
Fixed by
  • Matt V. (provisional member of the Drupal Security Team)
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2014. szeptember 17. 16.11
Description

Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites.

Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for "Flag as Inappropriate" within the Mollom advanced configuration settings (which is not the default setting).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
  • Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10

Drupal core is not affected. If you do not use the contributed Mollom module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Mollom project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at href="https://www.drupal.org/contact">https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure

Biztonsági figyelmeztetések (contrib) - 2014. szeptember 10. 19.23
Description

Drupal Commerce is used to build eCommerce websites and applications of all sizes.

The commerce_order module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of email addresses.

This vulnerability is mitigated by the fact that the commerce_checkout module must be enabled with the default rule configuration enabled that creates new user accounts when an anonymous user completes the checkout process.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module,
there is nothing you need to do.

Solution

Drupal Commerce 1.10 includes an update function that will change all user names on the site that look like email addresses. This can be a disruptive process for some sites and therefore must be enabled explicitly by the update administrator. If you don't run the default update function you need to make sure yourself that user names are not valid email addresses.

To enable the username cleaning update function, you must set the commerce_checkout_run_update_7103 variable to TRUE before running update.php or drush updb: You can either use $conf['commerce_checkout_run_update_7103'] = TRUE; in settings.php or drush vset commerce_checkout_run_update_7103 1.

Then install the latest version:

In case you don't want to apply the default update function you can just run update.php without the variable and the update function will be skipped.

Also see the Drupal Commerce project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2014. szeptember 10. 17.04
Description

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates.

User input is not properly sanitized in all use cases, opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability is only present when the custom breadcrumb is configured with the <none> special identifier so that some of the breadcrumb items are not links. Typical example is that the last breadcrumb element is showing the current page title but is not a link. The XSS vulnerability is not triggered if all items of the breadcrumb are links and special identifier <none> is not used.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
  • Custom Breadcrumbs 6.x-2.x versions are NOT affected
  • Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1

Drupal core is not affected. If you do not use the contributed Custom Breadcrumbs module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Breadcrumbs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CONTRIB-2014-085 - Ubercart - Information disclosure

Biztonsági figyelmeztetések (contrib) - 2014. szeptember 10. 16.58
Description

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.

The per-user order history view is not properly protected.

This vulnerability is mitigated by the fact that an attacker must have an account with the "view own orders" permission and can only view order IDs, dates, statuses and totals with the default configuration.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Ubercart 7.x-3.x versions prior to 7.x-3.7.

Drupal core is not affected. If you do not use the contributed Ubercart module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-084 - Avatar Uploader - Information Disclosure

Biztonsági figyelmeztetések (contrib) - 2014. szeptember 3. 16.08
Description

The Avatar Uploader enables you to upload user pictures in a user-friendly way, like Quora and Facebook.

The module doesn't sufficiently check the picture path when a user crops the picture in the uploader panel allowing a malicious user to make specially crafted requests to obtain sensitive server files that are readable by the webserver user.

This vulnerability is mitigated by the fact that an attacker must know or guess the relative path out of the temporary directory and to the sensitive files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Avatar_Uploader 6.x-1.x versions prior to 6.x-1.2
  • Avatar_Uploader 7.x-1.x versions prior to 7.x-1.0-beta5

Drupal core is not affected. If you do not use the contributed Avatar Uploader module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Avatar Uploader project page.

Reported by Fixed by Coordinated by
  • Greg Knaddison of the Drupal Security Team
  • Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Drupal version: Drupal 6.xDrupal 7.x

    Oldalak

    Feliratkozás drupal.hu hírolvasó - Biztonsági figyelmeztetések csatornájára