Security advisories

SA-CONTRIB-2013-080 - Social Stats - Cross Site Scripting (XSS)

Security advisories (contrib) - 20 August 2014, 16:02
Description

The Social Stats module enables you to collect statistics from various social networks and use that data with the Views module as field data, sort criteria, or filter criteria.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "[Content Type]: Create new content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Social Stats 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Social Stats module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Social Stats module for Drupal 7.x, upgrade to 7.x-1.5

Also see the Social Stats project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2013-079 - RedHen CRM - Cross Site Scripting (XSS)

Security advisories (contrib) - 20 August 2014, 15:58
Description

The RedHen CRM project contains the redhen_dedup module which enables you to find duplicate contacts in the CRM.

The redhen_dedup module doesn't sufficiently filter administrator-entered text when deduplicating contacts, which creates a Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker needs the permission "administer redhen contacts".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RedHen CRM 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed RedHen CRM module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RedHen CRM project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-078 - Notify - Access bypass

Security advisories (contrib) - 13 August 2014, 18:39
Description

The notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites.

The Notify module does not sufficiently check whether the user has access to recently added or updated nodes and all the fields within the node before including the nodes in notification emails to a given user. This will expose node titles and potentially node teasers and fields to users who should not see them.

This vulnerability is mitigated by the fact that a site must use some form of access control and must be configured to include nodes with protected content in notifications.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Notify 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Notify module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Notify module for Drupal 7.x, upgrade to Notify 7.x-1.1

Also see the Notify project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-077 - TableField - Cross Site Scripting (XSS)

Security advisories (contrib) - 13 August 2014, 15:40
Description

This module enables you to create a field attached to an entity which stores tabular data. The module doesn't sufficiently sanitize the field help text when it is presented to a privileged user.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer content types" or "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • TableField 7.x-2.x versions prior to 7.x-2.3.
  • TableField versions for Drupal 6 are NOT affected.

Drupal core is not affected. If you do not use the contributed TableField module, there is nothing you need to do.

Solution

Install the latest version:

Also see the TableField project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-076 - Fasttoggle - Access bypass

Security advisories (contrib) - 6 August 2014, 22:16
Description

This module enables you to quickly toggle various user, node and field related settings via ajax links.

The recent 7.x-1.3 and 7.x-1.4 releases of the module include a rewrite of the access control which doesn't correctly implement support for the user status (allow/block) link.

This vulnerability is mitigated by the fact that the administrator must enable the link in the fasttoggle configuration and allow user profiles to be viewed by anonymous or logged in users. For user 1 to be affected, the administrator must also enable the fasttoggle setting that allows that account to be blocked via fasttoggle.

All uses of the Fasttoggle module are logged, so any invocations of the exploit will be recorded. Accounts can only be blocked or unblocked via the exploit.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Fasttoggle module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fasttoggle project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass

Security advisories (contrib) - 6 August 2014, 21:42
Description

This module provides AJAX-based auto-completion of fields in the Biblio node type (provided by the Biblio module), using previously entered values and third-party services.

The submodule "Biblio self autocomplete" for previously entered values doesn't sufficiently sanitize user input as it is used in a database query.

Additionally, the AJAX autocompletion callback itself was not properly secured, thus potentially allowing any visitor access to the data, including the anonymous user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Biblio Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

Additionally there is a new permission "access biblio autocomplete" for accessing the search. You need to give this permission to users with write permissions on Biblio nodes.

Also see the Biblio Autocomplete project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2014-004 - Drupal core - Denial of service

Security advisories (core) - 6 August 2014, 19:41
Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.
Solution

Install the latest version:

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.
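For sites that must keep XML-RPC reachable (the advisory notes that the .htaccess mitigation does not cover modules such as Services that expose the API at another URL), the defensive pattern is a pre-parse guard that refuses any document declaring a DTD, since XML-RPC and OpenID messages never legitimately need one. The following is an added example in Python, not Drupal's own fix; the size limit, the sample requests and the function names are constructed for illustration.

```python
"""Pre-parse guard for an XML-RPC endpoint against XML entity expansion.

Added example (not Drupal's code). SA-CORE-2014-004 describes xmlrpc.php and
the OpenID module being vulnerable to entity expansion payloads that exhaust
CPU, memory and database connections. Expansion happens inside the parser, so
the check has to run on the raw bytes before any parser touches the body.
"""
import re
import xml.etree.ElementTree as ET

# Upper bound on request body size; constructed value for the example.
MAX_BODY_BYTES = 64 * 1024

# Any DTD or entity declaration anywhere in the document is rejected outright.
# Matching on the raw text (case-insensitive, tolerant of whitespace after "<!")
# catches declarations the parser would otherwise expand.
_DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class RejectedXml(ValueError):
    """Raised when a request body fails the pre-parse checks."""


def guard_xml(body: bytes) -> bytes:
    """Return the body unchanged if it is safe to parse, else raise RejectedXml."""
    if len(body) > MAX_BODY_BYTES:
        raise RejectedXml("body exceeds %d bytes" % MAX_BODY_BYTES)
    if _DTD_MARKER.search(body):
        raise RejectedXml("DTD or entity declaration not allowed")
    return body


def parse_method_call(body: bytes) -> str:
    """Guard, then parse an XML-RPC methodCall and return its methodName."""
    root = ET.fromstring(guard_xml(body))
    if root.tag != "methodCall":
        raise RejectedXml("expected <methodCall>, got <%s>" % root.tag)
    name = root.findtext("methodName")
    if not name:
        raise RejectedXml("missing <methodName>")
    return name.strip()


# Constructed sample requests for demonstration.
BENIGN_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params/>
</methodCall>"""

# Constructed: an internal DTD whose entity the parser would expand on every
# reference. The guard rejects it before the parser ever sees it.
ENTITY_CALL = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [ <!ENTITY x "expanded"> ]>
<methodCall>
  <methodName>&x;</methodName>
</methodCall>"""


def classify(body: bytes) -> str:
    """Return 'accepted:<method>' or 'rejected:<reason>' for a request body."""
    try:
        return "accepted:" + parse_method_call(body)
    except RejectedXml as exc:
        return "rejected:" + str(exc)
    except ET.ParseError as exc:
        return "rejected:malformed XML (%s)" % exc


if __name__ == "__main__":
    for sample in (BENIGN_CALL, ENTITY_CALL):
        print(classify(sample))
```

The guard is deliberately stricter than the XML specification: rejecting every DOCTYPE also blocks benign DTDs, which is the right trade-off for an RPC endpoint that never uses them.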

Also see the Drupal core project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-074 - Storage API - Code execution prevention

Security advisories (contrib) - 30 July 2014, 21:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-074
  • Project: (third-party module)
  • Version: 7.x
  • Date: 2014-July-30
  • Security risk: (Less Critical)
  • Vulnerability: Arbitrary PHP code execution
Description

Storage API is a low-level framework for managed file storage and serving.

The module creates an .htaccess file in the files directory to prevent code execution, but it copied the Drupal core file and was not updated to include the improved file contents introduced after SA-CORE-2013-003.

This vulnerability is mitigated by the fact that it only relates to a defense-in-depth mechanism: sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads safely.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by

Reported publicly outside the Drupal Security Team reporting process.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2014-073 - Date - Cross Site Scripting (XSS)

Security advisories (contrib) - 30 July 2014, 17:25
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-073
  • Project: Date (third-party module)
  • Version: 7.x
  • Date: 2014-July-30
  • Security risk: Moderately Critical
  • Vulnerability: Cross Site Scripting
Description

The Date module provides a flexible date/time field type (the Date field) and a Date API that other modules can use.

The module incorrectly prints date field titles without proper sanitization thereby opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker must have permission to create Date fields, such as "administer taxonomy" to add date fields to taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Date module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the date module for Drupal 7.x, upgrade to Date 7.x-2.8

Also see the Date project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass

Security advisories (contrib) - 23 July 2014, 19:47
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-072
  • Project: freelinking (third-party module)
  • Project: freelinking case tracker (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-July-23
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as [[pluginname:identifier]].

The module doesn't sufficiently check access to content when displaying links to nodes and users. This makes it possible to see node titles, usernames and potentially other data depending on the site configuration.

This vulnerability is mitigated by the fact that a site must use node access or permissions to prevent some users from viewing some nodes or users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Freelinking and Freelinking Case Tracker.

Drupal core is not affected. If you do not use the contributed freelinking or freelinking Case tracker modules, there is nothing you need to do.

Solution

Uninstall the module; it is no longer maintained.

Also see the freelinking and freelinking case tracker project pages.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-071 - FileField - Access bypass

Security advisories (contrib) - 16 July 2014, 22:51
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-071
  • Project: FileField (third-party module)
  • Version: 6.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The FileField module enables you to define and use fields that contain files.

The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • FileField 6.x-3.x versions prior to 6.x-3.13.

Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

Security advisories (core) - 16 July 2014, 16:48
  • Advisory ID: DRUPAL-SA-CORE-2014-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.

Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.32.
  • Drupal core 7.x versions prior to 7.29.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
  • The access bypass vulnerability in the File module was reported by Ivan Ch.
  • The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
  • The cross-site scripting vulnerability in the Ajax system was reported by mani22test.
Fixed by
  • The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the Drupal Security Team.
  • The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by Drupal Security Team members David Rothstein, Heine Deelstra and David Snopek.
  • The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the Drupal Security Team.
  • The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the Drupal Security Team.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-070 - Password Policy - Access Bypass

Security advisories (contrib) - 16 July 2014, 15:19
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-070
  • Project: Password Policy (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-July-16
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.

Access Bypass (7.x only)

Password Policy has a Password Change Tab submodule which provides a tab for a user to change their password. Password Policy also has a history constraint which disallows a user from changing their password to one of a specified number of their previous passwords.

When the Password Change Tab module and the history constraint are both enabled, password history will not be stored for a user who changes their password using the password tab. This will allow the user to change their password to one of their previous passwords in violation of the history constraint.

This vulnerability is mitigated by the fact that it only exists when both the Password Change Tab module and the history constraint are enabled.

Access Bypass (6.x and 7.x)

Password Policy has a feature that allows an administrator to force one or more users to change their password at their next login. Under certain circumstances, the users may not actually be forced to change their passwords.

Specifically, if between the time the administrator flags a user for a forced password change and the time that user logs in, an update operation is programmatically performed on the user, the user will no longer be flagged for a forced password change. For instance, executing the Drush command drush user-add-role to add a role to a user who is flagged for a password change would cause that user to no longer be forced to change their password.

This vulnerability is mitigated by the fact that it only affects users for whom an administrator has forced a password change.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password Policy 6.x-1.x versions prior to 6.x-1.8.
  • Password Policy 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Password Policy module, there is nothing you need to do.

Solution
  1. Install the latest version:
  2. Force users who may have been affected by the force password change vulnerability to change their passwords.

Also see the Password Policy project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-069 - Logintoboggan - Access Bypass and Cross Site Scripting (XSS)

Security advisories (contrib) - 9 July 2014, 19:17
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-069
  • Project: LoginToboggan (third-party module)
  • Version: 7.x
  • Date: 2014-July-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass
Description

This module enables you to customise the standard Drupal registration and login processes.

Cross Site Scripting

The module doesn't filter user-supplied information from the URL resulting in a reflected Cross Site Scripting (XSS) vulnerability.

Access Bypass

The module introduces a concept of a "pre-authorized role" which can have different permissions than the normal Drupal core authorized role. Logintoboggan usually removes permissions for a user if those permissions are in the "authorized user" role and not in the "pre-authorized role". The module failed to remove those permissions for users in a pre-authorized state on all "Page Not Found" (i.e. 404) pages.

This vulnerability is mitigated by the fact that a site must use the "pre-authorized role" feature and an attacker would only gain permissions available to authenticated users and would only gain them on 404 pages which do not show private information in a default Drupal installation.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Logintoboggan 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.

Solution

Install the latest version:

Also see the LoginToboggan project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-068 - Pane - XSS

Security advisories (contrib) - 2 July 2014, 22:09
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-068
  • Project: Pane (third-party module)
  • Version: 7.x
  • Date: 2014-July-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module did not properly sanitize content entered for the title. It allowed sufficiently privileged users to add arbitrary HTML, which could result in XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks" or ability to edit Panel panes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Pane 7.x-2.x versions prior to 7.x-2.5.

Drupal core is not affected. If you do not use the contributed Pane module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Pane module for Drupal 7.x, upgrade to Pane 7.x-2.5

Also see the Pane project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-067 - Meta Tags Quick - Multiple vulnerabilities

Security advisories (contrib) - 2 July 2014, 15:39
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-067
  • Project: Meta tags quick (third-party module)
  • Version: 7.x
  • Date: 2014-July-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Open Redirect
Description

Meta tags quick adds meta tag editing to all non-administrative pages of a Drupal site.

Redirector abuse in path-based meta tag editing form

When editing a path-based meta tag, the module does not check the destination parameter of the URL, allowing an attacker to pass an arbitrary URL to the meta tag editing form.

XSS in path-based meta tag editing form

It is possible to inject arbitrary JavaScript via the module's Path-based Metatags edit form that executes when a user attempts to delete a Path-based Metatag.

Both vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "Edit path based meta tags".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Meta tags quick 7.x-2.x versions from and including 7.x-2.1 to 7.x-2.7 (7.x-1.x and 7.x-2.0 are not affected)

Drupal core is not affected. If you do not use the contributed Meta tags quick module, there is nothing you need to do.

Solution

If you use the Meta tags quick 7.x-2.x for Drupal 7, upgrade to Meta tags quick 7.x-2.8

Also see the Meta tags quick project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-066 - Node Access Keys - Access Bypass

Security advisories (contrib) - 2 July 2014, 15:32
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-066
  • Project: Node Access Keys (third-party module)
  • Version: 7.x
  • Date: 2014-July-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis.

It was found that unpublished nodes of content types that did not have an access key were visible to all. Also, if an unpublished node of a content type that was protected by an access key was visited with the access key, then access was granted.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Node Access Keys 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Node Access Keys module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Node Access Keys project page.

Reported by
  • This issue was disclosed publicly.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
