Security advisories

SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure

Security advisories (contrib) - 10 September 2014, 19:23
Description

Drupal Commerce is used to build eCommerce websites and applications of all sizes.

The commerce_order module can be used to create new user accounts whose email addresses are used as user names. Since user names are not considered private information in Drupal, this results in disclosure of email addresses.

This vulnerability is mitigated by the fact that the commerce_checkout module must be enabled with the default rule configuration enabled that creates new user accounts when an anonymous user completes the checkout process.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module,
there is nothing you need to do.

Solution

Drupal Commerce 1.10 includes an update function that changes all user names on the site that look like email addresses. This can be a disruptive process for some sites and therefore must be enabled explicitly by the update administrator. If you do not run the update function, you must make sure yourself that no user names are valid email addresses.

To enable the user name cleaning update function, set the commerce_checkout_run_update_7103 variable to TRUE before running update.php or drush updb. You can do this either with $conf['commerce_checkout_run_update_7103'] = TRUE; in settings.php or with drush vset commerce_checkout_run_update_7103 1.

Then install the latest version:

If you do not want to apply the update function, run update.php without setting the variable and the update function will be skipped.
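As an added illustration (not part of the advisory or of the Drupal Commerce module), the following Python script shows the manual check the advisory asks for when the update function is skipped: it flags user names that look like email addresses and proposes replacement names. The sample rows, the loose email pattern and the renaming scheme (local part plus a numeric suffix on collision, truncated to Drupal 7's 60-character user name limit) are assumptions, not the module's own update function.

```python
import re

# Drupal 7 defines USERNAME_MAX_LENGTH as 60; derived names must respect it.
USERNAME_MAX_LENGTH = 60

# Loose "looks like an email address" test: a local part, one '@', a dotted domain.
# The goal is to flag exposed names, not to validate addresses against RFC 5322.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of (uid, name) rows, as a query on the {users} table might return them.
SAMPLE_USERS = [
    (0, ""),                    # anonymous user row, always skipped
    (1, "admin"),
    (2, "alice@example.com"),   # exposes an address; "alice" is already taken by uid 3
    (3, "alice"),
    (4, "bob@example.org"),
    (5, "Carol@example.net"),
    (6, "dave-example.com"),    # no '@', so not an address
]


def looks_like_email(name):
    """True if the user name would be a plausible email address."""
    return EMAIL_LIKE.match(name) is not None


def find_exposed_accounts(rows):
    """Return the (uid, name) pairs whose public user name discloses an email address."""
    return [(uid, name) for uid, name in rows if uid > 0 and looks_like_email(name)]


def propose_username(name, taken):
    """Derive a non-address name from the local part, appending a number on collision.

    `taken` holds lower-cased names already in use; names are compared
    case-insensitively here (an assumption about the site's name uniqueness rule).
    """
    local = name.split("@", 1)[0][:USERNAME_MAX_LENGTH]
    candidate, n = local, 1
    while candidate.lower() in taken:
        n += 1
        suffix = str(n)
        candidate = local[:USERNAME_MAX_LENGTH - len(suffix)] + suffix
    return candidate


def plan_renames(rows):
    """Map uid -> proposed new name for every exposed account, keeping names unique."""
    taken = {name.lower() for _, name in rows}
    plan = {}
    for uid, name in find_exposed_accounts(rows):
        new_name = propose_username(name, taken)
        taken.add(new_name.lower())
        plan[uid] = new_name
    return plan


if __name__ == "__main__":
    plan = plan_renames(SAMPLE_USERS)
    for uid, old in find_exposed_accounts(SAMPLE_USERS):
        print(f"uid {uid}: {old!r} -> {plan[uid]!r}")
```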

Also see the Drupal Commerce project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

Security advisories (contrib) - 10 September 2014, 17:04
Description

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates.

User input is not properly sanitized in all use cases, opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability is only present when the custom breadcrumb is configured with the <none> special identifier so that some of the breadcrumb items are not links. A typical example is a last breadcrumb element that shows the current page title without being a link. The XSS vulnerability is not triggered if all items of the breadcrumb are links and the special identifier <none> is not used.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
  • Custom Breadcrumbs 6.x-2.x versions are NOT affected
  • Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1

Drupal core is not affected. If you do not use the contributed Custom Breadcrumbs module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Breadcrumbs project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-085 - Ubercart - Information disclosure

Security advisories (contrib) - 10 September 2014, 16:58
Description

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.

The per-user order history view is not properly protected.

This vulnerability is mitigated by the fact that an attacker must have an account with the "view own orders" permission and can only view order IDs, dates, statuses and totals with the default configuration.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Ubercart 7.x-3.x versions prior to 7.x-3.7.

Drupal core is not affected. If you do not use the contributed Ubercart module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-084 - Avatar Uploader - Information Disclosure

Security advisories (contrib) - 3 September 2014, 16:08
Description

The Avatar Uploader enables you to upload user pictures in a user-friendly way, like Quora and Facebook.

The module doesn't sufficiently check the picture path when a user crops the picture in the uploader panel, which allows a malicious user to make specially crafted requests that obtain sensitive server files readable by the web server user.

This vulnerability is mitigated by the fact that an attacker must know or guess the relative path from the temporary directory to the sensitive files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Avatar_Uploader 6.x-1.x versions prior to 6.x-1.2
  • Avatar_Uploader 7.x-1.x versions prior to 7.x-1.0-beta5

Drupal core is not affected. If you do not use the contributed Avatar Uploader module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Avatar Uploader project page.

Reported by
Fixed by
Coordinated by
  • Greg Knaddison of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-083 - Rules Link - Cross Site Scripting (XSS)

Security advisories (contrib) - 27 August 2014, 16:17
Description

This module allows you to create links which trigger arbitrary functionality with the help of the Rules module.

The module doesn't sufficiently sanitize the question and description strings when confirmation forms are displayed for triggering Rules links.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer rules links".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Rules Link 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Rules Link module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Rules Link project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-082 - Marketo MA - Cross Site Scripting (XSS)

Security advisories (contrib) - 20 August 2014, 18:16
Description

The Marketo MA module adds Marketo marketing automation tracking capability to your website as well as the ability to capture lead data during user registration and via webform integration. It consists of a base module as well as Marketo MA User Webform and Marketo MA User sub-modules.

The Marketo MA Webform and Marketo MA User modules included with the Marketo MA module incorrectly print field titles without proper sanitization, thereby opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability in Marketo MA Webform is mitigated by the fact that an attacker must have permissions that allow them to create Webform fields ("create webform content") and manage their Marketo relationship ("administer marketo webform settings").

The vulnerability in Marketo MA User is mitigated by the fact that an attacker must have a permission that allows them to create fields (such as "administer users") and manage Marketo MA configuration ("administer marketo").

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Marketo MA 7.x-1.3 and all earlier versions.

Drupal core is not affected. If you do not use the contributed Marketo MA module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Marketo MA project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2014-081 - Site Banner - Cross Site Scripting (XSS)

Security advisories (contrib) - 20 August 2014, 16:08
Description

The Site Banner module enables you to display a banner at the top and bottom of a Drupal site.

This module incorrectly prints existing context settings without proper sanitization, opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer contexts" from the Context UI module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Site Banner 7.x-4.x versions prior to 7.x-4.0.
  • Site Banner 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2013-080 - Social Stats - Cross Site Scripting (XSS)

Security advisories (contrib) - 20 August 2014, 16:02
Description

The Social Stats module enables you to collect statistics from various social networks and use that data with the Views module as field data, sort criteria, or filter criteria.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "[Content Type]: Create new content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Social Stats 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Social Stats module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Social Stats module for Drupal 7.x, upgrade to 7.x-1.5

Also see the Social Stats project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2013-079 - RedHen CRM - Cross Site Scripting (XSS)

Security advisories (contrib) - 20 August 2014, 15:58
Description

The RedHen CRM project contains the redhen_dedup module which enables you to find duplicate contacts in the CRM.

The redhen_dedup module doesn't sufficiently filter administrator-entered text when deduplicating contacts, which creates a Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker needs the permission "administer redhen contacts".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • RedHen CRM 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed RedHen CRM module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the RedHen CRM project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-078 - Notify - Access bypass

Security advisories (contrib) - 13 August 2014, 18:39
Description

The Notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites.

The Notify module does not sufficiently check whether the user has access to recently added or updated nodes and all the fields within the node before including the nodes in notification emails to a given user. This will expose node titles and potentially node teasers and fields to users who should not see them.

This vulnerability is mitigated by the fact that a site must use some form of access control and must be configured to include nodes with protected content in notifications.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Notify 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Notify module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Notify module for Drupal 7.x, upgrade to Notify 7.x-1.1

Also see the Notify project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-077 - TableField - Cross Site Scripting (XSS)

Security advisories (contrib) - 13 August 2014, 15:40
Description

This module enables you to create a field attached to an entity which stores tabular data. The module doesn't sufficiently sanitize the field help text when presented to a privileged user.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer content types" or "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • TableField 7.x-2.x versions prior to 7.x-2.3.
  • TableField versions for Drupal 6 are NOT affected.

Drupal core is not affected. If you do not use the contributed TableField module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the TableField project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-076 - Fasttoggle - Access bypass

Security advisories (contrib) - 6 August 2014, 22:16
Description

This module enables you to quickly toggle various user, node and field related settings via ajax links.

The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the access control which doesn't correctly implement support for the user status (allow/block) link.

This vulnerability is mitigated by the fact that the administrator must enable the link in the Fasttoggle configuration and allow user profiles to be viewed by anonymous or logged in users. For user 1 to be affected, the administrator must also enable the Fasttoggle setting that allows that account to be blocked via Fasttoggle.

All uses of the Fasttoggle module are logged, so any invocations of the exploit will be recorded. Accounts can only be blocked or unblocked via the exploit.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Fasttoggle module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Fasttoggle project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass

Security advisories (contrib) - 6 August 2014, 21:42
Description

This module provides functionality for AJAX based auto-completion of fields in the Biblio node type (provided by the Biblio module) using previously entered values and third party services.

The submodule "Biblio self autocomplete" for previously entered values doesn't sufficiently sanitize user input as it is used in a database query.

Additionally, the AJAX autocompletion callback itself was not properly secured, thus potentially allowing any visitor access to the data, including the anonymous user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Biblio Autocomplete module,
there is nothing you need to do.

Solution

Install the latest version:

Additionally, there is a new permission "access biblio autocomplete" for accessing the search. You need to give this permission to users with write permissions on Biblio nodes.

Also see the Biblio Autocomplete project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2014-004 - Drupal core - Denial of service

Security advisories (core) - 6 August 2014, 19:41
Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.
Solution

Install the latest version:

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.
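As an added, defender-side illustration (not code from the advisory or from Drupal core), the following Python function shows the kind of pre-parse check a filter in front of an XML-RPC endpoint such as xmlrpc.php could apply: it rejects any request body that declares a DOCTYPE, which is where entity expansion payloads must be declared, before a single entity is expanded. The sample requests are constructed and the function names are assumptions; it relies only on Python's standard-library expat parser.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when an XML-RPC body carries a DTD, the place where entity expansions are declared."""


def parse_xmlrpc_call(body):
    """Return the methodName of an XML-RPC <methodCall>, refusing any DOCTYPE.

    The rejection fires in the StartDoctypeDecl callback, i.e. before the internal
    subset is read, so a crafted payload costs only the bytes already received.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"method": None, "in_method_name": False, "text": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised inside a handler propagates out of parser.Parse().
        raise DoctypeRejected("DTD declarations are not accepted on this endpoint")

    def start_element(tag, attrs):
        if tag == "methodName":
            state["in_method_name"] = True

    def end_element(tag):
        if tag == "methodName":
            state["in_method_name"] = False
            state["method"] = "".join(state["text"]).strip()

    def char_data(data):
        # Expat may deliver text in several chunks; collect them all.
        if state["in_method_name"]:
            state["text"].append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(body, True)
    if not state["method"]:
        raise ValueError("body is not an XML-RPC methodCall")
    return state["method"]


def is_acceptable_xmlrpc_body(body):
    """Gate helper: True only for well-formed, DTD-free methodCall documents."""
    try:
        parse_xmlrpc_call(body)
        return True
    except (ValueError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample requests.
BENIGN_CALL = (
    b'<?xml version="1.0"?>'
    b"<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"
)
# Declares one internal entity; the check fires on the declaration itself,
# regardless of what the entities would expand to.
CALL_WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE methodCall [<!ENTITY a "aaaa">]>'
    b"<methodCall><methodName>&a;</methodName></methodCall>"
)
NOT_A_CALL = b"<html><body>hello</body></html>"

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_CALL), ("dtd", CALL_WITH_DTD), ("html", NOT_A_CALL)]:
        print(label, is_acceptable_xmlrpc_body(body))
```

This only guards the XML-RPC body; the advisory's OpenID issue and modules exposing XML-RPC at other URLs still need the core update.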

Also see the Drupal core project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-074 - Storage API - Code execution prevention

Security advisories (contrib) - 30 July 2014, 21:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-074
  • Project: (third-party module)
  • Version: 7.x
  • Date: 2014-July-30
  • Security risk: (Less Critical)
  • Vulnerability: Arbitrary PHP code execution
Description

Storage API is a low-level framework for managed file storage and serving.

The module creates an .htaccess file in the files directory to prevent code execution, but it copied the Drupal core file and was not updated to the improved file contents introduced with SA-CORE-2013-003.

This vulnerability is mitigated by the fact that it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads in a safe manner.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the project page.

Reported by

Reported publicly outside the Drupal Security Team reporting process.

Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2014-073 - Date - Cross Site Scripting (XSS)

Security advisories (contrib) - 30 July 2014, 17:25
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-073
  • Project: Date (third-party module)
  • Version: 7.x
  • Date: 2014-July-30
  • Security risk: Moderately Critical
  • Vulnerability: Cross Site Scripting
Description

The Date module provides a flexible date/time field type (Date field) and a Date API that other modules can use.

The module incorrectly prints date field titles without proper sanitization, thereby opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker must have permission to create Date fields, such as "administer taxonomy" to add date fields on taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Drupal core is not affected. If you do not use the contributed Date module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Date module for Drupal 7.x, upgrade to Date 7.x-2.8

Also see the Date project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass

Security advisories (contrib) - 23 July 2014, 19:47
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-072
  • Project: freelinking (third-party module)
  • Project: freelinking case tracker (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-July-23
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as [[pluginname:identifier]].

The module doesn't sufficiently check access to content when displaying links to nodes and users. This makes it possible to see node titles, usernames and potentially other data depending on the site configuration.

This vulnerability is mitigated by the fact that a site must use node access or permissions to prevent some users from viewing some nodes or users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Freelinking and Freelinking for case tracker

Drupal core is not affected. If you do not use the contributed freelinking or freelinking Case tracker modules, there is nothing you need to do.

Solution

Uninstall the module; it is no longer maintained.

Also see the freelinking and freelinking case tracker project pages.

Reported by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-071 - FileField - Access bypass

Security advisories (contrib) - 16 July 2014, 22:51
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-071
  • Project: FileField (third-party module)
  • Version: 6.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The FileField module enables you to define and use fields that contain files.

The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • FileField 6.x-3.x versions prior to 6.x-3.13.

Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.

Solution
Reported by
Fixed by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

    SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

    Biztonsági figyelmeztetések (core) - 2014. július 16. 16.48
    • Advisory ID: DRUPAL-SA-CORE-2014-003
    • Project: Drupal core
    • Version: 6.x, 7.x
    • Date: 2014-July-16
    • Security risk: Critical
    • Exploitable from: Remote
    • Vulnerability: Multiple vulnerabilities
    Description

    Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

    Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

    Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

    The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.

    Access bypass (File module - Drupal 7 - Critical)

    The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

    This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

    Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

    Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

    A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

    This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

    Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

    A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

    This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • Drupal core 6.x versions prior to 6.32.
    • Drupal core 7.x versions prior to 7.29.
    Solution

    Install the latest version: Drupal core 6.32 for Drupal 6 sites, Drupal core 7.29 for Drupal 7 sites.

    Also see the Drupal core project page.

    Reported by
    • The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
    • The access bypass vulnerability in the File module was reported by Ivan Ch.
    • The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
    • The cross-site scripting vulnerability in the Ajax system was reported by mani22test.
    Fixed by
    • The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the Drupal Security Team.
    • The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by Drupal Security Team members David Rothstein, Heine Deelstra and David Snopek.
    • The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the Drupal Security Team.
    • The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the Drupal Security Team.
    Coordinated by
    Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 6.x, Drupal 7.x

    SA-CONTRIB-2014-070 - Password Policy - Access Bypass

    Security advisories (contrib) - 16 July 2014, 15:19
    • Advisory ID: DRUPAL-SA-CONTRIB-2014-070
    • Project: Password Policy (third-party module)
    • Version: 6.x, 7.x
    • Date: 2014-July-16
    • Security risk: Less critical
    • Exploitable from: Remote
    • Vulnerability: Access bypass
    Description

    The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.

    Access Bypass (7.x only)

    Password Policy has a Password Change Tab submodule which provides a tab for a user to change their password. Password Policy also has a history constraint which disallows a user from changing their password to one of a specified number of their previous passwords.

    When the Password Change Tab module and the history constraint are both enabled, password history will not be stored for a user who changes their password using the password tab. This will allow the user to change their password to one of their previous passwords in violation of the history constraint.

    This vulnerability is mitigated by the fact that it only exists when both the Password Change Tab module and the history constraint are enabled.

    Access Bypass (6.x and 7.x)

    Password Policy has a feature that allows an administrator to force one or more users to change their password at their next login. Under certain circumstances, the users may not actually be forced to change their passwords.

    Specifically, if an update operation is programmatically performed on the user between the time the administrator flags the user for a forced password change and the time that user logs in, the user will no longer be flagged for a forced password change. For instance, executing the Drush command drush user-add-role to add a role to a user who is flagged for a password change would cause that user to no longer be forced to change their password.

    This vulnerability is mitigated by the fact that it only affects users for whom an administrator has forced a password change.
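
    The following is an added example and not Password Policy module code. It models both gaps described above with a small in-memory account store: a password history constraint holds only if every change path goes through the one routine that checks and records history, and a "change password at next login" flag survives unrelated account updates only if it is cleared by a password change itself, never by a plain save of the account. The storage layout, the hashing, the history depth and the scenario are assumptions.

```php
<?php
// Added example, not Password Policy module code. Shows a history constraint
// bypassed by a second change path, and a forced-change flag lost on an
// unrelated account update, beside the fixed behaviour for each.

declare(strict_types=1);

const HISTORY_DEPTH = 3;   // assumed: the last three passwords may not be reused

final class AccountStore {
  /** @var array<int, array{name: string, roles: string[], pass: string}> */
  private array $users = [];
  /** @var array<int, string[]> uid => previous password hashes, newest first */
  private array $history = [];
  /** @var array<int, true> uid => must change password at next login */
  private array $forceChange = [];

  public function create(int $uid, string $name, string $password): void {
    $this->users[$uid] = ['name' => $name, 'roles' => [], 'pass' => ''];
    $this->history[$uid] = [];
    $this->setPassword($uid, $password);
  }

  /** The one sanctioned change path: enforce history, record it, clear the flag. */
  public function setPassword(int $uid, string $new): bool {
    foreach ($this->history[$uid] as $old) {
      if (password_verify($new, $old)) {
        return false;                       // reuse of a recent password
      }
    }
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $this->users[$uid]['pass'] = $hash;
    array_unshift($this->history[$uid], $hash);
    $this->history[$uid] = array_slice($this->history[$uid], 0, HISTORY_DEPTH);
    unset($this->forceChange[$uid]);        // the only place the flag is cleared
    return true;
  }

  /** Gap 1: a second change path (the password tab) that writes the hash directly. */
  public function setPasswordViaTabBuggy(int $uid, string $new): bool {
    $this->users[$uid]['pass'] = password_hash($new, PASSWORD_DEFAULT);
    return true;                            // no history check, nothing recorded
  }

  public function requireChange(int $uid): void { $this->forceChange[$uid] = true; }
  public function mustChange(int $uid): bool   { return isset($this->forceChange[$uid]); }

  /** Gap 2: an account save that treats every update as the user being done. */
  public function addRoleBuggy(int $uid, string $role): void {
    $this->users[$uid]['roles'][] = $role;
    unset($this->forceChange[$uid]);        // flag lost on a role-only update
  }

  /** Fixed: unrelated updates never touch the flag. */
  public function addRole(int $uid, string $role): void {
    $this->users[$uid]['roles'][] = $role;
  }
}

$store = new AccountStore();
$store->create(7, 'alice', 'Winter2014!');
printf("rotate to Spring2014!       : %s\n", $store->setPassword(7, 'Spring2014!') ? 'ok' : 'rejected');
printf("reuse Winter2014! (form)    : %s\n", $store->setPassword(7, 'Winter2014!') ? 'ok' : 'rejected');
printf("reuse Winter2014! (tab bug) : %s\n", $store->setPasswordViaTabBuggy(7, 'Winter2014!') ? 'ok' : 'rejected');

$store->requireChange(7);
$store->addRoleBuggy(7, 'editor');
printf("flag after buggy role add   : %s\n", $store->mustChange(7) ? 'still set' : 'lost');
$store->requireChange(7);
$store->addRole(7, 'editor');
printf("flag after fixed role add   : %s\n", $store->mustChange(7) ? 'still set' : 'lost');
$store->setPassword(7, 'Summer2014!');
printf("flag after password change  : %s\n", $store->mustChange(7) ? 'still set' : 'cleared');
```

    The form path rejects the reused password while the tab path accepts it, and the buggy role update drops the flag where the fixed one keeps it until the password is actually changed. Step 2 of the Solution below exists because the buggy flag handling leaves no record of which users lost theirs, so affected users have to be flagged again.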

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • Password Policy 6.x-1.x versions prior to 6.x-1.8.
    • Password Policy 7.x-1.x versions prior to 7.x-1.9.

    Drupal core is not affected. If you do not use the contributed Password Policy module, there is nothing you need to do.

    Solution
    1. Install the latest version: Password Policy 6.x-1.8 for Drupal 6, Password Policy 7.x-1.9 for Drupal 7.
    2. Force users who may have been affected by the force password change vulnerability to change their passwords.

    Also see the Password Policy project page.

    Reported by
    Fixed by
    Coordinated by
    Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 6.x, Drupal 7.x
