Security advisories

SA-CONTRIB-2014-065 - Custom Meta - Cross Site Scripting (XSS)

Security advisories (contrib) - 18 June 2014, 16:37
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-065
  • Project: Custom Meta (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The module allows you to define and manage custom meta tags.

The module does not sufficiently sanitize user input before displaying the attribute and content values for meta tags on the administration page.

This vulnerability is mitigated by the fact that an attacker must have access to an account with the permission "administer custom meta settings".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Custom Meta 6.x-1.x versions prior to 6.x-1.2.
  • Custom Meta 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Custom Meta module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Meta project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-064 - Course - Access bypass

Security advisories (contrib) - 18 June 2014, 16:04
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-064
  • Project: Course (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to create e-learning courses with any number of requirements for completion. A "Course object" is a relationship entity between a Course and a learning object, such as a Node.

The module doesn't sufficiently check access on Course object edit forms. The configuration options of any Course object are visible to any user including the anonymous user.

This vulnerability is mitigated by the fact that while the form and its configuration options can be viewed, no changes can be saved.
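The kind of access check this advisory describes as missing, written as an added Drupal 7 illustration rather than the Course module's own code: the course object edit form is only reachable through a menu access callback that asks whether the current user may update the parent course node. The `%course_object` loader, the `nid` property on the loaded object and the `administer courses` permission name are assumptions.

```php
<?php
/**
 * Implements hook_menu().
 *
 * Added example (not the Course module's own code). The vulnerable shape is a
 * router item whose 'access callback' is TRUE, or which inherits an open
 * parent's access, so any visitor, including anonymous users, can load the
 * edit form and read its configuration.
 */
function example_course_menu() {
  $items = array();
  $items['course/object/%course_object/edit'] = array(
    'title' => 'Edit course object',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('course_object_edit_form', 2),
    // Tie the form to a real access decision instead of leaving it open.
    'access callback' => 'example_course_object_edit_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: may the current user edit this course object?
 *
 * $course_object is the object loaded by the %course_object wildcard
 * (assumed to carry the parent course node id in ->nid).
 */
function example_course_object_edit_access($course_object, $account = NULL) {
  if (empty($course_object) || empty($course_object->nid)) {
    return FALSE;
  }
  // Site-wide administrators (assumed permission name) always pass.
  if (user_access('administer courses', $account)) {
    return TRUE;
  }
  // Otherwise delegate to node access on the parent course: a user who may
  // not update the course node may not view or change its object settings.
  $course = node_load($course_object->nid);
  return $course ? node_access('update', $course, $account) : FALSE;
}
```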

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Course 6.x-1.x versions prior to 6.x-1.1.
  • Course 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Course module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Course module for Drupal 6.x, upgrade to Course 6.x-1.1
  • If you use the Course module for Drupal 7.x, upgrade to Course 7.x-1.2

Also see the Course project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-063 - Easy Breadcrumb - Cross Site Scripting (XSS)

Security advisories (contrib) - 18 June 2014, 15:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-063
  • Project: Easy Breadcrumb (third-party module)
  • Version: 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Easy Breadcrumb module generates breadcrumbs from path aliases.

This module does not properly sanitize user-supplied values creating a Cross Site Scripting (XSS) vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Easy breadcrumbs 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Easy Breadcrumb module, there is nothing you need to do.

Solution

If you use the Easy Breadcrumb module for Drupal 7, upgrade to 7.x-2.10.

Also see the Easy Breadcrumb project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-062 - Password Policy - Multiple vulnerabilities

Security advisories (contrib) - 18 June 2014, 14:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-062
  • Project: Password policy (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-June-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.

Access bypass and information disclosure (7.x only)

The module has a history constraint, which when enabled, disallows a user's password from being changed to match a specified number of their previous passwords. For this to work, the module stores a history of all previous user password hashes from the time the module is enabled (regardless of whether the history constraint is enabled).

Upon upgrading from 6.x to 7.x, the module does not convert these hashes from the Drupal 6 format to the Drupal 7 format. This has two consequences:
1. Users can change their passwords to old passwords used in Drupal 6 in violation of the history constraint.
2. Previous user passwords from Drupal 6 are kept indefinitely in Drupal 7 as weak MD5 hashes. If a site is compromised, past user passwords are at high risk of exposure.

This vulnerability is mitigated by the fact that only sites using 7.x that have previously used 6.x are affected.

Access bypass (6.x)

The module has a feature that lets an administrator force a password change for one or more users at their next login. These users are unable to access the website beyond their account page until changing their password.

A bug exists in 6.x where a password change will not be enforced when a user_save() is performed between the time when the administrator forces the password change and the time the affected user logs in. This can lead to users retaining insecure passwords.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password Policy 6.x-1.x versions prior to 6.x-1.7.
  • Password Policy 7.x-1.x versions prior to 7.x-1.7.
  • Password Policy 7.x-2.x versions prior to 7.x-2.0-alpha2.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Warning: If you are using 7.x, and have used 6.x in the past on the same site, you are advised to back up your database prior to upgrading to the latest version to reduce the risk of an unforeseen upgrade problem causing permanent loss of password history.

Install the latest version:

  • If you use the Password Policy module for Drupal 6.x, upgrade to 6.x-1.7
  • If you use the Password Policy 1.x module for Drupal 7.x, upgrade to 7.x-1.7
  • If you use the Password Policy 2.x module for Drupal 7.x, upgrade to 7.x-2.0-alpha2

Also see the Password policy project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-061 - VideoWhisper Webcam Plugins - Cross Site Scripting (XSS) - Unsupported

Security advisories (contrib) - 18 June 2014, 14:54
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-061
  • Project: VideoWhisper Webcam Plugins (third-party module)
  • Version: 7.x
  • Date: 2014-June-18
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The project includes multiple modules for video communications, including room listing and pay-per-view access control.

The module doesn't sufficiently filter user-supplied text from the URL (reflected cross site scripting). No special permissions are required to exploit this issue.

There are no mitigating factors for this vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of VideoWhisper Webcam Plugins.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

If you use the VideoWhisper Webcam Plugins module you should uninstall it.

Also see the VideoWhisper Webcam Plugins project page.

Reported by

This issue was publicly disclosed as CVE-2014-2715 outside of the process to report security issues in Drupal. Issues reported via the Drupal Security Team process normally include the original reporter.

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-060 - Petitions - Cross Site Request Forgery (CSRF)

Security advisories (contrib) - 11 June 2014, 20:41
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-060
  • Project: - Petitions - (third-party distribution)
  • Version: 7.x
  • Date: 2014-June-11
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

This distribution enables you to build an application that lets users create and sign petitions.
The contained wh_petitions module doesn't sufficiently verify the intent of the user when signing a petition. A malicious user could trick another user into signing a petition they did not intend to sign by getting them to visit a specially-crafted URL while logged in.
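The intent check this advisory says was missing, as an added Drupal 7 illustration and not the wh_petitions module's own code: the "sign" link carries a token bound to the visitor's session and to the petition, and the page callback refuses to record a signature unless that token verifies. The router path, the signature table and the `sign petitions` permission are assumptions; a Form API submit button would get the same protection automatically through its form token.

```php
<?php
/**
 * Implements hook_menu().
 *
 * Added example (not the wh_petitions module's code).
 */
function example_petition_menu() {
  $items = array();
  $items['petition/%node/sign'] = array(
    'title' => 'Sign petition',
    'page callback' => 'example_petition_sign',
    'page arguments' => array(1),
    'access arguments' => array('sign petitions'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Build the "Sign" link. The token is a HMAC over the session id, the value
 * 'sign-petition-NID' and the site's private key, so a link assembled on a
 * third-party page cannot carry a token valid for the victim's session.
 */
function example_petition_sign_link($node) {
  return l(t('Sign this petition'), 'petition/' . $node->nid . '/sign', array(
    'query' => array('token' => drupal_get_token('sign-petition-' . $node->nid)),
  ));
}

/**
 * Page callback. The vulnerable shape recorded the signature for the
 * logged-in user on any GET request to this path, which is exactly what a
 * crafted URL visited while logged in would trigger.
 */
function example_petition_sign($node) {
  global $user;
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'sign-petition-' . $node->nid)) {
    // Token missing, forged, or minted for another session: do nothing.
    return MENU_ACCESS_DENIED;
  }
  example_petition_record_signature($node->nid, $user->uid);
  drupal_set_message(t('Thank you for signing.'));
  drupal_goto('node/' . $node->nid);
}

/**
 * Store one signature per (petition, user). Assumed schema, not the module's.
 */
function example_petition_record_signature($nid, $uid) {
  db_merge('example_petition_signature')
    ->key(array('nid' => $nid, 'uid' => $uid))
    ->fields(array('created' => REQUEST_TIME))
    ->execute();
}
```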

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • petitions 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed - Petitions - distribution, there is nothing you need to do.

Solution

Install the latest version:

Note that petitions 7.x-1.2 is the last release for the first version of petitions. petitions 7.x-1.x is no longer maintained, and you are strongly encouraged to upgrade to the latest version petitions 7.x-2.0-beta19. Also see the - Petitions - project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS)

Security advisories (contrib) - 11 June 2014, 17:31
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-059
  • Project: Touch (third-party module)
  • Version: 7.x
  • Date: 2014-June-11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Touch Theme is a lightweight theme with a modern look and feel.

The theme does not sufficiently sanitize the theme settings input for the Twitter and Facebook usernames.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes".
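The step common to this advisory and to SA-CONTRIB-2014-065 (Custom Meta), SA-CONTRIB-2014-063 (Easy Breadcrumb) and SA-CONTRIB-2014-061 (VideoWhisper) is escaping at the point where a stored setting, a path alias or a query parameter becomes HTML. The following is an added Drupal 7 illustration of that step, not code from any of those projects; the function names, setting names and storage used here are assumptions.

```php
<?php
/**
 * Added example, not code from the advised projects. Each function shows the
 * unsafe rendering as a comment and the escaped form as the live code.
 */

/**
 * Admin listing of stored meta tags (the Custom Meta case): values typed by
 * an administrator are still untrusted once they are rendered as HTML.
 */
function example_meta_admin_page() {
  $tags = variable_get('example_custom_meta', array()); // assumed storage
  $rows = array();
  foreach ($tags as $tag) {
    // VULNERABLE: $rows[] = array($tag['attribute'], $tag['content']);
    // theme_table() trusts cell contents, so escape them here.
    $rows[] = array(check_plain($tag['attribute']), check_plain($tag['content']));
  }
  return theme('table', array(
    'header' => array(t('Attribute'), t('Content')),
    'rows' => $rows,
  ));
}

/**
 * Front-end meta output: a render array lets drupal_attributes() run
 * check_plain() on every attribute value instead of hand-built markup.
 */
function example_meta_add_head($tag) {
  drupal_add_html_head(array(
    '#tag' => 'meta',
    '#attributes' => array('name' => $tag['attribute'], 'content' => $tag['content']),
  ), 'example_meta_' . $tag['attribute']);
}

/**
 * Theme setting printed in a template (the Touch case).
 */
function example_touch_social_link() {
  $name = theme_get_setting('twitter_username'); // assumed setting name
  // VULNERABLE: '<a href="https://twitter.com/' . $name . '">' . $name . '</a>'
  // l() escapes the link text and the href; the path segment is URL-encoded.
  return l($name, 'https://twitter.com/' . rawurlencode($name), array('external' => TRUE));
}

/**
 * Breadcrumb built from a path alias (the Easy Breadcrumb case).
 * drupal_set_breadcrumb() expects already-safe HTML, so escaping must happen
 * here rather than somewhere downstream.
 */
function example_breadcrumb_from_alias($path) {
  $alias = drupal_get_path_alias($path);
  $crumbs = array(l(t('Home'), '<front>'));
  foreach (explode('/', $alias) as $segment) {
    // VULNERABLE: $crumbs[] = drupal_ucfirst(str_replace('-', ' ', $segment));
    $crumbs[] = check_plain(drupal_ucfirst(str_replace('-', ' ', $segment)));
  }
  drupal_set_breadcrumb($crumbs);
}

/**
 * Reflected query parameter (the VideoWhisper case).
 */
function example_room_page() {
  $room = isset($_GET['room']) ? $_GET['room'] : '';
  // VULNERABLE: return array('#markup' => '<h2>' . $room . '</h2>');
  return array('#markup' => '<h2>' . check_plain($room) . '</h2>');
}
```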

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Touch 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Touch module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Touch theme for Drupal 7.x, upgrade to Touch 7.x-1.9

Also see the Touch project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-058 - Webserver Auth - Access Bypass

Security advisories (contrib) - 28 May 2014, 16:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-058
  • Project: Webserver authentication (third-party module)
  • Version: 7.x
  • Date: 2014-May-28
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module allows you to delegate user authentication to the web server. The module can be configured to automatically create users that have been authenticated by the web server.

A configuration variable did not have consistent default values in the code, meaning that on a new install users would be created by default even though the configuration screen suggested otherwise.

This vulnerability is mitigated by the fact that the issue is only present if the site owner has not saved the configuration page, and it is very common to configure a module after installing it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webserver authentication before version 7.x-1.4

Drupal core is not affected. If you do not use the contributed Webserver authentication module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webserver authentication project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-057 - Password policy - General logic error

Security advisories (contrib) - 21 May 2014, 17:15
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-057
  • Project: Password policy (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: General logic error
Description

This module enables you to define password policies with various constraints on allowable user passwords. The history constraint, when enabled, disallows a user's password from being changed to match a specified number of their previous passwords.

Beginning with Password Policy 7.x-1.4, the history constraint had no effect when enabled, and user passwords could be changed to match any previous passwords beyond the most recent. Therefore, passwords of users that were changed since Password Policy 7.x-1.4 or later was installed may match previous passwords in violation of the history constraint.

This vulnerability is mitigated by the fact that it only affects users covered by a password policy with the history constraint enabled.
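To make this advisory and the history part of SA-CONTRIB-2014-062 concrete, here is an added Drupal 7 sketch (not the Password Policy module's code) of a history constraint that compares a candidate password against the user's last N stored hashes. It handles hashes that core's 6.x to 7.x upgrade converted (the `U$` prefix that `user_update_7000()` adds), and it flags raw 32-character MD5 entries that were never converted, which is the SA-CONTRIB-2014-062 condition. The `password_policy_history` table and its `uid`, `old_pass` and `timestamp` columns are assumptions.

```php
<?php
/**
 * Added example: a history constraint check for Drupal 7. Not the module's
 * own code; the history table schema is assumed.
 */

/**
 * Classify a stored hash so an audit can spot unconverted Drupal 6 entries.
 *
 * Returns 'legacy-md5', 'converted6' or 'drupal7'.
 */
function example_history_hash_type($hash) {
  if (preg_match('/^[0-9a-f]{32}$/i', $hash)) {
    // Plain MD5 as Drupal 6 stored it: cheap to brute-force if the table leaks.
    return 'legacy-md5';
  }
  if (substr($hash, 0, 2) == 'U$') {
    // Core's user_update_7000() re-hashes the old MD5 with the new algorithm
    // and prefixes 'U'; user_check_password() knows to md5() the input first.
    return 'converted6';
  }
  return 'drupal7';
}

/**
 * Convert one legacy MD5 history entry the same way core converts account
 * passwords, so the weak hash no longer sits in the table as-is.
 */
function example_history_convert_legacy($md5_hash) {
  require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
  return 'U' . user_hash_password($md5_hash);
}

/**
 * Returns TRUE if $password matches any of the user's last $count hashes.
 *
 * A check that only looks at the most recent entry, or that never runs, is the
 * "no effect" behaviour described in SA-CONTRIB-2014-057.
 */
function example_history_password_reused($uid, $password, $count) {
  require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
  $hashes = db_select('password_policy_history', 'h')
    ->fields('h', array('old_pass'))
    ->condition('uid', $uid)
    ->orderBy('timestamp', 'DESC')
    ->range(0, $count)
    ->execute()
    ->fetchCol();

  foreach ($hashes as $hash) {
    if (example_history_hash_type($hash) == 'legacy-md5') {
      // Unconverted Drupal 6 entry: compare the way Drupal 6 did, and log it so
      // the site owner knows the history table still holds weak hashes.
      watchdog('password_policy', 'Unconverted MD5 history hash for uid %uid.', array('%uid' => $uid), WATCHDOG_WARNING);
      if (md5($password) === $hash) {
        return TRUE;
      }
      continue;
    }
    // user_check_password() only reads $account->pass, so a stub suffices.
    $stub = (object) array('pass' => $hash);
    if (user_check_password($password, $stub)) {
      return TRUE;
    }
  }
  return FALSE;
}
```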

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password policy 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution
  1. Install the latest version:
  2. Force a password change for all users covered by a password policy with the history constraint enabled.

Also see the Password policy project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-056 - Commerce Moneris - Information Disclosure

Security advisories (contrib) - 21 May 2014, 17:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-056
  • Project: Commerce Moneris (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

Commerce Moneris is a payment module that integrates the Moneris payment system with Drupal Commerce.

The module stores credit card data in a commerce order object unnecessarily for the purpose of passing the credit card information to the payment gateway. The credit card information is never removed from the order object and is later saved in the clear as serialized data in the database.

This vulnerability is mitigated by the fact that an attacker must have access to the database or the ability to execute PHP to output the raw or unserialized data from the commerce order.
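As an added example (not the Commerce Moneris module's code) of the defensive pattern the advisory implies: card details are consumed by the gateway call and then stripped from the order before it is serialized for storage, with a small check that the stored blob no longer carries a PAN. The order shape (a stdClass with a ->data array), the field names and the gateway stub are all assumptions.

```php
<?php
// Added example, not the Commerce Moneris module's code. Illustrates the
// defensive pattern the advisory points to: card details are used for the
// gateway call and then stripped from the order before it is serialized for
// storage. The order shape (a stdClass with a ->data array) and the field
// names below are assumptions, and the gateway call is a stub.

const CARD_FIELDS = ['card_number', 'card_cvv', 'card_exp_month', 'card_exp_year'];

/** Recursively remove card fields from a nested data array. */
function scrub_card_fields(array $data): array {
    foreach ($data as $key => $value) {
        if (in_array($key, CARD_FIELDS, true)) {
            unset($data[$key]);
        } elseif (is_array($value)) {
            $data[$key] = scrub_card_fields($value);
        }
    }
    return $data;
}

/** Luhn check, used to distinguish a PAN from other long digit runs. */
function luhn_valid(string $digits): bool {
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** Detection: does a serialized blob still contain a Luhn-valid 13-19 digit run? */
function serialized_contains_pan(string $blob): bool {
    if (!preg_match_all('/\b\d{13,19}\b/', $blob, $matches)) {
        return false;
    }
    foreach ($matches[0] as $run) {
        if (luhn_valid($run)) {
            return true;
        }
    }
    return false;
}

/** Stub standing in for the real gateway request; returns only a transaction id. */
function charge_card(array $card, int $amount_cents): string {
    return 'txn-' . substr(hash('sha256', $card['card_number'] . $amount_cents), 0, 12);
}

// Constructed order carrying card data in ->data, as the vulnerable flow did.
$order = new stdClass();
$order->order_id = 1001;
$order->data = [
    'payment' => [
        'card_number'    => '4111111111111111', // constructed test PAN
        'card_cvv'       => '123',
        'card_exp_month' => '12',
        'card_exp_year'  => '2030',
    ],
];

$txn = charge_card($order->data['payment'], 4999);
$before = serialize($order);                          // what the flawed flow would store
$order->data = scrub_card_fields($order->data);       // drop card fields after the gateway call
$order->data['payment']['transaction_id'] = $txn;     // keep only the gateway's reference
$after = serialize($order);

printf("before scrub: PAN present = %s\n", serialized_contains_pan($before) ? 'yes' : 'no');
printf("after scrub:  PAN present = %s\n", serialized_contains_pan($after) ? 'yes' : 'no');
```

The serialized_contains_pan() check is the kind of assertion worth running over existing order rows after upgrading: the fix stops new card data from being written, but rows saved by earlier versions still hold it in the clear until they are scrubbed.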

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Moneris 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Commerce Moneris module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Moneris project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-055 - Require Login - Access bypass

Security advisories (contrib) - 21 May 2014, 17:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-055
  • Project: Require Login (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to restrict access to a site for all non-authenticated users.

The module does not protect the front page, thereby exposing any sensitive information on the front page to anonymous users.

This vulnerability is mitigated by the fact that private/sensitive information must be on the site's front page.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Login Redirect 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Require Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Require Login project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
