+ Telepítés

 WindowsLinuxMac

+ Keresés

Biztonsági figyelmeztetések (contrib)

Feliratkozás Biztonsági figyelmeztetések (contrib) hírcsatorna csatornára
Webcím: http://drupal.org/security/contrib
Frissítve: 56 perc 45 másodperc

SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities

2012. május 23. 19.56
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-085
  • Project: BrowserID (Mozilla Persona) (third-party module)
  • Version: 7.x
  • Date: 2012-May-23
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery (results in Privilege Escalation)
Description

CVE: Requested

The BrowserID module provides integration with BrowserID (also known as Mozilla Persona) -- a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site.

The module did not sufficiently validate requests for authentication to log in, potentially allowing a Cross Site Request Forgery (CSRF) attack and introducing the possibility that logging in to a malicious site with BrowserID could give that site the ability to log in to other websites using your BrowserID identity.

Versions affected
  • BrowserID (Mozilla Persona) 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed BrowserID (Mozilla Persona) module, there is nothing you need to do.

Solution

Install the latest version:

This version adds a dependency on the Session API module. Make sure you install Session API before upgrading to BrowserID 7.x-1.3.

Also see the BrowserID (Mozilla Persona) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-084 - Search API - Cross Site Scripting (XSS)

2012. május 23. 19.09
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-084
  • Project: Search API (third-party module)
  • Version: 7.x
  • Date: 2012-May-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't sufficiently sanitize user input in some cases when throwing exceptions or logging errors. This enables attackers to insert arbitrary data into a page by manipulating its URL. Users would have to open such a manipulated URL to see the changed content.

This is only possible in some setups of Search API, specifically when users can manually enter field identifiers in some way – e.g., through an exposed Views sort or with the old Facets module.

Versions affected
  • Search API 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Search API module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Search API module (especially with Views, the old Facets module or other advanced search forms) for Drupal 7.x, upgrade to Search API 7.x-1.1
  • Run update.php to also ensure that previously stored log messages are sanitized.

Also see the Search API project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-083 - Taxonomy List - Cross Site Scripting (XSS)

2012. május 23. 18.08
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-083
  • Project: Taxonomy List (third-party module)
  • Version: 6.x
  • Date: 2012-May-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested

This module enables you to display the terms (and optionally nodes) under categories.

The module doesn't sufficiently sanitize user supplied text in the taxonomy information.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create or edit taxonomy terms.

Versions affected
  • Taxonomy List 6.x-1.x versions prior to 6.x-1.4.

The 6.x-2.x branch is not affected.

Drupal core is not affected. If you do not use the contributed Taxonomy List module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Taxonomy List project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-082 - Zen - Cross Site Scripting

2012. május 16. 22.38
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-082
  • Project: Zen (third-party theme)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.

The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.

This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.

Versions affected
  • Zen 6.x-1.x versions prior to 6.x-1.1

Drupal core is not affected. Zen versions 6.x-2.x are not affected. If you do not use the contributed Zen theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Zen theme for Drupal 6.x, upgrade to theme 6.x-1.1 or any later version.

If you copied code from the zen_breadcrumb function into a custom sub-theme's template.php file you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check plain like:

check_plain(menu_get_active_title());

Also see the Zen project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting

2012. május 16. 22.38
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-081
  • Project: Aberdeen (third-party theme)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.

The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.

This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.

Versions affected
  • Aberdeen 6.x-1.x versions prior to 6.x-1.11

Drupal core is not affected. If you do not use the contributed Aberdeen theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Aberdeen theme for Drupal 6.x, upgrade to theme 6.x-1.11

If you copied code from the aberdeen_breadcrumb function into a custom sub-theme's template.php file you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check plain like:

check_plain(menu_get_active_title());

Also see the Aberdeen project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass and Cross Site Scripting (XSS)

2012. május 16. 18.35
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-080
  • Project: Hostmaster (Aegir) (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description Cross Site Scripting

CVE: Requested.

Hostmaster displays a log from tasks executed in Aegir's backend component, provision. In certain circumstances these log messages were not escaped properly before being displayed to the user. This vulnerability is mitigated by the fact that people wishing to exploit this must have access to the PHP code of either provision itself or one of the sites hosted by Aegir.

Access Bypass

CVE: Requested.

Hostmaster doesn't allow people to edit or create certain node types that are used for the internal representation of data. The implementation of this wasn't fully complete and would still allow privileged users to edit these nodes. This can cause some data corruption in the front-end, leading to tasks that would appear to never finish running. This vulnerability is mitigated by the fact that people wishing to exploit this must have the 'edit package' or 'administer nodes' permissions, which are not given to any roles by the default Aegir install.

Versions affected
  • Hostmaster 6.x-1.x versions prior to 6.x-1.9.

Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) module, there is nothing you need to do.

Solution

Follow the upgrade instructions in the release notes for the Aegir 1.9 release which can be found at: http://community.aegirproject.org/1.9

Also see the Hostmaster (Aegir) project page.

Reported by
  • The Cross Site Scripting vulnerability was reported by Steven Jones one of the module maintainers.
  • The Access Bypass vulnerability was reported by Ivo Van Geertruyen of the Drupal Security Team.
Fixed by
  • The Cross Site Scripting vulnerability was fixed by Steven Jones one of the module maintainers.
  • The Access Bypass vulnerability was fixed by Ivo Van Geertruyen of the Drupal Security Team and mig5 one of the module maintainers.
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported

2012. május 16. 18.21
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-079
  • Project: Post Affiliate Pro (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass
Description

CVE: Requested.

Post Affiliate Pro (PAP) is a module providing affiliate functionality for Ubercart and Post Affiliate Pro application.
The module doesn't sufficiently filter user supplied text provided by users registering on the site and also allows unauthorized users to view other user's commission.

Versions affected
  • All versions of the module.

Drupal core is not affected. If you do not use the contributed Post Affiliate Pro module, there is nothing you need to do.

Solution

The module is no longer supported. Users should disable it. Users interested in continuing to use it should see the project page for more information.

Also see the Post Affiliate Pro project page.

Reported by Fixed by

No fix was provided.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)

2012. május 16. 17.30
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-078
  • Project: Smart Breadcrumb (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

CVE: Requested.

The function filter_titles() incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text.

This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue.

Versions affected
  • Smart Breadcrumb 6.x-2.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Smart Breadcrumb module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Smart Breadcrumb project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-77 - Advertisement - Cross Site Scripting & Information Disclosure

2012. május 16. 17.16
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-077
  • Project: Advertisement (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities
Description

CVE: Requested.

This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages.
The module could, under certain conditions, expose limited site configuration information and a debugging mode did not sufficiently sanitize input, allowing for potential cross-site scripting (XSS).
This vulnerability is mitigated by the fact that exposed data must have been explicitly set in the $conf variable in settings.php.

Versions affected
  • Advertisement 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Advertisement module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Advertisement project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass

2012. május 16. 17.07
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-076
  • Project: Ubercart Product Keys (third-party module)
  • Version: 6.x
  • Date: 2012-May-16
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

CVE: Requested.

This module enables you to sell product keys from an Ubercart store.

Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key.

Versions affected
  • Ubercart Product Keys 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Ubercart Product Keys module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart Product Keys project page.

Reported by
  • Daniel Glucksman
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-075 - Take Control - Cross Site Request Forgery (CSRF)

2012. május 9. 18.40
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-075
  • Project: Take Control (third-party module)
  • Version: 6.x
  • Date: 2012-May-09
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

This module enables you to manage your Drupal file-system from within Drupal itself.
The module does not sufficiently validate Ajax calls leading to possibility of a Cross Site Request Forgery CSRF attack.
This vulnerability is mitigated by the fact that the attacker must be able to guess your Drupal file-system root path exactly. Further, if your site follows the secure file-system permissions recommendations and the web-server account does not have write access to Drupal root, only files/folders in Drupal's "files" directory are open to manipulation.

Versions affected
  • Take Control 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Take Control module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Take Control project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-074 - Contact Forms - Access Bypass

2012. május 9. 18.36
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-074
  • Project: Contact Forms (third-party module)
  • Version: 7.x
  • Date: 2012-May-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form (without a drop down menu) with a unique path for each of the contact form categories.
The module allowed users to edit the Contact Form settings if they have permission to 'access the site-wide contact form' instead of more appropriate 'Administer contact forms and contact form settings' permission.
This vulnerability is only mitigated by the fact that an attacker must know the correct url to access the Contact Forms settings page (though it is the same on all Drupal sites).

Versions affected
  • Contact Forms 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Contact Forms module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Contact Forms project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-073 - Glossary - Cross-Site Scripting (XSS)

2012. május 9. 18.24
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-073
  • Project: Glossary (third-party module)
  • Version: 6.x
  • Date: 2012-May-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The glossary module scans posts for glossary terms, adding an indicator. By hovering over the indicator, users may learn the definition of that term.

The module does not sufficiently sanitize the taxonomy information. This leaves sites vulnerable to Cross-Site Scripting attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create or edit taxonomy terms.

Versions affected
  • Glossary 6.x-1.x versions prior to 6.x-1.8.

Drupal core is not affected. If you do not use the contributed Glossary module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Glossary project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-072 - cctags - Cross Site Scripting (XSS)

2012. május 2. 21.36
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-072
  • Project: cctags (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-May-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module enables you to create "tag clouds" with taxonomy terms displayed in different sizes depending on how frequently they are used on a site.
The module doesn't sufficiently filter user supplied text leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create or edit vocabularies or terms.

Versions affected
  • cctags 6.x-1.x versions prior to 6.x-1.10.
  • cctags 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed cctags module, there is nothing you need to do.

Solution

Install the latest version:

Also see the cctags project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported

2012. május 2. 16.34
Description

This module generates internal node to node, node to taxonomy or node to external URL links (crosslinks) automatically - ideal for SEO of your site's pages and partner pages.
This module does not protect against an Cross Site Scripting (XSS) attack. The vulnerability is mitigated by the fact that the attacker must be able to create or edit any of: content (nodes), vocabularies, or terms.

Versions affected
  • 6.x-2.5 and before

Drupal core is not affected. If you do not use the contributed Glossify Internal Links Auto SEO module, there is nothing you need to do.

Solution

Uninstall the module, it is no longer supported.

Also see the Glossify Internal Links Auto SEO project page.

Reported by
  • Andrei Turcanu
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported

2012. május 2. 16.33
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-070
  • Project: Taxonomy Grid : Catalog (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module provides a page where you can see each content types you've selected under terms from vocabularies you've selected.
This module does not properly filter user supplied text resulting in a Cross Site scripting bug. This vulnerability is mitigated by the fact that an attacker would need the ability to create or edit a vocabulary or term.

Versions affected
  • 6.x-1.6 and before

Drupal core is not affected. If you do not use the contributed Taxonomy Grid : Catalog module, there is nothing you need to do.

Solution

Uninstall the module

Also see the Taxonomy Grid : Catalog project page.

Reported by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported

2012. május 2. 16.31
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-069
  • Project: Addressbook (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection
Description

This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request Forgery.

Versions affected
  • 6.x-4.2 and before

Drupal core is not affected. If you do not use the contributed Addressbook module, there is nothing you need to do.

Solution

This module is not supported. Uninstall the module.

Also see the Addressbook project page.

Reported by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported

2012. május 2. 16.09
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-068
  • Project: Node Gallery (third-party module)
  • Version: 6.x
  • Date: 2012-May-02
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

Node gallery enable users to create a more flexible and powerful gallery that are fully integrated with Drupal's core node system.
This module does not protect a CSRF attack when creating node galleries.

Versions affected
  • 6.x-3.1 and before

Drupal core is not affected. If you do not use the contributed Node Gallery module, there is nothing you need to do.

Solution

Uninstall the module, this module is no longer supported.

Also see the Node Gallery project page.

Reported by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-067 - Linkit - Access bypass

2012. április 25. 21.29
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-067
  • Project: Linkit (third-party module)
  • Version: 7.x
  • Date: 2012-April-25
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Linkitprovides an easy interface for internal and external linking. Linkit links to nodes, users, managed files, terms and have basic support for all entities by default, using an autocomplete field.

When searching for entities, no access restrictions were added and users may see information about content that they do not normally have access to see. This issue only affects sites using an entity access module to limit access to content for some users.

Versions affected
  • Linkit 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Linkit module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Linkit module for Drupal 7.x, upgrade to Linkit 7.x-2.3

Also see the Linkit project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass

2012. április 25. 21.26
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-066
  • Project: Spaces (third-party module)
  • Version: 6.x
  • Date: 2012-April-25
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Spaces is an API module intended to make configuration options generally avaliable only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site.

The spaces and spaces_og modules (part of the spaces package) in some cases do not apply the expected spaces access permission to pages that are non-objects (e.g. /node)

This vulnerability is mitigated by the fact that node_access and user profile permissions will prevent node or user data from being exposed, but other information (e.g. block data,etc) is still displayed. This issue only affects sites using spaces to limit access to content for some users.

Versions affected
  • Spaces 6.x-3.x versions prior to 6.x-3.4.

Drupal core is not affected. If you do not use the contributed Spaces module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.4

Also see the Spaces project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Kategóriák: Biztonsági figyelmeztetések

Oldalak