MenuMenu

Feed aggregator

Services - Critical - Multiple Vulnerabilites - SA-CONTRIB-2015-096

Project Security Advisories - Wed, 04/15/2015 - 2:18pm
Description

Services module enables you to expose an API to third party systems.

Access bypass (file upload and execution)

The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File > Create" resource must be enabled and an attacker must have a role with the Services "Save file information" permission.

Private fields information displayed

Services does not check field_access when displaying entities so some private field information may be displayed. This vulnerability only affects sites using the field access system (for example, via the Field Permissions module) to hide fields from anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Services 7.x-3.x versions prior to 7.x-3.12.

Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.

Solution

Install the latest version of Services: Services 7.x-3.12.

As a reminder, Services for Drupal 6 is no longer maintained.

Also see the Services project page.

Reported by Access Bypass/file upload Private fields information displayed Fixed by Access Bypass/file upload Private fields information displayed Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Display Suite - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-095

Project Security Advisories - Wed, 04/15/2015 - 10:30am
Description

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker has to be able to configure field display settings, which usually needs a higher level permission such as administer taxonomy.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Display Suite version 7.x-2.7. Versions prior to Display Suite 7.x-2.7 are not vulnerable.

Drupal core is not affected. If you do not use the contributed Display Suite module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Display Suite project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094

Project Security Advisories - Wed, 04/08/2015 - 11:53am
Description

CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission.

The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to delete reports by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CiviCRM private report 6.x-1.x versions prior to 6.x-1.2.
  • CiviCRM private report 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed CiviCRM private report module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CiviCRM private report project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093

Project Security Advisories - Wed, 04/01/2015 - 1:16pm
Description

This module enables the import of users into Drupal, or the update of existing users, with data from a CSV file (comma separated file).

Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to request certain URLs, thereby leading to a Cross Site Request Forgery (CSRF) vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • User Import 6.x-4.x versions prior to 6.x-4.4
  • User Import 7.x-2.x versions prior to 7.x-2.3

Drupal core is not affected. If you do not use the contributed User Import module, there is nothing you need to do.

Solution

Install the latest version:

Also see the User Import project page.

Reported by Fixed by
  • Robert Castelo module maintainer and member of the Drupal Security Team
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Open Graph Importer - Moderately Critical - Access bypass - Unsupported - SA-CONTRIB-2015-092

Project Security Advisories - Wed, 04/01/2015 - 12:11pm
Description

This module enables you to import content from a web page by scraping its Open Graph data.

The module doesn't sufficiently check for "create" permission to the content type that is configured as the destination for imported content, thus allowing a user with the "import og_tag_importer" permission to create content regardless of other permissions.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • og_tag_importer 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Open Graph Importer module,
there is nothing you need to do.

Solution

Disable the module. There is no safe version of the module to use.

Also see the Open Graph Importer project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091

Project Security Advisories - Wed, 04/01/2015 - 11:06am
Description

Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search.

The module doesn't sufficiently sanitize the entered search query, thereby exposing a XSS vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially-crafted URL.

This is mitigated by the fact that only sites with the option "Append the keywords passed by the user to the list" disabled are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Current Search Links 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Current Search Links module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Current Search Links project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Password Policy - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-090

Project Security Advisories - Wed, 04/01/2015 - 10:52am
Description

The Password Policy module allows enforcing restrictions on user passwords by defining password policies.

The module doesn't sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that only sites with a policy that uses the username constraint are affected. Also, only sites importing users from an external source (like distributed authentication) may allow non-standard usernames that might contain malicious characters, as Drupal core has validation when creating users via the user interface.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password Policy 6.x-1.x versions prior to 6.x-1.11.
  • Password Policy 7.x-1.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Password policy project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

EntityBulkDelete - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-089

Project Security Advisories - Wed, 04/01/2015 - 10:48am
Description

EntityBulkDelete module allows you to delete entities in bulk using the Batch API.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must be allowed to create/edit comments, create/edit taxonomy terms or create/edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • EntityBulkDelete 7.x-1.0

Drupal core is not affected. If you do not use the contributed EntityBulkDelete module, there is nothing you need to do.

Solution

Install the latest version:

Also see the EntityBulkDelete project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Imagefield Info - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-088

Project Security Advisories - Wed, 04/01/2015 - 10:43am
Description

Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer image styles".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Imagefield Info 7.x-1.x versions prior to 7.x-1.2

Drupal core is not affected. If you do not use the contributed Imagefield Info module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Imagefield Info project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Ubercart Webform Checkout Pane - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-087

Project Security Advisories - Wed, 03/25/2015 - 12:24pm
Description

Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit Ubercart products or webforms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Ubercart Webform Checkout Pane module

Drupal core is not affected. If you do not use the contributed Ubercart Webform Checkout Pane module, there is nothing you need to do.

Solution

If you use the Ubercart Webform Checkout Pane module you should uninstall it.

Also see the Ubercart Webform Checkout Pane project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Decisions - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-086

Project Security Advisories - Wed, 03/25/2015 - 12:20pm
Description

Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools.

The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Decisions module

Drupal core is not affected. If you do not use the contributed Decisions module, there is nothing you need to do.

Solution

If you use the Decisions module you should uninstall it.

Also see the Decisions project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

Invoice - Moderately Critical - Multiple vulnerabilities - Unsupported - SA-CONTRIB-2015-085

Project Security Advisories - Wed, 03/25/2015 - 12:14pm
Description

Invoice module allows you to create invoices in Drupal.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create, delete and alter invoices by getting their browser to make a request to a specially-crafted URL.

The XSS vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own invoices" and be able to create/edit nodes of the "Invoice" content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Invoice module

Drupal core is not affected. If you do not use the contributed Invoice module, there is nothing you need to do.

Solution

If you use the Invoice module you should uninstall it.

Also see the Invoice project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084

Project Security Advisories - Wed, 03/25/2015 - 12:08pm
Description

Linear Case module allows you to organize Closed Question documents in case studies.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to edit/create Linear Case nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Linear Case 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Linear Case module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Linear Case project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

Webform Multiple File Upload - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-083

Project Security Advisories - Wed, 03/25/2015 - 12:03pm
Description

Webform Multiple File Upload module enables you to upload multiple files at once in webforms.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with edit access to webforms to delete files by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform Multiple File Upload 6.x-1.x versions prior to 6.x-1.3.
  • Webform Multiple File Upload 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Multiple File Upload project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Crumbs - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-082

Project Security Advisories - Wed, 03/25/2015 - 11:56am
Description

This module enables you to add navigation to your webpages colloquially referred to as "breadcrumbs".

The module doesn't sufficiently sanitize custom HTML separators for breadcrumbs, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Crumbs".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Crumbs 7.x-2.x versions prior to 7.x-2.3

Drupal core is not affected. If you do not use the contributed Crumbs module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Crumbs module for Drupal 7.x, upgrade to Crumbs 7.x-2.3

Also see the Crumbs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Petition - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-081

Project Security Advisories - Wed, 03/25/2015 - 11:50am
Description

The Petition module enables you to create petitions which users may sign.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create petition".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Petition 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Petition module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Petition project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001

Core Security Advisories - Wed, 03/18/2015 - 2:04pm
Description Access bypass (Password reset URLs - Drupal 6 and 7)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password.

In Drupal 7, this vulnerability is mitigated by the fact that it can only be exploited on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. In Drupal 6, it can additionally be exploited on sites where administrators have created multiple new user accounts with the same password via the administrative interface, or where accounts have been imported or programmatically edited in a way that results in the password hash in the database being empty for at least one user account.

Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value.

Open redirect (Several vectors including the "destination" URL parameter - Drupal 6 and 7)

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities.

This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using Drupal 7's form API are vulnerable via the Cancel action that appears at the bottom of the form, and some Drupal 6 confirmation forms are vulnerable too.

CVE identifier(s) issued
  • Access bypass via password reset URLs: CVE-2015-2559
  • Open redirect via the "destination" URL parameter: CVE-2015-2749
  • Open redirect via URL-related API functions: CVE-2015-2750
Versions affected
  • Drupal core 6.x versions prior to 6.35
  • Drupal core 7.x versions prior to 7.35
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Fixed by

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Core Security Advisories - Wed, 11/19/2014 - 1:21pm
Description Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued
  • Session hijacking (Drupal 6 and 7): CVE-2014-9015
  • Denial of service (Drupal 7): CVE-2014-9016
Versions affected
  • Drupal core 6.x versions prior to 6.34.
  • Drupal core 7.x versions prior to 7.34.
Solution

Install the latest version:

If you have configured a custom session.inc file for your Drupal 6 or Drupal 7 site you also need to make sure that it is not prone to the same session hijacking vulnerability disclosed in this security advisory.

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability disclosed in this security advisory. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113

Also see the Drupal core project page.

Reported by

Session hijacking:

Denial of service:

Fixed by

Session hijacking:

Denial of service:

Coordinated by
  • The Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Edits to this advisory since publishing
  • Edited to mention the effect on sites that have configured a custom session.inc file.
Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2014-005 - Drupal core - SQL injection

Core Security Advisories - Wed, 10/15/2014 - 12:02pm
Description

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

Update: Multiple exploits have been reported in the wild following the release of this security advisory, and Drupal 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: https://www.drupal.org/PSA-2014-003

CVE identifier(s) issued

  • CVE-2014-3704
Versions affected
  • Drupal core 7.x versions prior to 7.32.
Solution

Install the latest version:

If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page and the follow-up public service announcement.

Reported by
  • Stefan Horst
Fixed by Coordinated by Contact and More Information

We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Edits to this advisory since publishing
  • Updated risk factor from 20/25 to 25/25 once exploits did appear
  • Edited to add link to PSA.
Drupal version: Drupal 7.x

SA-CORE-2014-004 - Drupal core - Denial of service

Core Security Advisories - Wed, 08/06/2014 - 1:41pm
Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued
  • CVE-2014-5265 has been issued for the code changes in xmlrpc.inc which prevent entity declarations and therefore address the "vulnerable to an XML entity expansion attack ... can cause CPU and memory exhaustion" concern.
  • CVE-2014-5266 has been issued for the "Skip parsing if there is an unreasonably large number of tags" in both xmlrpc.inc and xrds.inc.
  • CVE-2014-5267 has been issued for the code change to reject any XRDS document with a /<!DOCTYPE/i match.
Versions affected
  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.
Solution

Install the latest version:

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

Also see the Drupal core project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x

Pages