Biztonsági figyelmeztetések

High-performance JavaScript callback handler - Highly Critical - Multiple vulnerabilities - SA-CONTRIB-2016-063

Biztonsági figyelmeztetések (contrib) - 2016. december 7. 18.57
Description

The High-performance JavaScript callback handler module is a light weight callback to bypass most, if not all, of Drupal's bootstrapping process to achieve improved performance.

The module does not sufficiently check whether or not a callback is being properly accessed or filtering for potential XSS or CSRF exploits.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • High-performance JavaScript callback handler (js) 7.x-1.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed High-performance JavaScript callback handler module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the js module for Drupal 7.x, upgrade to js 7.x-2.1

Note: this upgrade is not backwards compatible with 7.x-1.x. Existing contrib and custom module implementations of this API will either need to be upgraded, replaced or removed.

Also see the High-performance JavaScript callback handler project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Elysia Cron - Critical - Arbitrary PHP code execution - SA-CONTRIB-2016-062

Biztonsági figyelmeztetések (contrib) - 2016. november 30. 20.36
Description

This module enables you to manage cron jobs.

The module allows users with the permission "Administer elysia cron" to execute arbitrary PHP code via cron.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron". This permission is not marked as "restricted".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Elysia cron 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Elysia Cron module, there is nothing you need to do.

Solution

Revoke the permission "Administer elysia cron" for untrusted users.

Elysia cron 7.x-2.4 and up will indicate that the permission is restricted.

Also see the Elysia Cron project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-005

Biztonsági figyelmeztetések (core) - 2016. november 16. 18.37
Description Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)

Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. Otherwise information on taxonomy terms might have been disclosed to unprivileged users.

Incorrect cache context on password reset page (Less critical - Drupal 8)

The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.

Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)

Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.

Denial of service via transliterate mechanism (Moderately critical - Drupal 8)

A specially crafted URL can cause a denial of service via the transliterate mechanism.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 7.x versions prior to 7.52
  • Drupal core 8.x versions prior to 8.2.3
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Inconsistent name for term access query:

Incorrect cache context on password reset page:

Confirmation forms allow external URLs to be injected:

Denial of service via transliterate mechanism:

Fixed by

Inconsistent name for term access query:

Incorrect cache context on password reset page:

Confirmation forms allow external URLs to be injected:

Denial of service via transliterate mechanism:

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.xDrupal 8.x

Views Send - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-061

Biztonsági figyelmeztetések (contrib) - 2016. november 9. 19.01
Description

The Views Send module enables you to send mail to multiple users from a View.

The module doesn't sufficiently filter potential user-supplied data when previewing the e-mail which can lead to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "mass mailing with views_send".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views Send 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Views Send module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Views Send project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Workbench Moderation - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-060

Biztonsági figyelmeztetések (contrib) - 2016. november 2. 21.40
Description

This module enables you to create and manage custom editorial workflows around a site's content.

The module could result in unpublished content being temporarily made visible via content lists, e.g. as generated by Views, when its editorial status was being changed, e.g. from "draft" to "needs work".

This vulnerability is mitigated by the fact that the content lists must be regenerated at exactly the moment when a person saves the node.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Workbench Moderation 7.x-1.x versions and 7.x-3.x versions prior to 7.x-3.0.

Drupal core is not affected. If you do not use the contributed Workbench Moderation module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Workbench Moderation project page.

Reported by Fixed by Coordinated by
  • The Drupal Security Team.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

D8 Editor File upload - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-059

Biztonsági figyelmeztetések (contrib) - 2016. november 2. 20.38
Description

This module enables you to upload files directly within the CKEditor and create a link to download the given file.

The module doesn't sufficiently check the uploaded file extensions when the allowed extensions list is not the default one.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to use a text filter that enables this CKEditor plugin and does not use the default allowed extensions.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • D8 Editor File Upload 8.x-1.x versions prior to 8.x-1.2.

Drupal core is not affected. If you do not use the contributed D8 Editor File upload module, there is nothing you need to do.

Solution

Install the latest version:

Also see the D8 Editor File upload project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058

Biztonsági figyelmeztetések (contrib) - 2016. november 2. 19.04
Description

The Bootstrap theme enables you to integrate the Bootstrap framework with Drupal.

The theme does not sufficiently filter potential user-supplied data when it's passed to certain templates can which lead to a Persistent Cross Site Scripting (XSS) vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Bootstrap 7.x-3.x versions prior to 7.x-3.7

Drupal core is not affected. If you do not use the contributed Bootstrap theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Bootstrap theme from the 7.x-3.x branch, upgrade to Bootstrap 7.x-3.8

Also see the Bootstrap project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Profile 2 Registration Path - Critical - Unsupported - DRUPAL-SA-CONTRIB-2015-057

Biztonsági figyelmeztetések (contrib) - 2016. november 2. 18.47
Description

This module enables administrators to set unique registration paths per Profile2 profile type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
    All versions are affected.

Drupal core is not affected. If you do not use the contributed Profile2 Registration Path module, there is nothing you need to do.

Solution

Uninstall the module

Also see the Profile2 Registration Path project page.

Reported by Fixed by

N/A

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Like/Dislike - Critical - Unsupported- SA-CONTRIB-2016-056

Biztonsági figyelmeztetések (contrib) - 2016. november 2. 18.38
Description

Like/Dislike module can be used to Like and Dislike actions on any content. It is powered by Drupal field concept.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of like/dislike module.

Drupal core is not affected. If you do not use the contributed Like/Dislike module, there is nothing you need to do.

Solution

If you use the like/dislike module for Drupal 7.x you should uninstall it.

Also see the Like/Dislike project page.

Reported by Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Menu Views - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-055

Biztonsági figyelmeztetések (contrib) - 2016. november 2. 18.21
Description

This module enables users to create menu items that render views instead of links. This is useful for creating "mega-menus".

The module doesn't sufficiently filter title and breadcrumb fields for possible cross-site scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer menu views".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Menu Views 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Menu Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Menu Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054

Biztonsági figyelmeztetések (contrib) - 2016. október 26. 18.20
Description

This module enables you to run NCBI BLAST jobs on the host system.

The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run.

This vulnerability only requires the attacker to have minimal permissions on the site (for example, "View published content") and therefore can be exploited by untrusted or unauthenticated users in most cases.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Tripal BLAST UI 7.x-1.x versions prior to 7.x-1.2

Drupal core is not affected. If you do not use the contributed Tripal BLAST UI module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Tripal BLAST UI project page.

Reported by Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Webform - Less Critical - Access Bypass - SA-CONTRIB-2016-053

Biztonsági figyelmeztetések (contrib) - 2016. október 19. 16.27
Description

This module provides a user interface to create and configure forms called Webforms.

When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed which could allow access to be granted by other modules.

The vulnerability is mitigated by the fact that another module has to explicitly grant access to those files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform 7.x-3.x versions prior to 7.x-3.25.
  • Webform 7.x-4.x is unaffected.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

If you use webform-7.x-3.x you may …

Also see the Webform project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052

Biztonsági figyelmeztetések (contrib) - 2016. október 12. 16.08
Description

This module enables you to manage cron jobs.

The module doesn't sufficiently sanitize the cron rules which are entered into "Predefined rules" field thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Elysia Cron 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Elysia Cron module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Elysia Cron project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004

Biztonsági figyelmeztetések (core) - 2016. szeptember 21. 18.35
Description

Users who have rights to edit a node, can set the visibility on comments for that node.

Description

Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical)

Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.

Cross-site Scripting in http exceptions (critical)

An attacker could create a specially crafted url, which could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception

Full config export can be downloaded without administrative permissions (critical)
The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

8.x

Solution

Upgrade to Drupal 8.1.10

Reported by

Users without "Administer comments" can set comment visibility on nodes they can edit.

XSS in http exceptions

Full config export can be downloaded without administrative permissions

Fixed by

Users without "Administer comments" can set comment visibility on nodes they can edit.

XSS in http exceptions

Full config export can be downloaded without administrative permissions

Coordinated by

The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

Flag Lists - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-051

Biztonsági figyelmeztetések (contrib) - 2016. szeptember 7. 19.45
Description

This module enables regular users to create unlimited private flags called lists.

The flag_lists module doesn't sufficiently filter the output when applying token strings to flag_lists links leading to a persistent Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the "Create flag lists" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • flag_lists 7.x-3.x versions prior to 7.x-3.1.
  • flag_lists 7.x-1.x versions prior to 7.x-1.3.

Please note that there are two different versions available of the flag_lists module. One 7.x-3.x which is used together with flag 7.x-3.x and one for the earlier flag module prior to 7.x-3.x.

Drupal core is not affected. If you do not use the contributed Flag lists module, there is nothing you need to do.

Drupal core is not affected. If you do not use the contributed Flag Lists module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag Lists project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050

Biztonsági figyelmeztetések (contrib) - 2016. augusztus 31. 19.23
Description

Flag enables users to mark content with any number of admin-defined flags, such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag, which provides a 'bookmarks' flag, and default views to list bookmarked content.

The provided view that lists each user's bookmarked content as a tab on their user profile has for its access control the permission to use the 'bookmarks' flag. This means that any user who has permission to use the 'bookmarks' flag can see the list of content that any user has bookmarked.

This vulnerability is mitigated by the fact that the site must have enabled the Flag Bookmark module to create this view, and an attacker must have a role with the permission "Flag node entities as bookmarks".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Flag 7.x-3.x versions prior to 7.x-3.8.

Drupal core is not affected. If you do not use the contributed Flag module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.8

If you have Flag Bookmark enabled, or have enabled it in the past and still have the flag_bookmarks_tab view active, edit this and change the User: uid contextual filter's as follows:

  1. set the validator to 'Current user ID matches argument value'
  2. set the action to take if the filter value does not validate to 'Show "Page not found"'.

Also see the Flag project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Workbench Scheduler - Moderately Critical - Access Bypass - SA-CONTRIB-2016-049

Biztonsági figyelmeztetések (contrib) - 2016. augusztus 24. 16.47
Description

Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another.

An authenticated user could add a schedule to a node even when that content type has schedules disabled.

The vulnerability is mitigated by the fact that a attacker must have access to an account in the system with permission to edit content and create schedules. Also, only sites with a specific combination of permissions and modules are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Workbench Scheduler 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Workbench Scheduler module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Workbench Scheduler project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x