Biztonsági figyelmeztetések

Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022

Biztonsági figyelmeztetések (contrib) - 2016. április 20. 15.31
Description

This module enables you to build searches using a wide range of features, data sources and backends.

Search index not updated by node access changes

The module doesn't sufficiently re-index nodes when using the "Node access" or "Access check" data alterations and non-standard ways of changing node access are used. This could lead to nodes or comments being listed in search results to which the visitor viewing the results should not have access.

This vulnerability is mitigated by the fact that this only occurs in uncommon setups, and that only nodes that were already accessible to the user at some point can be displayed.

XSS vulnerability in Views search results

The module doesn't sufficiently sanitize field values returned directly from the search server (e.g., Solr).

This vulnerability is mitigated by the fact that several components/modules need to be configured in a specific way to allow this vulnerability to be exploited.

Doesn't check for "access comments" permission when searching for comments

The module doesn't sufficiently check the user's permissions when comments are searched.

This vulnerability is mitigated by the fact that it only occurs in specific site configurations:

  • A search index with item type "Comment".
  • Using the "Access check" data alteration for protection.
  • The site allowing certain users to view content (nodes), but not comments.
  • A search page for the comment index must be accessible for these users.
CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API 7.x-1.x versions prior to 7.x-1.18.

Drupal core is not affected. If you do not use the contributed Search API module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Boost - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-021

Biztonsági figyelmeztetések (contrib) - 2016. április 13. 20.30
Description

This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic.

The module doesn't prevent form cache from leaking between anonymous users which could result in information disclosure, where one user sees form data generated for another.

This vulnerability is mitigated by the fact that it only affects AJAX forms which expose sensitive data to anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Boost 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Boost module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Boost module for Drupal 7.x, upgrade to Boost 7.x-1.1

Also see the Boost project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Features - Less Critical - Denial of Service (DoS) - SA-CONTRIB-2016-020

Biztonsági figyelmeztetések (contrib) - 2016. április 13. 17.50
Description

This module enables you to organize and export configuration data.

The module doesn't sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin with the "manage features" permission to request a special URL, it could lead to clearing the cache repeatedly and a Denial of Service (DoS) attack.

This vulnerability is mitigated by the fact that the admin with the "manage features" permissions must be logged in when they request the special URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Features 7.x-2.x versions prior to 7.x-2.9.
  • Features 7.x-1.x which is no longer supported.

Drupal core is not affected. If you do not use the contributed Features module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Features project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Drupal Commerce - Less Critical - Information disclosure - SA-CONTRIB-2016-019

Biztonsági figyelmeztetések (contrib) - 2016. április 6. 18.16
Description

This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field's autocomplete widget. As you type in the textfield, the Commerce Product module returns a JSON array of matching product SKUs / titles for you to select.

The module doesn't sufficiently restrict access to the autocomplete path under the default configuration of the field. A visitor to the website could browse directly to the autocomplete path to see a list of products that would ordinarily be returned to the autocomplete JavaScript to populate the autocomplete dropdown. Default parameters on the function used to generate this list cause it to bypass the product access control check that would ordinarily restrict product visibility to end users based on your site's permissions.

This vulnerability is mitigated by the fact that an attacker must know what the autocomplete path is and what arguments to include in it to generate a valid response based on your site's architecture. Additionally, in most eCommerce sites, product SKUs and titles are not by themselves considered private information.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.13.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commerce project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

HybridAuth - Less critical - Multiple vulnerabilities - SA-CONTRIB-2016-018

Biztonsági figyelmeztetések (contrib) - 2016. április 6. 17.13
Description

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.

Open redirect

The module doesn't verify the "destination" redirect after a login to be a non-external URL causing an open redirect vulnerability. This vulnerability can be used by any attacker crafting a special login link.

Information disclosure

The module doesn't check the tokens in the "destination" redirect value allowing an attacker to specify arbitrary tokens. Any token value is exposed in the redirect URL.

This vulnerability is mitigated by the fact that there must be secret data on the site that is exposed through the token system (for example an access protected field). An attacker must have a knowledge on what fields/tokens contain secret information.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.15.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x