The Gold Coast Media Security Feed aggregates security feeds for popular frameworks and applications to provide an easy way of staying up-to-date with the latest security bulletins. It currently displays daily updates for for Drupal, MODx, Magento and Wordpress.

Version Feed | Security Feed

Latest Version

Name Latest Version Date
Drupal 7

7.41

Wed, 21 Oct 2015 23:39:37 GMT

Magento

1.9.1.0

Fri, 25 Sep 2015 23:35:51 GMT

MODx Evolution

1.0.15

Wed, 14 Oct 2015 23:39:24 GMT

MODx Revolution

2.4.2-pl

Wed, 7 Oct 2015 23:37:00 GMT

Wordpress

4.3.1

Tue, 15 Sep 2015 23:36:18 GMT

Security News

Headline Date
Drupal Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004

Wed, 21 Oct 2015 20:16:50 BST

Details

Description

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

An incomplete fix for this issue was released as part of SA-CORE-2015-002.

CVE identifier(s) issued

  • CVE-2015-7943

Versions affected

  • Drupal core 7.x versions prior to 7.41.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
WordPress 4.3.1 Security and Maintenance Release

Tue, 15 Sep 2015 16:22:37 BST

Details

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.3.1 also fixes twenty-six bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.

Thanks to everyone who contributed to 4.3.1:

Adam Silverstein, Andrea FerciaAndrew Ozz, Boone Gorges, Brandon Kraft, chriscct7, Daisuke Takahashi, Dion Hulse, Dominik Schilling, Drew Jaynes, dustinbolton, Gary Pendergast, hauvong, James Huff, Jeremy Felt, jobst, Marin Atanasov, Nick Halsey, nikeo, Nikolay Bachiyski, Pascal Birchler, Paul Ryan, Peter Wilson, Robert Chapin, Samuel Wood, Scott Taylor, Sergey Biryukov, tmatsuur, Tracy Levesque, Umesh Nevase, vortfu, welcher, Weston Ruter

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003

Wed, 19 Aug 2015 20:27:05 BST

Details

This security advisory fixes multiple vulnerabilities. See below for a list.

Cross-site Scripting - Ajax system - Drupal 7

A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting - Autocomplete system - Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

SQL Injection - Database API - Drupal 7

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Cross-site Request Forgery - Form API - Drupal 6 and 7

A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.

This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Information Disclosure in Menu Links - Access system - Drupal 6 and 7

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

CVE identifier(s) issued

  • Cross-site Scripting (Ajax system - Drupal 7): CVE-2015-6665
  • Cross-site Scripting (Autocomplete system - Drupal 6 and 7): CVE-2015-6658
  • SQL Injection (Database API - Drupal 7): CVE-2015-6659
  • Cross-site Request Forgery (Form API - Drupal 6 and 7): CVE-2015-6660
  • Information Disclosure in Menu Links (Access system - Drupal 6 and 7): CVE-2015-6661

Versions affected

  • Drupal core 6.x versions prior to 6.37
  • Drupal core 7.x versions prior to 7.39

Solution

Install the latest version:

Also see the Drupal core project page.

Credits

Cross-site Scripting - Ajax system - Drupal 7

Reported by

Fixed by

Cross-site Scripting - Autocomplete system - Drupal 6 and 7

Reported by

Fixed by

SQL Injection - Database API - Drupal 7

Reported by

Fixed by

Cross-site Request Forgery - Form API - Drupal 6 and 7

Reported by

Fixed by

Information Disclosure in Menu Links - Access system - Drupal 6 and 7

Reported by

Fixed by

Coordinated by

  • Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
WordPress 4.2.4 Security and Maintenance Release

Tue, 04 Aug 2015 13:10:40 BST

Details

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.4 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.4.

Already testing WordPress 4.3? The second release candidate is now available (zip) and it contains these fixes. For more on 4.3, see the RC 1 announcement post.

WordPress 4.2.3 Security and Maintenance Release

Thu, 23 Jul 2015 12:21:10 BST

Details

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.

Thanks to everyone who contributed to 4.2.3:

Aaron Jorbin, Andrew Nacin, Andrew Ozz, Boone Gorges, Chris Christoff, Dion Hulse, Dominik Schilling, Ella Iseulde Van Dorpe, Gabriel Pérez, Gary Pendergast, Mike Adams, Robert Chapin, Nikolay Bachiyski, Ross Wintle, and Scott Taylor.

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002

Wed, 17 Jun 2015 17:12:25 BST

Details

Description

Impersonation (OpenID module - Drupal 6 and 7 - Critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).

Open redirect (Field UI module - Drupal 7 - Less critical)

The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed CCK module: SA-CONTRIB-2015-126

Open redirect (Overlay module - Drupal 7 - Less critical)

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

Information disclosure (Render cache system - Drupal 7 - Less critical)

On sites utilizing Drupal 7's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users.

This vulnerability is mitigated by the fact that render caching is not used in Drupal 7 core itself (it requires custom code or the contributed Render Cache module to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Drupal core).

CVE identifier(s) issued

  • Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234
  • Open redirect (Field UI module - Drupal 7): CVE-2015-3232
  • Open redirect (Overlay module - Drupal 7: CVE-2015-3233
  • Information disclosure (Render cache system - Drupal 7): CVE-2015-3231

Versions affected

  • Drupal core 6.x versions prior to 6.36
  • Drupal core 7.x versions prior to 7.38

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Impersonation in the OpenID module:

Open redirect in the Field UI module:

Open redirect in the Overlay module:

Information disclosure in the render cache system:

Fixed by

Impersonation in the OpenID module:

Open redirect in the Field UI module:

Open redirect in the Overlay module:

Information disclosure in the render cache system:

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
WordPress 4.2.2 Security and Maintenance Release

Thu, 07 May 2015 03:24:10 BST

Details

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi from Baidu[X-team].

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Thanks to everyone who contributed to 4.2.2:

Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.

WordPress 4.2.1 Security Release

Mon, 27 Apr 2015 19:34:51 BST

Details

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

WordPress 4.1.2 Security Release

Tue, 21 Apr 2015 14:44:58 BST

Details

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

Thanks to everyone who contributed to 4.1.2: Allan Collins, Alex Concha, Andrew Nacin, Andrew Ozz, Ben Bidner, Boone Gorges, Dion Hulse, Dominik Schilling, Drew Jaynes, Gary Pendergast, Helen Hou-Sandí, John Blackbourn, and Mike Adams.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001

Wed, 18 Mar 2015 18:04:56 GMT

Details

Description

Access bypass (Password reset URLs - Drupal 6 and 7)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password.

In Drupal 7, this vulnerability is mitigated by the fact that it can only be exploited on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. In Drupal 6, it can additionally be exploited on sites where administrators have created multiple new user accounts with the same password via the administrative interface, or where accounts have been imported or programmatically edited in a way that results in the password hash in the database being empty for at least one user account.

Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value.

Open redirect (Several vectors including the "destination" URL parameter - Drupal 6 and 7)

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities.

This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using Drupal 7's form API are vulnerable via the Cancel action that appears at the bottom of the form, and some Drupal 6 confirmation forms are vulnerable too.

CVE identifier(s) issued

  • Access bypass via password reset URLs: CVE-2015-2559
  • Open redirect via the "destination" URL parameter: CVE-2015-2749
  • Open redirect via URL-related API functions: CVE-2015-2750

Versions affected

  • Drupal core 6.x versions prior to 6.35
  • Drupal core 7.x versions prior to 7.35

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Fixed by

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

WordPress 4.0.1 Security Release

Thu, 20 Nov 2014 18:55:18 GMT

Details

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos. Reported by Chris Andrè Dale.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.0.1 or venture over to Dashboard → Updates and simply click “Update Now”.

Already testing WordPress 4.1? The second beta is now available (zip) and it contains these security fixes. For more on 4.1, see the beta 1 announcement post.

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Wed, 19 Nov 2014 18:21:51 GMT

Details

Description

Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued

  • Session hijacking (Drupal 6 and 7): CVE-2014-9015
  • Denial of service (Drupal 7): CVE-2014-9016

Versions affected

  • Drupal core 6.x versions prior to 6.34.
  • Drupal core 7.x versions prior to 7.34.

Solution

Install the latest version:

If you have configured a custom session.inc file for your Drupal 6 or Drupal 7 site you also need to make sure that it is not prone to the same session hijacking vulnerability disclosed in this security advisory.

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability disclosed in this security advisory. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113

Also see the Drupal core project page.

Reported by

Session hijacking:

Denial of service:

Fixed by

Session hijacking:

Denial of service:

Coordinated by

  • The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Edits to this advisory since publishing

  • Edited to mention the effect on sites that have configured a custom session.inc file.
Drupal version: 
SA-CORE-2014-005 - Drupal core - SQL injection

Wed, 15 Oct 2014 17:02:50 BST

Details

Description

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

Update: Multiple exploits have been reported in the wild following the release of this security advisory, and Drupal 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: https://www.drupal.org/PSA-2014-003

CVE identifier(s) issued

  • CVE-2014-3704

Versions affected

  • Drupal core 7.x versions prior to 7.32.

Solution

Install the latest version:

If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page and the follow-up public service announcement.

Reported by

  • Stefan Horst

Fixed by

Coordinated by

Contact and More Information

We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Edits to this advisory since publishing

  • Updated risk factor from 20/25 to 25/25 once exploits did appear
  • Edited to add link to PSA.
Drupal version: 
WordPress 3.9.2 Security Release

Wed, 06 Aug 2014 20:04:27 BST

Details

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It  was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.

WordPress 3.9.2 also contains other security changes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”.

Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.)

Already testing WordPress 4.0? The third beta is now available (zip) and it contains these security fixes.

SA-CORE-2014-004 - Drupal core - Denial of service

Wed, 06 Aug 2014 18:41:46 BST

Details

Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued

  • CVE-2014-5265 has been issued for the code changes in xmlrpc.inc which prevent entity declarations and therefore address the "vulnerable to an XML entity expansion attack ... can cause CPU and memory exhaustion" concern.
  • CVE-2014-5266 has been issued for the "Skip parsing if there is an unreasonably large number of tags" in both xmlrpc.inc and xrds.inc.
  • CVE-2014-5267 has been issued for the code change to reject any XRDS document with a /<!DOCTYPE/i match.

Versions affected

  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.

Solution

Install the latest version:

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at href="http://drupal.org/contact">http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, href="http://drupal.org/writing-secure-code">writing secure code for Drupal, and href="http://drupal.org/security/secure-configuration">securing your site.

Drupal version: 
Critical Login XSS+CSRF Revolution 2.2.1.4 and Prior

Wed, 16 Jul 2014 16:02:20 BST

Details
Product: MODX Revolution
Severity: Critical
Versions: 2.0.0–2.2.14
Vulnerability type: CSRF & XSS
Report date: 2014-Jul-10
Fixed date: 2014-Jul-15

Description
A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user's CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.

Affected Releases
All MODX Revolution releases prior to and including 2.2.14.

Solution
Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.

Acknowledgement
We would like to thank Narendra Bhati, of Suma Soft for bringing this issue to our attention.

Additional Information
For additional information, please use the MODX Contact Form
SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

Wed, 16 Jul 2014 15:48:30 BST

Details
  • Advisory ID: DRUPAL-SA-CORE-2014-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.

Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

CVE identifier(s) issued

  • Denial of service (Base system - Drupal 6 and 7 - Critical): CVE-2014-5019
  • Access bypass (File module - Drupal 7 - Critical): CVE-2014-5020
  • Cross-site scripting (Form API - Drupal 6 and 7 - Moderately critical): CVE-2014-5021
  • Cross-site scripting (Ajax system - Drupal 7 - Moderately critical): CVE-2014-5022

Versions affected

  • Drupal core 6.x versions prior to 6.32.
  • Drupal core 7.x versions prior to 7.29.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

  • The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
  • The access bypass vulnerability in the File module was reported by Ivan Ch.
  • The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
  • The cross-site scripting vulnerability in the Ajax system was reported by mani22test.

Fixed by

  • The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the Drupal Security Team.
  • The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by Drupal Security Team members David Rothstein, Heine Deelstra and David Snopek.
  • The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the Drupal Security Team.
  • The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the Drupal Security Team.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Important Update to AjaxSearch Exploit in Evo 1.0.13 (and prior)

Tue, 10 Jun 2014 15:22:37 BST

Details
Last week we announced an exploit found in AjaxSearch that could allow a Remote Code Execution in MODX Evolution.

We originally suggested the removal of the index-ajax.php file was a sufficient method to protect your site from vulnerability. It has come to our attention that this was not correct. The correct methods to close this vulnerability are: remove all AjaxSearch files (if you don't use this snippet on your site), upgrade the AjaxSearch files to 1.10.1, or upgrade to Evolution 1.0.14.

Please share this message to ensure every Evo site owner knows.
MODX Evolution 1.0.13 (and prior) AjaxSearch Vulnerability

Mon, 09 Jun 2014 17:36:33 BST

Details
Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: <=1.0.13
Vulnerabilty Type: Remote Code Execution
Report Date: 2014-May-29
Fixed Date: 2014-June-5

Description
The AjaxSearch component distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows remote code execution.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.13 (with AjaxSearch installed) are affected.

Solutions
There are two ways to resolve or mitigate the issue:

  1. Upgrade AjaxSearch to version 1.10.1
  2. Upgrade to MODX Evolution 1.0.14.

NOTE
A special thanks to Semko Vitaliy for identifying the vector and community member Thomas Jakobi for the resolution.
MODX Revolution 2.2.13 (and prior) Blind SQL Injection

Mon, 21 Apr 2014 16:18:45 BST

Details
Product: MODX Revolution
Severity: Critical
Versions: 2.0.0–2.2.13
Vulnerability type: SQL Injection
Report date: 2014-Mar-10
Fixed date: 2014-Apr-04

Description
Multiple vulnerabilities were discovered in MODX Revolution that allow users to inject and manipulate the database. This includes an issue exploitable through the session ID supplied by the user and is exploitable without authentication. Another issue relates to messaging and connectors for authenticated users.

Affected Releases
All MODX Revolution releases prior to and including 2.2.13.

Solution
Upgrade to MODX Revolution 2.2.14. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.

Acknowledgement
We would like to thank Craig Arendt, of Stratum Security for bringing this issue to our attention.

Additional Information
For additional information, please use the MODX Contact Form
SA-CORE-2014-002 - Drupal core - Information Disclosure

Wed, 16 Apr 2014 20:50:51 BST

Details
  • Advisory ID: DRUPAL-SA-CORE-2014-002
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-April-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

Description

Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.

When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.

This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.

Note: This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by Drupal or by an external system). See the Drupal 6.31 release notes and Drupal 7.27 release notes for more information.

CVE identifier(s) issued

  • CVE-2014-2983

Versions affected

  • Drupal core 6.x versions prior to 6.31.
  • Drupal core 7.x versions prior to 7.27.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
WordPress 3.8.2 Security Release

Tue, 08 Apr 2014 20:04:44 BST

Details

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.

This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and fixed by Jon Cave of the WordPress security team.

It also contains a fix to prevent a user with the Contributor role from improperly publishing posts. Reported by edik.

This release also fixes nine bugs and contains three other security hardening changes:

  • Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
  • Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.

We appreciated responsible disclosure of these security issues directly to our security team. For more information on all of the changes, see the release notes or consult the list of changes.

Download WordPress 3.8.2 or venture over to Dashboard → Updates and simply click “Update Now.”

Sites that support automatic background updates will be updated to WordPress 3.8.2 within 12 hours. If you are still on WordPress 3.7.1, you will be updated to 3.7.2, which contains the same security fixes as 3.8.2. We don’t support older versions, so please update to 3.8.2 for the latest and greatest.

Already testing WordPress 3.9? The first release candidate is now available (zip) and it contains these security fixes. Look for a full announcement later today; we expect to release 3.9 next week.

MODX Revolution 2.X SQL Injection

Fri, 07 Mar 2014 10:30:22 GMT

Details
Product: MODX Revolution
Severity: Extremely Critical
Versions: 2.0.0–2.2.12
Vulnerability type: SQL Injection
Report date: 2014-Mar-5
Fixed date: 2014-Mar-6

Description
A vulnerability was discovered in MODX Revolution that allows users to inject and manipulate the database. Attackers could exploit this to alter or destroy data in the database.

Affected Releases
All MODX Revolution releases prior to and including 2.2.12.

Solutions

  1. Upgrade to MODX Revolution 2.2.13
  2. To quickly patch 2.2.12 before a complete upgrade you can replace the modx.class.php from 2.2.13 via: https://raw.github.com/modxcms/revolution/v2.2.13-pl/core/model/modx/modx.class.php
  3. For releases between 2.2.6 and 2.2.11 inclusive, you can replace the modx.class.php with the one from the relevant 'pl2' tag in the MODX Revolution repository. E.g. for v2.2.10-pl it would be https://raw.github.com/modxcms/revolution/v2.2.10-pl2/core/model/modx/modx.class.php".
  4. For releases prior to 2.2.6, please contact MODX Support for assistance patching your version, or to get help with an upgrade to 2.2.13

Special Note for MODX Cloud Users
If your sites are on MODX Cloud, we've taken steps to protect all sites from this issue, as always we recommend you upgrade to 2.2.13 at your earliest convenience.

Acknowledgement
We would like to thank MODX community member, Mark Ernst, for bringing this issue to our attention.

Additional Information
For additional information, please use the MODX Contact Form
SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities

Wed, 15 Jan 2014 19:33:33 GMT

Details
  • Advisory ID: DRUPAL-SA-CORE-2014-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-January-15
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

This vulnerability is mitigated by the fact that the malicious user must have an account on the site (or be able to create one), and the victim must have an account with one or more associated OpenID identities.

Access bypass (Taxonomy module - Drupal 7 - Moderately critical)

The Taxonomy module provides various listing pages which display content tagged with a particular taxonomy term. Custom or contributed modules may also provide similar lists. Under certain circumstances, unpublished content can appear on these pages and will be visible to users who should not have permission to see it.

This vulnerability is mitigated by the fact that it only occurs on Drupal 7 sites which upgraded from Drupal 6 or earlier.

Security hardening (Form API - Drupal 7 - Not critical)

The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access checks are deliberately bypassed, and any form element may be submitted regardless of the current user's access level.

This is normal and expected behavior for most uses of programmatic form submissions; however, there are cases where custom or contributed code may need to send data provided by the current (untrusted) user to drupal_form_submit() and therefore need to respect access control on the form.

To facilitate this, a new, optional $form_state['programmed_bypass_access_check'] element has been added to the Drupal 7 form API. If this is provided and set to FALSE, drupal_form_submit() will perform the normal form access checks against the current user while submitting the form, rather than bypassing them.

This change does not fix a security issue in Drupal core itself, but rather provides a method for custom or contributed code to fix security issues that would be difficult or impossible to fix otherwise.

CVE identifier(s) issued

  • Impersonation (OpenID module - Drupal 6 and 7 - Highly critical): CVE-2014-1475
  • Access bypass (Taxonomy module - Drupal 7 - Moderately critical): CVE-2014-1476
  • Security hardening (Form API - Drupal 7 - Not critical): No CVE necessary.

Versions affected

  • Drupal core 6.x versions prior to 6.30.
  • Drupal core 7.x versions prior to 7.26.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

  • The OpenID module impersonation issue was reported by Christian Mainka and Vladislav Mladenov.
  • The Taxonomy module access bypass issue was reported by Matt Vance, and by Damien Tournoud of the Drupal Security Team.
  • The form API access bypass issue was reported by David Rothstein of the Drupal Security Team.

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities

Wed, 20 Nov 2013 20:41:50 GMT

Details
  • Advisory ID: DRUPAL-SA-CORE-2013-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-November-20
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)

Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Given that the CSRF protection is an especially important validation, the Drupal core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails.

This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were discovered in several popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue in core. Other similar issues with varying impacts are likely to have existed in other contributed modules and custom modules and therefore will also be fixed by this Drupal core release.

Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)

Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances.

This vulnerability has no mitigation; all Drupal sites are affected until the security update has been applied.

Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)

Drupal core attempts to add a "defense in depth" protection to prevent script execution by placing a .htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allows users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations. This release includes new configuration to prevent PHP execution on several additional common Apache configurations. If you are upgrading a site and the site is run by Apache you must fix the file manually, as described in the "Solution" section below.

This vulnerability is mitigated by the fact that it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads in a safe manner.

Access bypass (Security token validation - Drupal 6 and 7)

The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that the token is a string.

This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_validate_token() with an argument that can be manipulated to not be a string by an attacker. There is currently no known core or contributed module that would suffer from this vulnerability.

Cross-site scripting (Image module - Drupal 7)

Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a permission to administer field descriptions, for example the "administer taxonomy" permission to edit fields on taxonomy terms.

Cross-site scripting (Color module - Drupal 7)

A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS.

This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions.

Open redirect (Overlay module - Drupal 7)

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission.

CVE identifier(s) issued

  • Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
  • Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7): CVE-2013-6386
  • Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7): No CVE; considered remediated through "security hardening"
  • Access bypass (Security token validation - Drupal 6 and 7): No CVE; considered remediated through "security hardening."
  • Cross-site scripting (Image module - Drupal 7): CVE-2013-6387
  • Cross-site scripting (Color module - Drupal 7): CVE-2013-6388
  • Open redirect (Overlay module - Drupal 7): CVE-2013-6389

Versions affected

  • Drupal core 6.x versions prior to 6.29.
  • Drupal core 7.x versions prior to 7.24.

Solution

Install the latest version:

Also see the Drupal core project page.

Warning: Fixing the code execution prevention may require server configuration; please read:

To fix the code execution prevention vulnerability on existing Apache installations also requires changes to your site's .htaccess files in the files directories. Until you do this, your site's status report page at admin/reports/status will display error messages about the problem. Please note that if you are using a different web server such as Nginx the .htaccess files have no effect and you need to configure PHP execution protection yourself in the respective server configuration files.

To fix this issue, you must edit or replace the old .htaccess files manually. Copies of the .htaccess files are found in the site's files directory and temporary files directory, and (for Drupal 7 only) the separate private files directory if your site is configured to use one. To find the location of these directories, consult the error messages at admin/reports/status, or visit the file system configuration page at admin/settings/file-system (Drupal 6) or admin/config/media/file-system (Drupal 7). Note that you should only make changes to the .htaccess files that are found in the directories specified on that page. Do not change the top-level .htaccess file (at the root of your Drupal installation).

Go onto your server, navigate to each directory, and replace or create the .htaccess file in this directory with the contents described below. Alternatively, you can remove the .htaccess file from each directory using SFTP or SSH and then visit the file system configuration page (admin/settings/file-system in Drupal 6 or admin/config/media/file-system in Drupal 7) and click the save button to have Drupal create the file automatically.

The recommended .htaccess file contents are as follows.

For Drupal 6:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 1.
<IfModule mod_php4.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
  php_flag engine off
</IfModule>

For Drupal 7:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

Additionally, the .htaccess of the temporary files directory and private files directory (if used) should include this command:

Deny from all

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
WordPress 3.7.1 Maintenance Release

Tue, 29 Oct 2013 21:04:59 GMT

Details

WordPress 3.7.1 is now available! This maintenance release addresses 11 bugs in WordPress 3.7, including:

  • Images with captions no longer appear broken in the visual editor.
  • Allow some sites running on old or poorly configured servers to continue to check for updates from WordPress.org.
  • Avoid fatal errors with certain plugins that were incorrectly calling some WordPress functions too early.
  • Fix hierarchical sorting in get_pages(), exclusions in wp_list_categories(), and in_category() when called with empty values.
  • Fix a warning that may occur in certain setups while performing a search, and a few other notices.

For a full list of changes, consult the list of tickets and the changelog.

If you are one of the nearly two million already running WordPress 3.7, we will start rolling out the all-new automatic background updates for WordPress 3.7.1 in the next few hours. For sites that support them, of course.

Download WordPress 3.7.1 or venture over to Dashboard → Updates and simply click “Update Now.”

Just a few fixes
Your new update attitude:
Zero clicks given

Security Bypass and Remote Execution

Tue, 04 Jun 2013 15:55:36 BST

Details
Product: MODX Revolution
Severity: Extremely Critical
Versions: 2.1.0–2.2.7
Vulnerability type: Security Bypass
Report date: 2013-Jun-4
Fixed date: 2013-Jun-4

Description
Two vulnerabilities were discovered in MODX that allow users to bypass security. Attackers could exploit this to remotely execute arbitrary code on the targeted server.

Affected Releases
All MODX Revolution releases from and including 2.1.0–2.2.7 are affected. Revolution 2.0.8 and below are not affected.

Solutions
There are two possible solutions:

  1. Upgrade to MODX Revolution 2.2.8, or
  2. Install this plugin patch until upgrade to 2.2.8+ is completed.

Acknowledgement
We would like to thank valued community members Fi1osof and Agel_Nash for bringing this issue to our attention.

Additional Information
For additional information, please use the MODX Contact Form
SA-CORE-2013-002 - Drupal core - Denial of service

Wed, 20 Feb 2013 20:50:06 GMT

Details
  • Advisory ID: DRUPAL-SA-CORE-2013-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2013-February-20
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of service

Description

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.

CVE identifier(s) issued

  • CVE-2013-0316

Versions affected

  • Drupal core 7.x versions prior to 7.20.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
SA-CORE-2013-001 - Drupal core - Multiple vulnerabilities

Wed, 16 Jan 2013 22:07:10 GMT

Details
  • Advisory ID: DRUPAL-SA-CORE-2013-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-January-16
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)

A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.

jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection.

Although the fix added to Drupal as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided.

CVE: CVE-2013-0244 (a CVE was also separately issued for jQuery)

Access bypass (Book module printer friendly version - Drupal 6 and 7)

A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the 'access printer-friendly version' permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline.

CVE: CVE-2013-0245

Access bypass (Image module - Drupal 7)

Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.

This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system.

CVE: CVE-2013-0246

CVE identifier(s) issued

  • CVE-2013-0244
  • CVE-2013-0245
  • CVE-2013-0246

Versions affected

  • Drupal core 6.x versions prior to 6.28.
  • Drupal core 7.x versions prior to 7.19.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
MODX Evolution 1.0.7 (and prior) ForgotManager plugin Vulnerability

Tue, 08 Jan 2013 10:28:14 GMT

Details
Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: 1.0.7
Vulnerabilty Type: Permissions, Privileges, and Access Control; Input Validation; SQL Injection
Report Date: 2013-Jan-4
Fixed Date: 2013-Jan-8

Description
The Forgot Manager Login plugin distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows users to gain unauthorized access to the MODX Manager.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.7 (with ForgotManager plugin active) are affected.

Solutions
There are three ways to resolve or mitigate the issue:

  1. Disable Forgot Manager Login plugin
  2. Upgrade Forgot Manager Login to version 1.1.6
  3. Upgrade to MODX Evolution 1.0.8.

NOTE
A special thanks to community member Jako for reporting this issue directly to MODX so a resolution could be made available before details were.
SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

Wed, 19 Dec 2012 18:46:26 GMT

Details
  • Advisory ID: DRUPAL-SA-CORE-2012-004
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-December-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Arbitrary PHP code execution

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Access bypass (User module search - Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.

This vulnerability is mitigated by the fact that the default Drupal core user search results only display usernames (and disclosure of usernames is not considered a security vulnerability). However, since modules or themes may override the search results to display more information from each user's profile, this could result in additional information about blocked users being disclosed on some sites.

Access bypass (Upload module - Drupal 6)

A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.

This issue affects Drupal 6 only.

Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.

This vulnerability is mitigated by several factors: The attacker would need the permission to upload a file to the server. Certain combinations of PHP and filesystems are not vulnerable to this issue, though we did not perform an exhaustive review of the supported PHP versions. Finally: the server would need to allow execution of files in the uploads directory. Drupal core has protected against this with a .htaccess file protection in place from SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations. Users of IIS should consider updating their web.config. Users of Nginx should confirm that only the index.php and other known good scripts are executable. Users of other webservers should review their configuration to ensure the goals are achieved in some other way.

CVE identifier(s) issued

  • Access bypass (User module search - Drupal 6 and 7): CVE-2012-5651
  • Access bypass (Upload module - Drupal 6): CVE-2012-5652
  • Arbitrary PHP code execution (File upload modules - Drupal 6 and 7): CVE-2012-5653

Versions affected

  • Drupal core 6.x versions prior to 6.27.
  • Drupal core 7.x versions prior to 7.18.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

  • The access bypass issue in the User module search results was reported by Derek Wright of the Drupal Security Team.
  • The access bypass issue in the Drupal 6 Upload module was reported by Simon Rycroft, and by Damien Tournoud of the Drupal Security Team.
  • The arbitrary code execution issue was reported by Amit Asaravala.

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
MODX Evolution 1.0.6 (and prior) Unauthorized Manager Access

Mon, 26 Nov 2012 09:33:34 GMT

Details
Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: 1.0.6 and all previous releases
Vulnerabilty Type: Permissions, Privileges, and Access Control; Input Validation; SQL Injection
Report Date: 2012-Nov-26
Fixed Date: 2012-Nov-26

Description
The Forgot Manager Login plugin distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows users to gain unauthorized access to the MODX Manager.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.6 are affected.

Solutions
There are three ways to resolve or mitigate the issue:

  1. Disable Forgot Manager Login plugin
  2. Upgrade Forgot Manager Login to version 1.1.4
  3. Upgrade to MODX Evolution 1.0.7.

NOTE
A special thanks to community member Agel_Nash for reporting the full scope of this issue directly to MODX so a resolution could be made available before details were.
SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

Wed, 17 Oct 2012 22:29:30 BST

Details
  • Advisory ID: DRUPAL-SA-CORE-2012-003
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-October-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure, Arbitrary PHP code execution

Description

Multiple vulnerabilities were discovered in Drupal core.

Arbitrary PHP code execution

A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.

This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites.

CVE: CVE-2012-4553

Information disclosure - OpenID module

For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.

CVE: CVE-2012-4554

Versions affected

  • Drupal core 7.x versions prior to 7.16.

Drupal 6 is not affected.

Solution

Install the latest version:

If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.

Also see the Drupal core project page.

Reported by

  • The arbitrary PHP code execution vulnerability was reported by Heine Deelstra and Noam Rathaus working with Beyond Security's SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of the Drupal Security Team.
  • The information disclosure vulnerability in the OpenID module was reported by Reginaldo Silva.

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
MODX Website Compromise Update: Revolution Still Safe

Tue, 11 Sep 2012 17:10:08 BST

Details
MODX Revolution is Still Safe
After exhaustive investigation, at this point we have determined the recent modx.com security breach used custom code authored specifically for our website. It was not a result of code contained in any core releases of MODX Revolution. While we have taken additional steps to further secure our website, we will follow up with a more complete response in the coming weeks.
MODX Website Compromise

Mon, 03 Sep 2012 17:12:01 BST

Details
On Wednesday August 29, a hacker exploited a Local File Inclusion (LFI) vector in an older release of MODX Revolution we had running on one of our servers. This issue had already been fixed as part of the MODX Revolution 2.2.4 release. We locked down the site while we investigated the compromise.

Yes, one of the MODX web properties was not up to date and this was really not smart. We got burned, and this is our mea culpa. We have upgraded our websites to 2.2.4, changed all passwords related to our internal infrastructure, and set new policies going forward.

Your Passwords are Safe

No passwords or hashed passwords were disclosed. MODX does not store passwords on the affected websites by design (see Update 2 below), using a custom SSO application hosted on an external, secure server. Passwords are hashed and salted multiple times, with unique salts per user. Despite no access to passwords being disclosed, you may consider changing any non-unique passwords used across multiple websites.

We’re Sorry

We sincerely and profusely apologize for any inconvenience our lapse in diligence caused. We promise to do our utmost to be proactive going forward, taking every step we can to ensure we do not repeat this in the future.

Please Upgrade Your Sites

Security requires constantly staying on top of your websites; it’s an ongoing process and not a destination. As with any software, it’s important to to keep up to date when new updates come out. Upgrade your sites to the latest MODX versions when they’re released—no excuses.

Update 1: We clarified wording to accurately reflect that the actual passwords/hashed passwords were not disclosed.

Update 2: Further clarification that the user table field shared publicly by the culprit does not contain any passwords (we repurposed the field). It does contain:

  • Salts not used by our SSO
  • "cachepwd" (also not used by our SSO) which expires within minutes of creation.
SA-CORE-2012-002 - Drupal core multiple vulnerabilities

Wed, 02 May 2012 16:17:48 BST

Details
  • Advisory ID: DRUPAL-SA-CORE-2012-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-May-2
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect

Description

Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.

Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.

Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission.

Versions affected

  • Drupal core 7.x versions prior to 7.13.

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

  • The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
  • The unvalidated form redirect vulnerability was reported by Károly Négyesi of the Drupal Security Team and Katsuhiko Nakanishi.
  • The access bypass in forum listing vulnerability was reported by Glen W.
  • The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
  • The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
MODX Evolution 1.0.5 (and prior) Remote Script Execution Vulnerability

Mon, 20 Feb 2012 10:44:07 GMT

Details
Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: 1.0.5 and all previous releases
Vunerability type: Remote Script Execution*
Report Date: 2012-Feb-16
Fixed Date: 2012-Feb-20

Description

A vigilant community member sent us a security notice to let us know that he found a security issue in a compromised site running MODX Evolution 1.0.5.

Upon investigation, we determined that MODX Evolution had been sanitizing global GPC (GET/POST/Cookie or Request) variables in a way that allowed any Snippet within MODX that echoed user input (i.e. a website form field) from the GPC variables back to the output (for display) to inadvertently execute the MODX tags provided in the input field.

*Remote script execution requires specific configurations of add-ons included in the core.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.5 are affected.

Solution
Upgrade to MODX Evolution 1.0.6
SA-CORE-2012-001 - Drupal core multiple vulnerabilities

Wed, 01 Feb 2012 22:06:54 GMT

Details
  • Advisory ID: DRUPAL-SA-CORE-2012-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-February-01
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities

Description

Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected

  • Drupal 6.x core prior to 6.23.
  • Drupal 7.x core prior to 7.11.

Solution

Install the latest version:

  • If you use Drupal 6.x upgrade to 6.23
  • If you use Drupal 7.x upgrade to 7.11

See also the Drupal core project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
SA-CORE-2011-003 - Drupal core - Access bypass

Wed, 27 Jul 2011 20:32:17 BST

Details
  • Advisory ID: DRUPAL-SA-CORE-2011-003
  • Project: Drupal core
  • Version: 7.x
  • Date: 2011-July-27
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

CVE: CVE-2011-2726

Access bypass in private file fields on comments.

Drupal 7 contains two new features: the ability to attach File upload fields to any entity type in the system and the ability to point individual File upload fields to the private file directory.

If a Drupal site is using these features on comments, and the parent node is denied access (either by a node access module or by being unpublished), the file attached to the comment can still be downloaded by non-privileged users if they know or guess its direct URL.

This issue affects Drupal 7.x only.

Versions affected

  • Drupal 7.x before version 7.5.

Solution

Install the latest version:

  • If you are running Drupal 7.x then upgrade to Drupal 7.5 or 7.6 7.7.

The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 7.5 and Drupal 7.6 7.7. Read the announcement for more information.

See also the Drupal core project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
SA-CORE-2011-002 - Drupal core - Access bypass

Thu, 30 Jun 2011 01:13:40 BST

Details
  • Advisory ID: DRUPAL-SA-CORE-2011-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2011-JUNE-29
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

CVE: CVE-2011-2687

Access bypass in node listings

Listings showing nodes but not JOINing the node table show all nodes regardless of restrictions imposed by the node_access system. In core, this affects the taxonomy and the forum subsystem.

This issue only affects sites using a node access module such as content access or forum access. If you do not use any node access system then your site is not affected by this vulnerability. It is still considered a best practice to run the latest release and all site owners are encouraged to upgrade when they can regardless of whether or not they are affected.

Note that fixing this issue in contributed modules requires a backwards-compatible API change for modules listing nodes. See http://drupal.org/node/1204572 for more details.

This issue affects Drupal 7.x only.

Versions affected

  • Drupal 7.0, 7.1 and 7.2.

Solution

Install the latest version:

  • If you are running Drupal 7.x then upgrade to Drupal 7.3 or 7.4.

The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 7.3 and Drupal 7.4. Read the announcement for more information.

See also the Drupal core project page.

Reported by

Fixed by

  • The access bypass was fixed by Károly Négyesi, member of the Drupal security team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: