SA-CONTRIB-2014-091 – Survey Builder – Cross Site Scripting (XSS)

Description

This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses.

Cross Site Scripting (XSS)

When viewing the survey list at “/surveys”, survey titles are printed without sanitization, so any markup or script placed in a survey title is rendered in the page.

This vulnerability is mitigated by the fact that a user must have the “Create Survey” permission to be able to set the survey titles.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • survey_builder 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Survey Builder module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Survey Builder project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.


SA-CONTRIB-2014-090 Speech recognition – Multiple vulnerabilities

Description

This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface.

Cross Site Scripting (XSS)

The module prints field values without proper sanitization, thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer speech”.

Cross Site Request Forgery (CSRF)

The module enables in-place configuration of form options via AJAX requests, but it does not sufficiently check the source of those requests, making it possible for an attacker to cause a user to unknowingly make changes to the field configurations.

This vulnerability is mitigated by the fact that the attacked administrator must have a role with the permission “administer speech”.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • All versions of Speech recognition.

Drupal core is not affected. If you do not use the contributed Speech recognition module,
there is nothing you need to do.

Solution

If you use the Speech recognition module you should uninstall it.

Also see the Speech recognition project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Free iPhone 6 Facebook scam does the rounds, right on time

Facebook scams tend to crop up in the run-up to a big Apple launch with around the same regularity as big Apple launches themselves. This week’s iPhone 6 launch is no exception, with Help Net Security noting that a Facebook page ‘offering’ free iPhone 6 units is, as usual, a total fraud.

This time, the scam promises a free iPhone 6 as soon as “three easy steps” are completed. As usual, these involve a survey, after which you are supposedly allowed to download a “participation application.”

When a victim completes the free iPhone 6 survey, all their friends are spammed with the fake promotion, Hoax Slayer reveals, but the three “easy” steps are anything but.

Each time someone completes a survey, the page claims there is an error, and they are directed to a further survey, according to Help Net. As always, the “free iPhone 6” never materializes.

Free iPhone 6: Nope, it’s a scam

“Some of the available surveys want you to provide your mobile phone number, ostensibly to go in the draw for extra prizes or offers. But, by submitting your number, you will actually be subscribing to a very expensive text messaging ‘service’ that will charge you several dollars every time they send you a message,” Hoax Slayer says.

“Alternatively, you may be asked to provide your name, address, and phone details, again, to supposedly enter you into a prize draw. But, fine print on the page will state that your details will be shared with third-party marketers. Thus, after submitting your details, you will likely be inundated with annoying phone calls, emails, and junk mail.”

“Meanwhile, the scammer who created the fake promotion will earn a commission. But, no matter how many surveys you complete, you will still not get to download your ‘application’.”

The site cautions against clicking on any link this week which offers a free iPhone 6, as this sort of big product launch is a prime target for cybercriminals, and any link is potentially suspect.

Something for free?

Mark James, ESET security specialist, says, “We all like the idea of something for free, that’s the approach these type of scams use. Deep down we know it’s not going to happen, but a lot of people will still click the like button or share that simple post in the hope it’s going to arrive.”

“We have seen these types of scams for years but they are still as effective today as they were when they started. Once we like or share the page we do all the marketing and advertising for the scammers, thus providing a very valuable and potentially dangerous page to initiate future scams or attacks.”

“I still encourage people to use the ‘front door’ policy, i.e., treat it like your front door: ‘When was the last time someone banged on your front door to offer you an iPhone 5 or 6 just for filling out a survey, or a £10/£50 supermarket voucher for free?’ It just does not happen.”

The post Free iPhone 6 Facebook scam does the rounds, right on time appeared first on We Live Security.

SA-CONTRIB-2014-089 – Geofield Yandex Maps – Cross Site Scripting (XSS)

Description

The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site.

The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker would need permission to create nodes or entities using the Geofield widget.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Geofield Yandex Maps 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Geofield Yandex Maps module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Geofield Yandex Maps project page.

Reported by

  • Matt V. (provisional member of the Drupal Security Team)

Fixed by

  • Matt V. (provisional member of the Drupal Security Team)

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


What is Phishing?  

No doubt you have wondered and asked yourself on more than one occasion, what is phishing and how can it affect you.

All of us know that it is some type of scam, although perhaps there are many who don’t know exactly what it is or the techniques used by hackers and cyber-criminals.

So, exactly what is phishing? Basically, phishing (also known as email phishing) involves sending emails which appear to come from trusted sources, such as banks, but which are really aimed at stealing confidential information from users.

These emails usually include a link which when clicked, takes you to a spoof Web page. These pages appear genuine though they are really like a mirror that hides the criminals whose sole aim is to steal your personal data.

The problem is that users think they are in a trusted site and therefore enter the requested data. However, this confidential data will fall straight into the hands of the scammers and can then be used for some type of fraud.

That’s why it is always best to access web pages by typing the address directly in the browser.


How to recognize a phishing message

It’s not always easy to recognize phishing messages, particularly if you are a client of the company from which the message has supposedly been sent.

  • Even though the ‘From:’ field of the message shows the address of the company, it is not difficult for a criminal to alter the source address of the email in any mail client.
  • The email may have the logos and trademarks of the organization, yet these can easily be lifted from the company’s website.
  • The link in the email seems to point to the company’s website, though really it takes you to a fake page which will ask you for your user name, password, etc.
  • Very often these messages contain spelling or grammatical errors that you would not normally expect in official communications from the genuine company.
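
The first and third signs in the list above (a sender address that does not belong to the company named in the ‘From:’ display name, and a link whose visible text names one site while its href goes somewhere else) can be checked mechanically. The following is an added example, not code from Panda Security; the sample email, its addresses and its domains are constructed placeholders, and `claimed_domain` is the domain the message pretends to come from.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing email); every domain and address is a placeholder.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
To: customer@example.net
Subject: Urgent: verify your account
Content-Type: text/html

<p>Dear custommer, please <a href="http://203.0.113.5/verify">
https://www.example-bank.com/login</a> to restore acces to your account.</p>
"""

# Simple anchor matcher; good enough for the flat HTML that scam mails usually carry.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<]+')

def sender_domain(raw_from):
    """Domain of the actual sender address, ignoring the display name."""
    _display, addr = parseaddr(raw_from)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def mismatched_links(html):
    """(href_host, shown_host) pairs where the visible link text names a host
    other than the one the href really points to."""
    pairs = []
    for href, text in LINK_RE.findall(html):
        shown = URL_IN_TEXT_RE.search(text)
        if not shown:
            continue
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown.group(0)).hostname or ""
        if href_host != shown_host:
            pairs.append((href_host, shown_host))
    return pairs

def phishing_indicators(raw_message, claimed_domain):
    """Names of the indicators triggered. claimed_domain is the domain the
    message pretends to come from (here: the bank it impersonates)."""
    msg = message_from_string(raw_message)
    flags = []
    dom = sender_domain(msg.get("From", ""))
    if dom != claimed_domain and not dom.endswith("." + claimed_domain):
        flags.append("sender-domain-mismatch")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if mismatched_links(body):
        flags.append("link-text-href-mismatch")
    return flags
```

The sample also carries the fourth sign (spelling errors such as “custommer” and “acces”), which is left to the reader: it is a judgement call rather than a rule.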

It’s also important to bear in mind that although phishing has traditionally used email, now, with the increasing popularity of smartphones and social networks, there are new channels of attack.

Another thing to be aware of is that although we normally talk about phishing in the context of banks, cyber-criminals often use any popular website or platform (Ebay, Facebook, Paypal, etc) as bait for stealing personal data.

But remember, no company will ever ask you to send them your personal details via email. If they do, be very suspicious!

Moreover, as a stitch in time saves nine, you can always add an extra layer of protection by installing one of our new 2015 antivirus solutions. To do this, all you have to do is visit our free antivirus page and select the one that best suits your desired level of protection.

The post What is Phishing? appeared first on MediaCenter Panda Security.

SA-CONTRIB-2014-088 – Mollom – Cross-site scripting (XSS)

Description

Mollom is an “intelligent” content moderation web service which determines whether a post is potentially spam, based not only on the posted content but also on the past activity and reputation of the poster across multiple sites.

Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for “Flag as Inappropriate” within the Mollom advanced configuration settings (which is not the default setting).

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
  • Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10

Drupal core is not affected. If you do not use the contributed Mollom module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Mollom project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.


Is it time you used two-factor authentication?

Two-factor authentication is an additional security measure that you can add to your online accounts to help keep them safe from attack and fraud.

“Two-factor” simply means that you need something other than your password in order to access your account. This normally comes in the form of a code generated by an app or sent to you in a text message or email. Two-factor authentication means that should your password be compromised, your accounts are still protected.

You may be familiar with two-factor authentication from online banking, where it has long been used to validate logins and to safely set up transactions. Given its security benefits, many of the leading websites and services have enabled two-factor authentication for users. Google, for example, implemented the extra layer of security in early 2011, but many users still don’t realize that it is available.

While logging into accounts with two-factor authentication does require a little extra effort from the user, the extra layer of security makes it well worthwhile.

How to Setup Two-Factor Authentication

In this example I will be setting up two-factor authentication on a Google account but similar instructions can be found for most popular sites such as Amazon, Dropbox and Facebook.

Before setting up two-factor authentication you need to make sure you have two things available. The first is a secure password, something you should already be using on whichever services you use (although you should have a different password for each service for greater security). The second is a device or application that can receive a code, most commonly a smartphone.

  1. Go to: www.google.com/settings/security
  2. Click “Set Up” under 2-step verification menu
  3. Choose how you would like to receive your codes: SMS or app-generated codes
  4. Download Google’s Authenticator app for Android or iOS.
  5. Link your Authenticator app or device to your Google account using the code provided


Once you are set up for two-factor authentication it’s ready to go. The next time a new device or browser tries to access your account it will need your username and password as before, but then you will also need to enter an access code (PIN) that is either texted to you or generated by the authenticator app. Once the username, password and PIN are all entered correctly you are logged in.
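The codes the authenticator app produces in the flow above are time-based one-time passwords (TOTP, RFC 6238): the app and the service share a secret key and each derives a short code from that key and the current 30-second window, so no code travels between them. The following is an added example, not code from the original post or from Google; it assumes the standard HMAC-SHA1, 6-digit, 30-second parameters, and uses the RFC 6238 test key rather than any real secret.

```python
import hashlib
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with the counter set to the current time window."""
    return hotp(key, unix_time // step, digits)

def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Service-side check: accept the code for the current window and `window`
    neighbours either side, which tolerates a little clock drift between the
    phone and the server. The comparison is constant-time so a timing
    measurement does not reveal how many digits matched."""
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(key, unix_time + drift * 30)
        if hmac.compare_digest(candidate, submitted):
            ok = True
    return ok

# RFC 6238 Appendix B test key (the 20-byte ASCII string below), not a real secret.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(RFC_KEY, now))
```

Because the phone never contacts the server to get a code, the only things an attacker could capture from the login are the password and one code that expires with its window; the shared key itself stays on the device and the server.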

Two-factor authentication is one of the settings we believe in strongly to help mitigate password hacking, because even if somebody does know your password they still can’t get into your account. It is important to remember, however, that there are other ways to get at your information, so two-factor authentication secures your password login but won’t guarantee that all your information is secure. It is a great step forward for the security and privacy of your data, and we highly recommend that all users activate two-factor authentication wherever they can.