CVE-2014-9567

Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory.

SA-CONTRIB-2015-013 – Field Display Label – Cross Site Scripting (XSS)

Description

This module enables you to use a different label for displaying fields from the label used when viewing the field in a form.

The module doesn’t sufficiently sanitize the alternate field label in content types settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to add or edit fields on an entity.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Field Display Label 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Field Display Label module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Field Display Label module for Drupal 7.x, upgrade to Field Display Label 7.x-1.2

Also see the Field Display Label project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2015-012 – Jammer – Cross Site Request Forgery (CSRF)

Description

This module enables you to hide or remove items from displaying including the node and comment preview buttons, node delete button, revision log textarea, workflow form on the workflow tab, and feed icon.

The report administration links are not properly protected from CSRF. A malicious user could cause an administrator to delete settings for hidden form elements or status messages by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator was logged in.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Jammer 6.x-1.x versions prior to 6.x-1.8.
  • Jammer 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Jammer module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Jammer module for Drupal 6.x, upgrade to Jammer 6.x-1.8
  • If you use the Jammer module for Drupal 7.x, upgrade to Jammer 7.x-1.4

Also see the Jammer project page.

Reported by

  • Pere Orga provisional member of the Drupal Security Team

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Fedora EPEL 6 Security Update: docker-io-1.4.1-2.el6

Resolved Bugs
1175144 – docker-io-1.4.1 is available
1173950 – docker-io can’t be installed on rhel 6.5 due to requirement device-mapper-libs >= 1.02.90-1
1173325 – CVE-2014-9357 CVE-2014-9356 CVE-2014-9358 docker-io: various flaws [epel-6]
1172761 – CVE-2014-9356 docker: Path traversal during processing of absolute symlinks
1172782 – CVE-2014-9357 docker: Escalation of privileges during decompression of LZMA archives
1172787 – CVE-2014-9358 docker: Path traversal and spoofing opportunities presented through image identifiers

don’t require fish for fish-completion as it’s unavailable
Resolves: rhbz#1175144 – update to 1.4.1
Resolves: rhbz#1173950 remove min version requirements on device-mapper-libs
Security fix for CVE-2014-9357, CVE-2014-9358, CVE-2014-9356

SA-CONTRIB-2015-011 – Todo Filter – Cross Site Request Forgery (CSRF)

Description

Todo Filter module provides an input filter to display check-boxes that can be used as a task list.

Some paths were not protected against CSRF, meaning that an attacker could cause users to toggle tasks they did not intend to toggle by getting the user’s browser to make a request to a specially-crafted URL while the user was logged in.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Todo Filter 6.x-1.x versions prior to 6.x-1.1.
  • Todo Filter 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Todo Filter module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Todo Filter module for Drupal 6.x, upgrade to Todo Filter 6.x-1.1
  • If you use the Todo Filter module for Drupal 7.x, upgrade to Todo Filter 7.x-1.1

Also see the Todo Filter project page.

Reported by

  • Pere Orga provisional member of the Drupal Security Team

Fixed by

Coordinated by

  • Pere Orga provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2015-009 – Linkit – Cross Site Scripting (XSS)

Description

Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field.

The module doesn’t sufficiently sanitize node titles in the result list if the node search plugin is enabled.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to add or edit any type of node and that the linkit node search plugin is enabled.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Linkit 7.x-2.x versions prior to 7.x-2.7.
  • Linkit 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Linkit module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Linkit module for Drupal 7.x and Linkit 7.x-2.x, upgrade to Linkit 7.x-2.7
  • If you use the Linkit module for Drupal 7.x and Linkit 7.x-3.x, upgrade to Linkit 7.x-3.3

Also see the Linkit project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2015-008 – Batch Jobs – Cross Site Request Forgery (CSRF)

Description

The Batch Jobs project is a scalable way to execute a list of tasks.

Links that take actions on batch jobs are not protected from Cross Site Request Forgery (CSRF). A malicious individual could cause a user that has permission to access a particular batch job (or an administrator) to delete the record of that batch job or possibly execute a task by getting the user’s browser to make a request to a specially-crafted URL while the user is logged in.

This vulnerability only exists when batch job data exists – i.e. during the short period it is running or if it is retained (not deleted after completion of the batch job).

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Batch Jobs 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Batch Jobs module,
there is nothing you need to do.

Solution

Make sure that all batch jobs are deleted or install the latest version:

  • If you use the Batch Jobs module for Drupal 7.x, upgrade to Batch Jobs 7.x-1.2

Also see the Batch Jobs project page.

Reported by

Fixed by

Coordinated by

  • Pere Orga provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2015-006 – Cloudwords for Multilingual Drupal – Multiple vulnerabilities

Description

This module provides integration with the Cloudwords third-party service.

The module was not sanitizing node titles on certain conditions, thereby leading to a Cross Site Scripting (XSS) vulnerability.

Also, a menu callback was not protected against CSRF.

The XSS vulnerability is mitigated by the fact that an attacker must have an account with permission to create nodes.
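The Field Display Label, Linkit and Cloudwords advisories on this page share one root cause: a value a low-privileged user controls (a field label, a node title) is written into HTML that a more privileged user's browser renders, without escaping. The block below is an added example, not code from any of those modules, showing the unsafe and the escaped version of a result list side by side. It runs outside Drupal; the function names and the sample title are constructed for illustration, and check_plain_equivalent() performs the same htmlspecialchars() call that Drupal 7's check_plain() does.

```php
<?php
// Added example (not code from the modules above): escaping user-controlled
// titles at the point they enter HTML.
declare(strict_types=1);

// Constructed input: a node title an author with "create content" rights could
// save. The advisories are about exactly this value reaching another user's
// browser unescaped.
const EVIL_TITLE = 'Quarterly report <img src=x onerror="alert(document.cookie)">';

// BEFORE: the title is concatenated straight into markup. The browser parses
// the <img> tag and runs the onerror handler in the viewer's session, with the
// viewer's permissions.
function build_result_list_unsafe(array $titles): string {
  $html = '<ul class="results">';
  foreach ($titles as $nid => $title) {
    $html .= '<li data-nid="' . $nid . '">' . $title . '</li>';
  }
  return $html . '</ul>';
}

// Drupal 7's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8
// (after UTF-8 validation); the same call is used here so the block runs
// outside Drupal.
function check_plain_equivalent(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// AFTER: escape every user-controlled value where it enters HTML. Escaping on
// output rather than on save keeps the real title in the database and covers
// every rendering path, not just the one that was reported.
function build_result_list_safe(array $titles): string {
  $html = '<ul class="results">';
  foreach ($titles as $nid => $title) {
    $html .= '<li data-nid="' . (int) $nid . '">' . check_plain_equivalent($title) . '</li>';
  }
  return $html . '</ul>';
}

// Autocomplete results (the Linkit case) travel as JSON, but the client-side
// script typically inserts the title as HTML. json_encode() only protects the
// JSON syntax, so the HTML escaping must still happen here, server-side.
function build_autocomplete_json(array $titles): string {
  $rows = array();
  foreach ($titles as $nid => $title) {
    $rows[] = array('nid' => (int) $nid, 'title' => check_plain_equivalent($title));
  }
  return json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS);
}

// CLI demo: php xss_titles.php
if (PHP_SAPI === 'cli') {
  $titles = array(42 => EVIL_TITLE, 43 => 'Plain title');
  echo build_result_list_unsafe($titles), "\n\n";   // payload intact: executes in a browser
  echo build_result_list_safe($titles), "\n\n";     // payload rendered as literal text
  echo build_autocomplete_json($titles), "\n";
}
```

One caveat for the JSON case: the server and the client must agree on a single contract. If the server escapes (as above), the client must insert the value with innerHTML or jQuery's .html() and must not escape again, or users will see literal `&lt;`; if the client inserts with text nodes (.text(), textContent), the server should send the raw title. Escaping on both sides is harmless but ugly; escaping on neither is the bug these advisories describe.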

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Cloudwords for Multilingual Drupal 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Cloudwords for Multilingual Drupal module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Cloudwords for Multilingual Drupal module for Drupal 7.x, upgrade to Cloudwords for Multilingual Drupal 7.x-2.3

Also see the Cloudwords for Multilingual Drupal project page.

Reported by

  • Pere Orga provisional member of the Drupal Security Team

Fixed by

Coordinated by

  • Pere Orga provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2015-007 – Htaccess – Cross Site Request Forgery (CSRF)

Description

The Htaccess module allows the creation and deployment of .htaccess files based on custom settings.

Some administration links were not properly protected from Cross Site Request Forgery (CSRF). A malicious user could cause an administrator to deploy or delete .htaccess files by getting the administrator’s browser to request specially crafted URLs while the administrator was logged in.
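Jammer, Todo Filter, Batch Jobs, Cloudwords and Htaccess all have the same shape of bug: a plain link (a GET request) performs a state-changing action, and the only check is a permission check, which the victim passes. The block below is an added example, not code from any of those modules, of how a Drupal 7 module protects such a link with the session-bound token Drupal already provides. It assumes a Drupal 7 bootstrap; the module name example_actions, the path admin/example/delete/%, the permission string and the helper example_actions_delete_setting() are hypothetical.

```php
<?php
// Added example (not from any module above): a Drupal 7 action link, shown
// before and after CSRF protection. Assumes Drupal 7; names are hypothetical.

/**
 * Implements hook_menu().
 *
 * Only the protected callback is wired up; the unprotected one is kept below
 * purely to show the pattern the advisories describe.
 */
function example_actions_menu() {
  $items = array();
  $items['admin/example/delete/%'] = array(
    'title' => 'Delete setting',
    'page callback' => 'example_actions_delete_protected',
    'page arguments' => array(3),                // the % wildcard (index 3)
    'access arguments' => array('administer example'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the action link. drupal_get_token($value) is an HMAC over $value,
 * the current session ID and the site's private key, so an attacker cannot
 * precompute the token for the victim's session, and a token for one setting
 * ID does not validate for another.
 */
function example_actions_delete_link($sid) {
  return l(t('Delete'), 'admin/example/delete/' . $sid, array(
    'query' => array('token' => drupal_get_token('example_actions_delete_' . $sid)),
  ));
}

/**
 * BEFORE the fix. Any GET to /admin/example/delete/7 made by an administrator's
 * browser (an <img src>, a link in an email, a hidden iframe on another site)
 * deletes setting 7. The permission check does not help: the victim has it.
 */
function example_actions_delete_unprotected($sid) {
  example_actions_delete_setting($sid);
  drupal_set_message(t('Setting deleted.'));
  drupal_goto('admin/example');
}

/**
 * AFTER the fix. The request is refused unless it carries the token minted for
 * this action and this session. A cross-site request cannot include it, since
 * the attacker never sees the victim's page.
 */
function example_actions_delete_protected($sid) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_actions_delete_' . $sid)) {
    return MENU_ACCESS_DENIED;                   // 403, nothing deleted
  }
  example_actions_delete_setting($sid);
  drupal_set_message(t('Setting deleted.'));
  drupal_goto('admin/example');
}

/**
 * Hypothetical persistence helper standing in for the module's own logic.
 */
function example_actions_delete_setting($sid) {
  db_delete('example_actions_setting')->condition('sid', (int) $sid)->execute();
}
```

The alternative Drupal idiom, and usually the better one for destructive actions, is to make the link lead to a confirmation page built with confirm_form(): the Form API adds and verifies its own token on submit, so the action only runs from a POST the user actually made. Either way, the rule is the same: a GET must never change state without a token, and a permission check alone is not protection against CSRF.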

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • All Htaccess 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Htaccess module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Htaccess module for Drupal 7.x, upgrade to Htaccess 7.x-2.3

Also see the Htaccess project page.

Reported by

  • Pere Orga provisional member of the Drupal Security Team

Fixed by

  • Jibus the module maintainer

Coordinated by

  • Pere Orga provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
