Monthly Archives: February 2016

Drupal

Drupal Core – Critical – Multiple Vulnerabilities – SA-CORE-2016-001

Leave a comment

Description

File upload access bypass and denial of service (File module – Drupal 7 and 8 – Moderately Critical)

A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved.

This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.

Brute force amplification attacks via XML-RPC (XML-RPC server – Drupal 6 and 7 – Moderately Critical)

The XML-RPC system allows a large number of calls to the same method to be made at once, which can be used as an enabling factor in brute force attacks (for example, attempting to determine user passwords by submitting a large number of password variations at once).

This vulnerability is mitigated by the fact that you must have enabled a module that provides an XML-RPC method that is vulnerable to brute-forcing. There are no such modules in Drupal 7 core, but Drupal 6 core is vulnerable via the Blog API module. It is additionally mitigated if flood control protection is in place for the method in question.

Open redirect via path manipulation (Base system – Drupal 6, 7 and 8 – Moderately Critical)

In Drupal 6 and 7, the current path can be populated with an external URL. This can lead to Open Redirect vulnerabilities.

This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.

For Drupal 8 this is a hardening against possible browser flaws handling certain redirect paths.

Form API ignores access restrictions on submit buttons (Form API – Drupal 6 – Critical)

An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements that a user is not supposed to have access to because the button was blocked by setting #access to FALSE in the server-side form definition.

This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined for it (for example, a form that both administrators and non-administrators can access, but where administrators have additional buttons available to them).

HTTP header injection using line breaks (Base system – Drupal 6 – Moderately Critical)

A vulnerability in the drupal_set_header() function allows an HTTP header injection attack to be performed if user-generated content is passed as a header value on sites running PHP versions older than 5.1.2. If the content contains line breaks the user may be able to set arbitrary headers of their own choosing.

This vulnerability is mitigated by the fact that most hosts have newer versions of PHP installed, and that it requires a module to be installed on the site that allows user-submitted data to appear in HTTP headers.

Open redirect via double-encoded ‘destination’ parameter (Base system – Drupal 6 – Moderately Critical)

The drupal_goto() function in Drupal 6 improperly decodes the contents of $_REQUEST[‘destination’] before using it, which allows the function’s open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL.

This vulnerability is mitigated by that fact that the attack is not possible for sites running on PHP 5.4.7 or greater.

Reflected file download vulnerability (System module – Drupal 6 and 7 – Moderately Critical)

Drupal core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.

This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.

Saving user accounts can sometimes grant the user all roles (User module – Drupal 6 and 7 – Less Critical)

Some specific contributed or custom code may call Drupal’s user_save() API in a manner different than Drupal core. Depending on the data that has been added to a form or the array prior to saving, this can lead to a user gaining all roles on a site.

This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.

Email address can be matched to an account (User module – Drupal 7 and 8 – Less Critical)

In certain configurations where a user’s email addresses could be used to log in instead of their username, links to “have you forgotten your password” could reveal the username associated with a particular email address, leading to an information disclosure vulnerability.

This issue is mitigated by the fact that it requires a contributed module to be installed that permits logging in with an email address, and that it is only relevant on sites where usernames are typically chosen to hide the users’ real-life identities.

Session data truncation can lead to unserialization of user provided data (Base system – Drupal 6 – Less Critical)

On certain older versions of PHP, user-provided data stored in a Drupal session may be unserialized leading to possible remote code execution.

This issue is mitigated by the fact that it requires an unusual set of circumstances to exploit and depends on the particular Drupal code that is running on the site. It is also believed to be mitigated by upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.

CVE identifier(s) issued (#)

  • CVE identifiers will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Drupal core 6.x versions prior to 6.38
  • Drupal core 7.x versions prior to 7.43
  • Drupal core 8.0.x versions prior to 8.0.4

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

File upload access bypass and denial of service:

Brute force amplification attacks via XML-RPC:

Open redirect via path manipulation:

Form API ignores access restrictions on submit buttons:

HTTP header injection using line breaks:

Open redirect via double-encoded ‘destination’ parameter:

Reflected file download vulnerability:

Saving user accounts can sometimes grant the user all roles:

Email address can be matched to an account:

Session data truncation can lead to unserialization of user provided data:

Fixed by

File upload access bypass and denial of service:

Brute force amplification attacks via XML-RPC:

Open redirect via path manipulation:

Form API ignores access restrictions on submit buttons:

HTTP header injection using line breaks:

Open redirect via double-encoded ‘destination’ parameter:

Reflected file download vulnerability:

Saving user accounts can sometimes grant the user all roles:

Email address can be matched to an account:

Session data truncation can lead to unserialization of user provided data:

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Drupal 6.x
Drupal 7.x
Drupal 8.x
Avast

Avast free Wi-Fi experiment fools Mobile World Congress attendees

Leave a comment
Travelers often connect to free Wi-Fi to save money

Travelers often connect to free Wi-Fi to save money. image via www.shbarcelona.com

Avast Mobile Security researchers camped out at the Barcelona Airport, threw up a few fake Wi-Fi hotspots, and waited to see who would connect.

 

That’s already an interesting premise for an experiment, but this was the weekend when attendees of Mobile World Congress, “the world’s biggest and most influential mobile event” were arriving, making this not only interesting but fun!  You would think with such a savvy group that the results would be rather ho-hum, but think again!

Thousands of smartphone users threw caution to the wind and connected to one of Avast’s bogus Wi-Fi hotspots, risking being spied on and hacked by cybercriminals.

How did the Barcelona Airport experiment work?

Avast researchers set up Wi-Fi networks next to the Mobile World Congress registration booth at the Barcelona Airport. The Wi-Fi network names were “Starbucks”, “Airport_Free_Wifi_AENA“ and “MWC Free WiFi” — Wi-Fi names (SSIDs) that are either commonplace or that look like they were set up for the congress visitors.

In just 4 hours, Avast gathered more than 8 million data packets and learned the following about the Mobile World Congress visitors:

  • 50.1 percent had an Apple device, 43.4 percent had an Android device, 6.5 percent had an Windows Phone device
  • 61.7 percent searched information on Google or checked their emails on Gmail
  • 14.9 percent visited Yahoo
  • 2 percent visited Spotify
  • 52.3 percent have the Facebook app installed, 2.4 percent have the Twitter app installed
  • Avast could see the identity of  63.5 percent of the devices and users

“Many individuals recognize that surfing over open Wi-Fi isn’t secure. However, some of these same people aren’t aware that their device might automatically connect to a Wi-Fi network unless they adjust their settings,” said Gagan Singh, president of mobile at Avast.

“With most Mobile World Congress visitors traveling from abroad, it’s not surprising to see that many opt to connect to free Wi-Fi in order to save money, instead of using data roaming services. When taking this route, people should utilize a VPN service that anonymizes their data while connecting to public hotspots to ensure that their connection is secure.”

Protect yourself at home or abroad

Avast SecureLine VPN for Android, available on Google Play, and in the Apple App Store for iOS devices, encrypts connections on unsecured public Wi-Fi and allows users to browse anonymously. The app also lets users choose the server location they would like to connect with, enabling users to access content from their home country that may otherwise be restricted by geo-location.

Pretend you’re a hacker at the Avast booth at MWC16

Visitors to MWC16 can step into a hacker’s shoes and see what data is visible over an unencrypted Wi-Fi network.  Visit Avast in Hall 8.1 (App Planet), Booth no. H65.

 

Drupal

SA-CONTRIB-2016-008 – FileField – Denial of Service

Leave a comment

Description

FileField module allows users to upload files in conjunction with the Content Construction Kit (CCK) module in Drupal 6.

The module doesn’t validate that a request to delete a temporary file was made by the user who uploaded the file. An attacker can use this vulnerability to delete other user’s file uploads while they are in the process of creating or editing content and attaching files (before it is saved). This can be used as a denial of service (DoS) attack that can prevent file uploads from working on the site.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and upload files using a file (or image) field.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • FileField module 6.x-3.x versions prior to 6.x-3.14.

Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.

Solution

Install the latest version:

Also see the FileField project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Drupal 6.x
Avast

Avast finds personal data on phones sold at pawn shops

Leave a comment

Many people sell their used smartphones but fail to ensure their personal data is wiped away.

A year and half ago, Avast mobile security researchers bought 20 used phones from online consumer-to-consumer sites, like eBay and Amazon, in the USA. Using easily available recovery software, they were able to access more than 40,000 personal photos, emails, and text messages.

Since then, smartphone technology has progressed and numerous educational articles have been published to inform people about cleaning their phones before selling, so we wanted to see what would happen if we did a similar experiment now. This time, our researchers bought phones from pawn shops: Five devices each in New York, Paris, Barcelona, and Berlin — and again, used widely available free recovery software to detect the data found on the devices.

infograph_used_smartphone_pk_v3 Install Avast Anti-Theft from the Google Play Store for free

ESET

Porn clicker trojans at Google Play: An analysis

Leave a comment

ESET researchers have found a large campaign of malicious porn clicker type apps on Google Play. These trojans belong to a single family of malicious apps masquerading as popular games and/or applications. They are designed and systematically modified to bypass Google’s security checks.

The post Porn clicker trojans at Google Play: An analysis appeared first on We Live Security.