A privilege escalation vulnerability has been found in the User module
of the Drupal content management framework. For additional information,
please refer to the upstream advisory at
https://www.drupal.org/SA-CORE-2016-002.
Monthly Archives: June 2016
GLSA 201606-05: spice: Multiple vulnerabilities
Solarwinds Virtualization Manager 6.3.1 Java Deserialization
Solarwinds Virtualization Manager versions 6.3.1 and below suffer from a java deserialization vulnerability.
FBI: Email Scams Take $3.1 Billion Toll on Businesses
Business-related inbox scams are reaching epidemic levels with the total cost to business reaching a whopping $3.1 billion.
Drupal Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2016-002
- Advisory ID: DRUPAL-SA-CORE-2016-002
- Project: Drupal core
- Version: 7.x, 8.x
- Date: 2016-June-15
- Security risk: 11/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
- Vulnerability: Access bypass, Multiple vulnerabilities
Description
Saving user accounts can sometimes grant the user all roles (User module – Drupal 7 – Moderately Critical)
A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access.
This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form.
Views can allow unauthorized users to see Statistics information (Views module – Drupal 8 – Less Critical)
An access bypass vulnerability exists in the Views module, where users without the “View content count” permission can see the number of hits collected by the Statistics module for results in the view.
This issue is mitigated by the fact that the view must be configured to show a “Content statistics” field, such as “Total views”, “Views today” or “Last visit”.
The same vulnerability exists in the Drupal 7 Views module (see SA-CONTRIB-2016-036).
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Drupal core 7.x versions prior to 7.44
- Drupal core 8.x versions prior to 8.1.3
Solution
Install the latest version:
- If you use Drupal 7.x, upgrade to Drupal core 7.44
- If you use Drupal 8.x, upgrade to Drupal core 8.1.3
Also see the Drupal core project page.
Reported by
Saving user accounts can sometimes grant the user all roles:
Views can allow unauthorized users to see Statistics information:
Fixed by
Saving user accounts can sometimes grant the user all roles:
- Ben Dougherty of the Drupal Security Team
- Balazs Nagykekesi
- David Rothstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Stefan Ruijsenaars of the Drupal Security Team
- vlad.k
- Peter Wolanin of the Drupal Security Team
Views can allow unauthorized users to see Statistics information:
- Nathaniel Catchpole of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Nickolay Leshchev
- Stefan Ruijsenaars of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Daniel Wehner
- xjm of the Drupal Security Team
Coordinated by
The Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Views – Less Critical – Access Bypass – SA-CONTRIB-2016-036
- Advisory ID: DRUPAL-SA-CONTRIB-2016-036
- Project: Views (third-party module)
- Version: 7.x
- Date: 2016-June-15
- Security risk: 7/25 (Less Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
- Vulnerability: Access bypass
Description
An access bypass vulnerability exists in the Views module, where users without the “View content count” permission can see the number of hits collected by the Statistics module for results in the view.
This issue is mitigated by the fact that the view must be configured to show a “Content statistics” field, such as “Total views”, “Views today” or “Last visit”.
The same vulnerability exists in the Drupal 8 core Views module (see SA-CORE-2016-002).
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Views 7.x-3.x versions prior to 7.x-3.14.
Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.14
Also see the Views project page.
Reported by
Fixed by
- Nathaniel Catchpole of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Nickolay Leshchev
- Stefan Ruijsenaars of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Daniel Wehner
Coordinated by
- xjm of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Klaus Purer of the Drupal Security Team
- Stefan Ruijsenaars of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Cisco Security Advisory 20160615-rv
Cisco Security Advisory – A vulnerability in the web interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and the Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code as root on a targeted system. The vulnerability is due to insufficient sanitization of HTTP user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request with custom user data. An exploit could allow the attacker to execute arbitrary code with root-level privileges on the affected system, which could be leveraged to conduct further attacks. Cisco has not released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
Bomgar Remote Support Unauthenticated Code Execution
This Metasploit module exploits a vulnerability in Bomgar Remote Support, which deserializes user-provided data using PHP’s unserialize method. By providing a specially crafted PHP serialized object, it is possible to write arbitrary data to arbitrary files. This effectively allows the execution of arbitrary PHP code in the context of the Bomgar Remote Support system user. To exploit the vulnerability, a valid Logging Session ID (LSID) is required. It consists of four key-value pairs (i.e., ‘h=[…];l=[…];m=[…];t=[…]’) and can be retrieved by an unauthenticated user at the end of the process of submitting a new issue via the ‘Issue Submission’ form. Versions before 15.1.1 are reported to be vulnerable.
How to Hack Someone's Facebook Account Just by Knowing Their Phone Number
Hacking a Facebook account is one of the most common queries on the Internet today. It is hard to find out how to hack a Facebook account, but researchers have just proven it can be done by taking control of a Facebook account with only the target’s phone number and some hacking skills.
Yes, your Facebook account can be hacked, no matter how strong your password is or how many extra security measures you have taken. No
Underground Market Selling Cheap Access to Hacked Servers
Kaspersky Lab uncovers the xDedic marketplace, a trading forum selling access to hacked servers.
