• Advisory ID: DRUPAL-SA-CONTRIB-2015-166
• Project: Encrypt (third-party module)
• Version: 7.x
• Date: 2015-November-18
• Security risk: 11/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
• Vulnerability: Weak Encryption

Description

This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider.

The module did not sufficiently validate good configurations and api usage resulting in multiple potential weaknesses depending on module usage. The default encryption method could theoretically leak the key for known plaintexts. This vulnerability is mitigated by the fact that an attacker would need to have access to the encrypted data which is generally not possible without a breach of the database.

The default key provider uses the Drupal private key, which means that it could potentially be leaked which puts other elements of the site at risk. This vulnerability is mitigated by requiring the default combination of encryption method and key provider for the Drupal private key to be potentially leaked. Users of the module are likely to employ a key of their own creation, rather than use the Drupal private key.

Another encryption method included with the module uses a cipher that can leak structural information about the plaintext. This vulnerability is mitigated by the fact that it would only affect encryptions of large quantities of data, such as files and data of shorter lengths would not be affected.

The default key created by the module is generated by a MD5 hash, which is not as strong as using truly random bytes of data.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Encrypt 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Encrypt module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Encrypt module for Drupal 7.x, upgrade to Encrypt 7.x-2.2

Once installed, review your settings and alter it to use a key provider and encryption method that is not deprecated. If data was encrypted with a deprecated key provider or encryption method then you should also re-encrypt all that data.

Also see the Encrypt project page.

Reported by

• Heine Deelstra of the Drupal Security Team

Fixed by

• Rick Hawkins the module maintainer
• Greg Knaddison of the Drupal Security Team
• Heine Deelstra of the Drupal Security Team
• Chad DeGroot

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-165
• Project: UC Profile (third-party module)
• Version: 6.x
• Date: 2015-November-11
• Security risk: 11/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
• Vulnerability: Information Disclosure

Description

UC Profile module enables you to collect profile fields for users during the checkout process of Ubercart as a checkout pane.

The module doesn’t sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed.

This vulnerability is mitigated by the fact that only sites that store data to the anonymous user’s profile are affected.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• UC Profile 6.x-1.x versions prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed UC Profile module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the UC Profile module for Drupal 6.x, upgrade to UC Profile 6.x-1.3

Also see the UC Profile project page.

Reported by

• Will Long

Fixed by

• Chris Wells, module maintainer
• Patrick Corbett, module maintainer

Coordinated by

• Pere Orga of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-164
• Project: MAYO (third-party theme)
• Version: 7.x
• Date: 2015-November-11
• Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Scripting

Description

MAYO theme enables you to change certain theme settings via the administration interface.

Some theme settings aren’t sufficiently sanitized.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer themes”.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All MAYO 7.x-2.x versions prior to 7.x-2.6
• All MAYO 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed MAYO theme, there is nothing you need to do.

Solution

Install the latest version:

• If you use the MAYO theme for Drupal 7.x-2.x, upgrade to MAYO 7.x-2.6
• If you use the MAYO theme for Drupal 7.x-1.x, upgrade to MAYO 7.x-1.4

Also see the MAYO project page.

Reported by

• Kisugi Ai of the Drupal Security Team

Fixed by

• John Powell the theme maintainer
• Kisugi Ai of the Drupal Security Team

Coordinated by

• Pere Orga of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-163
• Project: Monster Menus (third-party module)
• Version: 7.x
• Date: 2015-November-04
• Security risk: 12/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
• Vulnerability: Access bypass

Description

Monster Menus is a hierarchical menu tree, which provides highly scalable, granular permissions for all pages within a site.

The module includes an option to remove nodes from view (add them to a “recycle bin”) rather than deleting them outright. When a node has been put into a bin using an affected version of the module, it remains visible via a seldom-used URL pattern to the users to whom it had been visible previously, when it was outside of the recycle bin.

This vulnerability is mitigated by the facts that:

1. Sites which do not use the recycle bin feature are not vulnerable.
2. The exposed node is no more accessible than it had been before being placed into the recycle bin. If the node could not be read by a particular user while it was on the regular page, it would still be unreadable by that user when in the recycle bin.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Monster Menus versions 7.x-1.21 through 7.x-1.23.

Drupal core is not affected. If you do not use the contributed Monster Menus module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Monster Menus module for Drupal 7.x, upgrade to Monster Menus 7.x-1.24.

Also see the Monster Menus project page.

Reported by

• Dan Wilga

Fixed by

• Dan Wilga the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-162
• Project: Login Disable (third-party module)
• Version: 6.x, 7.x
• Date: 2015-November-04
• Security risk: 12/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
• Vulnerability: Access bypass

Description

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.

The Login Disable module doesn’t support other contributed user authentication modules like CAS or URL Login. When combined with those modules, the protection preventing a user from logging in does not work.

This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if they do not have permission to login.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Login Disable 6.x-1.x versions prior to 6.x-1.1.
• Login Disable 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Login Disable module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Login Disable module for Drupal 6.x, upgrade to Login Disable 6.x-1.1
• If you use the Login Disable module for Drupal 7.x, upgrade to Login Disable 7.x-1.2

Also see the Login Disable project page.

Reported by

• Gunnar Mathisen

Fixed by

• Bryan Heisler
• Brian Gilbert the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-161
• Project: Field as Block (third-party module)
• Version: 7.x
• Date: 2015-October-28
• Security risk: 8/25 ( Less Critical) AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:Uncommon
• Vulnerability: Access bypass

Description

This module enables you to take a field from the current entity and place it elsewhere as a block.

The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it.

The problem will only occur when other modules alter field output based on user permissions.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Field as Block 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Field as Block module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Field as Block module for Drupal 7.x, upgrade to Field as Block 7.x-1.4

Also see the Field as Block project page.

Reported by

• László Csécsy

Fixed by

• László Csécsy
• Marc van Gend the module maintainer

Coordinated by

• Hunter Fox of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CORE-2015-004
• Project: Drupal core
• Version: 7.x
• Date: 2015-October-21
• Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
• Vulnerability: Open Redirect

Description

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the “Access the administrative overlay” permission, and that the Overlay module must be enabled.

An incomplete fix for this issue was released as part of SA-CORE-2015-002.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Drupal core 7.x versions prior to 7.41.

Solution

Install the latest version:

• If you use Drupal 7.x, upgrade to Drupal 7.41

Also see the Drupal core project page.

Reported by

• Samuel Mortenson
• Pere Orga of the Drupal Security Team

Fixed by

• Pere Orga of the Drupal Security Team
• David Rothstein of the Drupal Security Team

Coordinated by

• The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-160
• Project: Webform CiviCRM Integration (third-party module)
• Version: 7.x
• Date: 2015-October-21
• Security risk: 12/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
• Vulnerability: Cross Site Scripting

Description

Webform CiviCRM Integration allows you to add CiviCRM fields to a Drupal Webform.

The module doesn’t sufficiently escape user input.

Some of the vulnerabilities are mitigated by the fact that an attacker must have a role with the permission to edit the webform node plus “access CiviCRM” to define the input prompts, or permission to create events in CiviCRM.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Webform CiviCRM 7.x versions prior to 7.x-4.13.

Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Webform CiviCRM module for Drupal 7.x, upgrade to Webform CiviCRM 7.x-4.13

Also see the Webform CiviCRM Integration project page.

Reported by

• Neil Drumm of the Drupal Security Team

Fixed by

• Coleman Watts the module maintainer
• Chris Burgess of the CiviCRM Security Team

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-159
• Project: LABjs (third-party module)
• Version: 7.x
• Date: 2015-October-21
• Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
• Vulnerability: Open Redirect

Description

The LABjs module integrates LABjs with Drupal for web performance optimization.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004).

Only sites with the Overlay module enabled are vulnerable.

An incomplete fix for this issue was released in SA-CONTRIB-2015-124.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• LABjs 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed LABjs module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the LABjs module for Drupal 7.x, upgrade to LABjs 7.x-1.8

Also see the LABjs project page.

Reported by

• Pere Orga of the Drupal Security Team
• Samuel Mortenson

Fixed by

• Hai-Nam Nguyen the module maintainer
• Pere Orga of the Drupal Security Team

Coordinated by

• The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-158
• Project: jQuery Update (third-party module)
• Version: 7.x
• Date: 2015-October-21
• Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
• Vulnerability: Open Redirect

Description

The jQuery Update module enables you to update jQuery on your site.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004).

Only sites with the Overlay module enabled are vulnerable.

An incomplete fix for this issue was released in SA-CONTRIB-2015-123.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• jQuery Update 7.x-2.x versions prior to 7.x-2.7

Drupal core is not affected. If you do not use the contributed jQuery Update module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the jQuery Update module 2.x branch, upgrade to jQuery Update 7.x-2.7

Also see the jQuery Update project page.

Reported by

• Samuel Mortenson
• Pere Orga of the Drupal Security Team

Fixed by

• Pere Orga of the Drupal Security Team
• Mark Carver, module maintainer

Coordinated by

• The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity