Vulnerability: Access bypass, Information Disclosure
Description
This module enables you to associate menus with Organic Groups (OG). It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc.
The module doesn’t sufficiently check the menu parameters passed in the path, creating an access bypass vulnerability allowing an attacker to edit or delete any menu link on the site. There is also an information disclosure vulnerability of menu info.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer og menu”.
This handles the same issue as SA-CONTRIB-2014-125, but due to a mistake made in tagging the release, the fix did not get included.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.6
Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.4
Organic Groups Menu (OG Menu) 7.x-3.0 and later versions are not affected.
Drupal core is not affected. If you do not use the contributed OG Menu module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the OG Menu module for Drupal 6.x, upgrade to OG Menu 6.x-2.6
If you use the OG Menu module for Drupal 7.x and the OG module 7.x-1.x, upgrade to OG Menu 7.x-2.4
If you use the OG Menu module for Drupal 7.x and the OG module 7.x-2.x, no action is needed.
School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system.
The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user with the permission to create or edit a class node.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
School Administration 7.x-1.x versions prior to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed module,
there is nothing you need to do.
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description
This distribution enables you to create an intranet.
Several of the sub modules included do not prevent CSRF on several menu callbacks.
Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with “access content” to update and delete nodes.
Also, (alpha) module OG Subgroups contained a vulnerability that allowed access to child groups even if membership inheritance was disabled.
Vulnerability: Access bypass, Information Disclosure
Description
This module enables you to associate menus with Organic Groups (OG). It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc.
The module doesn’t sufficiently check the menu parameters passed in the path, creating an access bypass vulnerability allowing an attacker to edit or delete any menu link on the site. There is also an information disclosure vulnerability of menu info.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer og menu”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.5.
Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.3.
Organic Groups Menu (OG Menu) 7.x-3.x versions prior to 7.x-3.0
Drupal core is not affected. If you do not use the contributed OG Menu module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the OG Menu module for Drupal 6.x, upgrade to OG Menu 6.x-2.5
If you use the OG Menu module for Drupal 7.x and the OG module 7.x-1.x, upgrade to OG Menu 7.x-2.3
If you use the OG Menu module for Drupal 7.x, and the OG module 7.x-2.x upgrade to OG Menu 7.x-3.0
This module enables users to have a block displaying the result of the last poll as a chart.
The module doesn’t sufficiently sanitize poll node titles when displaying the block.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create polls and the poll chart block must be enabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
poll_chart 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Poll Chart Block module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Poll Chart module for Drupal 7.x, upgrade to Poll Chart 7.x-1.2
The Postal Code module enables you to implement postal code validation for several countries.
The module doesn’t sufficiently sanitize certain data in the admin thereby opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with a permission that allows adding or editing fields to entity types such as “administer taxonomy terms” or “administer content types”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Postal Code 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed Postal Code module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Postal Code module for Drupal 7.x, upgrade to Postal Code 7.x-1.9
This module enables you to use Moip (a Brazilian payment method) with Drupal Commerce.
The module doesn’t sufficiently filter the data passed by the automatic notifications, leaving the possibility for a malicious user to insert Cross Site Scripting (xss) attacks.
This vulnerability is mitigated by the fact that only sites running the dblog module are affected (this module is enabled by default).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Moip 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed MoIP module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Moip module for Drupal 7.x, upgrade to Moip 7.x-1.4
This module enables you to execute arbitrary Javascript by adding the script to the title of a node.
The module doesn’t sufficiently sanitize Watchdog messages when viewing the detail view of a specific Watchdog notification. It improperly translated the message rather than using proper Watchdog message syntax.
This vulnerability is mitigated by the fact that an attacker must have a role allowing them to create nodes or edit the title of an existing node. It is further mitigated in that the script is only executed by admins when viewing a Watchdog notice when using dblog module (syslog users are not affected).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Godwin’s Law 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Godwin’s Law module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Godwin’s Law module for Drupal 7.x, upgrade to Godwin’s Law 7.x-1.1
Affected sites are urged to generate a new hash salt and store it in settings.php.
Methods to generate a new hash salt
With drush: drush php-eval 'echo(drupal_random_key()) . "n";'
With openssl: openssl rand -base64 32
How to replace the hash salt
Open your settings.php file (e.g., sites/default/settings.php
Locate the variable $drupal_hash_salt:
<?php /** * Salt for one-time login links and cancel links, form tokens, etc. * [...] */ $drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; ?>
Replace the value and safe the file
Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing drush cache-clear all
Effects caused by replacing the hash salt
Passwort reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
Existing image style urls will stop working. A cache flush is necessary such that all <img> tags are updated.
If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.
Affected sites are urged to generate a new hash salt and store it in settings.php.
Methods to generate a new hash salt
With drush: drush php-eval 'echo(drupal_random_key()) . "n";'
With openssl: openssl rand -base64 32
How to replace the hash salt
Open your settings.php file (e.g., sites/default/settings.php
Locate the variable $drupal_hash_salt:
<?php /** * Salt for one-time login links and cancel links, form tokens, etc. * [...] */ $drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; ?>
Replace the value and safe the file
Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing drush cache-clear all
Effects caused by replacing the hash salt
Password reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
Existing image style urls will stop working. A cache flush is necessary such that all <img> tags are updated.
If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.