- Advisory ID: DRUPAL-SA-CONTRIB-2016-027
- Project: Dropbox Client (third-party module)
- Version: 7.x
- Date: 2016-May-18
- Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, Information Disclosure, Multiple vulnerabilities
Description
This module enables you to view dropbox files in your Drupal site.
The module doesn’t sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to upload files to the dropbox folder that the victim later views through the Drupal site.
Additionally, the module shipped with hardcoded and exposed Oauth credentials, making known users of the module exposed to phishing and/or access bypass.
The app secret has been made invalid, making the exposed secrets unusable for the attacker. This also makes the module unusable without upgrading and taking necessary steps to register a new Dropbox app.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- All dropbox_client 7.x-3.x versions.
Drupal core is not affected. If you do not use the contributed Dropbox Client module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the dropbox_client module for Drupal 7.x, upgrade to dropbox_client 7.x-4.0
- Versions 3.x is no longer supported
Also see the Dropbox Client project page.
Reported by
Fixed by
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity