OSF for Drupal – Critical – Multiple vulnerabilities – SA-CONTRIB-2015-134

Advisory ID: DRUPAL-SA-CONTRIB-2015-134
Project: OSF for Drupal (third-party module)
Version: 7.x
Date: 2015-July-22
Security risk: 15/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery

Description

The Open Semantic Framework (OSF) for Drupal is a middleware layer that allows structured data (RDF) and associated vocabularies (ontologies) to “drive” tailored tools and data displays within Drupal.

The module is vulnerable to reflected Cross Site Scripting (XSS) because it did not sufficiently filter user input values in some administration pages. An attacker could exploit this vulnerability by making other users visit a specially-crafted URL. Only sites with OSF Ontology module enabled are affected.

Additionally, the module is vulnerable to Arbitrary file deletion. A malicious user can cause an administrator to delete files by getting their browser to make a request to a specially-crafted URL. Only sites with OSF Ontology and OSF Import modules enabled are affected.

Also, some forms were vulnerable to Cross Site Request Forgery (CSRF). An attacker could create new OSF datasets by getting an administrator’s browser to make a request to a specially-crafted URL. Only sites with OSF Import module enabled are affected.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

OSF 7.x-3.x versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.

Solution

Install the latest version:

If you use the OSF for Drupal module for Drupal 7.x, upgrade to OSF 7.x-3.1

Also see the OSF for Drupal project page.

Reported by

Pere Orga of the Drupal Security Team

Fixed by

Frederick Giasson, the module maintainer

Coordinated by

Pere Orga of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version:

Drupal 7.x

007 Software