Cross-site scripting (XSS) vulnerability in modules/mod_languages/tmpl/default.php in the Language Switcher module for Joomla! 2.5.x before 2.5.7 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php. NOTE: some of these details are obtained from third party information. (CVSS:4.3) (Last Update:2012-11-01)
WatchGuard MSSP Program Offers Enhanced Flexibility
WatchGuard Announces Seventh Straight Quarter of Double-Digit Growth
WatchGuard Adds RapidDeploy Capability to Create Industry's First Self-Configuring UTM Security Appliance
CVE-2012-5455
Cross-site scripting (XSS) vulnerability in the language search component in Joomla! before 3.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a “typographical error.” (CVSS:4.3) (Last Update:2012-11-08)
SA-CORE-2012-003 – Drupal core – Arbitrary PHP code execution and Information disclosure
- Advisory ID: DRUPAL-SA-CORE-2012-003
- Project: Drupal core
- Version: 7.x
- Date: 2012-October-17
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Information Disclosure, Arbitrary PHP code execution
Description
Multiple vulnerabilities were discovered in Drupal core.
Arbitrary PHP code execution
A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.
This vulnerability is mitigated by the fact that the re-installation can only be successful if the site’s settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites.
CVE: CVE-2012-4553
Information disclosure – OpenID module
For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.
CVE: CVE-2012-4554
Versions affected
- Drupal core 7.x versions prior to 7.16.
Drupal 6 is not affected.
Solution
Install the latest version:
- If you use Drupal 7.x, upgrade to Drupal core 7.16.
If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.
Also see the Drupal core project page.
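As an added defensive check (example code, not part of the advisory or of Drupal itself), a POSIX shell function that audits a Drupal 7 docroot for the two conditions the advisory names: entries under the sites/ tree (settings.php included) owned by or world-writable for the webserver user, and install.php still present on disk. The standard Drupal 7 layout (docroot/install.php, docroot/sites/default/settings.php) and the function name are assumptions.

```shell
#!/bin/sh
# Added audit helper for the conditions SA-CORE-2012-003 depends on. Assumes the
# usual Drupal 7 layout: <docroot>/install.php and <docroot>/sites/default/settings.php.
#   1. anything under sites/ (settings.php included) owned by, or world-writable
#      for, the webserver user: the state that lets a re-installation succeed
#   2. install.php still present on disk: the file the interim mitigation removes
# Usage: drupal_audit <docroot> <webserver-user>
# Prints each finding and returns 1 if any was found, 0 if the tree looks clean.
drupal_audit() {
    docroot=$1
    webuser=$2
    findings=0

    # Ownership by the webserver user is the strongest signal the advisory names.
    # Piping through head keeps the exit status 0 even if find rejects an unknown user.
    owned=$(find "$docroot/sites" -user "$webuser" 2>/dev/null | head -n 5)
    if [ -n "$owned" ]; then
        echo "FINDING: entries under sites/ owned by '$webuser' (first few):"
        echo "$owned"
        findings=1
    fi

    # World-writable entries are writable by the webserver user whoever owns them.
    # Write access through a shared group is not modelled here, so a clean result
    # is necessary but not sufficient.
    ww=$(find "$docroot/sites" -perm -0002 2>/dev/null | head -n 5)
    if [ -n "$ww" ]; then
        echo "FINDING: world-writable entries under sites/ (first few):"
        echo "$ww"
        findings=1
    fi

    # install.php present: the advisory's interim mitigation is to remove or block it.
    if [ -e "$docroot/install.php" ]; then
        echo "FINDING: $docroot/install.php is present; remove or block it until 7.16 is deployed"
        findings=1
    fi

    return $findings
}
```

Run it as the webserver user's name from your httpd configuration; a return code of 0 only means the ownership and world-writable checks passed, not that group permissions are safe.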
Reported by
- The arbitrary PHP code execution vulnerability was reported by Heine Deelstra and Noam Rathaus working with Beyond Security’s SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of the Drupal Security Team.
- The information disclosure vulnerability in the OpenID module was reported by Reginaldo Silva.
Fixed by
- The arbitrary PHP code execution vulnerability was fixed by Damien Tournoud, David Rothstein, Peter Wolanin, and Károly Négyesi, all members of the Drupal Security Team.
- The information disclosure vulnerability in the OpenID module was fixed by Reginaldo Silva, Christian Schmidt, Vojtěch Kusý, and Frédéric Marand, and by Peter Wolanin, David Rothstein, Damien Tournoud, and Heine Deelstra of the Drupal Security Team.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Oracle Java SE Critical Patch Update Advisory – October 2012
Oracle Critical Patch Update Advisory – October 2012
WatchGuard Shares Security Best Practices for Real-World Threats at Gartner Symposium ITxpo
CVE-2012-5108 (chrome)
Race condition in Google Chrome before 22.0.1229.92 allows remote attackers to execute arbitrary code via vectors related to audio devices.