TYPO3 Neos 1.1.x before 1.1.3 and 1.2.x before 1.2.3 allows remote editors to access, create, and modify content nodes in the workspace of other editors via unspecified vectors.
Monthly Archives: April 2015
Multicast DNS Vulnerability Could Lead to DDoS Amplification Attacks
DHS warned of a serious vulnerability in Multicast DNS devices whereby leaked system information could be leveraged in a DDoS amplification attack. mDNS is designed for the local link only; a device that answers queries arriving on UDP port 5353 from the internet discloses host details and, because its reply is larger than the query that triggered it, can be turned into an amplifier for a spoofed-source flood. The practical check is whether UDP/5353 on such devices is reachable from outside the network.
Password Policy – Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2015-090
- Advisory ID: DRUPAL-SA-CONTRIB-2015-090
- Project: Password policy (third-party module)
- Version: 6.x, 7.x
- Date: 2015-April-01
- Security risk: 15/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
- Vulnerability: Cross Site Scripting
Description
The Password Policy module allows enforcing restrictions on user passwords by defining password policies.
The module doesn’t sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that only sites with a policy that uses the username constraint are affected. It is further limited because Drupal core validates usernames when accounts are created through the user interface; only sites that import users from an external source (such as distributed authentication) may end up with non-standard usernames containing malicious characters.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Password Policy 6.x-1.x versions prior to 6.x-1.11.
- Password Policy 7.x-1.x versions prior to 7.x-1.11.
Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Password Policy 6.x-1.x module for Drupal 6.x, upgrade to Password Policy 6.x-1.11
- If you use the Password Policy 7.x-1.x module for Drupal 7.x, upgrade to Password Policy 7.x-1.11
Also see the Password policy project page.
Reported by
- AohRveTPV, the module maintainer
Fixed by
- AohRveTPV, the module maintainer
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
EntityBulkDelete – Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2015-089
- Advisory ID: DRUPAL-SA-CONTRIB-2015-089
- Project: EntityBulkDelete (third-party module)
- Version: 7.x
- Date: 2015-April-01
- Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
EntityBulkDelete module allows you to delete entities in bulk using the Batch API.
The module doesn’t sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must be allowed to create/edit comments, create/edit taxonomy terms or create/edit nodes.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- EntityBulkDelete 7.x-1.0
Drupal core is not affected. If you do not use the contributed EntityBulkDelete module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the EntityBulkDelete module for Drupal 7.x, download EntityBulkDelete 7.x-1.1
Also see the EntityBulkDelete project page.
Reported by
- Pere Orga of the Drupal Security Team
Fixed by
- Rahul Seth, the module maintainer
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Imagefield Info – Moderately Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2015-088
- Advisory ID: DRUPAL-SA-CONTRIB-2015-088
- Project: Imagefield Info (third-party module)
- Version: 7.x
- Date: 2015-April-01
- Security risk: 13/25 (Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor.
The module doesn’t sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer image styles”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Imagefield Info 7.x-1.x versions prior to 7.x-1.2
Drupal core is not affected. If you do not use the contributed Imagefield Info module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Imagefield Info module for Drupal 7.x, upgrade to Imagefield Info 7.x-1.2
Also see the Imagefield Info project page.
Reported by
- Pere Orga of the Drupal Security Team
Fixed by
- Peter Lachky, the module maintainer
- Pere Orga of the Drupal Security Team
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
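The three advisories above share one defect: a string an attacker controls (a username in Password Policy; comment, term or node text in EntityBulkDelete; user-supplied text in Imagefield Info) is written into administration-page markup without being escaped. The stand-alone PHP script below is an added illustration and is not code from any of the three modules. It places the vulnerable concatenation beside the fixed form that uses Drupal's check_plain() (re-implemented as a shim so the script runs outside Drupal), fed with a constructed username of the kind an external authentication source could supply. The function names password_report_row_vulnerable, password_report_row_fixed and contains_unescaped_script are hypothetical.

```php
<?php
// Added illustration, not the Password Policy, EntityBulkDelete or Imagefield
// Info module's own code. Shows the escaping rule the three advisories enforce.

// Stand-alone shim with the same behaviour as Drupal's check_plain(): HTML-escape
// a plain-text string before it is placed into markup. Inside Drupal the real
// function exists and this block is skipped.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample account. Drupal core's user_validate_name() rejects such a
// name for accounts created through the user interface, which is why the
// Password Policy advisory singles out users imported from an external source.
$account = (object) array(
  'uid'  => 42,
  'name' => 'bob<script>alert(document.cookie)</script>',
);

// Vulnerable pattern (hypothetical function name): the raw username is
// concatenated straight into an administration-page table row.
function password_report_row_vulnerable($account) {
  return '<tr><td>' . $account->name . '</td><td>expired</td></tr>';
}

// Fixed pattern: every user-controlled string passes through check_plain()
// before output. In Drupal, theme('username', ...) does this for usernames.
function password_report_row_fixed($account) {
  return '<tr><td>' . check_plain($account->name) . '</td><td>expired</td></tr>';
}

// Quick regression check a reviewer can run over rendered module output:
// does an attacker-controlled tag survive into the markup unescaped?
function contains_unescaped_script($html) {
  return stripos($html, '<script') !== false;
}

$vuln  = password_report_row_vulnerable($account);
$fixed = password_report_row_fixed($account);

echo "vulnerable: ", $vuln, "\n";
echo "fixed:      ", $fixed, "\n";
echo "vulnerable output still contains a script tag? ",
     contains_unescaped_script($vuln) ? 'yes' : 'no', "\n";
echo "fixed output still contains a script tag?      ",
     contains_unescaped_script($fixed) ? 'yes' : 'no', "\n";
```

Run it with `php xss_check.php`. The rule it demonstrates is the same one behind all three fixes: a string is not safe because it came from the database or from an administrator-only page; it must be escaped at the point where it is rendered into HTML, and a reviewer auditing a module should look at every concatenation of entity data into markup in its admin pages.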
Mozilla Adds Opportunistic Encryption for HTTP in Firefox 37
Mozilla has released Firefox 37, and along with the promised addition of the OneCRL certificate revocation list, the company has included a feature that enables opportunistic encryption on connections for servers that don't support HTTPS. The new feature gives users a new defense against some forms of monitoring and doesn't require any setup from users. Because the server is not authenticated in this mode, the protection is against passive observation only; an active attacker in the path can still prevent or strip the encryption. When […]
CEEA-2015:0717 CentOS 7 tzdata Enhancement Update
CentOS Errata and Enhancement Advisory 2015:0717
Upstream details at: https://rhn.redhat.com/errata/RHEA-2015-0717.html
The following updated files have been uploaded and are currently syncing to the mirrors:
( sha256sum Filename )
x86_64:
818c1d17d5adb9ab3d6757430050e8070e06e2af4ee54a1d8bdfb0cb460722ee tzdata-2015b-1.el7.noarch.rpm
71e6f2749ec0de934123278410f5df6209a4190d6e11081b47704930818abed5 tzdata-java-2015b-1.el7.noarch.rpm
Source:
8ec69e7d73b7f0cd4cbef055142adf3c5098070bfdb2720e7c6a94614c66ab63 tzdata-2015b-1.el7.src.rpm
CESA-2015:0771 Important CentOS 7 thunderbird Security Update
CentOS Errata and Security Advisory 2015:0771 Important
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-0771.html
The following updated files have been uploaded and are currently syncing to the mirrors:
( sha256sum Filename )
x86_64:
7ebfced7a86fc0807143f90dbf4ca28fdd63b38d2cfe442fffbc8ca3d9395394 thunderbird-31.6.0-1.el7.centos.x86_64.rpm
Source:
61228bdaf11280dbf4a5f9360fc668b3460f5f9cc8ec981a3efb808384207d86 thunderbird-31.6.0-1.el7.centos.src.rpm
Is the rise of biometric security a good thing?
Whether we like it or not, it seems that biometric security is rapidly becoming the norm.
In March alone, Samsung unveiled new iris scanning technology, Microsoft announced facial recognition for Windows 10, Asus introduced fingerprint scanning and Qualcomm, Fujitsu and Intel all jumped in with biometric tools of their own.
Why are we seeing such rapid adoption?
Although it may still seem futuristic, modern biometric security has been around for a number of years. You could argue though that it was only with the launch of the iPhone 5S and its fingerprint scanner that people really started to take notice.
Now, fuelled by convenience, biometric security is at the forefront of our minds. After all, why remember a password or have to input a code when your device can simply scan you and authorize access?
Is it secure?
While few people would argue that biometric security is not convenient, there are still question marks over its viability as a robust security measure.
SRI, which developed Samsung's iris scanning technology, claims that "tests have shown this purely iris-based solution to be more than 1,000 times more accurate than published fingerprint data." This raises the question: how secure is fingerprint data?
Not all that secure, it turns out. In December 2014, a hacker known as Starbug accurately replicated the fingerprint of the German Minister of Defense from nothing other than high-resolution photographs taken of her at a public event.
More recently, AVG’s own researchers from the Innovation Lab in Amsterdam developed a set of ‘Invisibility Glasses’ that used specialist materials and technology to successfully counteract facial recognition technology.
We’ve written many times before about the pros and cons of biometric security, from speculating on the future to busting myths.
For now, however, it is clear that if biometric security is really going to become our de facto method of authentication, it needs to be rigorously tested against exactly these kinds of spoofing attacks before we rely on it.