A critical remote code execution vulnerability in Bash, present in almost all Linux, UNIX and Mac OS X deployments, has been discovered. Experts advise immediate patching.
All posts by 007admin
SA-CONTRIB-2014-093 – Twilio – Information Disclosure
- Advisory ID: DRUPAL-SA-CONTRIB-2014-093
- Project: Twilio (third-party module)
- Version: 7.x
- Date: 2014-September-24
- Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Information Disclosure
Description
This module enables you to easily add SMS and VOIP functionality to your website by leveraging the Twilio cloud Voip and SMS service.
The module doesn’t expose its own permissions for administration including viewing and editing the Twilio authentication tokens. It relies only on “access administration pages” permission which is frequently granted to less-trusted users.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access administration pages”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- Twilio 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed Twilio module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Twiliio module for Drupal 7.x, upgrade to Twilio 7.x-1.9
Also see the Twilio project page.
Reported by
Fixed by
- Arvin Singla the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.
Drupal version:
SA-CONTRIB-2014-094 – Webform Patched – Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2014-094
- Project: Webform Patched (third-party module)
- Version: 6.x, 7.x
- Date: 2014-September-24
- Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
- Vulnerability: Cross Site Scripting
Description
The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site.
The module doesn’t sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “create webform content”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- Webform Patched 6.x-3.x versions prior to 6.x-3.20.
- Webform Patched 7.x-3.x versions prior to 7.x-3.20.
Drupal core is not affected. If you do not use the contributed Webform Patched module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the webform module for Drupal 6.x, upgrade to webform_patched 6.x-3.20
- If you use the webform module for Drupal 7.x-3.x, upgrade to webform_patched 7.x-3.20
Also see the Webform Patched project page.
Reported by
Fixed by
- Nate Haug the module maintainer
Coordinated by
- Greg Knaddison, Dan Smith and Lee Rowlands of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.
Drupal version:
SA-CONTRIB-2014-092 – Services – Cross Site Scripting, Access bypass
- Advisory ID: DRUPAL-SA-CONTRIB-2014-092
- Project: Services (third-party module)
- Version: 7.x
- Date: 2014-September-24
- Security risk: 11/25 ( Moderately Critical) AC:Complex/A:User/CI:None/II:Some/E:Proof/TD:All
- Vulnerability: Cross Site Scripting, Access bypass
Description
The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.
New user’s password set to weak password in _user_resource_create()
When creating a new user account via Services, the new user’s password was set to a weak password.
This issue is mitigated by the fact that the user resource must be enabled (or least have been enabled in the past) and new user registration permitted via Services.
Action required: This release of Services comes with an interface and a drush command to perform actions in order to secure your site and get rid of this vulnerability. After installing this release and running the regular database updates, make sure to read all the information provided at admin/config/services/services-security, and pick the option most suited to your site. For example, you can reset the password of all user accounts that have been created since August 30th, 2013 (recommended).
Unfiltered JSONP callback parameter (XSS)
The JSONP response of a callback parameter is unfiltered and outputs raw HTTP data. This can lead to arbitrary JavaScript execution.
This issue is mitigated by the fact that JSONP is not enabled by default in the REST server response formatters and the HTTP client Accept header must be set to text/javascript or application/javascript if the “xml” formatter is enabled.
Services module now restricts callback parameters to alphanumeric characters only and a hard limit of 60 characters.
Flood control for user login bypass
Flood control was not properly enforced leaving it vulnerable to brute force attacks. Services now implements flood control just like core Drupal does.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- Services 7.x-3.x versions prior to 7.x-3.10.
Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.10
- follow the security update instructions at admin/config/services/services-security
Also see the Services project page.
Reported by
- Sam Metson reported the user password issue
- Régis Leroy reported the XSS issue
- Chris Oden reported the flood control issue
Fixed by
- Kyle Browning the module maintainer
- Stéphane Corlosquet of the Drupal Security Team
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Stéphane Corlosquet of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.
Drupal version:
[ MDVSA-2014:185 ] libgadu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:185 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : libgadu Date : September 24, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated libgadu packages fix security vulnerability: Libgadu before 1.12.0 was found to not be performing SSL certificate validation (CVE-2013-4488). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4488 http://advisories.mageia.org/MGASA-2014-0375.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: de3454fe7c663ecd08d4e1eeb2638776 mbs1/x86_64/
[ MDVSA-2014:184 ] net-snmp
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:184 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : net-snmp Date : September 24, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated net-snmp packages fix security vulnerabilities: A remote denial-of-service flaw was found in the way snmptrapd handled certain SNMP traps when started with the -OQ option. If an attacker sent an SNMP trap containing a variable with a NULL type where an integer variable type was expected, it would cause snmptrapd to crash (CVE-2014-3565). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3565 http://advisories.mageia.
[ MDVSA-2014:183 ] phpmyadmin
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:183 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : phpmyadmin Date : September 24, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated phpmyadmin package fixes security vulnerability: In phpMyAdmin before 4.2.9, by deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature (CVE-2014-6300). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6300 http://advisories.mageia.org/MGASA-2014-0383.html _______
[ MDVSA-2014:182 ] zarafa
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:182 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : zarafa Date : September 24, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated zarafa packages fix security vulnerabilities: Robert Scheck reported that Zarafa's WebAccess stored session information, including login credentials, on-disk in PHP session files. This session file would contain a user's username and password to the Zarafa IMAP server (CVE-2014-0103). Robert Scheck discovered that the Zarafa Collaboration Platform has multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448, CVE-2014-5449, CVE-2014-5450). _______________________________________________
[ MDVSA-2014:181 ] dump
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:181 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : dump Date : September 24, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated dump packages fix security vulnerability: An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications using performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607). The dump package is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?nam
More Trouble For jQuery As Second Compromise Reported
The website for JavaScript library jQuery is under attack for the second time in a week.