All posts by 007admin

SA-CONTRIB-2014-091 – Survey Builder – Cross Site Scripting (XSS)

Description

This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses.

Cross Site Scripting (XSS)

When viewing surveys at “/surveys”, the survey titles printed out are not sanitized. Any potentially dangerous code in the survey titles is also rendered.

This vulnerability is mitigated by the fact that a user must have the “Create Survey” permission to be able to set the survey titles.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • survey_builder 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Survey Builder module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Survey Builder project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.


SA-CONTRIB-2014-090 – Speech recognition – Multiple vulnerabilities

Description

This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface.

Cross Site Scripting (XSS)

The module incorrectly prints fields without proper sanitization, thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer speech”.

Cross Site Request Forgery (CSRF)

The module enables in-place configuration of form options via AJAX requests, but it does not sufficiently check the source of those requests, making it possible for an attacker to cause a user to unknowingly make changes to the field configurations.

This vulnerability is mitigated by the fact that the attacked administrator must have a role with the permission “administer speech”.
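As an added illustration of both advisory classes on this page (the unescaped survey titles in Survey Builder and the unchecked AJAX configuration requests in Speech recognition), the Drupal 7 sketch below shows an escaped listing and a token-checked AJAX callback. It is example code written for this page, not code from either module; the example_ names, the surveys listing, and the use of the “administer speech” permission are assumptions.

```php
<?php
// Added example (not code from the Survey Builder or Speech recognition modules).
// Drupal 7 patterns for the two advisory classes above. The "example_" names,
// the surveys listing and the 'administer speech' permission use are assumed.

// XSS: theme('table') treats cell contents as markup, so a user-supplied
// title must be escaped before it is placed in a row.
function example_surveys_page(array $surveys) {
  $rows = array();
  foreach ($surveys as $survey) {
    // Vulnerable form (do not use): the raw title reaches the browser as HTML.
    // $rows[] = array($survey->title);
    // Fixed form: check_plain() turns <, >, &, " and ' into entities.
    $rows[] = array(check_plain($survey->title));
  }
  return theme('table', array('header' => array(t('Title')), 'rows' => $rows));
}

// CSRF: a permission check alone does not stop a request that a third-party
// page forges from an administrator's browser; the request must also carry a
// token that only the site's own pages can mint for this action.
function example_menu() {
  $items['example/field-config/%'] = array(
    'page callback' => 'example_field_config_ajax',
    'page arguments' => array(2),
    'access arguments' => array('administer speech'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_field_config_ajax($field_name) {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_field_config')) {
    return MENU_ACCESS_DENIED;  // Drupal turns this into a 403 response.
  }
  // ... apply the configuration change for $field_name here ...
  drupal_json_output(array('status' => 'ok', 'field' => check_plain($field_name)));
  drupal_exit();
}

// Where the page that issues the AJAX call is built, expose the token to its
// JavaScript as Drupal.settings.example.fieldConfigToken.
function example_add_token_setting() {
  drupal_add_js(array('example' => array(
    'fieldConfigToken' => drupal_get_token('example_field_config'),
  )), 'setting');
}
```

The client-side script then appends the token to the configuration request as the `token` query parameter, so a request forged from another origin, which cannot read the setting, is rejected before any change is made.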

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • All versions of Speech recognition.

Drupal core is not affected. If you do not use the contributed Speech recognition module,
there is nothing you need to do.

Solution

If you use the Speech recognition module you should uninstall it.

Also see the Speech recognition project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Free iPhone 6 Facebook scam does the rounds, right on time

Facebook scams tend to crop up in the run-up to a big Apple launch with around the same regularity as big Apple launches themselves. This week’s iPhone 6 launch is no exception, with Help Net Security noting that a Facebook page ‘offering’ free iPhone 6 units is, as usual, a total fraud.

This time, the scam promises a free iPhone 6 as soon as “three easy steps” are completed; as usual, these involve a survey, after which you are supposedly allowed to download a “participation application.”

When a victim completes the free iPhone 6 survey, all their friends are spammed with the fake promotion, Hoax Slayer reveals, but the three “easy” steps are anything but.

Each time someone completes a survey, the page claims there is an error, and they are directed to a further survey, according to Help Net. As always, the “free iPhone 6” never materializes.

Free iPhone 6: Nope, it’s a scam

“Some of the available surveys want you to provide your mobile phone number, ostensibly to go in the draw for extra prizes or offers. But, by submitting your number, you will actually be subscribing to a very expensive text messaging ‘service’ that will charge you several dollars every time they send you a message,” Hoax Slayer says.

“Alternatively, you may be asked to provide your name, address, and phone details, again, to supposedly enter you into a prize draw. But, fine print on the page will state that your details will be shared with third-party marketers. Thus, after submitting your details, you will likely be inundated with annoying phone calls, emails, and junk mail.”

“Meanwhile, the scammer who created the fake promotion will earn a commission. But, no matter how many surveys you complete, you will still not get to download your ‘application’.”

The site cautions against clicking on any link this week which offers a free iPhone 6, as this sort of big product launch is a prime target for cybercriminals, and any link is potentially suspect.

Something for free?

Mark James, ESET security specialist, says, “We all like the idea of something for free; that’s the approach these types of scams use. Deep down we know it’s not going to happen, but a lot of people will still click the like button or share that simple post in the hope it’s going to arrive.”

“We have seen these types of scams for years, but they are still as effective today as they were when they started. Once we like or share the page, we do all the marketing and advertising for the scammers, thus providing a very valuable and potentially dangerous page to initiate future scams or attacks.”

“I still encourage people to use the ‘front door’ policy, i.e. treat it like your front door: ‘When was the last time someone banged on your front door to offer you an iPhone 5 or 6 just for filling out a survey, or a £10/£50 supermarket voucher for free?’ It just does not happen.”

The post Free iPhone 6 Facebook scam does the rounds, right on time appeared first on We Live Security.

SA-CONTRIB-2014-089 – Geofield Yandex Maps – Cross Site Scripting (XSS)

Description

The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site.

The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker would need permission to create nodes or entities using the Geofield widget.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Geofield Yandex Maps 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Geofield Yandex Maps module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Geofield Yandex Maps project page.

Reported by

  • Matt V. (provisional member of the Drupal Security Team)

Fixed by

  • Matt V. (provisional member of the Drupal Security Team)

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


What is Phishing?

No doubt you have wondered and asked yourself on more than one occasion, what is phishing and how can it affect you.

All of us know that it is some type of scam, although perhaps there are many who don’t know exactly what it is or the techniques used by hackers and cyber-criminals.

So, exactly what is phishing? Also known as email phishing, it involves sending emails that appear to come from trusted sources, such as banks, but are really aimed at stealing confidential information from users.

These emails usually include a link which when clicked, takes you to a spoof Web page. These pages appear genuine though they are really like a mirror that hides the criminals whose sole aim is to steal your personal data.

The problem is that users think they are in a trusted site and therefore enter the requested data. However, this confidential data will fall straight into the hands of the scammers and can then be used for some type of fraud.

That’s why it is always best to access web pages by typing the address directly in the browser.


How to recognize a phishing message

It’s not always easy to recognize phishing messages, particularly if you are a client of the company from which the message has supposedly been sent.

  • Even though the ‘From:’ field of the message shows the address of the company, it is not difficult for a criminal to alter the source address of the email in any mail client.
  • The email may have the logos and trademarks of the organization, yet these can easily be lifted from the company’s website.
  • The link in the email seems to point to the company’s website, though really it takes you to a fake page which will ask you for your user name, password, etc.
  • Very often these messages contain spelling or grammatical errors that you would not normally expect in official communications from the genuine company.

It’s also important to bear in mind that although phishing has traditionally used email, now, with the increasing popularity of smartphones and social networks, there are new channels of attack.

Another thing to be aware of is that although we normally talk about phishing in the context of banks, cyber-criminals often use any popular website or platform (Ebay, Facebook, Paypal, etc) as bait for stealing personal data.

But remember, no company will ever ask you to send them your personal details via email. If they do, be very suspicious!
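Two of the signs listed above (a ‘From:’ display name that claims a brand the sender’s domain does not belong to, and a link whose visible text names a different host than its destination) can be checked mechanically. The following PHP is an added example, not part of the original post; the brand list and the sample message are constructed.

```php
<?php
// Added example, not part of the original post: two of the phishing signs
// listed above, automated. Brand list and the sample message are constructed.
// Sign 3: link text that names a host different from the href's host.
function phish_link_mismatches($html) {
  $findings = array();
  preg_match_all('~<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>~is', $html, $m, PREG_SET_ORDER);
  foreach ($m as $a) {
    $href_host = strtolower((string) parse_url($a[1], PHP_URL_HOST));
    $text = strip_tags($a[2]);
    // Skip text that is not URL-like ("click here"): there is nothing to compare.
    if ($href_host === '' || !preg_match('~(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})~i', $text, $t)) continue;
    $text_host = strtolower($t[1]);
    // Accept an exact match or a subdomain of the text host; flag anything else.
    if ($text_host !== $href_host && substr($href_host, -strlen(".$text_host")) !== ".$text_host") {
      $findings[] = "link text shows '$text_host' but href goes to '$href_host'";
    }
  }
  return $findings;
}

// Sign 1: display name claims a brand whose legitimate domain the sender lacks.
function phish_from_mismatch($from_header, array $brand_domains) {
  // Split "Display Name <addr>" (or a bare address) into its two parts.
  if (preg_match('~^(.*?)<([^>]+)>~', $from_header, $m)) {
    $display = strtolower(trim($m[1], " \t\""));
    $addr = $m[2];
  } else {
    $display = '';
    $addr = trim($from_header);
  }
  $at = strrpos($addr, '@');
  if ($at === FALSE) return NULL;
  $domain = strtolower(substr($addr, $at + 1));
  foreach ($brand_domains as $brand => $legit) {
    $is_legit = $domain === $legit || substr($domain, -strlen(".$legit")) === ".$legit";
    if (strpos($display, strtolower($brand)) !== FALSE && !$is_legit) {
      return "display name mentions '$brand' but sender domain is '$domain'";
    }
  }
  return NULL;
}

// Constructed sample: spoofed brand name and a look-alike link (.example TLD).
$from = '"PayPal Service" <alerts@paypa1-secure.example>';
$body = '<p>Please visit <a href="http://login.paypa1-secure.example/x">https://www.paypal.com/signin</a>.</p>';
print_r(phish_from_mismatch($from, array('PayPal' => 'paypal.com')));
print_r(phish_link_mismatches($body));
```

Run with `php` on the command line; both checks report a finding for the sample, while a genuine message whose links and sender domain agree yields none. The fourth sign (spelling and grammar) and the second (copied logos) are not machine-checkable in this simple way.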

Moreover, as a stitch in time saves nine, you can always add an extra layer of protection by installing one of our new 2015 antivirus solutions. To do this, all you have to do is visit our free antivirus page and select the one that best adapts to your ideal level of protection.

The post What is Phishing? appeared first on MediaCenter Panda Security.

SA-CONTRIB-2014-088 – Mollom – Cross-site scripting (XSS)

Description

Mollom is an “intelligent” content moderation web service which determines if a post is potentially spam, based not only on the posted content but also on the past activity and reputation of the poster across multiple sites.

Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for “Flag as Inappropriate” within the Mollom advanced configuration settings (which is not the default setting).

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
  • Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10

Drupal core is not affected. If you do not use the contributed Mollom module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Mollom project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.
