Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Multiple vulnerabilities
Description
This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface.
Cross Site Scripting (XSS)
The module prints field values without proper sanitization, thereby opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer speech”.
Cross Site Request Forgery (CSRF)
The module enables in-place configuration of form options via AJAX requests, but it doesn't sufficiently check the source of those requests, making it possible for an attacker to cause a user to unknowingly make changes to the field configurations.
This vulnerability is mitigated by the fact that the attacked administrator must have a role with the permission “administer speech”.
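The two issues above are the classic pair for a Drupal 7 AJAX configuration endpoint: the request is accepted without proof that the user's own page issued it, and request-derived text is echoed back unescaped. The following is an added illustration, not code from the Speech recognition module, of how such a callback is normally hardened with Drupal 7's core APIs; the module name, path and variable names are hypothetical.

```php
<?php
// Hypothetical Drupal 7 module "speech_example" (not the Speech recognition
// module's own code) showing a hardened AJAX field-configuration callback.

/**
 * Implements hook_menu().
 */
function speech_example_menu() {
  $items['speech/config/%'] = array(
    'page callback' => 'speech_example_config_callback',
    'page arguments' => array(2),
    // Only the privileged role named in the advisory may reach the endpoint.
    'access arguments' => array('administer speech'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Hands the per-session CSRF token to the page's JavaScript, which must
 * POST it back as "token" (readable as Drupal.settings.speech.token).
 */
function speech_example_add_token() {
  drupal_add_js(array('speech' => array('token' => drupal_get_token('speech_config'))), 'setting');
}

/**
 * AJAX callback that toggles speech input for one form field.
 */
function speech_example_config_callback($field_name) {
  // CSRF check: a request forged from another origin cannot carry this
  // session's token, so it is rejected before any configuration changes.
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !drupal_valid_token($token, 'speech_config')) {
    return MENU_ACCESS_DENIED;
  }
  // Only accept a machine name; anything else is not a field we manage.
  if (!preg_match('/^[a-z0-9_]{1,64}$/', $field_name)) {
    return MENU_NOT_FOUND;
  }
  $enabled = !empty($_POST['enabled']);
  variable_set('speech_example_enabled_' . $field_name, $enabled);
  // XSS check: the field name came from the request, so it is escaped with
  // check_plain() before being echoed back for the browser to render.
  drupal_json_output(array(
    'field' => check_plain($field_name),
    'enabled' => $enabled,
  ));
}
```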
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Speech recognition.
Drupal core is not affected. If you do not use the contributed Speech recognition module, there is nothing you need to do.
Solution
If you use the Speech recognition module you should uninstall it.
The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site.
The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting (XSS) vulnerability.
The vulnerability is mitigated by the fact that an attacker would need permission to create nodes or entities using the Geofield widget.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Geofield Yandex Maps 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Geofield Yandex Maps module, there is nothing you need to do.
Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam, based not only on the posted content but also on the past activity and reputation of the poster across multiple sites.
Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for “Flag as Inappropriate” within the Mollom advanced configuration settings (which is not the default setting).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10
Drupal core is not affected. If you do not use the contributed Mollom module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.11
If you use the Mollom module for Drupal 7.x, upgrade to Mollom 7.x-2.11
Severity Rating: Important
Revision Note: V1.1 (September 17, 2014): Bulletin revised to clarify language in the Executive Summary, Mitigating Factors, and Vulnerability FAQ sections that describes the attack vector for CVE-2014-4072. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website. By default, ASP.NET is not installed when Microsoft .NET Framework is installed on any supported edition of Microsoft Windows. To be affected by the vulnerability, customers must manually install and enable ASP.NET by registering it with IIS.
Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail and news client: Multiple memory safety
errors and use-after-frees may lead to the execution of arbitrary code
or denial of service.