Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 23 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!

Subscribe to Drupal Contrib Security feed
Updated: 12 min 7 sec ago

DownloadFile- Critical - Unsupported - SA-CONTRIB-2017-023

Wed, 22/02/2017 - 17:22
Description

DownloadFile is a module to direct download files or images.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed download file module, there is nothing you need to do.

Solution

If you use the download_file module for Drupal 7.x you should uninstall it.

Also see the download file project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

Unpublished 404 - Critical - Unsupported - SA-CONTRIB-2017-021

Wed, 22/02/2017 - 17:19
Description

The purpose of this module is to emit a 404 error when a user tries to access a unpublished pages.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed unpublished 404 module, there is nothing you need to do.

Solution

If you use the unpublished_404 module for Drupal 7.x you should uninstall it.

Also see the unpublished 404 project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022

Wed, 22/02/2017 - 17:18
Description

The Views module allows site builders to create listings of various data in the Drupal database.

The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it.

This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • views 7.x-3.x versions prior to 7.x-3.15.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the views module for Drupal 7.x, upgrade to views 7.x-3.15

Also see the Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020

Wed, 22/02/2017 - 16:45
Description

This module enables sites to automatically detect and set user timezones via JavaScript.

The module does not sufficiently protect against Cross-Site Request Forgery (CSRF): an attacker could use this vulnerability to manipulate a user's timezone setting. The security implication of this issue depends on the site. It can range from minor annoyance to some level of a bigger bug on a site that relies on the timezone for some more important purpose.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Timezone Detect 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Timezone Detect module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Timezone Detect project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019

Wed, 15/02/2017 - 17:21
Description

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks.

The module doesn't sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Metatag 7.x-1.x versions prior to 7.x-1.21.

Drupal core is not affected. If you do not use the contributed Metatag module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Metatag project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

RESTful - Moderately Critical - Access Bypass - SA-CONTRIB-2017-018

Wed, 15/02/2017 - 16:55
Description

This module enables you to build a RESTful API for your Drupal site.

The restful_token_auth module (a sub-module) doesn't validate the status of users when logging them in. This results in a blocked user being able to operate normally with the RESTful actions, even after being blocked.

This vulnerability is mitigated by the fact that an attacker must be in possession of the credentials of a previously blocked user. It is also mitigated by the attacker only will have the access corresponding to the roles of the blocked user. Finally this only affects sites that use the sub-module, restful_token_auth.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful 7.x-1.x versions prior to 7.x-1.8.
  • RESTful 7.x-2.x versions prior to 7.x-2.16.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017

Wed, 15/02/2017 - 16:42
Description

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own.

The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not include a token.

This vulnerability is mitigated by the fact that an attacker must be targeting users with the 'clear flags' role. They must also discover a valid combination of flag, content and user IDs for flagged content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Flag clear module versions prior to 7.x-2.0.

Drupal core is not affected. If you do not use the contributed Flag clear module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag clear project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016

Wed, 15/02/2017 - 16:30
Description

The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system.

The module doesn't sufficiently sanitise the name of the sort option which is displayed to users.

This vulnerability is mitigated by the fact that an attacker must have a role with permission 'administer search_api'.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API Sorts 7.x-1.x versions prior to 7.x-1.7

Drupal core is not affected. If you do not use the contributed Search API sorts module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API sorts project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Hotjar - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-015

Wed, 15/02/2017 - 16:19
Description

This module enables you to add the Hotjar tracking system to your website.

The module doesn't sufficiently sanitize the Hotjar ID when including tracking code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer hotjar".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hotjar 7.x-1.x versions before 7.x-1.2
  • Hotjar 8.x-1.x versions before 8.x-1.0

Drupal core is not affected. If you do not use the contributed Hotjar module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Hotjar module for Drupal 7.x upgrade to Hotjar 7.x-1.2
  • If you use the Hotjar module for Drupal 8.x upgrade to Hotjar 8.x-1.0

Also see the Hotjar project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.xDrupal 8.x
Categories: Technology

OSF for Drupal - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-014

Wed, 08/02/2017 - 19:20
Description

This module enables administrators to use a user interface to create complex semantic queries that can be saved to be used in different locations of a Drupal instance that uses OSF.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • osf_querybuilder 7.x-3.3 versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OSF for Drupal project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Acquia Content Hub - Moderately Critical - Access Bypass - SA-CONTRIB-2017-013

Wed, 08/02/2017 - 18:35
Description

The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub service.

The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information they may not be authorized to view.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Acquia Content Hub 8.x-1.x versions prior to 8.x-1.4.

Drupal core is not affected. If you do not use the contributed Acquia Content Hub module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Acquia Content Hub project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x
Categories: Technology

Wetkit Omega - Moderately Critical - Access Bypass - SA-CONTRIB-2017-012

Wed, 08/02/2017 - 17:00
Description

WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme powered by the Omega base theme.

When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn't have access to them.

This is mitigated by the fact that the unprivileged users won't be able to actually visit the links.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • wetkit_omega 7.x-1.x versions prior to 7.x-1.15.

Drupal core is not affected. If you do not use the contributed Web Experience Toolkit: Omega module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Web Experience Toolkit: Omega project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011

Wed, 08/02/2017 - 16:45
Description

This module enables you to add integration with Facebook API.

The module doesn't sufficiently sanitize incoming data from Facebook.

This vulnerability is mitigated by the fact that an attacker must have be able to successfully pass malicious code through Facebook API or alter facebooks DNS and recreate API endpoints.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Facebook Pull versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Facebook Pull module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Facebook Pull project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010

Wed, 08/02/2017 - 16:27
Description

This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API's core_bridge submodule.

It provides two stream wrappers: "Storage API Public" and "Storage API Private".

The private storage API doesn't sufficiently performs access control allowing anonymous users to access the private storage files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Storage API stream wrappers 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Storage API stream wrappers module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Storage API stream wrappers project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Better Exposed Filters - Less Critical - Cross Site Sscripting (XSS) - SA-CONTRIB-2017-009

Wed, 01/02/2017 - 15:50
Description

The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements.

The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Better Exposed Filters 7.x-3.x versions prior to 7.x-3.4.

Drupal core is not affected. If you do not use the contributed Better Exposed Filters module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Better Exposed Filters project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008

Wed, 25/01/2017 - 18:21
Description

This module Connects Drupal to SalesCloud's API, a Commerce Platform as a Service.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed salescloud module, there is nothing you need to do.

Solution

If you use the salescloud module for Drupal 7.x you should uninstall it.

Also see the salescloud project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

Microblog - Critical - Unsupported - SA-CONTRIB-2017-007

Wed, 25/01/2017 - 18:18
Description

This module enables microblogging on Drupal sites using it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed microblog module, there is nothing you need to do.

Solution

If you use the microblog module for Drupal 7.x you should uninstall it.

Also see the microblog project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

OAuth - Less Critical - Access Bypass - SA-CONTRIB-2017-006

Wed, 25/01/2017 - 18:14
Description

This module enables you to use the OAuth 1.a protocol to authenticate requests.

The module does not does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OAuth 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the OAuth module for Drupal 7.x, upgrade to OAuth 7.x-3.3

Also see the OAuth project page.

Reported by Fixed by Coordinated by Changelog
  • 2017-01-25: Released the advisory as unsupported module.
  • 2017-01-25: Updated the advisory as the module is supported again and a security release was made.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005

Wed, 11/01/2017 - 16:25
Description

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc.

The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable to PHP code execution.

Per Drupal.org policy, 3rd party code should not be stored in drupal.org repositories.

Updating this module will require manual actions to replace the PHPMailer library as described in the README.txt file included in the release.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mailjet 7.x-2.x versions prior 7.x-2.9.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Mailjet module for Drupal 7.x, upgrade to Mailjet7.x-2.9

Also see the project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Technology

OpenLucius - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-004

Wed, 11/01/2017 - 16:23
Description

OpenLucius is a work management platform for social communication, documentation, and projects.

The distribution doesn't sufficiently use tokens when marking messages for users as read thereby exposing a Cross Site Request Forgery (CSRF) vulnerability.

The distribution does not sufficiently filter taxonomy term names before outputting them to HTML thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have permissions to insert malicious taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Openlucius 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed OpenLucius News module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OpenLucius News project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Technology

Pages