Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 8 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!


Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

Wed, 21/08/2019 - 15:52
Project: Imagecache External
Date: 2019-August-21
Security risk: Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Insecure session token management
Description:

This module allows you to store external images on your server and apply your own Image Styles.

The module exposes cookies to external sites when making external image requests.

This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests to trusted sources.

Solution: 

Install the latest version:

Also see the Imagecache External project page.


Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Wed, 14/08/2019 - 18:33
Project: Forms Steps
Date: 2019-August-14
Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

Forms Steps provides a UI to create form workflows using form modes. It creates quick and configurable multistep forms.

The module doesn't sufficiently check user permissions to access its workflow entities, which allows users to see any entities that have been created through the different steps of its multistep forms.

This vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create content linked to the flow. Also, all created content is very hard to edit through the same flow, as you have to know the URL and the hash linked to the content.

Solution: 

Install the latest version:

Also see the Forms Steps project page.


External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

Wed, 14/08/2019 - 18:26
Project: External Links Filter
Date: 2019-August-14
Security risk: Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Open Redirect Vulnerability
Description:

The External Link Filter module provides an input filter that replaces external links with a local link that redirects to the target URL.

The module did not protect the redirect URL, so a redirect could lead somewhere other than where content authors intended.

Solution: 

Install the latest version:

Also see the External Links Filter project page.


Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

Wed, 14/08/2019 - 18:14
Project: Super Login
Date: 2019-August-14
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module improves the Drupal login page with new features and a new layout.

The module doesn't sufficiently filter input text in the text configuration inputs on its administration pages, for example the login text field.

The vulnerability is mitigated by the fact that it can only be exploited by a user with the "Administer super login" permission.

Solution: 

Install the latest version:

Also see the Super Login project page.


scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

Wed, 14/08/2019 - 18:01
Project: scroll to top
Date: 2019-August-14
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

The Scroll To Top module enables you to have an animated scroll-to-top link at the bottom of the node.

The module does not sufficiently filter configuration text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scroll to top".

Solution: 

Install the latest version of the module.

Also see the scroll to top project page.


Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060

Wed, 24/07/2019 - 18:36
Project: Existing Values Autocomplete Widget
Date: 2019-July-24
Security risk: Critical 17∕25 AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.

The module doesn't sufficiently check for proper access permission before returning autocomplete results.

This vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller, though this is easily known.

Solution: 

Install the latest version:

Also see the Existing Values Autocomplete Widget project page.


Facebook Messenger Customer Chat Plugin - Critical - Access bypass - SA-CONTRIB-2019-059

Wed, 24/07/2019 - 17:49
Project: Facebook Messenger Customer Chat Plugin
Date: 2019-July-24
Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Facebook Messenger Customer Chat Plugin module enables you to add the Facebook Messenger Customer Chat Plugin to your Drupal site.

The module doesn't require any user permission to access its admin page.

Solution: 

Install the latest version:

Also see the Facebook Messenger Customer Chat Plugin project page.


Metatag - Moderately critical - Information disclosure - SA-CONTRIB-2019-058

Wed, 24/07/2019 - 17:31
Project: Metatag
Date: 2019-July-24
Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information disclosure
Description:

This module enables you to customize meta tags to help with a site's search engine ranking and improve the display of page summaries when shared on social networks.

The module doesn't sufficiently check for a site being in maintenance mode.

This vulnerability is mitigated by the fact that the site must be configured to disallow access to certain content, and must be put into maintenance mode.

Solution: 

Install the latest version:

Also see the Metatag project page.
