Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 11 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!


Aegir HTTPS - Moderately critical - Access bypass - SA-CONTRIB-2019-003

Wed, 09/01/2019 - 19:10
Project: Aegir HTTPS
Version: 7.x-3.170
Date: 2019-January-09
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform.

This module doesn't sufficiently shield multi-site installations.

This vulnerability is mitigated by the fact that the server must be using Apache and must host multiple sites on a common platform. An attacker must also have knowledge of the filenames in use and of the server.

Solution: 

Install the latest version:

Also see the Aegir HTTPS project page.


Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002

Wed, 09/01/2019 - 17:49
Project: Provision
Version: 7.x-3.170
Date: 2019-January-09
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform.

This module doesn't sufficiently shield multi-site installations or the PHP source code.

This vulnerability is mitigated by the fact that the server must be using Apache. For multi-site installations, the server must host multiple sites on a common platform. Additionally, an attacker must have knowledge of the filenames in use and of the server.

Solution: 

Install the latest version:

Also see the Provision project page.


Phone Field - Critical - SQL Injection - SA-CONTRIB-2019-001

Wed, 09/01/2019 - 17:38
Project: Phone Field
Date: 2019-January-09
Security risk: Critical 16/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: SQL Injection
Description:

This module provides a phone field for Drupal 7 that supports the HTML5 tel: URI scheme.

In an API function that is not used by the module, the name for the phone field is not sufficiently sanitised when using it in database queries.

This vulnerability is mitigated by the fact that it affects an unused function. A site is only vulnerable if it has custom code that uses the phonefield_get_entity_id() function and exposes control over the $field parameter to visitors to the site.

Solution: 

Install the latest version:

Also see the Phone Field project page.


JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081

Wed, 19/12/2018 - 17:53
Project: JSON:API
Date: 2018-December-19
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides a JSON:API specification-compliant HTTP API for accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when responding to certain filtered collection requests, thereby causing an access bypass vulnerability.

In order to fix this issue, two new hooks were added: hook_jsonapi_ENTITY_TYPE_filter_access() and hook_jsonapi_entity_field_filter_access(). Sites with custom entity types, or with entity or field access customizations, may need to implement these newly introduced hooks so that filtered collection requests respect the same access rules as direct entity access.
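As an added illustration of what a site-specific implementation of the two hooks looks like (this is example code, not code from the JSON:API module or the advisory), the following assumes a module named `mymodule`, a node field `field_internal_notes`, and a permission `view internal notes`; the hook signatures and the `JSONAPI_FILTER_AMONG_*` constants follow the module's jsonapi.api.php as I recall them, so verify them against the installed release.

```php
<?php
// mymodule.module (assumed module name): example implementations of the
// filter-access hooks introduced with the JSON:API fix.
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for the node entity type.
 *
 * Declares which subsets of nodes a user may filter across when a collection
 * request carries a ?filter=... query. Without a positive result for a subset,
 * that subset is excluded from filtered results, so unpublished content of
 * other users cannot be probed through filters.
 */
function mymodule_jsonapi_node_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    // Filtering among all nodes, published or not: administrators only.
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'bypass node access'),
    // Filtering among published nodes: anyone who may view published content.
    JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::allowedIfHasPermission($account, 'access content'),
    // Filtering among the user's own nodes: any authenticated user.
    JSONAPI_FILTER_AMONG_OWN => AccessResult::allowedIf($account->isAuthenticated())->cachePerUser(),
  ];
}

/**
 * Implements hook_jsonapi_entity_field_filter_access().
 *
 * Denies filtering on a sensitive field (assumed name: field_internal_notes)
 * unless the user holds the assumed 'view internal notes' permission, so its
 * values cannot be inferred by probing ?filter[field_internal_notes]=... either.
 */
function mymodule_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account) {
  if ($field_definition->getTargetEntityTypeId() === 'node'
      && $field_definition->getName() === 'field_internal_notes') {
    return AccessResult::allowedIfHasPermission($account, 'view internal notes')
      ->addCacheableDependency($field_definition);
  }
  // Neutral: leave every other field to the module's default field access checks.
  return AccessResult::neutral();
}
```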

Solution: 

Install the latest version:

Also see the JSON:API project page.


E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080

Wed, 19/12/2018 - 16:23
Project: E-Sign
Version: 7.x-1.9
Date: 2018-December-19
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for nodes (content), the Field API (FAPI), and Webforms.

The module doesn't sufficiently filter user input when displaying a signature.

The vulnerability is mitigated by the fact that an attacker must have the ability to submit a signature. Depending on site configuration, that permission might be associated with submitting a webform or with creating or editing a node.

Solution: 

Install the latest version:

  • If you use the Esign module for Drupal 7.x, upgrade to Esign 7.x-1.10

Also see the E-Sign project page.


Responsive Menus - Moderately critical - Cross site scripting - SA-CONTRIB-2018-079

Wed, 05/12/2018 - 19:34
Project: Responsive Menus
Version: 7.x-1.x-dev
Date: 2018-December-05
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to collapse your site's main menu on mobile and show a menu toggle button.

The module doesn't sufficiently sanitize configuration settings provided by users, which leads to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive menus".

Solution: 

Install the latest version:


Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078

Wed, 05/12/2018 - 19:24
Project: Salesforce Suite
Date: 2018-December-05
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure.

This vulnerability is mitigated by the fact that only Drupal entity titles and IDs, and Salesforce record IDs, are exposed. Entity content and metadata are appropriately protected. Disclosure of a Salesforce ID does not confer any additional privileges.

Solution: 

Install the latest version:

Also see the Salesforce Suite project page.


Password Policy - Less critical - Denial of Service - SA-CONTRIB-2018-077

Wed, 05/12/2018 - 19:21
Project: Password Policy
Version: 7.x-1.x-dev
Date: 2018-December-05
Security risk: Less critical 9/25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: Denial of Service
Description:

The Password Policy module makes it possible to set constraints on user passwords that disallow certain passwords.

The "digit placement" constraint is vulnerable to Denial of Service attacks: an attacker who submits specially crafted passwords can cause the site to become unresponsive.

This vulnerability is mitigated by the fact that a site must have the "digit placement" constraint enabled.

Solution: 

Install the latest version:


Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076

Wed, 28/11/2018 - 18:01
Project: Date Reminder
Date: 2018-November-28
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module allows registered users to request email reminders to be sent at a specified time before an event.

The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access.

This can be mitigated by configuring Date Reminder with Reminder Display set to "Fieldset within a node", which disables the potential exploit.

Solution: 

Install the latest version:

Also see the Date Reminder project page.

Coordinated By:
  • Balazs Janos Tatar, Provisional Security Team member

GatherContent - Moderately critical - Access bypass - SA-CONTRIB-2018-075

Wed, 28/11/2018 - 17:51
Project: GatherContent
Date: 2018-November-28
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to import and export data from the GatherContent service.

The module didn't properly protect its administrative paths.

Affected versions:
  • gathercontent 7.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed GatherContent module, there is nothing you need to do.

Solution:

Install the latest version:

Bootstrap - Moderately critical - Cross site scripting - SA-CONTRIB-2018-074

Wed, 28/11/2018 - 17:32
Project: Bootstrap
Version: 7.x-3.22, 8.x-3.14
Date: 2018-November-28
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Description:

This base theme bridges the gap between Drupal and the Bootstrap Framework.

The theme doesn't sufficiently filter valid targets when opening modals, popovers, and tooltips.

This vulnerability is mitigated by the fact that an attacker must already have the ability to either:

1. Edit/save custom content that supplies a value for the data-target attribute by injecting malicious code.
2. Inject custom markup onto the page that further exploits the data-target attribute by injecting malicious code. This method of attack is highly unlikely if they already have this level of access.

Note: the base theme does not provide either of these opportunities out of the box; a custom sub-theme may, however, be susceptible if it did not properly sanitize or filter user-provided input for XSS.

Solution:

Install the latest version and take additional manual steps (see below).

  • If you use the Drupal Bootstrap base-theme for Drupal 7.x, upgrade to 7.x-3.22
  • If you use the Drupal Bootstrap base-theme for Drupal 8.x, upgrade to 8.x-3.14

Extra Note:

The vulnerability fixed in the Bootstrap theme releases on Drupal.org is a by-product of forking parts of the external framework's JavaScript code. The external framework's vulnerability was first reported in a public issue, and a fix for it was later merged into the external framework; however, an official release of the external framework has yet to be made.

Users of this theme should take two additional steps:

1. Follow this external framework issue for further information and to keep up to date on when you need to upgrade your sub-theme's external framework source. You may consider using the distributed files from the temporary branch master-xmr-v3-fixes until an official release is made.
2. Review any custom code on your site that might have been copied from the external framework's vulnerable code.

Also see the Bootstrap project page.