Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 13 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!

Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073

Wed, 31/10/2018 - 17:53
Project: Paragraphs
Version: 8.x-1.4
Date: 2018-October-31
Security risk: Moderately critical 10/25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access Bypass
Description:

The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users.

The module doesn't sufficiently check access when creating new paragraph entities, which can cause access bypass issues when it is used in combination with other contributed modules.

Solution: 

Install the latest version:

Also see the Paragraphs project page.

Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072

Wed, 31/10/2018 - 15:12
Project: Session Limit
Version: 7.x-2.2, 8.x-1.0-beta2
Date: 2018-October-31
Security risk: Critical 15/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Insecure Session Management
Description:

The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account.

In one configuration of the module, when a user logs in while another session for the same account is already active elsewhere, the module asks the user which session should be closed before the login can proceed. The module does not sufficiently tokenise the list of sessions, so the account's real session keys can be read by inspecting the form.

This vulnerability is mitigated by the fact that an attacker must already be able to read the contents of the HTML page to exploit it. That ability may come from a Cross Site Scripting vulnerability, which this issue therefore makes worse than it would otherwise be.
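
The general fix for a form like this is to never put session keys in the page at all: each session is represented by a fresh random token that is mapped back to the real key in server-side form state on submission. The following is an added example of that technique, written for this page in plain Python with an in-memory model; it is not the Session Limit module's code, and the session records are constructed.

```python
"""Opaque tokens for a "choose which session to close" form.

Added example, not Session Limit's code: the form state is modelled as a dict
on the form object; a real implementation keeps it in server-side form
storage bound to the login attempt.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SessionRecord:
    sid: str          # the real session key: must never be sent to the browser
    hostname: str
    last_seen: str


@dataclass
class SessionChoiceForm:
    """One instance per login attempt; `pending` lives server-side only."""
    sessions: list
    pending: dict = field(default_factory=dict)   # token -> real session key

    def build_options_unsafe(self):
        """Weak pattern: the option value IS the session key, so anyone who can
        read this page's HTML (for example via XSS) learns every active key."""
        return {s.sid: f"{s.hostname} (last seen {s.last_seen})" for s in self.sessions}

    def build_options(self):
        """Tokenised pattern: a fresh random token stands in for each key.
        Tokens are unguessable and carry no information about the key."""
        self.pending.clear()
        options = {}
        for s in self.sessions:
            token = secrets.token_urlsafe(32)
            self.pending[token] = s.sid
            options[token] = f"{s.hostname} (last seen {s.last_seen})"
        return options

    def submit(self, token):
        """Translate the submitted token back to a session key. Single use:
        a replayed or fabricated token (including a raw key) is rejected."""
        sid = self.pending.pop(token, None)
        if sid is None:
            raise ValueError("unknown or already-used session token")
        return sid
```

The token map has to belong to the login attempt that rendered the form (in Drupal, form state storage plus the form's CSRF token give you that), otherwise a token leaked from one attempt could be replayed in another.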

Solution: 

Install the latest version:

  • If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3
  • If you use the Session Limit module for Drupal 8.x, upgrade to 8.x-1.0-beta3

Also see the Session Limit project page.

Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018-071

Wed, 31/10/2018 - 14:59
Project: Decoupled Router
Version: 8.x-1.1, 8.x-1.0
Date: 2018-October-31
Security risk: Critical 15/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label.

The module doesn't sufficiently check access before displaying entity labels. This leads to the disclosure of labels of entities that are not accessible to the requester, for example the titles of unpublished content.
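
A resolver endpoint like this should run the entity's view access check before it assembles any metadata, and answer a denied request with a bare 403 rather than a partially filled record. The following is an added example of that ordering in plain Python with an in-memory model; it is not the Decoupled Router module's code. The permission names mirror Drupal core's node permissions, the content is constructed, and the choice of 403 (rather than 404) for content that exists but may not be viewed follows how Drupal treats unpublished nodes.

```python
"""Path resolution that discloses entity labels only to users allowed to view
the entity. Added example with an in-memory model; not the Decoupled Router
module's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Node:
    nid: int
    uuid: str
    title: str
    published: bool
    alias: str


# Constructed content: one public post, one unpublished draft with a telling title.
NODES = (
    Node(1, "0b2a1f3c-9c2e-4b0a-8d2f-1c5e7a9b3d11", "Welcome to the site", True, "/blog/welcome"),
    Node(2, "6e1d4c8a-2f7b-4d9e-b3a1-8c0f2e5d7a22", "Draft: Q4 layoffs", False, "/blog/q4-plan"),
)
ANONYMOUS = User("anonymous", frozenset({"access content"}))
EDITOR = User("editor", frozenset({"access content", "bypass node access"}))


def can_view(user, node):
    """Node 'view' access: published content for anyone with 'access content',
    anything for 'bypass node access'."""
    if "bypass node access" in user.permissions:
        return True
    return node.published and "access content" in user.permissions


def _lookup(path):
    return next((n for n in NODES if n.alias == path), None)


def resolve_leaky(path):
    """Weak pattern: the response, label included, is built with no access check."""
    node = _lookup(path)
    if node is None:
        return {"status": 404}
    return {"status": 200, "entity": {"type": "node", "id": node.nid,
                                      "uuid": node.uuid, "label": node.title}}


def resolve(path, user):
    """Hardened: check view access first. A denied entity yields a 403 with
    no entity data at all, so neither the label nor the ids leak."""
    node = _lookup(path)
    if node is None:
        return {"status": 404}
    if not can_view(user, node):
        return {"status": 403}
    return {"status": 200, "entity": {"type": "node", "id": node.nid,
                                      "uuid": node.uuid, "label": node.title}}
```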

Solution: 

Install the latest version:

Also see the Decoupled Router project page.

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070

Wed, 17/10/2018 - 23:14
Project: Search Autocomplete
Date: 2018-October-17
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
CVE IDs: CVE-2018-7603
Description:

The Search Autocomplete module enables you to autocomplete textfields using data from your website (nodes, comments, etc.).

The module doesn't sufficiently filter user-entered text among the autocompletion items, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability can be exploited by any user allowed to create one of the autocompletion items, for instance nodes, users or comments.

Solution: 

Install the latest version:

Also see the Search Autocomplete project page.

HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069

Wed, 17/10/2018 - 19:16
Project: HTML Mail
Date: 2018-October-17
Security risk: Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution
Description:

The HTML Mail module lets you theme your messages the same way you theme the rest of your website.

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

  • If you are running Drupal 7.x,
    • update to 7.x-2.71.
    • If you are still using 7.x-2.65, there is a version 7.x-2.66 that has only the security patch applied; be aware that you are then running old code and missing a number of bug fixes.

Also see the HTML Mail project page.

Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068

Wed, 17/10/2018 - 18:06
Project: Mime Mail
Date: 2018-October-17
Security risk: Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

The MIME Mail module allows sending MIME-encoded e-mail messages with embedded images and attachments.

The module doesn't sufficiently sanitize some variables for shell arguments when sending email, which could lead to arbitrary remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

Also see the Mime Mail project page.

Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

Wed, 17/10/2018 - 17:29
Project: Workbench Moderation
Date: 2018-October-17
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published.

In some conditions, the module fails to check a user's access to use certain transitions, leading to an access bypass.
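
The check that matters in a moderation workflow is not "may this user edit the content" but "may this user use this particular transition from the content's current state". The following added example shows the weak and the hardened form of that check in plain Python; it is not Workbench Moderation's code, and the state names, transition table and permission strings are assumptions for the example.

```python
"""Per-transition access checks for an editorial workflow. Added example
loosely modelled on a draft / needs review / published workflow; not
Workbench Moderation's code. State and permission names are assumptions."""
from dataclasses import dataclass

# (from_state, to_state) -> permission required to use that transition.
TRANSITIONS = {
    ("draft", "needs_review"): "use draft to needs_review transition",
    ("needs_review", "draft"): "use needs_review to draft transition",
    ("needs_review", "published"): "use needs_review to published transition",
    ("draft", "published"): "use draft to published transition",
    ("published", "draft"): "use published to draft transition",
}
STATES = {s for pair in TRANSITIONS for s in pair}


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


@dataclass
class Content:
    title: str
    state: str


class TransitionDenied(PermissionError):
    pass


def allowed_targets(user, content):
    """States this user may move the content to from its *current* state.
    Use it to build the form options and, again, to validate the submission."""
    return sorted(to for (frm, to), perm in TRANSITIONS.items()
                  if frm == content.state and perm in user.permissions)


def apply_transition_weak(user, content, new_state):
    """Weak pattern: only checks that the target is a known state, so an
    author can publish by submitting 'published' directly."""
    if new_state not in STATES:
        raise ValueError("unknown state")
    content.state = new_state
    return content.state


def apply_transition(user, content, new_state):
    """Hardened: the (current, target) pair must be a defined transition and
    the user must hold that transition's permission. The current state is
    re-read from the stored entity, never taken from the request."""
    perm = TRANSITIONS.get((content.state, new_state))
    if perm is None:
        raise TransitionDenied(f"no transition from {content.state} to {new_state}")
    if perm not in user.permissions:
        raise TransitionDenied(f"{user.name} may not use '{perm}'")
    content.state = new_state
    return content.state
```

Validating on submit with the same function that built the options is the point: the set of states shown in the form is not an access control, since the request can carry any value.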

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

Also see the Workbench Moderation project page.

NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066

Wed, 10/10/2018 - 18:02
Project: NVP field
Date: 2018-October-10
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

The NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs.

The module doesn't sufficiently handle sanitization of its field formatter's output.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit content in which the module's fields are in use.

Solution: 

Install the latest version:

Also see the NVP field project page.

Search API Solr Search - Moderately critical - Access bypass - SA-CONTRIB-2018-065

Wed, 10/10/2018 - 18:01
Project: Search API Solr Search
Version: 7.x-1.13
Date: 2018-October-10
Security risk: Moderately critical 10/25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.

The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leaked as part of the search excerpt.
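
An excerpt (highlighted snippet) must be generated only from the fulltext fields the query actually searched, because an index commonly holds fulltext fields that a given search, or a given user, is not allowed to read. The following added example shows the leak and the restriction in plain Python over an in-memory document; it is not the Search API Solr Search module's code, and the index layout with its staff-only field is constructed.

```python
"""Excerpts built only from the fields a query actually searched. Added
example with an in-memory document; not Search API Solr Search's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IndexedDoc:
    fields: dict   # fulltext field name -> indexed text


# Constructed document; internal_notes is indexed but only staff may search it.
DOC = IndexedDoc({
    "title": "Annual report 2018",
    "body": "The annual report covers revenue, headcount and office moves.",
    "internal_notes": "Confidential: the annual planning round includes a layoff option.",
})
INDEXED_FULLTEXT = frozenset(DOC.fields)   # every fulltext field the index holds


def build_excerpt(doc, query, searched_fields, width=30):
    """One snippet per searched field that contains a query term.
    `searched_fields` must come from the query (the fields this search was
    allowed to target), never from the index definition."""
    terms = [t.lower() for t in query.split()]
    snippets = []
    for name in sorted(searched_fields):
        text = doc.fields.get(name, "")
        lower = text.lower()
        for term in terms:
            pos = lower.find(term)
            if pos >= 0:
                start = max(0, pos - width // 2)
                end = min(len(text), pos + len(term) + width // 2)
                snippets.append(text[start:end].strip())
                break
    return " ... ".join(snippets)


def build_excerpt_leaky(doc, query):
    """Weak pattern: highlights against every indexed fulltext field, so a
    term that also matches a restricted field surfaces that field's text."""
    return build_excerpt(doc, query, INDEXED_FULLTEXT)
```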

Solution: 

Install the latest version:

Also see the Search API Solr Search project page.

Lightbox2 - Critical - Cross Site Scripting - SA-CONTRIB-2018-064

Wed, 10/10/2018 - 17:57
Project: Lightbox2
Version: 7.x-2.x-dev
Date: 2018-October-10
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

The Lightbox2 module enables you to overlay images on the current page.

The module did not sanitize some inputs when used in combination with a custom view, leading to potential Cross Site Scripting (XSS).
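
The three XSS advisories on this page (Search Autocomplete, NVP field and Lightbox2) share one root cause: text that a content author controls reaching an output context unescaped. The escaping differs by context, so the following added example covers the three sinks those modules feed, HTML text, an HTML attribute and a JSON autocomplete response, in plain Python. It is not the code of any of the three modules, and the hostile node title is constructed.

```python
"""Escaping user-authored text for each output context. Added example; not
the code of Search Autocomplete, NVP field or Lightbox2."""
import html
import json
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Item:
    title: str
    url: str


# Constructed: a node title any content author could submit.
HOSTILE = Item('Report <img src=x onerror="alert(1)">', "/node/42")


def render_pair_unsafe(name, value):
    """Weak pattern: field values concatenated straight into markup."""
    return f"<dt>{name}</dt><dd>{value}</dd>"


def render_pair(name, value):
    """Text context: escape &, <, > and quotes so the value is displayed, not parsed."""
    return f"<dt>{html.escape(name)}</dt><dd>{html.escape(value)}</dd>"


def safe_href(url):
    """Attribute context for a URL: refuse javascript:/data: schemes, then escape."""
    scheme = urlsplit(url).scheme
    if scheme not in ("", "http", "https"):
        raise ValueError(f"unsupported URL scheme {scheme!r}")
    return html.escape(url, quote=True)


def render_lightbox_link(item):
    """Quoted attributes plus html.escape(quote=True): the title cannot close
    the attribute and start an event handler."""
    return (f'<a href="{safe_href(item.url)}" rel="lightbox" '
            f'title="{html.escape(item.title, quote=True)}">{html.escape(item.title)}</a>')


def autocomplete_json(items):
    """Body for an autocomplete endpoint. json.dumps escapes quotes; encoding
    <, > and & as \\uXXXX as well keeps the body inert even if inlined in a
    <script> block. The browser side must still insert `label` with
    textContent, never innerHTML."""
    body = json.dumps([{"label": i.title, "url": i.url} for i in items])
    return body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
```

The JSON encoding is lossless: a client that parses the body gets the original title back and decides itself how to place it in the DOM, which is exactly why the client must treat it as text.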

Solution: 

Install the latest version:

Also see the Lightbox2 project page.

Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063

Wed, 03/10/2018 - 19:18
Project: Printer, email and PDF versions
Version: 7.x-2.x-dev
Date: 2018-October-03
Security risk: Highly critical 20/25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
Description:

This module provides printer-friendly versions of content, including send by e-mail and PDF versions.

The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. It also doesn't sufficiently sanitize the HTML content passed to dompdf, allowing a privileged attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that the site must have either the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF generation tool. In the case of the dompdf vulnerability, the attacker must be able to write content to the site.
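
The wkhtmltopdf part of this advisory and the two mail advisories above (HTML Mail and Mime Mail, both related to SA-CORE-2018-006) are the same class of bug: untrusted values reaching a command line. There are two situations, and they need different fixes. A mail API that takes extra transport flags as a single string and hands it to a shell (PHP's mail() fifth argument works that way) needs every interpolated value validated and shell-quoted. A converter the module runs itself should be invoked with an argv list so no shell is involved, and still guarded against option injection. The following added example shows both in plain Python; it is not the code of any of the three modules, and the address grammar, the allowed hosts and the exact flags are assumptions for the example. The dompdf case is different: HTML handed to a renderer that can evaluate PHP is not fixed by quoting, only by upgrading or switching the renderer, as the solution says.

```python
"""Untrusted values on a command line. Added example; not the code of HTML
Mail, Mime Mail or Printer, email and PDF versions."""
import re
import shlex
from urllib.parse import urlsplit

# Assumed, deliberately strict address grammar: no whitespace, quotes or brackets.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Assumed: hostnames the site itself serves; the converter may only fetch these.
ALLOWED_HOSTS = frozenset({"www.example.org"})


def sendmail_params_unsafe(return_path):
    """Weak pattern: the value is concatenated raw into the flags string."""
    return "-f" + return_path


def shell_quoted_flag(flag, value):
    """Quoting alone (escapeshellarg in PHP): the whole value survives as ONE
    argv word, so extra tokens cannot become extra options."""
    return flag + shlex.quote(value)


def sendmail_params(return_path):
    """Hardened: validate the address first, then quote it anyway."""
    if not _ADDRESS.match(return_path):
        raise ValueError("return-path is not a plain e-mail address")
    return shell_quoted_flag("-f", return_path)


def words_seen_by_shell(params):
    """How a POSIX shell splits the flags string into argv entries."""
    return shlex.split(params)


def wkhtmltopdf_argv(page_url, out_path, binary="/usr/bin/wkhtmltopdf"):
    """Build argv for subprocess.run(argv, check=True, timeout=60): no shell,
    so metacharacters in page_url are inert. The checks stop a value from
    being read as a converter option or pointing the converter elsewhere."""
    parts = urlsplit(page_url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("refusing to render a URL outside the site")
    if out_path.startswith("-"):
        raise ValueError("output path would be parsed as an option")
    return [binary, "--quiet", page_url, out_path]
```

The output path should in any case be generated server-side (a temporary file), never taken from the request; the check on it is defence in depth.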

Solution: 

Install the latest version:

  • If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1

Alternatively, disable PDF generation, or switch to another of the supported PDF generation libraries.

Also see the Printer, email and PDF versions project page.

Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062

Wed, 26/09/2018 - 17:34
Project: Commerce Klarna Checkout
Version: 7.x-1.4
Date: 2018-September-26
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider.

The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step.
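
A payment callback is a notification, not proof of payment: whatever it says has to be verified against the provider, and the provider's record has to be matched against the order the shop expected. The following added example contrasts a handler that trusts the posted status with one that checks the callback's origin, re-fetches the order from the provider and compares reference, amount and currency, in plain Python. It is not Commerce Klarna Checkout's code; the provider API, the field names and the HMAC signature are stand-ins for the example, not Klarna's actual protocol.

```python
"""Server-to-server payment callback handling. Added example; not Commerce
Klarna Checkout's code. Provider API, field names and signature scheme are
stand-ins, not Klarna's protocol."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    amount_cents: int
    currency: str
    status: str = "pending"


class ProviderStub:
    """Stands in for the provider's authenticated order-lookup API."""
    def __init__(self, records):
        self._records = records   # provider_ref -> record (constructed)

    def fetch(self, provider_ref):
        return self._records.get(provider_ref)


class CallbackRejected(Exception):
    pass


def handle_callback_weak(payload, orders):
    """Weak pattern: believes the posted status. Anyone who can reach the
    callback URL can mark their own order as paid."""
    order = orders[payload["order_id"]]
    if payload.get("status") == "checkout_complete":
        order.status = "paid"
    return order.status


def handle_callback(raw_body, signature, secret, orders, provider):
    # 1. Origin: constant-time check of an HMAC over the exact raw body.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise CallbackRejected("bad signature")
    payload = json.loads(raw_body)
    order = orders.get(payload.get("order_id"))
    if order is None:
        raise CallbackRejected("unknown order")
    if order.status == "paid":          # 2. Idempotent on replay.
        return order.status
    # 3. Truth comes from the provider, not from the request body.
    remote = provider.fetch(payload.get("provider_ref"))
    if remote is None or remote.get("status") != "checkout_complete":
        raise CallbackRejected("provider does not report a completed checkout")
    # 4. The completed checkout must be *this* order, for the full amount.
    if (remote.get("merchant_reference") != order.order_id
            or remote.get("amount_cents") != order.amount_cents
            or remote.get("currency") != order.currency):
        raise CallbackRejected("provider order does not match shop order")
    order.status = "paid"
    return order.status


def sign(secret, raw_body):
    """What the provider side would attach; included so the example runs."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
```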

Solution: 

Install the latest version:

Also see the Commerce Klarna Checkout project page.

Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061

Wed, 26/09/2018 - 17:12
Project: Taxonomy File Tree
Version: 7.x-1.0
Date: 2018-September-26
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

Taxonomy File Tree allows site managers to create file trees.

For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file.

This vulnerability only affects sites that use private files.
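
Two advisories on this page, Paragraphs (create access) and this one (private file download), are about access that has to be derived from another entity: a paragraph only exists inside a host entity, so creating one should be allowed exactly when the user may update that host, and a private file has no access rules of its own, so serving it is only allowed when the user may view some entity that references it. The following added example shows both derivations in plain Python with an in-memory model; it is not the code of either module, the weak variants illustrate the class of mistake rather than the exact defects (which the advisories do not detail), and the permission names and sample content are assumptions.

```python
"""Access derived from another entity. Added example; not the code of
Paragraphs or Taxonomy File Tree."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Node:
    nid: int
    owner: str
    published: bool


@dataclass(frozen=True)
class File:
    fid: int
    uri: str   # e.g. private://minutes.pdf or public://logo.png


# Constructed site: a published node, a draft, one private file used only by the draft.
NODES = {
    1: Node(1, "alice", True),
    2: Node(2, "alice", False),
}
FILE_USAGE = {7: (2,)}   # fid -> nids that reference the file
MINUTES = File(7, "private://board-minutes.pdf")
LOGO = File(8, "public://logo.png")


def can_view(user, node):
    if "bypass node access" in user.permissions:
        return True
    if node.published:
        return "access content" in user.permissions
    return node.owner == user.name and "view own unpublished content" in user.permissions


def can_update(user, node):
    if "bypass node access" in user.permissions:
        return True
    return node.owner == user.name and "edit own content" in user.permissions


def paragraph_create_access_weak(user, host):
    """Weak pattern: a global permission (assumed name) decides; the host is ignored."""
    return "create paragraph content" in user.permissions


def paragraph_create_access(user, host):
    """Hardened: creating a paragraph is an edit of its host. No host, no creation."""
    return host is not None and can_update(user, host)


def file_download_access(user, fileobj, usage=FILE_USAGE, nodes=NODES):
    """True if the user may download the file. Public files are served by the
    web server anyway; private ones inherit access from any entity that
    references them, and an orphaned private file is denied."""
    if not fileobj.uri.startswith("private://"):
        return True
    return any(can_view(user, nodes[nid]) for nid in usage.get(fileobj.fid, ()))
```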

Solution: 

Install the latest version:

Also see the Taxonomy File Tree project page.
