TITLE:
Drupal FileField Module Security Bypass
SECUNIA ADVISORY ID:
SA37130
VERIFY ADVISORY:
http://secunia.com/advisories/37130/
DESCRIPTION:
A vulnerability has been reported in the FileField module for Drupal.
This can be exploited by malicious users to bypass certain security
restrictions.
The module does not properly restrict access to files stored in Drupal
core's private file system, which can be exploited to access otherwise
restricted files.
The vulnerability is reported in version 6.x-3.1.
SOLUTION:
Update to version 6.x-3.2.
http://drupal.org/node/609874
PROVIDED AND/OR DISCOVERED BY:
The vendor credits isaac77.
* Advisory ID: DRUPAL-SA-CONTRIB-2010-016
* Project: Graphviz Filter (third-party module)
* Version: 6.x, 5.x
* Date: 2010 February 10
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION
---------------------------------------------------------
Graphviz Filter does not properly filter user input passed via the @command
option in the node body, leading to an arbitrary code execution [1]
vulnerability. A remote attacker with the ability to create content that is
processed by the Graphviz input filter can execute arbitrary shell commands
on the affected system.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Graphviz 6.x-1.x prior to 6.x-1.6
* Graphviz 5.x-1.x prior to 5.x-1.3
Drupal core is not affected. If you do not use the contributed Graphviz
Filter module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Graphviz Filter 6.x-1.x, upgrade to Graphviz Filter 6.x-1.6 [2].
* If you use Graphviz Filter 5.x-1.x, upgrade to Graphviz Filter 5.x-1.3 [3].
See also the Graphviz Filter project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Clemens Tolboom [5].
-------- FIXED BY
------------------------------------------------------------
* Karim Ratib [6], the Graphviz Filter module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Arbitrary_code_execution
[2] http://drupal.org/node/710798
[3] http://drupal.org/node/710804
[4] http://drupal.org/project/graphviz_filter
[5] http://drupal.org/user/125814
[6] http://drupal.org/user/48424
_______________________________________________
Security-news mailing list
Security-news@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
SECUNIA ADVISORY ID:
SA37923
VERIFY ADVISORY:
http://secunia.com/advisories/37923/
DESCRIPTION:
Some vulnerabilities have been reported in the FAQ module for Drupal,
which can be exploited by malicious users to conduct script insertion
attacks.
Certain input passed via an unspecified parameter is not properly
sanitised before being displayed to the user. This can be exploited
to insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.
Successful exploitation requires 'administer faq', 'create faq', or
'edit faq' permissions.
The vulnerabilities are reported in versions prior to 6.x-1.11 or
5.x-2.14.
SOLUTION:
FAQ 6.x:
Update to version 6.x-1.11.
http://drupal.org/node/666776
FAQ 5.x:
Update to version 5.x-2.14.
http://drupal.org/node/666770
TITLE:
Drupal Simplenews Statistics Module Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA37128
VERIFY ADVISORY:
http://secunia.com/advisories/37128/
DESCRIPTION:
Some vulnerabilities and a weakness have been reported in the
Simplenews Statistics module for Drupal, which can be exploited by
malicious people to conduct cross-site scripting, cross-site request
forgery, and spoofing attacks.
1) Certain input passed to unspecified parameters is not properly
sanitised before being displayed to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session
in the context of an affected site.
2) The module allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests, which can be exploited to e.g. hijack accounts of other
logged in users.
3) A weakness is caused by the module using certain parameters to
redirect users without validating them. This can be exploited to e.g.
redirect a user to a malicious site.
The vulnerabilities and the weakness are reported in versions prior
to 6.x-2.0.
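The redirect weakness (item 3) is the general "open redirect" problem: a
destination parameter is followed without checking that it stays on the site.
The following Python is an added illustration, not code from the Simplenews
Statistics module; SITE_HOSTS is an assumption standing in for the site's own
hostname(s). It refuses absolute URLs to other hosts, protocol-relative
'//host' and '///host' forms, backslash variants and non-http schemes, and
falls back to a safe default.

```python
"""Validating a redirect target before following it (added example)."""
from urllib.parse import urlsplit

# Assumption: the hostnames this Drupal site is served under.
SITE_HOSTS = {"www.example.com"}


def is_local_redirect(target: str) -> bool:
    """True only for targets that stay on this site."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # Browsers treat '\' like '/', so '/\evil.example' is really '//evil.example'.
    normalised = target.strip().replace("\\", "/")
    # '//host' and '///host' both resolve to another origin in browsers.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: only http(s) to one of our own hosts is acceptable.
        # This also rejects 'javascript:' and 'https://us@evil.example' tricks,
        # because hostname is taken from the authority, not the userinfo.
        return parts.scheme in ("http", "https") and parts.hostname in SITE_HOSTS
    # Relative path such as 'node/1' or '/user/login?destination=node/1'.
    return not parts.netloc


def safe_destination(target: str, fallback: str = "<front>") -> str:
    """Return the target if it is safe to redirect to, otherwise the fallback."""
    return target if is_local_redirect(target) else fallback
```

Drupal 6's own menu_path_is_external() only looks for a scheme before the first
':' and does not treat a leading '//' as external, so when it is used to gate a
drupal_goto() the protocol-relative check above is worth keeping as a separate
step.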
SOLUTION:
Update to version 6.x-2.0.
http://drupal.org/node/590098
PROVIDED AND/OR DISCOVERED BY:
1) and 2) The vendor credits Dylan Wilder-Tack.
3) The vendor credits John Pettitt.
UPGRADING
---------
Prior to upgrading, you should ensure that:
* Your system meets or exceeds Drupal's minimum requirements as shown at
http://drupal.org/requirements.
* You have a backup of all your relevant data (#1).
* Custom and contributed modules have been checked for compatibility (#11).
* Custom and contributed themes have been checked for compatibility (#11).
* You have read through this entire document.
Let's begin!
1. Back up your Drupal database and site root directory. Be especially sure
to back up your "sites" directory which contains your configuration file,
added modules and themes, and your site's uploaded files. If other files
have modifications, such as .htaccess or robots.txt, back those up as well.
Note: for a single site setup, the configuration file is the "settings.php"
file located at sites/default/settings.php. The default.settings.php file
contains a clean copy for restoration purposes, if required.
For multisite configurations, the configuration file is located in a
structure like the following:
sites/default/settings.php
sites/example.com/settings.php
sites/sub.example.com/settings.php
sites/sub.example.com.path/settings.php
More information on multisite configuration is located in INSTALL.txt.
2. If possible, log on as the user with user ID 1, which is the first account
created and the main administrator account. User ID 1 will be able to
automatically access update.php in step #10. There are special instructions
in step #10 if you are unable to log on as user ID 1. Do not close your
browser until the final step is complete.
3. Place the site in "Off-line" mode, to let the database updates run without
interruption and avoid displaying errors to end users of the site. This
option is at http://www.example.com/?q=admin/settings/site-maintenance
(replace www.example.com with your installation's domain name and path).
4. If using a custom or contributed theme, switch
to a core theme, such as Garland or Bluemarine.
5. Disable all custom and contributed modules.
6. Remove all old files and directories from the Drupal installation directory.
7. Unpack the new files and directories into the Drupal installation directory.
8. Copy your backed up "files" and "sites" directories to the Drupal
installation directory. If other system files such as .htaccess or
robots.txt were customized, re-create the modifications in the new
versions of the files using the backups taken in step #1.
9. Verify the new configuration file to make sure it has correct information.
10. Run update.php by visiting http://www.example.com/update.php (replace
www.example.com with your Drupal installation's domain name and path). This
step will update the core database tables to the new Drupal installation.
Note: if you are unable to access update.php do the following:
- Open your settings.php with a text editor.
- There is a line that says $update_free_access = FALSE;
Change it to $update_free_access = TRUE;
- Once update.php is done, you must change the settings.php file
back to its original form with $update_free_access = FALSE;
11. Ensure that the versions of all custom and contributed modules match the
new Drupal version to which you have updated. For a major update, such as
from 5.x to 6.x, modules from previous versions will not be compatible
and updated versions will be required.
- For contributed modules, check http://drupal.org/project/modules
for the version of a module matching your version of Drupal.
- For custom modules, review http://drupal.org/update/modules to
ensure that a custom module is compatible with the current version.
12. Re-enable custom and contributed modules and re-run update.php
to update custom and contributed database tables.
13. Return the site to its original theme (if you switched to a core
theme like Garland or Bluemarine in step #4). If your site uses a
custom or contributed theme, make sure it is compatible with your
version of Drupal.
- For contributed themes, check http://drupal.org/project/themes
for the version of a theme matching your version of Drupal.
- For custom themes, review http://drupal.org/update/theme to ensure
that a custom theme is compatible with the current version.
14. Finally, return your site to "Online" mode so your visitors may resume
browsing. As in step #3, this option is available in your administration
screens at http://www.example.com/?q=admin/settings/site-maintenance
(replace www.example.com with your installation's domain name and path).
For more information on upgrading visit
the Drupal handbook at http://drupal.org/upgrade
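Step 10 has a sharp edge: while $update_free_access is TRUE, anyone who can
reach the site can run update.php, and the step's note that it "must" be set
back is easy to forget when the update itself fails halfway. The following
Python helper is an added example and not part of Drupal; it assumes a
settings.php that contains the line exactly as shipped in default.settings.php,
edits that single line in place, and restores FALSE even when the update step
raises.

```python
"""Opening update.php for an upgrade and guaranteeing it is closed again
(added example, not Drupal code)."""
import re
import tempfile
from contextlib import contextmanager
from pathlib import Path

# Matches the line as shipped in default.settings.php, whatever the spacing.
_LINE = re.compile(
    r"^([ \t]*\$update_free_access[ \t]*=[ \t]*)(TRUE|FALSE)([ \t]*;.*)$",
    re.MULTILINE,
)


def read_update_free_access(settings: Path) -> str:
    """Current value in the file: 'TRUE', 'FALSE' or 'MISSING'."""
    m = _LINE.search(settings.read_text())
    return m.group(2) if m else "MISSING"


def set_update_free_access(settings: Path, value: bool) -> str:
    """Rewrite the $update_free_access line; returns the value now in the file."""
    text = settings.read_text()
    if not _LINE.search(text):
        raise ValueError("no $update_free_access line found in settings.php")
    new_text = _LINE.sub(
        lambda m: m.group(1) + ("TRUE" if value else "FALSE") + m.group(3),
        text, count=1,
    )
    settings.write_text(new_text)
    return read_update_free_access(settings)


@contextmanager
def update_php_open(settings: Path):
    """Inside the block update.php is reachable; on exit it is locked again,
    whether or not the block raised."""
    set_update_free_access(settings, True)
    try:
        yield
    finally:
        set_update_free_access(settings, False)


def run_upgrade_step(settings: Path, run_update) -> str:
    """Run the caller's update action (e.g. fetching update.php) with the gate
    open, and report the value left in settings.php afterwards."""
    with update_php_open(settings):
        run_update()
    return read_update_free_access(settings)


def demo() -> tuple[str, str, str]:
    """Constructed settings.php in a temp dir. Returns the value seen while the
    update ran, the value after a successful run, and the value after a run
    that raised."""
    settings = Path(tempfile.mkdtemp()) / "settings.php"
    settings.write_text("<?php\n$db_url = 'mysqli://user:pass@localhost/drupal';\n"
                        "$update_free_access = FALSE;\n")
    seen = []
    after_ok = run_upgrade_step(
        settings, lambda: seen.append(read_update_free_access(settings)))

    def failing_update():
        raise RuntimeError("update.php returned an error")

    try:
        run_upgrade_step(settings, failing_update)
    except RuntimeError:
        pass
    return seen[0], after_ok, read_update_free_access(settings)
```

Logging in as user 1 (step 2) remains the preferred route; the helper is for
the case the note in step 10 covers, where that is not possible.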
In the administration section, when trying to list the installed modules, the following error appears:
Fatal error: Unsupported operand types in /home1/dominio/public_html/midirectori/includes/common.inc on line 1430
* Advisory ID: DRUPAL-SA-CONTRIB-2010-081
* Project: FileField Sources (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary Code Execution
-------- DESCRIPTION
---------------------------------------------------------
The FileField Sources module expands on the abilities of FileField, allowing
users to select new or existing files through additional means, including
reuse of existing files through an autocomplete textfield or IMCE, or
transferring files directly from remote servers. The module does not sanitize
the file extensions of files transferred from remote servers, allowing the
transfer of files whose names match the allowed extensions but that actually
contain malicious code. This could potentially allow an attacker to transfer
scripts to the server and execute them. This vulnerability is usually
mitigated by Drupal core's built-in security mechanisms, which prevent
execution of uploaded code within the Drupal files directory, so it should not
affect the majority of Drupal sites. Users would also need the ability to use
the FileField Sources module, which requires permission to create or edit a
node that has a FileField with FileField Sources configured for it.
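The two checks the advisory describes as missing for remote transfers are a
whitelist on the final extension and neutralisation of "double" extensions
such as shell.php.txt, which Apache configurations that map .php anywhere in
the name would otherwise execute. The Python below is an added illustration,
not the module's code; it follows the approach of Drupal 6's
file_munge_filename() (append an underscore to any inner name part that looks
like an extension but is not allowed) and takes the allowed-extension list in
the space-separated format of the FileField settings form.

```python
"""Defence-in-depth checks for a file fetched from a remote server
(added example, not FileField Sources code)."""
import re
from urllib.parse import urlsplit, unquote

# Looks like a file extension: 2 to 5 letters, optionally followed by one
# digit (the heuristic Drupal applies to the inner parts of a name).
_EXT_LIKE = re.compile(r"^[A-Za-z]{2,5}\d?$")


def munge_filename(filename: str, allowed: set[str]) -> str:
    """Neutralise double extensions: shell.php.txt -> shell.php_.txt."""
    parts = filename.split(".")
    if len(parts) < 3:                 # 'name' or 'name.ext': nothing to do
        return filename
    base, *middle, final = parts
    out = base
    for part in middle:
        out += "." + part
        if part.lower() not in allowed and _EXT_LIKE.match(part):
            out += "_"                 # '.php' becomes '.php_', no longer a handler match
    return out + "." + final


def remote_filename(url: str) -> str:
    """Basename of the URL path, with separators and NULs made harmless."""
    path = unquote(urlsplit(url).path)  # decode %2F before taking the basename
    name = path.rsplit("/", 1)[-1]
    return re.sub(r"[\\/\x00]", "_", name) or "file"


def accept_remote_file(url: str, allowed_extensions: str) -> tuple[bool, str]:
    """Return (accepted, name_to_store_under).

    The name is munged even when the file is rejected, so callers that log the
    attempt never write an executable-looking name to disk.
    """
    allowed = {e.lower().lstrip(".") for e in allowed_extensions.split()}
    name = munge_filename(remote_filename(url), allowed)
    final = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return (final in allowed, name)
```

Munging is defence in depth: as the advisory says, the .htaccess Drupal core
writes into the files directory is what normally stops uploaded scripts from
running, so this check matters most on sites where that file has been removed
or the web server does not honour it. Note that legitimate multi-part names are
munged too (report.tar.gz becomes report.tar_.gz unless "tar" is in the allowed
list), which is the same trade-off Drupal core makes.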
-------- VERSIONS AFFECTED
---------------------------------------------------
* FileField Sources module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed FileField
Sources [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FileField Sources module for Drupal 6.x upgrade to
FileField Sources 6.x-1.2 [2]
See also the FileField Sources project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Apa Sajja
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [4], module maintainer
* Greg Knaddison [5] of the Drupal security team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-082
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Local file read access
-------- DESCRIPTION
---------------------------------------------------------
The Printer, e-mail and PDF versions ("print") module provides
printer-friendly versions of content, including a PDF version that is
generated by one of three supported generation tools (dompdf, TCPDF and
wkhtmltopdf). When using the wkhtmltopdf PDF generation tool, that tool is
able to access local files in the Drupal server environment. Users with the
ability to create unfiltered HTML in the node content could trick the tool to
access any file accessible by the Web server user and to display its contents
inside the generated PDF. Sites should not grant the ability to post
unfiltered HTML to untrusted roles.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.11
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.10
Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
Printer, e-mail and PDF versions 6.x-1.11 [1]
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.10 [2]
If you use the wkhtmltopdf PDF generation tool and its version is older
than 0.9.6, please upgrade [3] to a more recent version, as the module now
supports only versions 0.9.6 or higher. See also the Printer, e-mail and PDF
versions project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Douglas Bagnall [5]
-------- FIXED BY
------------------------------------------------------------
* João Ventura [6], module maintainer
* James Gilliland [7], module maintainer
Advisory ID: DRUPAL-SA-CONTRIB-2010-059
Drupal core is not affected. If you do not use the contributed Panels module,
there is nothing you need to do.
SOLUTION
Install the latest version:
* If you use Panels for Drupal 6.x upgrade to Panels 6.x-3.4 [1]
REPORTED BY
Sam Boyer [2], co-maintainer of the Panels module.
FIXED BY
Sam Boyer.
* Advisory ID: DRUPAL-SA-CONTRIB-2010-061
* Project: AddonChat (third-party module)
* Version: 6.x-1.x
* Date: 2010-May-26
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Multiple (Privilege Escalation, Cross-site scripting)
DESCRIPTION
The AddonChat module provides Drupal integration with the AddonChat Java chat
room.
Due to unsafe handling of the global $user object, failed authentication at
the custom addonchat_auth.php script will log in an attacker as the chosen
user.
Additionally, several configuration variables are not escaped correctly,
leading to a cross-site scripting vulnerability. Users with the "access
administration pages" permission could add arbitrary HTML and JavaScript to
pages.
VERSIONS AFFECTED
* AddonChat module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed AddonChat [1]
module, there is nothing you need to do.
SOLUTION
Install the latest version.
* If you use the AddonChat module for Drupal 6.x upgrade to AddonChat
6.x-1.2 [2]
REPORTED BY
* Jonathan Hedstrom [3]
* Dylan Tack [4] of the Drupal Security Team
FIXED BY
* Jonathan Hedstrom [5] and Chris Duerr [6], the module maintainer.
* Advisory ID: DRUPAL-SA-CONTRIB-2010-083
* Project: UC2Checkout, UCPaypal, UC Cart Links (third-party modules in the
Ubercart project)
* Version: 5.x, 6.x
* Date: 2010-Aug-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Ubercart module for Drupal provides e-commerce features. Several modules
within Ubercart were vulnerable to various security issues.
1) The 2Checkout gateway module did not properly verify the payment
notification information. A malicious user could use a specially crafted
HTTP request to simulate payment and order completion on arbitrary
orders. If the 2Checkout gateway module is not installed then your site
is not at risk to this vulnerability.
2) The Paypal module's WPS payment method did not properly verify the
payment notification information. A malicious user could alter HTML form
data to send payment to a different Paypal account and still check out on
the site. If you do not use the Paypal WPS payment method then your site
is not at risk to this vulnerability.
3) The Ubercart Cart Links module is vulnerable to both an Access Bypass and
Cross Site Request Forgery where a malicious user could both trick other
users into adding or removing items from their cart and add items to a
cart which are not published on the site. If you do not use Ubercart Cart
Links module your site is not at risk to this vulnerability.
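Issues 1) and 2) share a root cause: the store trusted the gateway's payment
notification without checking it against what it knew about the order. A buyer
who edits the checkout form's account field pays an account of their choosing,
and the notification then names that account as the receiver; a store that
does not compare it with its own configured account completes the order. The
Python below is an added illustration, not Ubercart code. Field names
(invoice, receiver_email, mc_gross, ...) follow PayPal IPN conventions but are
assumptions for the example; the same four checks apply to any gateway.

```python
"""Verifying a payment gateway's server-to-server notification
(added example, not Ubercart code)."""
from dataclasses import dataclass, field
from decimal import Decimal
import hmac


@dataclass
class Order:
    order_id: str
    total: Decimal
    currency: str
    status: str = "pending"


@dataclass
class Store:
    merchant_account: str          # the account the site is configured to be paid into
    orders: dict[str, Order]
    seen_txn: set[str] = field(default_factory=set)

    def handle_notification(self, n: dict[str, str]) -> tuple[bool, str]:
        """Return (accepted, reason); on success the order is marked paid."""
        order = self.orders.get(n.get("invoice", ""))
        if order is None:
            return False, "unknown order"
        # 1. Was the money sent to *our* account? Compare against the
        #    configured value, never against anything echoed from the form.
        if not hmac.compare_digest(n.get("receiver_email", "").lower().encode("utf-8"),
                                   self.merchant_account.lower().encode("utf-8")):
            return False, "receiver account mismatch"
        # 2. Amount and currency must match the order as stored server-side.
        try:
            paid = Decimal(n.get("mc_gross", ""))
        except ArithmeticError:        # Decimal('') / Decimal('abc') raise InvalidOperation
            return False, "bad amount"
        if paid != order.total or n.get("mc_currency") != order.currency:
            return False, "amount/currency mismatch"
        # 3. Only a completed payment counts; 'Pending' or 'Reversed' do not.
        if n.get("payment_status") != "Completed":
            return False, "payment not completed"
        # 4. Replay protection: a transaction id is honoured once.
        txn = n.get("txn_id", "")
        if not txn or txn in self.seen_txn:
            return False, "duplicate or missing txn_id"
        self.seen_txn.add(txn)
        order.status = "paid"
        return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Constructed notifications: receiver swapped, underpaid, honest, replayed."""
    store = Store("payments@shop.example",
                  {"1001": Order("1001", Decimal("49.99"), "USD")})
    honest = {"invoice": "1001", "receiver_email": "payments@shop.example",
              "mc_gross": "49.99", "mc_currency": "USD",
              "payment_status": "Completed", "txn_id": "TX1"}
    redirected = dict(honest, receiver_email="attacker@evil.example", txn_id="TX2")
    underpaid = dict(honest, mc_gross="0.01", txn_id="TX3")
    return [store.handle_notification(redirected),
            store.handle_notification(underpaid),
            store.handle_notification(honest),
            store.handle_notification(honest)]      # same txn_id again
```

For PayPal IPN specifically, the notification must also be posted back to
PayPal and answered VERIFIED before any of its fields are trusted; that step
needs a network round trip and is deliberately left out of the block. Amounts
are compared as Decimal rather than float so "49.99" matches exactly.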
-------- VERSIONS AFFECTED
---------------------------------------------------
* Ubercart module for Drupal 5.x versions prior to 5.x-1.10
* Ubercart module for Drupal 6.x versions prior to 6.x-2.4
Drupal core is not affected. If you do not use the contributed Ubercart [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ubercart module for Drupal 5.x upgrade to Ubercart 5.x-1.10 [2]
* If you use the Ubercart module for Drupal 6.x upgrade to Ubercart 6.x-2.4 [3]
See also the Ubercart project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Greg Knaddison [5] of the Drupal Security Team
* Guy Paddock [6]
* Nathan Phillip Brink [7]
-------- FIXED BY
------------------------------------------------------------
* Lyle Mantooth [8], the module maintainer
* Greg Knaddison [9] of the Drupal Security Team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-074
* Projects: Drupad (third-party module)
* Version: 6.x
* Date: 2010-07-14
* Security risks: Critical
* Exploitable from: Remote
* Vulnerability: CSRF
-------- DESCRIPTION
---------------------------------------------------------
The Drupad module is the companion module of the iPhone / iPod touch
application also called Drupad. The module does not check whether an incoming
request was made by the application, leading to a CSRF vulnerability. It can
be used to delete users and content, or to place the site in offline mode,
when a privileged user visits a malicious site.
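Drupad, the Ubercart Cart Links issue (3) above, and Simplenews Statistics
issue (2) earlier on this page all accepted state-changing requests without
any proof that the logged-in user meant to make them. The usual fix is a token
bound to the session and the action, which a page on another site cannot
obtain. The Python below is an added illustration, not code from any of those
modules; it follows the shape of Drupal's drupal_get_token()/drupal_valid_token()
pair, with the site private key an assumption standing in for Drupal's
drupal_private_key variable.

```python
"""Per-session, per-action CSRF tokens for state-changing requests
(added example, not code from Drupad, Ubercart or Simplenews Statistics)."""
import hashlib
import hmac
import secrets

# Assumption: generated once per site and kept server-side only.
SITE_PRIVATE_KEY = secrets.token_bytes(32)


def get_token(session_id: str, action: str) -> str:
    """Token valid only for this session and this action, e.g. 'cart/add/17'."""
    msg = f"{session_id}\x00{action}".encode("utf-8")
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(session_id: str, action: str, token: str) -> bool:
    """Constant-time comparison against a freshly computed token."""
    expected = get_token(session_id, action)
    return hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8"))


def handle_request(session_id: str, path: str, params: dict[str, str]) -> str:
    """A state-changing endpoint that refuses requests without a good token.

    `path` names the action being authorised (what the token was issued for);
    `params` is the parsed query string or form body.
    """
    if not valid_token(session_id, path, params.get("token", "")):
        return "403 forbidden: missing or invalid token"
    # ... perform the action here (delete a user, add an item, go offline) ...
    return f"200 ok: {path}"


def attack_scenarios() -> tuple[str, str, str, str]:
    """Constructed: honest request; no token; attacker's own token planted in a
    link the victim clicks; victim's token for one action reused for another."""
    victim, attacker = "sess-victim", "sess-attacker"
    honest = handle_request(victim, "user/5/delete",
                            {"token": get_token(victim, "user/5/delete")})
    no_token = handle_request(victim, "user/5/delete", {})
    # The attacker can mint a valid token for *their* session and embed it in
    # a link; it does not validate for the victim's session.
    wrong_session = handle_request(victim, "user/5/delete",
                                   {"token": get_token(attacker, "user/5/delete")})
    # A token the victim legitimately saw for one action does not carry over.
    wrong_action = handle_request(victim, "admin/settings/site-maintenance",
                                  {"token": get_token(victim, "user/5/delete")})
    return honest, no_token, wrong_session, wrong_action
```

Two practical notes: state changes should additionally require POST, because
GET links are also followed by prefetchers and link checkers that carry the
victim's cookies; and for an API consumed by a native client such as the
Drupad application, the client has to obtain and send the token (or an
equivalent per-request credential) itself, since a cookie alone proves nothing
about which page issued the request.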
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupad for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Drupad [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* Upgrade to Drupad 6.x-1.1 [2]
See also the Drupad project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Heine Deelstra [4] of the Drupal security team
-------- FIXED BY
------------------------------------------------------------
* Jérémy Chatard [5], module maintainer
This module displays a block with nodes similar to the one currently being
viewed, based on its title. The related pages are shown as a block containing
a list of articles.
The Similar Entries module supports only MySQL-based sites, because MySQL's
FULLTEXT search requires MyISAM tables.
FULLTEXT is a special kind of query that helps find relevant content in other
nodes using natural-language searches.
The following error appears in Drupal:
Fatal error: Unsupported operand types in /home/directotio/public_html/propietario/includes/common.inc on line 1426
* Advisory ID: DRUPAL-SA-CONTRIB-2010-095
* Project: Lightbox2 (third-party module)
* Version: 5.x, 6.x
* Date: 2010-September-22
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass, Cross-Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Lightbox2 module enables images to be overlaid on the current page using
JavaScript. The module displays images above the page instead of within it,
freeing the page design from layout constraints and keeping users on the same
page.
The module does not sanitize some of the user supplied data before displaying
it, leading to a Cross Site Scripting (XSS [1]) vulnerability which can be
used by a malicious user to gain full administrative access.
The Lightbox2 module also enables Embedded Media Field [2] and Acidfree [3]
videos to be displayed in a modal popup. In some cases checks on the user's
field level access to the source video were not carried out correctly,
allowing direct queries to the backend URL resulting in the display of videos
which the user would otherwise be unable to access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Lightbox2 module for Drupal 6.x versions prior to 6.x-1.10
* Lightbox2 module for Drupal 5.x versions prior to 5.x-2.10
Drupal core is not affected. If you do not use the contributed Lightbox2 [4]
module there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Lightbox2 module for Drupal 6.x upgrade to Lightbox2
6.x-1.10 [5]
* If you use the Lightbox2 module for Drupal 5.x upgrade to Lightbox2
5.x-2.10 [6]
See also the Lightbox2 project page [7].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [8], of the Drupal Security Team
* Jakub Suchy (meba) [9], of the Drupal Security Team
* Stella Power (stella) [10], module maintainer
* hefox [11]
-------- FIXED BY
------------------------------------------------------------
* Stella Power (stella) [12], module maintainer
* Advisory ID: DRUPAL-SA-CONTRIB-2010-078
* Project: Kaltura (third-party module)
* Versions: 5.x, 6.x
* Date: 2010-July-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Kaltura module integrates the Kaltura open source video platform with
Drupal. When installing, uninstalling, or configuring the module, it would
surreptitiously inject a hidden iframe into the messages displayed to the
administrator, with the source pointing to corp.kaltura.com/stats/drupal.
These requests were made without the prior knowledge or authorization of site
administrators. The iframe also included information such as the site's
Kaltura partner ID, registration ID, or registration error code. Because most
browsers also send the referring page when loading an iframe, information
such as the URL or IP address of the Drupal site could also have been
obtained.
-------- RESPONSIBLE COLLECTION OF USAGE STATISTICS FOR DRUPAL MODULES -------
The popularity of modules hosted on drupal.org is already tracked based on
data in the request when a Drupal installation checks to see if any of its
modules have new releases (see the Kaltura usage page [1] for example). This
information is gathered with privacy in mind: an open discussion [2] occurred
before including private information in the requests; the data is not shared
outside of Drupal.org server administrators (approximately 10 people); site
administrators are alerted to this system during installation of their site
and they can opt in or out at any time.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Kaltura module for Drupal 6.x prior to 6.x-1.5, and all 6.x-2.x versions
* Kaltura module for Drupal 5.x prior to 5.x-1.4
Drupal core is not affected. If you do not use the Kaltura module, there is
nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Kaltura module for Drupal 5.x upgrade to Kaltura 5.x-1.4 [3]
* If you use Kaltura module for Drupal 6.x upgrade to Kaltura 6.x-1.5 [4]
* If you use Kaltura module for Drupal version 6.x-2.0 or 6.x-2.x-dev,
downgrade to Kaltura 6.x-1.5 [5]
Also see the Kaltura project page [6].
-------- REPORTED BY
---------------------------------------------------------
* Denis Slepichev [7]
* Chris Burgess [8]
-------- FIXED BY
------------------------------------------------------------
* Chris Burgess [9], the new module maintainer