Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

Drupal Security - 2 hours 23 mins ago
Project: Drupal core
Version: 8.4.x-dev, 7.x-dev
Date: 2018-February-21
Security risk: Critical 16/25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:Default
Vulnerability: Multiple Vulnerabilities
Description:

This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.

Comment reply form allows access to restricted content - Critical - Drupal 8

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.
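To show why an escaper has to cover every character that is significant in every context it is used in, here is an added example written for this page; it is not Drupal's checkPlain() implementation or its fix, and the template, the escaped character set and the sample input are all assumptions.

```javascript
// Added example, not Drupal's code: a complete HTML escaper for text and
// quoted-attribute contexts, an incomplete one (constructed to show the
// failure mode the advisory describes), and a check that the escaped value
// survives insertion into a hypothetical template intact.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that can change meaning in HTML text or inside a
// quoted attribute value. One pass, so nothing is escaped twice.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed incomplete escaper: it omits the single quote, so a value
// placed in a single-quoted attribute can still terminate that attribute.
function escapeHtmlIncomplete(text) {
  return String(text).replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical template: the untrusted value goes into a single-quoted
// title attribute. This is where an incomplete escaper breaks down.
function renderLink(escaper, value) {
  return "<a title='" + escaper(value) + "'>link</a>";
}

// Read back the title attribute the way a lenient parser would: everything
// up to the next single quote.
function extractTitle(markup) {
  const m = /title='([^']*)'/.exec(markup);
  return m ? m[1] : null;
}

// True when the attribute value the browser would see is exactly what the
// escaper produced, i.e. the untrusted input could not leave its context.
function valueSurvives(escaper, value) {
  return extractTitle(renderLink(escaper, value)) === escaper(value);
}

// Constructed untrusted input containing every HTML-significant character.
const SAMPLE = "Tom & Jerry's \"show\" <b>";

console.log(valueSurvives(escapeHtml, SAMPLE));           // true
console.log(valueSurvives(escapeHtmlIncomplete, SAMPLE)); // false
```

The same check can be repeated for each output context a template uses (text node, double-quoted attribute, single-quoted attribute) to confirm that one escaper really is safe for all of them.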

Private file access bypass - Moderately Critical - Drupal 7

When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 as a side effect of upgrading Drupal core to use a newer version of jQuery. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module, such as Domain Access, that implements hook_node_access_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass - Moderately Critical - Drupal 8

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution: 

Install the latest version:

Reported By: 
  • Comment reply form allows access to restricted content - Critical - Drupal 8
  • JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8
  • Private file access bypass - Moderately Critical - Drupal 7
  • jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7
  • Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8
  • Settings Tray access bypass - Moderately Critical - Drupal 8
  • External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7
Fixed By: 
Categories: Drupal

Will Google Search Ranking Algorithms Use Chrome Ad Blocking Signals

Search Engine Roundtable - 3 hours 27 mins ago
Glenn Gabe asked if Google would be using those signals used to block ads in Chrome as ranking signals or factors for ranking in the future.
Categories: SEO

Google To Port All Old Search Console Features To New Version

Search Engine Roundtable - 6 hours 27 mins ago
On a daily basis I see complaints around the new beta Search Console which began rolling out recently about how it is missing many of the features from the old version. Google is aware of these complaints and is not removing the old version anytime soon...
Categories: SEO

Google: We Changed Request Indexing Limits & Quotas Over Spam & Abuse

Search Engine Roundtable - 6 hours 27 mins ago
When Google first changed the request indexing limits and quotas in the Google Search Console tool, Google was pretty cryptic and secretive about the whole situation. Just the other day, they documented the new quotas...
Categories: SEO

Google Tests Multiple Images In Featured Snippets?

Search Engine Roundtable - 6 hours 27 mins ago
@Adoubleagent shared a photo (well, multiple) on Twitter of Google showing not just a single featured snippet image but multiple images in the featured snippet. I don't believe I've seen multiple images in a featured snippet and for the life of me...
Categories: SEO

Google AdSense Auto Ads Now Out Of Beta

Search Engine Roundtable - 6 hours 27 mins ago
Last September we told you about a limited beta running through AdSense named auto ads. Well, now, as of this morning...
Categories: SEO

Duane Forrester - The Search Community Honors You

Search Engine Roundtable - 6 hours 27 mins ago
This is part of the say something nice about an SEO/SEM series - feel free to nominate someone over here. Duane Forrester has been in the SEO/SEM industry for a couple decades now...
Categories: SEO

A Shiny Google Slide

Search Engine Roundtable - 6 hours 27 mins ago
Categories: SEO

Create a wiki on your Linux desktop with Zim

Open Source - 11 hours 31 mins ago

There's no denying the usefulness of a wiki, even to a non-geek. You can do so much with one—write notes and drafts, collaborate on projects, build complete websites. And so much more.

Categories: Open Source

Getting started with SQL

Open Source - 11 hours 32 mins ago

Building a database using SQL is simpler than most people think. In fact, you don't even need to be an experienced programmer to use SQL to create a database. In this article, I'll explain how to create a simple relational database management system (RDBMS) using MySQL 5.6. Before I get started, I want to quickly thank SQL Fiddle, which I used to run my script. It provides a useful sandbox for testing simple scripts.

Categories: Open Source

3 warning flags of DevOps metrics

Open Source - 11 hours 32 mins ago

Metrics. Measurements. Data. Monitoring. Alerting. These are all big topics for DevOps and for cloud-native infrastructure and application development more broadly. In fact, acm Queue, a magazine published by the Association of Computing Machinery, recently devoted an entire issue to the topic.

Categories: Open Source

Daily Search Forum Recap: February 20, 2018

Search Engine Roundtable - Tue, 02/20/2018 - 22:50

Here is a recap of what happened in the search forums today...

Categories: SEO

How Kubernetes became the solution for migrating legacy applications

Open Source - Tue, 02/20/2018 - 17:30

In the early days of the internet, if you wanted to launch an application, you had to buy or rent hardware. This was a physical server or a rack of servers, and you needed one server per application, so it was expensive. In 2001, VMware came out with virtualization—software that allowed users to run multiple applications on the same hardware. This meant you could split up a single box into multiple virtual boxes, each running its own environment and applications. The cost savings for businesses were tremendous.

Categories: Open Source

Google News Meta Keywords Tag Hasn't Been Supported Since October 2017

Search Engine Roundtable - Tue, 02/20/2018 - 16:40
So for the past four months or more, Google has not supported the Google News meta keywords tag. Don't confuse this with the normal meta keywords tag...
Categories: SEO

Google Share URL For Random Number Generator Goes To Metronome

Search Engine Roundtable - Tue, 02/20/2018 - 16:40
If you go to Google and search for [random number generator] you will be given a box at the top to generate that number. If you try to share that URL to that search result using the share buttons...
Categories: SEO

Google Local Panel Adds Mall Directories Search

Search Engine Roundtable - Tue, 02/20/2018 - 16:40
Google has added mall directories information to the local panel in the search results. If you search for a local mall in your area, you may see a tab for "Directory" which will show you the stores located in that mall...
Categories: SEO

The Search Community Mourns The Loss Of Jill Sampey

Search Engine Roundtable - Tue, 02/20/2018 - 16:40
Jill Sampey passed away on Saturday, February 17th. It comes as a shock to everyone who knows her. She was the most smiley...
Categories: SEO

Ashley Berman Hale - The Search Community Honors You

Search Engine Roundtable - Tue, 02/20/2018 - 13:34
This is part of the say something nice about an SEO/SEM series - feel free to nominate someone over here. Ashley Berman Hale is 34 years old and lives in Fort Collins, Colorado with her husband and two "confident" daughters ages 7 and 5...
Categories: SEO

Old Google Word Of Mouth T-Shirt

Search Engine Roundtable - Tue, 02/20/2018 - 13:34
Categories: SEO

How to format academic papers on Linux with groff -me

Open Source - Tue, 02/20/2018 - 09:03

I was an undergraduate student when I discovered Linux in 1993. I was so excited to have the power of a Unix system right in my dorm room, but despite its many capabilities, Linux lacked applications. Word processors like LibreOffice and OpenOffice were years away. If you wanted to use a word processor, you likely booted your system into MS-DOS and used WordPerfect, the shareware GalaxyWrite, or a similar program.

Categories: Open Source
