-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0425.2
        A number of vulnerabilities have been identified in Drupal core
                               3 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service               -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2153 CVE-2012-1591 CVE-2012-1590 CVE-2012-1589
                   CVE-2012-1588

Original Bulletin:
   http://drupal.org/node/1557938

Revision History:  October 3 2012: Added CVE-2012-2153
                   May     3 2012: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CORE-2012-002
  * Project: Drupal core [1]
  * Version: 7.x
  * Date: 2012-May-2
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Denial of Service, Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

.... Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including
removing inappropriate HTML tags and automatically linking content that
appears to be a link. A pattern in Drupal's text matching was found to be
inefficient with certain specially crafted strings.

This vulnerability is mitigated by the fact that users must have the ability
to post content sent to the filter system such as a role with the "post
comments" or "Forum topic: Create new content" permission.

.... Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to
validate that the URL was internal to the site.
This weakness could be abused to redirect the login form to a remote site
with a malicious script that harvests the login credentials and redirects to
the live site.

This vulnerability is mitigated only by the end user's ability to recognize a
URL with malicious query parameters to avoid the social engineering required
to exploit the problem.

.... Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying
them in the forum overview page. If an unpublished node was the most recently
updated in a forum then users who should not have access to unpublished forum
posts were still able to see meta-data about the forum post such as the post
title.

.... Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and
Image Styles which create derivative images from an original image that may
differ, for example, in size or saturation. Drupal core failed to properly
terminate the page request for cached image styles allowing users to access
image derivatives for images they should not be able to view. Furthermore,
Drupal didn't set the right headers to prevent image styles from being cached
in the browser.
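Added example for the unvalidated form redirect described above. This is not Drupal's code; it is a stand-alone PHP validator showing the check a site should apply to a user-supplied destination before redirecting to it: only a path on the current site is accepted, while absolute URLs, protocol-relative references, backslash variants that browsers normalise to a slash, and values containing control characters are rejected in favour of a fixed fallback. The function names (is_internal_destination, safe_destination) and the sample destinations are constructed for this example.

```php
<?php
// Added example, not Drupal's own code. Validates a user-supplied "destination"
// value so that a post-login redirect can only land on this site. Function
// names and sample values are constructed for this example.

/**
 * Returns TRUE when $destination is a path that stays on the current site.
 */
function is_internal_destination($destination) {
  if (!is_string($destination) || $destination === '') {
    return FALSE;
  }
  // Control characters (including CR/LF and NUL) never belong in a path.
  if (preg_match('/[\x00-\x1F\x7F]/', $destination)) {
    return FALSE;
  }
  // Decode once more before inspecting: a value still carrying %2F%2F or %3A
  // may be decoded again by a later layer. Judging the decoded form is the
  // conservative choice for a validator.
  $candidate = rawurldecode(trim($destination));
  // Browsers treat a backslash like a slash, so "/\other.example" behaves as
  // "//other.example". Normalise before the checks below.
  $candidate = str_replace('\\', '/', $candidate);
  // A network-path reference ("//host/...") changes the host.
  if (strpos($candidate, '//') === 0) {
    return FALSE;
  }
  // A colon before any "/", "?" or "#" means a scheme ("http:", "javascript:",
  // "data:") is present, i.e. the value is an absolute URL.
  $colon = strpos($candidate, ':');
  if ($colon !== FALSE && !preg_match('![/?#]!', substr($candidate, 0, $colon))) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Returns the requested destination if it is internal, otherwise $fallback.
 */
function safe_destination($requested, $fallback = 'user') {
  return is_internal_destination($requested) ? $requested : $fallback;
}

// Constructed sample values a "destination" parameter might carry.
$samples = array(
  'node/1',                          // internal path: allowed
  '/user/5?tab=edit',                // internal with query: allowed
  'node/1?ref=http://ok.example',    // scheme only inside the query: allowed
  'http://other.example/user/login', // absolute URL: rejected
  '//other.example/user/login',      // protocol-relative: rejected
  '/\\other.example/user/login',     // backslash variant: rejected
  '%2F%2Fother.example',             // percent-encoded "//": rejected
  'javascript:alert(1)',             // pseudo-scheme: rejected
  "node/1\r\nX-Injected: 1",         // CR/LF inside the value: rejected
);

foreach ($samples as $sample) {
  printf("%-40s %s\n", json_encode($sample),
    is_internal_destination($sample) ? 'allow' : 'reject -> ' . safe_destination($sample));
}
```

The validator deliberately works on the destination string alone rather than comparing a parsed host against the site's host: parsing with a URL library and then trusting the host component is where protocol-relative and backslash forms tend to slip through, so refusing anything that is not a plain site-relative path is the simpler rule to reason about.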
.... Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content.
Drupal core failed to confirm a user viewing that page had access to each
node in the list.
This vulnerability only concerns sites running a contributed node access
module and is mitigated by the fact that users must have a role with the
"view content overview" permission. Unpublished nodes were not displayed to
users who only had the "view content overview" permission.
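Added example for the two listing access bypasses described above (the forum listing, CVE-2012-1590, and the content administration page, CVE-2012-2153). This is not Drupal's code: a handful of constructed node records and a deliberately small access rule stand in for the database and for Drupal's node access system, to show the pattern both fixes follow, namely checking the viewer's access on every row before it is rendered, and, for a forum overview, summarising the newest accessible post rather than the newest row. The function names (can_view_node, listing_unchecked, listing_checked, latest_visible_post) and the records are this example's own; on a Drupal 7 site the access decision itself comes from node_access() or the node_access query tag, not from a local rule like the one here.

```php
<?php
// Added example, not Drupal's own code. Constructed node records and a
// minimal access rule stand in for the database and Drupal's node access
// system; function names are this example's own.

// Constructed records: nid, title, published flag, author uid, forum, changed.
$nodes = array(
  array('nid' => 1, 'title' => 'Welcome thread',     'status' => 1, 'uid' => 2, 'forum' => 'general', 'changed' => 100),
  array('nid' => 2, 'title' => 'Draft announcement', 'status' => 0, 'uid' => 2, 'forum' => 'general', 'changed' => 300),
  array('nid' => 3, 'title' => 'Private notes',      'status' => 1, 'uid' => 3, 'forum' => 'general', 'changed' => 200, 'private' => TRUE),
  array('nid' => 4, 'title' => 'Release notes',      'status' => 1, 'uid' => 3, 'forum' => 'dev',     'changed' => 150),
);

/**
 * Simplified access rule: authors see their own nodes; everyone else sees
 * published nodes unless a node is marked private.
 */
function can_view_node(array $node, array $account) {
  if ($node['uid'] === $account['uid']) {
    return TRUE;
  }
  if (!$node['status']) {
    return FALSE;
  }
  return empty($node['private']);
}

/**
 * Vulnerable pattern: every row the query returned is rendered, so the titles
 * of inaccessible nodes leak to anyone allowed to view the overview.
 */
function listing_unchecked(array $nodes) {
  $titles = array();
  foreach ($nodes as $node) {
    $titles[] = $node['title'];
  }
  return $titles;
}

/**
 * Fixed pattern: the viewer's access to each node is checked before that row
 * is rendered.
 */
function listing_checked(array $nodes, array $account) {
  $titles = array();
  foreach ($nodes as $node) {
    if (can_view_node($node, $account)) {
      $titles[] = $node['title'];
    }
  }
  return $titles;
}

/**
 * Forum overview: the "last post" summary must be the most recently changed
 * node the viewer may see, not simply the most recently changed row.
 */
function latest_visible_post(array $nodes, $forum, array $account) {
  $latest = NULL;
  foreach ($nodes as $node) {
    if ($node['forum'] !== $forum || !can_view_node($node, $account)) {
      continue;
    }
    if ($latest === NULL || $node['changed'] > $latest['changed']) {
      $latest = $node;
    }
  }
  return $latest === NULL ? NULL : $latest['title'];
}

// A viewer holding the overview permission but no special access (uid 5).
$viewer = array('uid' => 5);
echo "Unchecked admin/content:     " . implode(', ', listing_unchecked($nodes)) . "\n";
echo "Checked admin/content:       " . implode(', ', listing_checked($nodes, $viewer)) . "\n";
echo "Latest visible in 'general': " . latest_visible_post($nodes, 'general', $viewer) . "\n";
```

For this viewer the unchecked listing names all four nodes, the checked listing names only "Welcome thread" and "Release notes", and the forum summary picks "Welcome thread" even though the draft and the private node were changed more recently. Filtering in application code as shown is fine for small result sets; for paged listings the same access decision should be pushed into the query so that page counts do not reveal how many hidden rows exist.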
- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal core 7.x versions prior to 7.13.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use Drupal 7.x, upgrade to Drupal core 7.13 [3]

Also see the Drupal core [4] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * The Denial of Service vulnerability was reported by Jay Wineinger [5] and
    Lin Clark [6].
  * The unvalidated form redirect vulnerability was reported by Károly Négyesi
    [7] of the Drupal Security Team.
  * The access bypass in forum listing vulnerability was reported by Glen W
    [8].
  * The access bypass for private images vulnerability was reported by frega
    [9], Andreas Gonell [10], Jeremy Meier [11] and Xenza [12].
  * The access bypass for the content administration vulnerability was
    reported by Jennifer Hodgdon [13].

- -------- FIXED BY ------------------------------------------------------------

  * The Denial of Service was fixed by Károly Négyesi [14] of the Drupal
    Security Team.
  * The unvalidated form redirect was fixed by Wolfgang Ziegler [15] and
    Stéphane Corlosquet [16] of the Drupal Security Team.
  * The access bypass in forum listing was fixed by Michael Hess [17] of the
    Drupal Security Team, Ben Jeavons [18] of the Drupal Security Team and
    xjm [19].
  * The Access bypass for private images was fixed by Károly Négyesi [20] of
    the Drupal Security Team, Damien Tournoud [21] of the Drupal Security
    Team, Greg Knaddison [22] of the Drupal Security Team, Stéphane
    Corlosquet [23] of the Drupal Security Team, Xenza [24] and frega [25].
  * The Access bypass for content administration was fixed by Jennifer
    Hodgdon [26].

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [27].
Learn more about the Drupal Security team and their policies [28], writing
secure code for Drupal [29], and securing your site [30].

[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1558412
[4] http://drupal.org/project/drupal
[5] http://drupal.org/user/923254
[6] http://drupal.org/user/396253
[7] http://drupal.org/user/9446
[8] http://drupal.org/user/170314
[9] http://drupal.org/user/243377
[10] http://drupal.org/user/414525
[11] http://drupal.org/user/1271628
[12] http://drupal.org/user/1792496
[13] http://drupal.org/user/155601
[14] http://drupal.org/user/9446
[15] http://drupal.org/user/16747
[16] http://drupal.org/user/52142
[17] http://drupal.org/user/102818
[18] http://drupal.org/user/91990
[19] http://drupal.org/user/65776
[20] http://drupal.org/user/9446
[21] http://drupal.org/user/22211
[22] http://drupal.org/user/36762
[23] http://drupal.org/user/52142
[24] http://drupal.org/user/1792496
[25] http://drupal.org/user/243377
[26] http://drupal.org/user/155601
[27] http://drupal.org/contact
[28] http://drupal.org/security-team
[29] http://drupal.org/writing-secure-code
[30] http://drupal.org/security/secure-configuration

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUGuxMO4yVqjM2NGpAQLr/BAAhrPRjQlUXfI8pMQ7lI9G21u4R5uG8tt0
S+RQK7Vfu1dRrAwrHPTQNeweafyKG9gSBdwqaoHVBmJimBSeVJtkV0L3hP9ijxNe
Z/yGuZ7p98BgyL6HCPUjrQEoib/2b5xqxCik6uub6ll0w1OU1TVIwesBPrjdezzF
YBV6S+u+TvJ/iLk2nw+mS6wnLyKQRdi7sFq06Hx1u5JDmJPgXiGEAU61h8HlNHtk
PB9t6AKLhCWy4lmgShD8nslY9nzv0LVU/e3zPmhtKMFLQ+/ViEKh1i0aCcG28NSX
jxZhypfG13yzHKOPR5Zk+X+f42PoEJzZXlD7kLzDCyfrmw9wI3/CS7NL2mXEwUBo
GzwKhvfwL4DLUMHgvMwctddFQtjv7T2dACxVPmTi2mf6VzAs4ByJXqkMLqOQMxd9
BgcRBbMW3ysAlDJbknHJHHKSyTXFasXyHnIvp3q4VOSiK5hHjt23ux2xMz6JoRCP
Y3Uza2xLg5wjH2cr+r1Sq0sSGjKR1cqDCh5dAZq34ydHnFiSBCIr1bQfmCJVWAud
qdM4GQCHZfDwkvG6BgGzJUA93p7utoPWvkL+0MgWbzvg0Hr6K7/01m6Iph17I1ct
fISDGJhpxDQRw9yHDt4YTuvxxLWDzbAI60Lh0sLSx9EYNoOWby/nrRmrF2UaM2Hy
3zYRw4wqYWE=
=KRFb
-----END PGP SIGNATURE-----