Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.1180 A number of vulnerabilities have been identified in Drupal core 17 July 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Drupal Publisher: Drupal Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade Original Bulletin: https://www.drupal.org/SA-CORE-2014-003 - --------------------------BEGIN INCLUDED TEXT-------------------- * Advisory ID: DRUPAL-SA-CORE-2014-003 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2014-July-16 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities - -------- DESCRIPTION --------------------------------------------------------- Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. .... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical) Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header. The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. .... Access bypass (File module - Drupal 7 - Critical) The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field. Note: The Drupal 6 FileField [3] module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass [4]) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected. .... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical) A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules. This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself. .... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical) A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field. This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules. - -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [5] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ - -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 6.x versions prior to 6.32. * Drupal core 7.x versions prior to 7.29. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 6.x, upgrade to Drupal core 6.32. [6] * If you use Drupal 7.x, upgrade to Drupal core 7.29. [7] Also see the Drupal core [8] project page. - -------- REPORTED BY --------------------------------------------------------- * The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy [9]. * The access bypass vulnerability in the File module was reported by Ivan Ch [10]. * The cross-site scripting vulnerability with Form API option groups was reported by Kroly Ngyesi [11]. * The cross-site scripting vulnerability in the Ajax system was reported by mani22test [12]. - -------- FIXED BY ------------------------------------------------------------ * The denial of service vulnerability using malicious HTTP Host headers was fixed by Regis Leroy [13], and by Klaus Purer [14] of the Drupal Security Team. * The access bypass vulnerability in the File module was fixed by Nate Haug [15] and Ivan Ch [16], and by Drupal Security Team members David Rothstein [17], Heine Deelstra [18] and David Snopek [19]. * The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison [20] of the Drupal Security Team. * The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm [21] of the Drupal Security Team. - -------- COORDINATED BY ------------------------------------------------------ * The Drupal Security Team [22] - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [23]. Learn more about the Drupal Security team and their policies [24], writing secure code for Drupal [25], and securing your site [26]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [27] [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/filefield [4] https://www.drupal.org/node/2304561 [5] http://cve.mitre.org/ [6] https://www.drupal.org/drupal-6.32-release-notes [7] https://www.drupal.org/drupal-7.29-release-notes [8] http://drupal.org/project/drupal [9] https://www.drupal.org/user/1367862 [10] https://www.drupal.org/user/556138 [11] https://www.drupal.org/u/chx [12] https://www.drupal.org/user/2844779 [13] https://www.drupal.org/user/1367862 [14] https://www.drupal.org/user/262198 [15] https://www.drupal.org/user/35821 [16] https://www.drupal.org/user/556138 [17] https://www.drupal.org/user/124982 [18] https://www.drupal.org/user/17943 [19] https://www.drupal.org/user/266527 [20] https://www.drupal.org/u/greggles [21] https://www.drupal.org/u/drumm [22] http://drupal.org/security-team [23] http://drupal.org/contact [24] http://drupal.org/security-team [25] http://drupal.org/writing-secure-code [26] http://drupal.org/security/secure-configuration [27] https://twitter.com/drupalsecurity - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU8dfOxLndAQH1ShLAQLZnBAAm8JrxxJXPPMsB9csxLqCOSQT//jd2Duh 0GVLjdkY8NvXhX5EmWUhzhvfvhnwuB9Oww0aBhimKOTHD411JxhbUxGQwsOkVvDf eE3+/o2D/Ld10dz3qdyo0pKnvGz1XrM2iMgSBZ0UUqRk+nzASJT22GplqOGaLbbX 5N3rouLK3+p7mhvgNZdBzv2dCVmowtSso7c+kNAvXb2rVcXm3Xs5aagF9N40IUuq 6smgCcHS3GUYq9z0r+UFwvsWCNOVU/gH1xQWdmZk7ypCo4StFwXFWXEUjbTo14u6 nPg9LFaEdssRG6A5Y305Ya3DSC7MSj9OoPxriguyRXcPkM6egolzmz12Klw9rKOB LWXFmviV1cGdlTFfvuGscqJqWYe+Dd1+S8Y13onHIq7L1CUZHoccgdOln4HYaiEj wInnhOvbx5vZwK9WtaO2rwRSB0Ay4+K6Mkpu2Gbaw+VveyoOgHWihZnt7H/bkhU0 qXO6qntUViFY5y0/Jlw8DEp9SqzeF43uPrg/O3tT+fQ+N3MUG+GkjpV4uPI1xjwC XuThjvP6Fj4EIlik22JzZMBJGCcC0pgyM5/D1VY8KEoiAyNt+Y6TxN5PUqYvRELP VpeK2Vxm2waJTVWp5Lw9YbQJ+4u/Tn0+OyVRjUSR8E139sBSVLCUnYWBFpGs52E8 bGhS+AFi/KY= =MwLK -----END PGP SIGNATURE-----