Exploit the possiblities

Drupal Core 6.x / 7.x Cross Site Scripting / Access Bypass

Drupal Core 6.x / 7.x Cross Site Scripting / Access Bypass
Posted Jan 17, 2013
Authored by David Rothstein, Christian Johansson, Kressin Roger, t.ashula, Mark Lindsey, saschadrupal, Anders Olsson | Site drupal.org

Drupal core versions 6.x and 7.x suffer from access bypass and cross site scripting vulnerabilities.

tags | advisory, vulnerability, xss
MD5 | 2328a4b94cf2a8235773e2a182288b01

Drupal Core 6.x / 7.x Cross Site Scripting / Access Bypass

Change Mirror Download
View online: http://drupal.org/SA-CORE-2013-001

* Advisory ID: DRUPAL-SA-CORE-2013-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2013-January-16
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Access bypass

-------- DESCRIPTION
---------------------------------------------------------

Multiple vulnerabilities were fixed in the supported Drupal core versions 6
and 7.

.... Cross-site scripting (Various core and contributed modules - Drupal 6
and 7)

A reflected cross-site scripting vulnerability (XSS) was identified in
certain Drupal JavaScript functions that pass unexpected user input into
jQuery causing it to insert HTML into the page when the intended behavior is
to select DOM elements. Multiple core and contributed modules are affected by
this issue.

jQuery versions 1.6.3 and higher provide protection against common forms of
this problem; thus, the vulnerability is mitigated if your site has upgraded
to a recent version of jQuery. However, the versions of jQuery that are
shipped with Drupal 6 and Drupal 7 core do not contain this protection.

Although the fix added to Drupal as part of this security release prevents
the most common forms of this issue in the same way as newer versions of
jQuery do, developers should be aware that passing untrusted user input
directly to jQuery functions such as jQuery() and $() is unsafe and should be
avoided.

CVE: Requested.

.... Access bypass (Book module printer friendly version - Drupal 6 and 7)

A vulnerability was identified that exposes the title or, in some cases, the
content of nodes that the user should not have access to.

This vulnerability is mitigated by the fact that the bypass is only
accessible to users who already have the 'access printer-friendly version'
permission (which is not granted to Anonymous or Authenticated users by
default) and it only affects nodes that are part of a book outline.

CVE: Requested.

.... Access bypass (Image module - Drupal 7)

Drupal core provides the ability to have private files, including images. A
vulnerability was identified in which derivative images (which Drupal
automatically creates from these images based on "image styles" and which may
differ, for example, in size or saturation) did not always receive the same
protection. Under some circumstances, this would allow users to access image
derivatives for images they should not be able to view.

This vulnerability is mitigated by the fact that it only affects sites which
use the Image module and which store images in a private file system.

CVE: Requested.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

* Drupal core 6.x versions prior to 6.28.
* Drupal core 7.x versions prior to 7.19.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

* If you use Drupal 6.x, upgrade to Drupal core 6.28 [4].
* If you use Drupal 7.x, upgrade to Drupal core 7.19 [5].

Also see the Drupal core [6] project page.

-------- REPORTED BY
---------------------------------------------------------

* The cross-site scripting issue in various Drupal core and contributed
modules was reported by t.ashula, and by David Rothstein [7] of the Drupal
Security Team.
* The access bypass issue in the Book module was reported by Mark Lindsey
[8].
* The access bypass issue in the Drupal 7 Image module was reported by
Kressin Roger [9], Christian Johansson [10], Anders Olsson [11] and
saschadrupal [12].

-------- FIXED BY
------------------------------------------------------------

* The cross-site scripting issue in various Drupal core and contributed
modules was fixed by t.ashula, Théodore Biadala [13], Katherine Bailey
[14], Steve De Jonghe [15] and J. Renée Beach [16], and by Dylan Tack
[17], Greg Knaddison [18], David Rothstein [19] and Damien Tournoud [20]
of the Drupal Security Team.
* The access bypass issue in the Book module was fixed by Mark Lindsey [21],
and by Fox [22], David Rothstein [23] and Peter Wolanin [24] of the Drupal
Security Team.
* The access bypass issue in the Drupal 7 Image module was fixed by Heine
Deelstra [25] of the Drupal Security Team, and by Anders Olsson [26].

-------- COORDINATED BY
------------------------------------------------------

* David Rothstein [27], Gábor Hojtsy [28], Stéphane Corlosquet [29], Greg
Knaddison [30], Heine Deelstra [31] and Peter Wolanin [32] of the Drupal
Security Team
* Jeremy Thorson [33] of the QA/Testing Infrastructure Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [34].

Learn more about the Drupal Security team and their policies [35], writing
secure code for Drupal [36], and securing your site [37].


[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/drupal-6.28-release-notes
[5] http://drupal.org/drupal-7.19-release-notes
[6] http://drupal.org/project/drupal
[7] http://drupal.org/user/124982
[8] http://drupal.org/user/1924632
[9] http://drupal.org/user/1605796
[10] http://drupal.org/user/204187
[11] http://drupal.org/user/855656
[12] http://drupal.org/user/245825
[13] http://drupal.org/user/598310
[14] http://drupal.org/user/172987
[15] http://drupal.org/user/264148
[16] http://drupal.org/user/748566
[17] http://drupal.org/user/96647
[18] http://drupal.org/user/36762
[19] http://drupal.org/user/124982
[20] http://drupal.org/user/22211
[21] http://drupal.org/user/1924632
[22] http://drupal.org/user/426416
[23] http://drupal.org/user/124982
[24] http://drupal.org/user/49851
[25] http://drupal.org/user/17943
[26] http://drupal.org/user/855656
[27] http://drupal.org/user/124982
[28] http://drupal.org/user/4166
[29] http://drupal.org/user/52142
[30] http://drupal.org/user/36762
[31] http://drupal.org/user/17943
[32] http://drupal.org/user/49851
[33] http://drupal.org/user/148199
[34] http://drupal.org/contact
[35] http://drupal.org/security-team
[36] http://drupal.org/writing-secure-code
[37] http://drupal.org/security/secure-configuration

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close