View online: https://www.drupal.org/SA-CORE-2015-003

* Advisory ID: DRUPAL-SA-CORE-2015-003
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2015-August-19
* Security risk: 18/25 ( Critical)
AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All [2]
* Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open
Redirect, Multiple vulnerabilities

This security advisory fixes multiple vulnerabilities. See below for a list.

——– CROSS-SITE SCRIPTING – AJAX SYSTEM – DRUPAL 7
———————–

A vulnerability was found that allows a malicious user to perform a
cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML
element.

This vulnerability is mitigated on sites that do not allow untrusted users to
enter HTML.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6
contributed Ctools module: SA-CONTRIB-2015-141 [3].

——– CROSS-SITE SCRIPTING – AUTOCOMPLETE SYSTEM – DRUPAL 6 AND 7
———

A cross-site scripting vulnerability was found in the autocomplete
functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be
allowed to upload files.

——– SQL INJECTION – DATABASE API – DRUPAL 7
—————————–

A vulnerability was found in the SQL comment filtering system which could
allow a user with elevated permissions to inject malicious code in SQL
comments.

This vulnerability is mitigated by the fact that only one contributed module
that the security team found uses the comment filtering system in a way that
would trigger the vulnerability. That module requires you to have a very
high level of access in order to perform the attack.

——– CROSS-SITE REQUEST FORGERY – FORM API – DRUPAL 6 AND 7
————–

A vulnerability was discovered in Drupal’s form API that could allow file
upload value callbacks to run with untrusted input, due to form token
validation not being performed early enough. This vulnerability could allow a
malicious user to upload files to the site under another user’s account.

This vulnerability is mitigated by the fact that the uploaded files would be
temporary, and Drupal normally deletes temporary files automatically after 6
hours.

——– INFORMATION DISCLOSURE IN MENU LINKS – ACCESS SYSTEM – DRUPAL 6 AND
7
——————————————————————-

Users without the “access content” permission can see the titles of nodes
that they do not have access to, if the nodes are added to a menu on the site
that the users have access to.

——– CVE IDENTIFIER(S) ISSUED
——————————————–

* /CVE identifiers [4] have been requested and will be added upon issuance,
in accordance with Drupal Security Team processes./

——– VERSIONS AFFECTED
—————————————————

* Drupal core 6.x versions prior to 6.37
* Drupal core 7.x versions prior to 7.39

——– SOLUTION
————————————————————

Install the latest version:

* If you use Drupal 6.x, upgrade to Drupal core 6.37 [5]
* If you use Drupal 7.x, upgrade to Drupal core 7.39 [6]

Also see the Drupal core [7] project page.

——– CREDITS
————————————————————-

…. Cross-site Scripting – Ajax system – Drupal 7

.. Reported by

* Régis Leroy [8]
* Kay Leung [9], Drupal core JavaScript maintainer
* Samuel Mortenson [10]
* Pere Orga [11] of the Drupal Security Team

.. Fixed by

* Théodore Biadala [12], Drupal core JavaScript maintainer
* Alex Bronstein [13] of the Drupal Security Team
* Ben Dougherty [14] of the Drupal Security Team
* Gábor Hojtsy [15] of the Drupal Security Team
* Greg Knaddison [16] of the Drupal Security Team
* Kay Leung [17], Drupal core JavaScript maintainer
* Wim Leers [18]
* Samuel Mortenson [19]
* Pere Orga [20] of the Drupal Security Team
* Tim Plunkett [21]
* David Rothstein [22] of the Drupal Security Team
* Lee Rowlands [23] of the Drupal Security Team
* Peter Wolanin [24] of the Drupal Security Team
* znerol [25], maintainer of Authcache module

…. Cross-site Scripting – Autocomplete system – Drupal 6 and 7

.. Reported by

* Alex Bronstein [26] of the Drupal Security Team
* Pere Orga [27] of the Drupal Security Team

.. Fixed by

* Alex Bronstein [28] of the Drupal Security Team
* Ben Dougherty [29] of the Drupal Security Team
* Tim Plunkett [30]
* Lee Rowlands [31] of the Drupal Security Team
* Peter Wolanin [32] of the Drupal Security Team
* David Rothstein [33] of the Drupal Security Team

…. SQL Injection – Database API – Drupal 7

.. Reported by

* Carl Sabottke [34]

.. Fixed by

* Anthony Ferrara [35]
* Larry Garfield [36]
* Greg Knaddison [37] of the Drupal Security Team
* Cathy Theys [38] provisional member of the Drupal Security Team
* Peter Wolanin [39] of the Drupal Security Team

…. Cross-site Request Forgery – Form API – Drupal 6 and 7

.. Reported by

* Abdullah Hussam [40]

.. Fixed by

* Greg Knaddison [41] of the Drupal Security Team
* Wim Leers [42]
* David Rothstein [43] of the Drupal Security Team
* Lee Rowlands [44] of the Drupal Security Team
* Peter Wolanin [45] of the Drupal Security Team

…. Information Disclosure in Menu Links – Access system – Drupal 6 and 7

.. Reported by

* David_Rothstein [46] of the Drupal Security Team

.. Fixed by

* Matt Chapman [47] of the Drupal Security Team
* Stéphane Corlosquet [48] of the Drupal Security Team
* Greg Knaddison [49] of the Drupal Security Team
* Christian Meilinger [50]
* David_Rothstein [51] of the Drupal Security Team
* Lee Rowlands [52] of the Drupal Security Team

——– COORDINATED BY
——————————————————

* Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and
Peter Wolanin of the The Drupal Security Team [53]

——– CONTACT AND MORE INFORMATION
—————————————-

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [54].

Learn more about the Drupal Security team and their policies [55], writing
secure code for Drupal [56], and securing your site [57].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [58]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2554145
[4] http://cve.mitre.org/
[5] https://www.drupal.org/drupal-6.37-release-notes
[6] https://www.drupal.org/drupal-7.39-release-notes
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/u/regilero
[9] https://www.drupal.org/u/droplet
[10] https://www.drupal.org/u/samuel.mortenson
[11] https://www.drupal.org/u/pere-orga
[12] https://www.drupal.org/u/nod_
[13] https://www.drupal.org/u/effulgentsia
[14] https://www.drupal.org/u/benjy
[15] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[16] https://www.drupal.org/u/greggles
[17] https://www.drupal.org/u/droplet
[18] https://www.drupal.org/u/wim-leers
[19] https://www.drupal.org/u/samuel.mortenson
[20] https://www.drupal.org/u/pere-orga
[21] https://www.drupal.org/u/tim.plunkett
[22] https://www.drupal.org/u/david_rothstein
[23] https://www.drupal.org/u/larowlan
[24] https://www.drupal.org/u/pwolanin
[25] https://www.drupal.org/u/znerol
[26] https://www.drupal.org/user/78040
[27] https://www.drupal.org/user/2301194
[28] https://www.drupal.org/u/effulgentsia
[29] https://www.drupal.org/u/benjy
[30] https://www.drupal.org/u/tim.plunkett
[31] https://www.drupal.org/u/larowlan
[32] https://www.drupal.org/user/49851
[33] https://www.drupal.org/u/david_rothstein
[34] https://www.drupal.org/u/csabot3
[35] https://www.drupal.org/u/ircmaxell
[36] https://www.drupal.org/u/crell
[37] https://www.drupal.org/u/greggles
[38] https://www.drupal.org/u/yesct
[39] https://www.drupal.org/u/pwolanin
[40] https://www.drupal.org/u/abdullah-hussam
[41] https://www.drupal.org/u/greggles
[42] https://www.drupal.org/u/wim-leers
[43] https://www.drupal.org/u/david_rothstein
[44] https://www.drupal.org/u/larowlan
[45] https://www.drupal.org/u/pwolanin
[46] https://www.drupal.org/u/David_Rothstein
[47] https://www.drupal.org/u/matt2000
[48] https://www.drupal.org/u/scor
[49] https://www.drupal.org/u/greggles
[50] https://www.drupal.org/u/meichr
[51] https://www.drupal.org/u/David_Rothstein
[52] https://www.drupal.org/u/larowlan
[53] https://www.drupal.org/security-team
[54] https://www.drupal.org/contact
[55] https://www.drupal.org/security-team
[56] https://www.drupal.org/writing-secure-code
[57] https://www.drupal.org/security/secure-configuration
[58] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news