Drupal Core Security

• Advisory ID: DRUPAL-SA-CORE-2012-002
• Project: Drupal core
• Version: 7.x
• Date: 2012-May-2
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect

Description Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.

Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.

Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission.

Versions affected

• Drupal core 7.x versions prior to 7.13.

Solution

Install the latest version:

• If you use Drupal 7.x, upgrade to Drupal core 7.13

Also see the Drupal core project page.

Reported by

• The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
• The unvalidated form redirect vulnerability was reported by Károly Négyesi of the Drupal Security Team and Katsuhiko Nakanishi.
• The access bypass in forum listing vulnerability was reported by Glen W.
• The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
• The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.

Fixed by

• The Denial of Service was fixed by Károly Négyesi of the Drupal Security Team.
• The unvalidated form redirect was fixed by Wolfgang Ziegler and Stéphane Corlosquet of the Drupal Security Team.
• The access bypass in forum listing was fixed by Michael Hess of the Drupal Security Team, Ben Jeavons of the Drupal Security Team and xjm.
• The Access bypass for private images was fixed by Károly Négyesi of the Drupal Security Team, Damien Tournoud of the Drupal Security Team, Greg Knaddison of the Drupal Security Team, Stéphane Corlosquet of the Drupal Security Team, Xenza and frega.
• The Access bypass for content administration was fixed by Jennifer Hodgdon.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CORE-2012-002
• Project: Drupal core
• Version: 7.x
• Date: 2012-May-2
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect

Description Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.

Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.

Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission.

Versions affected

• Drupal core 7.x versions prior to 7.13.

Solution

Install the latest version:

• If you use Drupal 7.x, upgrade to Drupal core 7.13

Also see the Drupal core project page.

Reported by

• The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
• The unvalidated form redirect vulnerability was reported by Károly Négyesi of the Drupal Security Team and Katsuhiko Nakanishi.
• The access bypass in forum listing vulnerability was reported by Glen W.
• The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
• The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.

Fixed by

• The Denial of Service was fixed by Károly Négyesi of the Drupal Security Team.
• The unvalidated form redirect was fixed by Wolfgang Ziegler and Stéphane Corlosquet of the Drupal Security Team.
• The access bypass in forum listing was fixed by Michael Hess of the Drupal Security Team, Ben Jeavons of the Drupal Security Team and xjm.
• The Access bypass for private images was fixed by Károly Négyesi of the Drupal Security Team, Damien Tournoud of the Drupal Security Team, Greg Knaddison of the Drupal Security Team, Stéphane Corlosquet of the Drupal Security Team, Xenza and frega.
• The Access bypass for content administration was fixed by Jennifer Hodgdon.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CORE-2012-001
• Project: Drupal core
• Version: 6.x, 7.x
• Date: 2012-February-01
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities

Description Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected

• Drupal 6.x core prior to 6.23.
• Drupal 7.x core prior to 7.11.

Solution

Install the latest version:

• If you use Drupal 6.x upgrade to 6.23
• If you use Drupal 7.x upgrade to 7.11

See also the Drupal core project page.

Reported by

• The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
• The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
• The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.

Fixed by

• Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
• OpenID issue fixed by Vojtech Kusy and Christian Schmidt
• The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CORE-2012-001
• Project: Drupal core
• Version: 6.x, 7.x
• Date: 2012-February-01
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities

Description Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected

• Drupal 6.x core prior to 6.23.
• Drupal 7.x core prior to 7.11.

Solution

Install the latest version:

• If you use Drupal 6.x upgrade to 6.23
• If you use Drupal 7.x upgrade to 7.11

See also the Drupal core project page.

Reported by

• The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
• The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
• The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.

Fixed by

• Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
• OpenID issue fixed by Vojtech Kusy and Christian Schmidt
• The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.