Multiple Vulnerabilities in various modules for Drupal 6.x, 7.x

    Severity Rating: Medium

    Systems Affected
    • Drupal 6.x and 7.x

    Components Affected
    • Webform Patched 6.x-3.x versions prior to 6.x-3.20
    • Webform Patched 7.x-3.x versions prior to 7.x-3.20
    • Twilio 7.x-1.x versions prior to 7.x-1.9
    • Services 7.x-3.x versions prior to 7.x-3.10

    Overview
    Multiple vulnerabilities have been reported in contributed Drupal modules. A remote attacker could exploit them to conduct Cross Site Scripting (XSS) attacks, read sensitive configuration, or bypass certain security restrictions.

    Description
    1. Cross Site Scripting vulnerability in Webform patched module

    The Webform patched module does not sanitize field label titles before output: when two fields share the same form_key, the label of the conflicting field is rendered into the page unescaped.
    A malicious user could exploit this to conduct Cross Site Scripting (XSS) attacks in the context of the affected site.

    Note: Successful exploitation requires that the attacker possess a role with the permission "create webform content".
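    The escaping mistake behind this class of bug, as an added example (not code from the Webform patched module or Drupal core): Drupal's t() and format_string() treat '@var' placeholders as escaped, '%var' as escaped and emphasised, and '!var' as raw HTML, so a user-controlled label passed through '!' lands in the page verbatim. The script below re-implements those placeholder rules in plain PHP so it runs without Drupal; the duplicate-form_key message and the function names are assumptions.

```php
<?php
// Added example, not code from the Webform patched module or Drupal core.
// check_plain_like() and format_string_like() are simplified stand-ins for
// Drupal's check_plain() and format_string() so the script runs without Drupal.

function check_plain_like(string $text): string {
  // HTML-escape for output in an HTML context (what Drupal's check_plain() does).
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Placeholder rules shared by t() and format_string(): '@var' is escaped,
// '%var' is escaped and wrapped in <em>, '!var' is inserted as raw HTML.
function format_string_like(string $message, array $args): string {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = check_plain_like($value);
        break;
      case '%':
        $args[$key] = '<em class="placeholder">' . check_plain_like($value) . '</em>';
        break;
      default:
        // '!' placeholders are only safe when the value is trusted HTML.
        break;
    }
  }
  return strtr($message, $args);
}

// Assumed message shown when a second field reuses an existing form_key.
// Vulnerable: the attacker-controlled label goes through a raw '!' placeholder.
function duplicate_key_error_unsafe(string $label): string {
  return format_string_like('The key is already used by the field !label.', ['!label' => $label]);
}

// Fixed: the label goes through an escaping '@' placeholder.
function duplicate_key_error_safe(string $label): string {
  return format_string_like('The key is already used by the field @label.', ['@label' => $label]);
}

// Constructed label that a user with "create webform content" could save.
$label = '<script>alert(document.cookie)</script>';
echo duplicate_key_error_unsafe($label), "\n"; // the <script> tag reaches the page intact
echo duplicate_key_error_safe($label), "\n";   // angle brackets are entity-encoded
```

    When reviewing a module for this pattern, grep for '!' placeholders in t() and format_string() calls and for labels concatenated straight into form_set_error() or drupal_set_message() strings; anything that originates from a node or field editor belongs behind '@' or check_plain().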

    2. Information disclosure vulnerability in Twilio Module

    The module discloses sensitive information: the pages for viewing and editing the Twilio authentication tokens are guarded only by the "access administration pages" permission, which is commonly granted to less trusted users, so any user holding that permission can read the credentials.

    Note: Successful exploitation requires that the attacker possess a role with the permission "access administration pages".
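    The fix pattern for this class of issue, as an added example that is not the Twilio module's code: declare a dedicated, restricted permission and require it on the route that exposes the credentials instead of the broad "access administration pages" permission. The script mimics Drupal 7's hook_permission(), hook_menu() and user_access() in plain PHP so it runs without Drupal; the module name "mymodule", the path and the role data are assumptions.

```php
<?php
// Added example, not the Twilio module's code. Plain PHP stand-ins for
// Drupal 7's hook_permission(), hook_menu() and user_access(), so it runs
// without Drupal. "mymodule", the path and the roles below are assumptions.

// What hook_permission() would return. 'restrict access' => TRUE flags the
// permission as security-sensitive on the permissions admin page.
function mymodule_permission(): array {
  return [
    'administer mymodule' => [
      'title' => 'Administer mymodule',
      'description' => 'View and change the stored API account SID and auth token.',
      'restrict access' => TRUE,
    ],
  ];
}

// What hook_menu() would return, with the access requirement switchable
// between the weak (original) and hardened (fixed) setting.
function mymodule_menu(bool $hardened): array {
  $items = [];
  $items['admin/config/services/mymodule'] = [
    'title' => 'mymodule settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => ['mymodule_settings_form'],
    // Weak: anyone allowed into the admin section can read the token.
    // Hardened: a dedicated permission that only real administrators hold.
    'access arguments' => [$hardened ? 'administer mymodule' : 'access administration pages'],
  ];
  return $items;
}

// Stand-in for user_access(): does this user's permission set contain $permission?
function user_access_like(string $permission, array $user_permissions): bool {
  return in_array($permission, $user_permissions, true);
}

// Evaluate the menu item's access arguments the way the menu router does.
function can_view_settings(array $user_permissions, bool $hardened): bool {
  $item = mymodule_menu($hardened)['admin/config/services/mymodule'];
  foreach ($item['access arguments'] as $permission) {
    if (!user_access_like($permission, $user_permissions)) {
      return false;
    }
  }
  return true;
}

// Constructed roles: an editor who may see the admin section, and a site admin.
$editor = ['access content', 'access administration pages'];
$admin  = ['access content', 'access administration pages', 'administer mymodule'];

var_dump(can_view_settings($editor, false)); // weak route: the editor reaches the token page
var_dump(can_view_settings($editor, true));  // hardened route: the editor is denied
var_dump(can_view_settings($admin, true));   // hardened route: the admin is still allowed
```

    On Drupal 6 the equivalent declaration hook is hook_perm(). Because the tokens were readable by every user who held the broad permission before the update, treat them as exposed and rotate them in the Twilio console after patching.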



    3. Access Bypass Vulnerability in Services Module

    The module sets a weak password in _user_resource_create() when new accounts are created through the Services user resource.
    An attacker can brute-force the resulting password and log in as the newly created user.

    Note: Successful exploitation requires that the user resource is enabled and that new user registration is permitted via Services.
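    An added example of the fix pattern for a user-creation resource, not the Services module's code: when the client omits a password, generate an unguessable one from the CSPRNG rather than falling back to a predictable value. The request shape, the function names and the fixed "changeme" fallback standing in for the weak value are assumptions; the advisory does not state what the weak password was.

```php
<?php
// Added example, not the Services module's code. The weak fallback is an
// assumed illustration; the hardened version draws from random_int().

const PASSWORD_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Generate a password from a cryptographically secure source, similar in
// spirit to Drupal's user_password(), with a uniform draw over the alphabet.
function strong_password(int $length = 12): string {
  $alphabet = PASSWORD_ALPHABET;
  $max = strlen($alphabet) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    $pass .= $alphabet[random_int(0, $max)];
  }
  return $pass;
}

// Bits of entropy of a password drawn uniformly from the alphabet: this is
// what a brute-force attacker has to search, 62^12 for the default length.
function password_entropy_bits(int $length): float {
  return $length * log(strlen(PASSWORD_ALPHABET), 2);
}

// Weak pattern (assumed for illustration): every account created without a
// 'pass' field receives the same guessable value.
function user_resource_create_weak(array $data): array {
  $data['pass'] = $data['pass'] ?? 'changeme';
  return $data;
}

// Hardened: keep a caller-supplied password, otherwise generate one and flag
// it so the caller can send a one-time login link instead of the password.
function user_resource_create_hardened(array $data): array {
  if (!isset($data['pass']) || $data['pass'] === '') {
    $data['pass'] = strong_password();
    $data['generated_pass'] = true;
  }
  return $data;
}

// Constructed client payload with no password field.
$request = ['name' => 'alice', 'mail' => 'alice@example.com'];
$weak = user_resource_create_weak($request);
$safe = user_resource_create_hardened($request);
printf("weak: %s\n", $weak['pass']);
printf("hardened: %s (%.1f bits of entropy)\n", $safe['pass'], password_entropy_bits(strlen($safe['pass'])));
```

    Whether the resource generates a password or requires one, the generated value should not be returned in the API response; on Drupal 7, user_pass_reset_url() gives the new user a one-time login link without exposing the password at all.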

    4. Cross Site Scripting (XSS) Vulnerability in Services Module

    The JSONP response formatter echoes the callback parameter into the response body without filtering it, so attacker-supplied markup reaches the client unchanged.
    An attacker may leverage this issue to execute arbitrary JavaScript and conduct Cross Site Scripting.

    Note: The vulnerability is mitigated by the fact that JSONP is not enabled by default in the REST server response formatters, and that the HTTP client's Accept header must be set to text/javascript or
    application/javascript if the "xml" formatter is enabled.
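    As an added example, not the Services module's code, here is a JSONP formatter that echoes the callback unfiltered beside one that allowlists the callback name, hex-escapes HTML-significant characters in the JSON body, and sends a script content type with nosniff. The function names and the sample payload are assumptions.

```php
<?php
// Added example, not the Services module's code. Function names and the
// sample data are assumptions.

function jsonp_unsafe(array $data, string $callback): string {
  // Vulnerable: whatever the client sends as ?callback= is written into the body.
  return $callback . '(' . json_encode($data) . ');';
}

// Allow only a JavaScript identifier or a dotted member path such as
// jQuery123_cb or app.handlers.cb; anything else (spaces, <, >, quotes, //) fails.
function is_valid_jsonp_callback(string $callback): bool {
  return (bool) preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/', $callback);
}

function jsonp_safe(array $data, string $callback): array {
  if (!is_valid_jsonp_callback($callback)) {
    return [
      'status' => 400,
      'headers' => ['Content-Type' => 'text/plain; charset=utf-8'],
      'body' => 'Invalid callback',
    ];
  }
  // JSON_HEX_* flags keep <, >, &, ' and " out of the body, and the leading
  // comment blocks the response from being interpreted as a binary (Flash) file.
  $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
  return [
    'status' => 200,
    'headers' => [
      'Content-Type' => 'application/javascript; charset=utf-8',
      'X-Content-Type-Options' => 'nosniff',
    ],
    'body' => '/**/' . $callback . '(' . $json . ');',
  ];
}

// Constructed data and a constructed attacker callback: rendered as HTML, the
// script tag executes and the trailing // comments out the rest of the line.
$data = ['status' => 'ok', 'user' => 'alice'];
$evil = '<script>alert(1)</script>//';

echo jsonp_unsafe($data, $evil), "\n";   // the script tag is emitted verbatim
print_r(jsonp_safe($data, $evil));        // rejected with status 400
print_r(jsonp_safe($data, 'jQuery123_cb')); // accepted, served as JavaScript
```

    Even with the allowlist in place, leaving JSONP disabled unless a specific cross-origin client needs it is the safer default, which is also why the advisory rates this issue as mitigated.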



    Solution
    Apply the updates listed in the Drupal security advisories below:

    https://www.drupal.org/node/2344369
    https://www.drupal.org/node/2344363
    https://www.drupal.org/node/2344389


    Vendor Information

    Drupal
    https://drupal.org/security/contrib
    https://www.drupal.org/node/2344369
    https://www.drupal.org/node/2344363
    https://www.drupal.org/node/2344389

    References

    Drupal
    https://drupal.org/security/contrib
    https://www.drupal.org/node/2344369
    https://www.drupal.org/node/2344363
    https://www.drupal.org/node/2344389

    Vigilance
    http://vigilance.fr/vulnerability/Dr...isclosure-15409
    http://vigilance.fr/vulnerability/Dr...cripting-15410