Transition Technology: Ticket Query

#809: [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

paul — Wed, 19 Nov 2014 21:35:25 GMT

View online: https://www.drupal.org/SA-CORE-2014-006

Advisory ID: DRUPAL-SA-CORE-2014-006
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-November-19
Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Multiple vulnerabilities

.... Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

.... Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

/A CVE identifier [4] will be requested, and added upon issuance, in accordance

with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.34.
Drupal core 7.x versions prior to 7.34.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]

Also see the Drupal core [8] project page.

Session hijacking:

Aaron Averill [9]

Denial of service:

Michael Cullum [10]
Javier Nieto [11]
Andrés Rojas Guerrero [12]

Session hijacking:

Klaus Purer [13] of the Drupal Security Team
David Rothstein [14] of the Drupal Security Team
Peter Wolanin [15] of the Drupal Security Team

Denial of service:

Klaus Purer [16] of the Drupal Security Team
Peter Wolanin [17] of the Drupal Security Team
Heine Deelstra [18] of the Drupal Security Team
Tom Phethean [19]

The Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [24]

#741: Views editor disappears in backend

annesley — Thu, 12 Jun 2014 10:42:13 GMT

admin > views > edit the view editor interface appears and then disappears immediately this happens in Chrome / Ubuntu and Firefox / Mac

#715: Views admin pages not visible.

sam — Tue, 08 Apr 2014 14:51:29 GMT

Hi I just tried to access the views admin interface here: https://www.transitionnetwork.org/admin/build/views

It doesn't load the views admin pages, just an overview of the 'site building' pages instead.

The page works as I expect it to on the stage site here: https://stg2.transitionnetwork.org/admin/build/views

I have checked and the module is still enabled, The permissions look right (site admin is allowed to administer views: https://www.transitionnetwork.org/admin/user/permissions)

Anyone got an idea whats going on?

Thanks

Sam

#646: Users denied access when trying to unsubscrbie

ed — Thu, 12 Dec 2013 10:16:23 GMT

I'm getting noticeably more complaints about users not being able to unsubscribe to email notifications for content or comment alerts and/or the newsletter.

The emerging pattern is that they are clicking on the unsubscribe link in their email alerts and going to an access denied page.

My sense says there's something in https/http? Or them not being logged in?

Something is definitely going on.

Adding this to Sam to pick up in January. SAM - tickets like this can bounce around the tech team a bit - stay on it!

#857: Tiny MCE weirdness

sam — Tue, 02 Jun 2015 15:24:33 GMT

Hi Paul,

Myself & Rob have both run into an intermittent issue where when editing a panel page the WYSYWG editor (Tiny MCE) sometimes appears, sometimes doesn't.

When it doesn't appear you are left with the plain text html editor.

There seems to be no obvious pattern to it. So might be a tricky one to debug.

I see the version of Tiny MCE we are using is quite old, so I was thinking perhaps we should just try upgrading it on a dev server and see if that fixes it?

If this seems reasonable could you stick the latest Tiny MCE on your dev server so we could test it out there? Or if you have any other ideas for getting to the bottom of it..

Thanks

Sam

#859: Subscription emails broken

sam — Tue, 16 Jun 2015 13:08:44 GMT

Hi just got this mail

"For some reason I realized I wasn't hearing from Rob. You might want to check your system because mine hasn't changed as far as I know."

Had a look in my inbox & the last mail from Drupal subscription system was on 27th of May.

I may be the guilty party, as I did go in to edit the message around this time.

I'll investigate via the Drupal admin interface, but has anything else happened/ been done that could have stopped the mails?

#742: Stg site to play with

sam — Thu, 12 Jun 2014 14:35:42 GMT

Hi Paul

I'm trying to set up a stage site, just to test rearranging the homepage blocks.

I created a site on the "Transition Network D6 S012 Booker" Platform, but I just get an empty pressflow site: http://stgsam.transitionnetwork.org/

Can I use your stg site to test the block arrangement instead: https://booker-stage-20140501.transitionnetwork.org/

Or could you let me know what might be going wrong?

Thanks

Sam

#802: Slovenian state information missing / 'Not listed' will not submit

sam — Thu, 23 Oct 2014 10:20:29 GMT

User reported: "I'm trying to register our fledgling initiative based in Dovje-Mojstrana, Slovenia. When I select the country, the Province/State? box automatically comes up as not listed. But then when I press preview to be ready to send, it says "The specified province was not found in the specified country." So I can't submit the form :-( Please help! I think we will be the first official Transition town in Slovenia!"

I had a go at creating the initiative in a different country, then editing it to Slovenia as a workaround, but that didn't work either: https://www.transitionnetwork.org/node/37435/edit

Any idea's as to why it won't accept 'not listed' as a valid choice? Or what we can do about it?

Thanks

Sam

#834: Slovenian State info missing again

sam — Thu, 26 Feb 2015 10:41:47 GMT

Hi Paul

The change that you made in this ticket: https://trac.transitionnetwork.org/trac/ticket/802

Seems to have been lost. I am no longer able to edit https://www.transitionnetwork.org/node/37435/edit

As the state/province information is missing.

Could you re-do the change please?

Thanks

Sam

#874: Please check & then install Georss if no problems

sam — Tue, 29 Sep 2015 13:31:02 GMT

Hi Paul

We'd like to play around with generating Georss from our current site.

Could you have a glance at the code /test https://www.drupal.org/project/georss

If it seems like it's going to be unproblematic then please install it on the live site.

Thanks

Sam

#701: Emails & Telephone calls

paul — Tue, 18 Mar 2014 09:38:24 GMT

#711: Emails & Telephone calls

paul — Tue, 01 Apr 2014 13:47:56 GMT

#689: Duplicate comments

sam — Fri, 14 Feb 2014 12:21:23 GMT

Hi I got the below message from Mike. Paul could you take a look if you have a minute?

Thanks

Sam

I am noticing that many of the comments are being duplicated quite often - sometimes once and Rob's last comments was added twice. I've been deleting them but will be offline from now over the weekend.

This article is getting lots of comments https://www.transitionnetwork.org/blogs/rob-hopkins/2014-02/open-letter-bbc-lord-lawsons-today-programme-appearance

#712: Create a new stgX.transitionnetwork.org site

sam — Tue, 01 Apr 2014 15:03:53 GMT

Hi Paul

I have been trying to build a staging site using your Github repository with the changes you made for ticket : https://trac.transitionnetwork.org/trac/ticket/693

I have edited the D6 s008 platform: https://tn.puffin.webarch.net/node/1157/edit to use your makefile.

It builds a site, but I just get an empty pressflow site at the end.

Could you build a staging site using your makefile?

Thanks

Sam

#727: Change background on block from orange to white

sam — Fri, 16 May 2014 10:02:17 GMT

Hi Ben

Rob wants a list of the themes presented in a block.

I did the block: https://www.transitionnetwork.org/admin/build/block/configure/block/97

But it appears with an orange background. The block is visible towards the bottom of the page (for logged in admins) here: https://www.transitionnetwork.org/blogs/rob-hopkins

If I put the block on other pages it appears with a white background.

I tried to hack it with some inline CSS but failed.

Could you take a look?

Thanks

Sam

#758: * Advisory ID: DRUPAL-SA-CORE-2014-003

paul — Wed, 16 Jul 2014 21:55:29 GMT

View online: https://www.drupal.org/SA-CORE-2014-003

Advisory ID: DRUPAL-SA-CORE-2014-003
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-July-16
Security risk: Critical [2]
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

.... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability.

.... Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField? [3] module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField? - Access bypass [4]) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

.... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

.... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

/A CVE identifier [5] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.32.
Drupal core 7.x versions prior to 7.29.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.32. [6]
If you use Drupal 7.x, upgrade to Drupal core 7.29. [7]

Also see the Drupal core [8] project page.

The denial of service vulnerability using malicious HTTP Host headers was

reported by Régis Leroy [9].

The access bypass vulnerability in the File module was reported by Ivan

Ch [10].

The cross-site scripting vulnerability with Form API option groups was

reported by Károly Négyesi [11].

The cross-site scripting vulnerability in the Ajax system was reported by

mani22test [12].

The denial of service vulnerability using malicious HTTP Host headers was

fixed by Régis Leroy [13], and by Klaus Purer [14] of the Drupal Security Team.

The access bypass vulnerability in the File module was fixed by Nate Haug

[15] and Ivan Ch [16], and by Drupal Security Team members David Rothstein [17], Heine Deelstra [18] and David Snopek [19].

The cross-site scripting vulnerability with Form API option groups was

fixed by Greg Knaddison [20] of the Drupal Security Team.

The cross-site scripting vulnerability in the Ajax system was fixed by

Neil Drumm [21] of the Drupal Security Team.

The Drupal Security Team [22]

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [23].

Learn more about the Drupal Security team and their policies [24], writing secure code for Drupal [25], and securing your site [26].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [27]

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#836: "Date is invalid" on film content type

sam — Thu, 05 Mar 2015 14:30:22 GMT

Hi Paul

Don't spend more than half an hour on this, if it takes longer I'll just remove the date field instead.

If I edit: https://www.transitionnetwork.org/node/35510/edit

Or add https://www.transitionnetwork.org/node/add/films

A film, the website it returns a "Year is invalid." error.

In the settings it's set to 'Y' https://www.transitionnetwork.org/admin/content/node-type/films/fields/field_film_year

I'm entering a four digit date, eg 2010

Any ideas?

Thanks

Sam