Changes between Initial Version and Version 1 of Ticket #809
Timestamp: 11/20/14 10:52:01 (2 years ago)
Ticket #809
- Property Summary changed from [Security-news] SA-CONTRIB-2014-115 - Form Builder - Cross-Site Scripting (XSS) to [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006
Ticket #809 – Description
Lines prefixed with "-" are from the initial version, lines prefixed with "+" are from version 1, unprefixed lines are unchanged in both, and "…" marks unchanged lines that the diff view skipped.

- View online: https://www.drupal.org/node/2378441
+ View online: https://www.drupal.org/SA-CORE-2014-006

- * Advisory ID: DRUPAL-SA-CONTRIB-2014-115
- * Project: Form Builder [1] (third-party module)
+ * Advisory ID: DRUPAL-SA-CORE-2014-006
+ * Project: Drupal core [1]
  * Version: 6.x, 7.x
  * Date: 2014-November-19
  * Security risk: 14/25 (Moderately Critical)
- AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
- * Vulnerability: Cross Site Scripting
+ AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
+ * Vulnerability: Multiple vulnerabilities

  -------- DESCRIPTION
  ---------------------------------------------------------

- The Form Builder module enables users to build entire Form API structures
- through a graphical, AJAX-like interface.
+ .... Session hijacking (Drupal 6 and 7)

- The module doesn't sufficiently sanitize form titles in some cases.
+ A specially crafted request can give a user access to another user's session,
+ allowing an attacker to hijack a random session.

- This vulnerability is mitigated by the fact that an attacker must have a role
- with the permission to create forms in another module that depends on Form
- Builder, such as Survey Builder, Webform, or others.
+ This attack is known to be possible on certain Drupal 7 sites which serve
+ both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are
+ other attack vectors for both Drupal 6 and Drupal 7.
+
+ .... Denial of service (Drupal 7 only)
+
+ Drupal 7 includes a password hashing API to ensure that user supplied
+ passwords are not stored in plain text.
+
+ A vulnerability in this API allows an attacker to send specially crafted
+ requests resulting in CPU and memory exhaustion. This may lead to the site
+ becoming unavailable or unresponsive (denial of service).
+
+ This vulnerability can be exploited by anonymous users.

…
  --------------------------------------------
- * /A CVE identifier [3] will be requested, and added upon issuance, in
+ * /A CVE identifier [4] will be requested, and added upon issuance, in
  accordance
  with Drupal Security Team processes./
…
  ---------------------------------------------------
- * Form Builder 7.x-1.x versions prior to 7.x-1.6.
- * Form Builder 6.x-1.x versions prior to 6.x-1.6.
-
- Drupal core is not affected. If you do not use the contributed Form Builder
- [4] module,
- there is nothing you need to do.
+ * Drupal core 6.x versions prior to 6.34.
+ * Drupal core 7.x versions prior to 7.34.

  -------- SOLUTION
…
  Install the latest version:

- * If you use the Form Builder module for Drupal 7.x, upgrade to Form
- Builder
- 7.x-1.6 [5]
- * If you use the Form Builder module for Drupal 6.x, upgrade to Form
- Builder
- 6.x-1.6 [6]
+ * If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
+ * If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]

- Also see the Form Builder [7] project page.
+ If you have configured a custom password.inc file for your Drupal 7 site you
+ also need to make sure that it is not prone to the same denial of service
+ vulnerability. See also the similar security advisory for the Drupal 6
+ contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]
+
+ Also see the Drupal core [8] project page.

  -------- REPORTED BY
  ---------------------------------------------------------

- * Matt Vance [8] provisional member of the Drupal Security Team
+ Session hijacking:
+
+ * Aaron Averill [9]
+
+ Denial of service:
+
+ * Michael Cullum [10]
+ * Javier Nieto [11]
+ * Andrés Rojas Guerrero [12]

  -------- FIXED BY
  ------------------------------------------------------------

- * Francisco José Cruz Romanos [9] provisional member of the Drupal
- Security
- Team
- * Nate Haug [10]
+ Session hijacking:
+
+ * Klaus Purer [13] of the Drupal Security Team
+ * David Rothstein [14] of the Drupal Security Team
+ * Peter Wolanin [15] of the Drupal Security Team
+
+ Denial of service:
+
+ * Klaus Purer [16] of the Drupal Security Team
+ * Peter Wolanin [17] of the Drupal Security Team
+ * Heine Deelstra [18] of the Drupal Security Team
+ * Tom Phethean [19]

  -------- COORDINATED BY
  ------------------------------------------------------

- * Matt Vance [11] provisional member of the Drupal Security Team
+ * The Drupal Security Team

  -------- CONTACT AND MORE INFORMATION
…
  The Drupal security team can be reached at security at drupal.org or via the
- contact form at https://www.drupal.org/contact [12].
+ contact form at https://www.drupal.org/contact [20].

- Learn more about the Drupal Security team and their policies [13], writing
- secure code for Drupal [14], and securing your site [15].
+ Learn more about the Drupal Security team and their policies [21], writing
+ secure code for Drupal [22], and securing your site [23].

  Follow the Drupal Security Team on Twitter at
- https://twitter.com/drupalsecurity [16]
+ https://twitter.com/drupalsecurity [24]


- [1] https://www.drupal.org/project/form_builder
+ [1] https://www.drupal.org/project/drupal
  [2] https://www.drupal.org/security-team/risk-levels
- [3] http://cve.mitre.org/
- [4] https://www.drupal.org/project/form_builder
- [5] https://www.drupal.org/node/2378445
- [6] https://www.drupal.org/node/2378433
- [7] https://www.drupal.org/project/form_builder
- [8] https://www.drupal.org/user/88338
- [9] https://www.drupal.org/user/848238
- [10] https://www.drupal.org/user/35821
- [11] https://www.drupal.org/user/88338
- [12] https://www.drupal.org/contact
- [13] https://www.drupal.org/security-team
- [14] https://www.drupal.org/writing-secure-code
- [15] https://www.drupal.org/security/secure-configuration
- [16] https://twitter.com/drupalsecurity
+ [3] https://www.drupal.org/https-information
+ [4] http://cve.mitre.org/
+ [5] https://www.drupal.org/drupal-6.34-release-notes
+ [6] https://www.drupal.org/drupal-7.34-release-notes
+ [7] https://www.drupal.org/node/2378367
+ [8] https://www.drupal.org/project/drupal
+ [9] https://www.drupal.org/user/1317732
+ [10] https://www.drupal.org/u/MichaelCu
+ [11] https://www.drupal.org/u/jnietotn
+ [12] https://www.drupal.org/u/c0r3dump3d
+ [13] https://www.drupal.org/u/klausi
+ [14] https://www.drupal.org/u/David_Rothstein
+ [15] https://www.drupal.org/u/pwolanin
+ [16] https://www.drupal.org/u/klausi
+ [17] https://www.drupal.org/u/pwolanin
+ [18] https://www.drupal.org/u/Heine
+ [19] https://www.drupal.org/u/tsphethean
+ [20] https://www.drupal.org/contact
+ [21] https://www.drupal.org/security-team
+ [22] https://www.drupal.org/writing-secure-code
+ [23] https://www.drupal.org/security/secure-configuration
+ [24] https://twitter.com/drupalsecurity