Security Watch

Advisory ID: DRUPAL-SA-CORE-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-February-01
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities

Description Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected

Drupal 6.x core prior to 6.23.
Drupal 7.x core prior to 7.11.

Solution

Install the latest version:

If you use Drupal 6.x upgrade to 6.23
If you use Drupal 7.x upgrade to 7.11

SA-CORE-2012-001 - Drupal core multiple vulnerabilities

Drupal security announcement - Wed, 2012-02-01 17:06

Advisory ID: DRUPAL-SA-CORE-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-February-01
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities

Description Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected

Drupal 6.x core prior to 6.23.
Drupal 7.x core prior to 7.11.

Solution

Install the latest version:

If you use Drupal 6.x upgrade to 6.23
If you use Drupal 7.x upgrade to 7.11

TA11-221A: Microsoft Updates for Multiple Vulnerabilities

US-CERT Technical Cyber Security Alerts - Tue, 2012-01-24 20:40

Microsoft Updates for Multiple Vulnerabilities

Categories: Security Watch

TA11-201A: Oracle Updates for Multiple Vulnerabilities

US-CERT Technical Cyber Security Alerts - Tue, 2012-01-10 10:50

Oracle Updates for Multiple Vulnerabilities

Categories: Security Watch

TA11-200A: Security Recommendations to Prevent Cyber Intrusions

US-CERT Technical Cyber Security Alerts - Fri, 2012-01-06 15:25

Security Recommendations to Prevent Cyber Intrusions

Categories: Security Watch

TA11-193A: Microsoft Updates for Multiple Vulnerabilities

US-CERT Technical Cyber Security Alerts - Fri, 2011-12-16 10:45

Microsoft Updates for Multiple Vulnerabilities

Categories: Security Watch

TA11-166A: Adobe Updates for Multiple Vulnerabilities

US-CERT Technical Cyber Security Alerts - Tue, 2011-12-13 13:55

Adobe Updates for Multiple Vulnerabilities

Categories: Security Watch

TA11-165A: Microsoft Updates for Multiple Vulnerabilities

US-CERT Technical Cyber Security Alerts - Tue, 2011-11-08 15:05

Microsoft Updates for Multiple Vulnerabilities

Categories: Security Watch

Security - We will get there

TA12-024A: "Anonymous" DDoS Activity

TA12-010A: Microsoft Updates for Multiple Vulnerabilities

TA12-006A: Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack

TA11-350A: Adobe Updates for Multiple Vulnerabilities

TA11-347A: Microsoft Updates for Multiple Vulnerabilities

TA11-312A: Microsoft Updates for Multiple Vulnerabilities

TA11-286A: Apple Updates for Multiple Vulnerabilities

TA11-284A: Microsoft Updates for Multiple Vulnerabilities

TA11-256A: Microsoft Updates for Multiple Vulnerabilities

TA11-222A: Adobe Updates for Multiple Vulnerabilities

SA-CORE-2012-001 - Drupal core multiple vulnerabilities

SA-CORE-2012-001 - Drupal core multiple vulnerabilities

TA11-221A: Microsoft Updates for Multiple Vulnerabilities

TA11-201A: Oracle Updates for Multiple Vulnerabilities

TA11-200A: Security Recommendations to Prevent Cyber Intrusions

TA11-193A: Microsoft Updates for Multiple Vulnerabilities

TA11-166A: Adobe Updates for Multiple Vulnerabilities

TA11-165A: Microsoft Updates for Multiple Vulnerabilities

Recent blog posts

Recent comments

Syndicate

Security Watch

Navigation