Drupal security announcement


SA-CORE-2014-004 - Drupal core - Denial of service

Wed, 2014-08-06 13:41
Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued
  • CVE-2014-5265 has been issued for the code changes in xmlrpc.inc which prevent entity declarations and therefore address the "vulnerable to an XML entity expansion attack ... can cause CPU and memory exhaustion" concern.
  • CVE-2014-5266 has been issued for the "Skip parsing if there is an unreasonably large number of tags" in both xmlrpc.inc and xrds.inc.
  • CVE-2014-5267 has been issued for the code change to reject any XRDS document with a /<!DOCTYPE/i match.
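The three CVEs above describe structural checks applied before the PHP XML parser does any work: refuse a document that declares entities, and skip parsing when the tag count is unreasonable. The following is an added example (not Drupal's xmlrpc.inc and not the project's patch) of such a pre-parse guard in front of the expat-based parser; the function names, the tag cap of 30000 and the sample bodies are assumptions constructed for illustration.

```php
<?php
// Added example, not Drupal core's code: a pre-parse guard applying the two
// checks described in SA-CORE-2014-004 to an XML-RPC request body.

// Assumed cap: the advisory only speaks of an "unreasonably large number of tags".
const XMLRPC_GUARD_MAX_TAGS = 30000;

/**
 * Returns NULL when $body may be handed to the parser, otherwise a short reason.
 */
function xmlrpc_guard_reject_reason($body) {
  // Entity declarations (and therefore entity expansion) need a DOCTYPE.
  // A legitimate XML-RPC call never carries one, so refuse it outright.
  if (preg_match('/<!DOCTYPE/i', $body)) {
    return 'doctype present';
  }
  // Count '<' as a cheap upper bound on the number of tags and skip parsing
  // entirely when it is unreasonable, before any CPU or memory is spent.
  if (substr_count($body, '<') > XMLRPC_GUARD_MAX_TAGS) {
    return 'too many tags';
  }
  return NULL;
}

/**
 * Parses $body only after the guard passes and returns the <methodName>
 * text, or FALSE when the body was rejected or is not well-formed.
 */
function xmlrpc_guard_method_name($body) {
  if (xmlrpc_guard_reject_reason($body) !== NULL) {
    return FALSE;
  }
  $method = NULL;
  $capture = FALSE;
  $parser = xml_parser_create();
  xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
  xml_set_element_handler($parser,
    function ($p, $name) use (&$capture) { $capture = ($name === 'methodName'); },
    function ($p, $name) use (&$capture) { $capture = FALSE; }
  );
  xml_set_character_data_handler($parser, function ($p, $data) use (&$capture, &$method) {
    if ($capture) {
      $method .= $data;
    }
  });
  $ok = xml_parse($parser, $body, TRUE);
  xml_parser_free($parser);
  return ($ok && $method !== NULL) ? trim($method) : FALSE;
}

// Constructed request bodies: one ordinary call, one with a DOCTYPE carrying an
// entity declaration, and one whose tag count exceeds the cap.
$benign  = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
$doctype = '<?xml version="1.0"?><!DOCTYPE call [<!ENTITY e "x">]><methodCall><methodName>&e;</methodName></methodCall>';
$flood   = '<methodCall>' . str_repeat('<a/>', XMLRPC_GUARD_MAX_TAGS + 1) . '</methodCall>';

var_dump(xmlrpc_guard_method_name($benign));
var_dump(xmlrpc_guard_reject_reason($doctype));
var_dump(xmlrpc_guard_reject_reason($flood));
```

Both rejections happen on a string scan, so a rejected body never reaches `xml_parse()`; that is the property that matters for a resource-exhaustion bug, since a check performed inside the parser callbacks would already have paid for the expansion.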
Versions affected
  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.
Solution

Install the latest version:

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

Also see the Drupal core project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security Watch

SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

Wed, 2014-07-16 10:48
  • Advisory ID: DRUPAL-SA-CORE-2014-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.
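Because the Host header decides which settings file a multisite install loads, it has to be validated against a strict allow-list before it touches a file system path. The following is an added example (not Drupal core's own validation code) of such a check; the function names, the length limit and the sample headers are assumptions constructed for illustration.

```php
<?php
// Added example, not Drupal core's code: strict Host header validation in
// front of multisite configuration lookup.

/**
 * TRUE only for a plain hostname (optionally with a port) or a bracketed IPv6
 * literal. Path separators, whitespace, control characters and anything else
 * are refused.
 */
function http_host_is_valid($host) {
  // Assumed limit; long enough for any real hostname plus port.
  if (!is_string($host) || $host === '' || strlen($host) > 255) {
    return FALSE;
  }
  $label    = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
  $hostname = '(?:' . $label . '\.)*' . $label . '\.?';
  $ipv6     = '\[[0-9A-Fa-f:.]+\]';
  $port     = '(?::[0-9]{1,5})?';
  // The D modifier stops $ from matching before a trailing newline.
  return (bool) preg_match('/^(?:' . $hostname . '|' . $ipv6 . ')' . $port . '$/D', $host);
}

/**
 * Returns the sites/<host> directory name for a request, or FALSE without
 * touching the file system when the header does not pass validation.
 */
function multisite_site_dir($host) {
  if (!http_host_is_valid($host)) {
    return FALSE;
  }
  // Normalise case and drop the port before building the directory name.
  $host = strtolower(preg_replace('/:[0-9]+$/D', '', $host));
  return 'sites/' . $host;
}

// Constructed sample headers: two valid, one IPv6 literal, one with CRLF
// injected, one carrying path traversal characters.
$samples = array(
  'example.com',
  'Example.COM:8443',
  '[::1]',
  "example.com\r\nX-Injected: 1",
  'example.com/../../etc',
);
foreach ($samples as $h) {
  var_dump(multisite_site_dir($h));
}
```

A caller that receives FALSE should answer the request with a plain 400 response and stop; falling through to a default site quietly would keep the malformed header in play for later code.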

Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.
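The defect class here is a renderer that escapes option text but interpolates the option group label raw. As an added example (not Drupal's Form API code), the two functions below show a minimal select renderer in its vulnerable and hardened forms; the function names and the sample options are assumptions constructed for illustration.

```php
<?php
// Added example, not Drupal's Form API: option group label escaping.

/**
 * Vulnerable: option values and text are escaped, but the optgroup label
 * (which may come from user-managed data such as a vocabulary name) is
 * concatenated into the attribute unescaped.
 */
function render_options_unsafe(array $options) {
  $html = '';
  foreach ($options as $key => $choice) {
    if (is_array($choice)) {
      $html .= '<optgroup label="' . $key . '">' . render_options_unsafe($choice) . '</optgroup>';
    }
    else {
      $html .= '<option value="' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($choice, ENT_QUOTES, 'UTF-8') . '</option>';
    }
  }
  return $html;
}

/**
 * Hardened: every string that reaches the markup, group labels included, goes
 * through the same escaping function.
 */
function render_options_safe(array $options) {
  $e = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
  $html = '';
  foreach ($options as $key => $choice) {
    if (is_array($choice)) {
      $html .= '<optgroup label="' . $e($key) . '">' . render_options_safe($choice) . '</optgroup>';
    }
    else {
      $html .= '<option value="' . $e($key) . '">' . $e($choice) . '</option>';
    }
  }
  return $html;
}

// Constructed options: a group label containing a quote and a '<', which is
// enough to break out of the label attribute in the unsafe renderer.
$options = array(
  'Vocabulary "one" <b>' => array(
    'apple' => 'Apple',
    'pear'  => 'Pear & co',
  ),
  'none' => '- None -',
);

echo '<select>' . render_options_unsafe($options) . "</select>\n";
echo '<select>' . render_options_safe($options) . "</select>\n";
```

Comparing the two outputs shows the label `"` closing the attribute early in the unsafe version, while the hardened version emits `&quot;` and `&lt;` and the attribute stays intact.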

Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.32.
  • Drupal core 7.x versions prior to 7.29.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
  • The access bypass vulnerability in the File module was reported by Ivan Ch.
  • The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
  • The cross-site scripting vulnerability in the Ajax system was reported by mani22test.
Fixed by
  • The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the Drupal Security Team.
  • The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by Drupal Security Team members David Rothstein, Heine Deelstra and David Snopek.
  • The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the Drupal Security Team.
  • The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the Drupal Security Team.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security Watch

How is the module intended to work?

Sat, 2014-06-28 11:16
  • Project: UUID Node Properties
  • Version: 7.x-1.0-beta1
  • Status: Active
  • Priority: Normal
  • Category: Support request
  • Component: Miscellaneous
  • Assigned: Unassigned

If used with deployments, should it add dependencies (e.g., from a leaf book page to its parents) automatically?

It currently does not seem to handle such dependencies. If that's the current state of affairs (which is fine, I can take care in own code) it would be nice however to have an explicit hint on the module page.

Thank you very much for the module, it enables using books with deploy!

Categories: Security Watch

Error when running cron

Sat, 2014-06-28 11:15

When I run cron, I get an error message and a link to https://www.drupal.org/SA-CORE-2013-003

Can someone explain me what this means and how to solve the problem?

Drupal version: Drupal 7.x
Categories: Security Watch

Installing Zend Optimizer on Linux/windows

Sat, 2014-06-28 11:11

Installing in windows

Download Zend Optimizer from following link

http://downloads.php.net/pierre/

You should download the thread-safe one if you are using mod_php with Apache 2 (ZendfOptimizerPlus-20130214-5.3-ts-vc9-x86.zip).

Change the following in your php.ini

;Zend OPtimizer
zend_extension = "C:\php-5.3\ext\php_ZendOptimizerPlus.dll"
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1
;opcache.save_comments=0
;opcache.enable_file_override=1
;XDEBUG
zend_extension = "C:\php-5.3\ext\php_xdebug-2.2.5-5.3-vc9.dll"
xdebug.remote_enable=1
xdebug.remote_host=127.0.0.1
xdebug.remote_port=9000
; Port number must match debugger port number in NetBeans IDE Tools > Options > PHP
xdebug.remote_handler=dbgp
xdebug.profiler_enable=1
xdebug.profiler_output_dir="D:\www\tmp"

If you are using Xdebug, then always load Zend Optimizer before Xdebug, as shown above.

Check the installation with php -v

c:\>php -v
PHP 5.3.28 (cli) (built: Dec 10 2013 22:27:36)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend Optimizer+ v7.0.0, Copyright (c) 1999-2013, by Zend Technologies
    with Xdebug v2.2.5, Copyright (c) 2002-2014, by Derick Rethans

For further optimization please look at https://github.com/zendtech/ZendOptimizerPlus

Installing on Linux

$PHP_DIR/bin/phpize
./configure \
      --with-php-config=$PHP_DIR/bin/php-config
make
make install # this will copy opcache.so into PHP extension directory

Go to https://github.com/zendtech/ZendOptimizerPlus for more information.

Drupal version: Drupal 7.x
Categories: Security Watch

Setting an affiliate value using rules

Sat, 2014-06-28 11:09

I have installed the Affiliate module and am trying to set all of the users as affiliates when they create new accounts as opposed to them having to go into their profile and check the box.

I have tried 2 ways that haven't worked for me, i.e. when I do them users still aren't marked as affiliates without having to go into the profile, turn it on and save the account.

Method 1:

function **edited**(&$edit, $account, $category) {
  if ($account->is_new) {
    $edit['data']['affiliate_optin'] = isset($edit['affiliate_optin']) ? $edit['affiliate_optin'] : 1;
  }
}

Method 2:

I created a rule that executes this custom PHP

affiliate_insert_affiliate([account:uid],1);
affiliate_set_affiliate_status([account:uid],1);
affiliate_optin([account:uid],1);

I am starting to get pretty desperate so any help would be greatly appreciated.

Thanks,

Kris

Drupal version: Drupal 7.x
Categories: Security Watch

How to manage your photos on Flickr.com

Sat, 2014-06-28 10:50

To get the most out of the Drupal Flickr module, on your flickr.com account you should:

  1. complete the information associated with your account and your own photos
  2. put your own photos that you want to embed as a slideshow in photosets (aka 'albums' on Flickr)
  3. put the photos from others you want to embed as an album in galleries (not for your own photos, not available as slideshow)
  4. create an invite-only public group if you intend to display photos of a fixed group of flickr members without the need of giving them permissions on your website, e.g. for a sports club website
  5. know how to find appropriate keywords to fill a site quickly with public images related to the content based on taxonomy terms attached to a post.
Categories: Security Watch

No minimal password length?

Sat, 2014-06-28 10:43
  • Project: Password Reset Landing Page (PRLP)
  • Version: 7.x-1.0
  • Status: Active
  • Priority: Normal
  • Category: Feature request
  • Component: Code
  • Assigned: Unassigned

I installed this module, but I noticed I was able to create passwords with only 1 character?

On my normal password reset I had : https://www.drupal.org/project/password_policy installed, but it seems this module and password_policy don't go together?

Categories: Security Watch

Tests with dependencies do not show up if the dependencies are present

Sat, 2014-06-28 10:34
  • Project: Drupal core
  • Version: 8.x-dev
  • Status: Active
  • Priority: Normal
  • Category: Bug report
  • Component: simpletest.module
  • Assigned: Unassigned

The relevant code checks $dependency_data, but that is not defined anywhere.

We have a test for this, but we only test that we can hide a test, not that a test with valid dependencies shows up

Categories: Security Watch

Nube Question: Satellite Footprint Image Browser

Sat, 2014-06-28 10:28

Design Goal: build a two-panel screen layout, with a list of satellite beams on the left, and a selected satellite footprint image on the right.

Can anyone please recommend a module and/or configuration to do this?

Use Case: A user scrolls through the list of satellite beams in the left window; when the user clicks on any item in the list, an associated image will appear in the right window.

I have already generated the content and view to display the list of satellite beams.

There are probably many ways to do this. I am new to Drupal, so not sure what is the simplest best-practice way of going about this.

Note, I am a moderately experienced programmer, but have never coded anything in Drupal... and willing to learn if recommended.

Thanks,
--Chris Chaudoir

p.s., if interested, what I have done so far is at verticalvector dot com

Drupal version: Drupal 7.x
Categories: Security Watch

Inconsistencies with entity hooks

Sat, 2014-06-28 10:25
  • Project: Drupal core
  • Version: 8.x-dev
  • Status: Active
  • Priority: Normal
  • Category: Bug report
  • Component: entity system
  • Assigned: Unassigned

While I was working on #2216535: Replace Node overview topic and Node API topic with Entity Hooks topic, I noticed several problems with the entity hooks:

a) When the entity CRUD hooks are invoked, the generic ones like hook_entity_create() and hook_entity_load() all have the entity type ID passed in. This was not documented in most of the hook documentation in entity.api.php (I'm fixing that).

However, this is not being tested in entity_crud_hook_test.module where it tests all the entity CRUD hooks. I think that should be fixed?

b) Inconsistency: In all cases but one, the EntityStorageBase::invokeHook() method is used to invoke the entity hooks from the storage controller. This makes the type-specific hook run before the generic hook (hook_ENTITY_TYPE_create() before hook_entity_create() for instance).

However, during load it goes in the opposite order. It seems like this should be reversed? See EntityStorageBase::postLoad().

Categories: Security Watch

.ht.sqlite database folder -- false permissions warning

Sat, 2014-06-28 10:20
  • Project: Security Review
  • Version: 7.x-1.1
  • Status: Active
  • Priority: Normal
  • Category: Bug report
  • Component: Code
  • Assigned: Unassigned

I am receiving a warning about "Web server file system permissions":

The following files and directories appear to be writeable by your web server. In most cases you can fix this by simply altering the file permissions or ownership. If you have command-line access to your host try running "chmod 644 [file path]" where [file path] is one of the following paths (relative to your webroot). For more information consult the Drupal.org handbooks on file permissions.
./sites/default/db

The "db" directory contains the .ht.sqlite database file. This directory, as well as the database file, should be writeable by the web server (permissions 755)! Otherwise (if permissions are 644) the website will be unable to work.

So, there should be no warnings about folders that contain a ".ht.sqlite" file.

Categories: Security Watch