Posts Tagged: drupal web designers

RFP ROBOT: Website Request for Proposal Generator

The time has come for a new website (or a website redesign), which means you need to write a website request for proposal, or web RFP. A Google search produces a few examples, but they vary wildly and don't really seem to speak to your goals for developing a new website or redesigning an existing one. You need to write a website RFP that will clearly articulate your needs and generate responses from the best website designers and developers out there. But how?

Have no fear, RFP Robot is here. He will walk you through a step-by-step process to help you work through the details of your project and create a PDF-formatted website design RFP that provides the information vendors need to write an accurate bid. RFP Robot will tell you what information to include, point out pitfalls, and give examples.


Drupal Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2016-002

Advisory ID: DRUPAL-SA-CORE-2016-002
Project: Drupal core
Version: 7.x, 8.x
Date: 2016-June-15
Security risk: 11/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass, Multiple vulnerabilities

Description

Saving user accounts can sometimes grant the user all roles (User module – Drupal 7 – Moderately Critical)

A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access. This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form.

Views can allow unauthorized users to see Statistics information (Views module – Drupal 8 – Less Critical)

An access bypass vulnerability exists in the Views module, where users without the “View content count” permission can see the…


Drupal Core – Critical – Multiple Vulnerabilities – SA-CORE-2016-001

Advisory ID: SA-CORE-2016-001
Project: Drupal core
Version: 6.x, 7.x, 8.x
Date: 2016-February-24
Security risk: 15/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Multiple vulnerabilities

Description

File upload access bypass and denial of service (File module – Drupal 7 and 8 – Moderately Critical)

A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved. This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.

Brute force amplification attacks via XML-RPC (XML-RPC server – Drupal 6 and 7 – Moderately Critical)

The…


Drupal Core – Overlay – Less Critical – Open Redirect – SA-CORE-2015-004

Advisory ID: DRUPAL-SA-CORE-2015-004
Project: Drupal core
Version: 7.x
Date: 2015-October-21
Security risk: 9/25 (Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: Open Redirect

Description

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. This vulnerability is mitigated by the fact that it can only be used against site users who have the “Access the administrative overlay” permission, and that the Overlay module must be enabled. An incomplete fix for this issue was released as part of SA-CORE-2015-002.

CVE identifier(s) issued

CVE-2015-7943

Versions affected

Drupal core 7.x versions prior to 7.41.

Solution

Install the latest version: If you use Drupal 7.x, upgrade to Drupal 7.41. Also see the Drupal core project page.

Reported by Samuel Mortenson Pere…


Drupal Core – Critical – Multiple Vulnerabilities – SA-CORE-2015-003

Advisory ID: DRUPAL-SA-CORE-2015-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2015-August-19
Security risk: 18/25 (Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All
Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities

This security advisory fixes multiple vulnerabilities. See below for a list.

Cross-site Scripting – Ajax system – Drupal 7

A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element. This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML. Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting – Autocomplete system – Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized. This vulnerability is mitigated by the fact that the malicious user must be allowed to upload…


Drupal Core – Critical – Multiple Vulnerabilities – SA-CORE-2015-002

Advisory ID: DRUPAL-SA-CORE-2015-002
Project: Drupal core
Version: 6.x, 7.x
Date: 2015-June-17
Security risk: 15/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilities

Description

Impersonation (OpenID module – Drupal 6 and 7 – Critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).

Open redirect (Field UI module – Drupal 7 – Less critical)

The Field UI module uses a “destinations” query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a…


Drupal Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2015-001

Advisory ID: DRUPAL-SA-CORE-2015-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2015-March-18
Security risk: 14/25 (Moderately Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Open Redirect, Multiple vulnerabilities

Description

Access bypass (Password reset URLs – Drupal 6 and 7)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user’s account without knowing the account’s password. In Drupal 7, this vulnerability is mitigated by the fact that it can only be exploited on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. In Drupal 6, it can additionally be exploited on sites where administrators have created multiple new user accounts with the same password via the administrative interface, or where accounts have been imported or programmatically edited in a way that results in the password hash in…


Drupal Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2014-006

Advisory ID: DRUPAL-SA-CORE-2014-006
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-November-19
Security risk: 14/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Multiple vulnerabilities

Description

Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user’s session, allowing an attacker to hijack a random session. This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content (“mixed-mode”), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). This vulnerability can be exploited by anonymous users.…


SA-CORE-2014-005 – Drupal core – SQL injection

Advisory ID: DRUPAL-SA-CORE-2014-005
Project: Drupal core
Version: 7.x
Date: 2014-Oct-15
Security risk: 25/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:All
Vulnerability: SQL Injection

Description

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

Update: Multiple exploits have been reported in the wild following the release of this security advisory, and Drupal 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: https://www.drupal.org/PSA-2014-003

CVE identifier(s) issued

CVE-2014-3704

Versions affected

Drupal core 7.x versions prior to 7.32.

Solution

Install the latest version: If you use…


SA-CORE-2014-004 – Drupal core – Denial of service

Advisory ID: DRUPAL-SA-CORE-2014-004
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-August-06
Security risk: 13/25 (Moderately Critical) AC:None/A:None/CI:None/II:None/E:Proof/TD:100
Exploitable from: Remote
Vulnerability: Denial of service

Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site’s database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service). All Drupal sites are vulnerable to this attack whether XML-RPC is used or not. In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled). This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued

CVE-2014-5265 has…


SA-CORE-2014-003 – Drupal core – Multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2014-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-July-16
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Denial of service with malicious HTTP Host header (Base system – Drupal 6 and 7 – Critical)

Drupal core’s multisite feature dynamically determines which configuration file to use based on the HTTP Host header. The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don’t actually use the multisite feature.

Access bypass (File module – Drupal 7 – Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn’t sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to…


SA-CORE-2014-002 – Drupal core – Information Disclosure

Advisory ID: DRUPAL-SA-CORE-2014-002
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-April-16
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Information Disclosure

Description

Drupal’s form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server. When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span…


SA-CORE-2014-001 – Drupal core – Multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2014-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-January-15
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Impersonation (OpenID module – Drupal 6 and 7 – Highly critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. This vulnerability is mitigated by the fact that the malicious user must have an account on the site (or be able to create one), and the victim must have an account with one or more associated OpenID identities.

Access bypass (Taxonomy module – Drupal 7 – Moderately critical)

The Taxonomy module provides various listing pages which display content tagged with a particular taxonomy term. Custom or contributed modules may also provide similar lists. Under certain circumstances,…


SA-CORE-2013-003 – Drupal core – Multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2013-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation – Drupal 6 and 7)

Drupal’s form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Given that the CSRF protection is an especially important validation, the Drupal core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails. This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were…


SA-CORE-2013-002 – Drupal core – Denial of service

Advisory ID: DRUPAL-SA-CORE-2013-002
Project: Drupal core
Version: 7.x
Date: 2013-February-20
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of service

Description

Drupal core’s Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive. Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.

CVE identifier(s) issued

CVE-2013-0316

Versions affected

Drupal core 7.x versions prior to 7.20.

Solution

Install the latest version: If you use Drupal 7.x, upgrade to Drupal core 7.20. Also see the Drupal core project page.

Reported by Bèr Kessels…


SA-CORE-2013-001 – Drupal core – Multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2013-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-January-16
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting, Access bypass

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Cross-site scripting (Various core and contributed modules – Drupal 6 and 7)

A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery, causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue. jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection. Although the fix added…


SA-CORE-2012-004 – Drupal core – Multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2012-004
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-December-19
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Arbitrary PHP code execution

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Access bypass (User module search – Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users. This vulnerability is mitigated by the fact that the default Drupal core user search results only display usernames (and disclosure of usernames is not considered a security vulnerability). However, since modules or themes may override the search results to display more information from each user’s profile, this could result in additional information about blocked users being disclosed on some sites.

Access bypass (Upload module – Drupal 6)

A vulnerability was identified that allows information about uploaded files…


SA-CORE-2012-003 – Drupal core – Arbitrary PHP code execution and Information disclosure

Advisory ID: DRUPAL-SA-CORE-2012-003
Project: Drupal core
Version: 7.x
Date: 2012-October-17
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Information Disclosure, Arbitrary PHP code execution

Description

Multiple vulnerabilities were discovered in Drupal core.

Arbitrary PHP code execution

A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server. This vulnerability is mitigated by the fact that the re-installation can only be successful if the site’s settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php,…


SA-CORE-2012-002 – Drupal core multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2012-002
Project: Drupal core
Version: 7.x
Date: 2012-May-2
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect

Description

Denial of Service
CVE: CVE-2012-1588

Drupal core’s text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal’s text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system, such as a role with the “post comments” or “Forum topic: Create new content” permission.

Unvalidated form redirect
CVE: CVE-2012-1589

Drupal core’s Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script…


SA-CORE-2012-001 – Drupal core multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-February-01
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities

Description

Cross Site Request Forgery vulnerability in Aggregator module
CVE: CVE-2012-0826

An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service. This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX
CVE: CVE-2012-0825

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users’ information. This issue affects Drupal 6.x and 7.x.

Access bypass in File module
CVE: CVE-2012-0827

When using private files in combination with certain field access modules, the…

