SA-CORE-2012-001 – Drupal core multiple vulnerabilities

rfp-robotRFP ROBOT: Website Request for Proposal Generator

The time has come for a new website (or website redesign), which means you need to write a website request for proposal or web RFP. A Google search produces a few examples, but they vary wildly and don’t seem to speak really to your goals for developing or redesigning a new website. You need to write a website RFP that will clearly articulate your needs and generate responses from the best website designers and developers out there. But how?

Have no fear, RFP Robot is here. He will walk you through a step-by-step process to help you work through the details of your project and create a PDF formatted website design RFP that will provide the information vendors need to write an accurate bid. RFP Robot will tell you what info you should include, point out pitfalls, and give examples.


Advisory ID: DRUPAL-SA-CORE-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-February-01
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description
Cross Site Request Forgery vulnerability in Aggregator module
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AX
CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users’ information.
This issue affects Drupal 6.x and 7.x.
Access bypass in File module
CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects Drupal 7.x only.
Versions affected
Drupal 6.x core prior to 6.23.
Drupal 7.x core prior to 7.11.
Solution
Install the latest version:
If you use Drupal 6.x upgrade to 6.23
If you use Drupal 7.x upgrade to 7.11
See also the Drupal core project page.
Reported by
The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.
Fixed by
Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
OpenID issue fixed by Vojtech Kusy and Christian Schmidt
The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.Drupal version: Drupal 6.xDrupal 7.x
Drupal Developer

Posted on February 1, 2012 in Austin Web Designer, Drupal Developer, Drupal Development Austin, Drupal in Austin, Expert Drupal Development, Web Design Services

Share the Story

Back to Top