SA-CORE-2012-001 - DrupalCoin Blockchain core multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2012-001
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2012-February-01
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description
Cross Site Request Forgery vulnerability in Aggregator module
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects DrupalCoin Blockchain 6.x and 7.x.
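The standard mitigation for a forced state change like a feed refresh is to bind each refresh link to the user's session and to the specific action with a secret-keyed token, and to reject requests that do not carry it. The following is an added example, not code from the advisory or from the project; it models a refresh endpoint in Python, with a constructed site secret, constructed session ids and a hypothetical Aggregator class. Drupal 6 and 7 expose this pattern through drupal_get_token() and drupal_valid_token(); the token construction below is the generic HMAC form, not the project's exact implementation.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed secret for the example; a real deployment generates one per site
# and never exposes it to the browser.
SITE_SECRET = b"constructed-site-secret-do-not-reuse"


def csrf_token(session_id, action):
    """Token that is valid only for this session AND this action (URL)."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def token_valid(session_id, action, presented):
    """Constant-time comparison; a missing token is simply invalid."""
    if not presented:
        return False
    return hmac.compare_digest(csrf_token(session_id, action), presented)


def refresh_action(feed_id):
    return f"aggregator/refresh/{feed_id}"


def refresh_link(session_id, feed_id):
    """The link the site itself renders for a logged-in admin (query string only)."""
    return urlencode({"token": csrf_token(session_id, refresh_action(feed_id))})


class Aggregator:
    """Hypothetical aggregator with a CSRF-protected refresh endpoint."""

    def __init__(self):
        self.refresh_count = {}

    def handle_refresh_request(self, session_id, feed_id, query_string):
        """Simulates GET .../aggregator/refresh/<feed_id>?token=...

        Returns an HTTP status: 200 only when the token matches the caller's
        session and this feed; otherwise 403 and the feed is NOT fetched, so a
        cross-site page cannot burn the upstream rate limit.
        """
        params = dict(parse_qsl(query_string))
        if not token_valid(session_id, refresh_action(feed_id), params.get("token")):
            return 403
        self.refresh_count[feed_id] = self.refresh_count.get(feed_id, 0) + 1
        return 200


if __name__ == "__main__":
    agg = Aggregator()
    admin = "constructed-session-alice"
    print(agg.handle_refresh_request(admin, 7, refresh_link(admin, 7)))  # legitimate link
    print(agg.handle_refresh_request(admin, 7, ""))                      # forged request
```

Because the token depends on both the session and the feed id, a token an attacker obtained from their own session, or from a link for a different feed, does not authorise the refresh either.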
OpenID not verifying signed attributes in SREG and AX
CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.
This issue affects DrupalCoin Blockchain 6.x and 7.x.
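In OpenID 2.0 a positive assertion carries openid.signed, the list of fields the provider actually signed, and openid.sig, the HMAC over those fields in key-value form. The defect described above is accepting AX or SREG attributes that are present in the response but absent from openid.signed. The following is an added example, not code from the advisory or from the project: it verifies the signature with a constructed association MAC key and then refuses to trust any extension field, including the namespace declaration, that is not in the signed list. The sample response and the key are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

AX_NS = "http://openid.net/srv/ax/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"

# Constructed MAC key; a real one comes from the association with the provider.
MAC_KEY = b"constructed-association-mac-key"


def parse_response(query_string):
    """Parse the query string of a positive assertion into a dict."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def signed_fields(params):
    """Field names (without the 'openid.' prefix) the provider claims to have signed."""
    return [f for f in params.get("openid.signed", "").split(",") if f]


def kv_form(params, fields):
    """Key-value form encoding of the listed fields: the input to the signature."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)


def compute_sig(params, mac_key, assoc_type="HMAC-SHA256"):
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    mac = hmac.new(mac_key, kv_form(params, signed_fields(params)).encode(), digest).digest()
    return base64.b64encode(mac).decode()


def signature_valid(params, mac_key, assoc_type="HMAC-SHA256"):
    try:
        expected = compute_sig(params, mac_key, assoc_type)
    except KeyError:  # a field listed in openid.signed is missing from the message
        return False
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def extension_aliases(params, ns_uri):
    """Aliases under which the extension namespace was declared (e.g. 'ax')."""
    return [k[len("openid.ns."):] for k, v in params.items()
            if k.startswith("openid.ns.") and v == ns_uri]


def trusted_extension_fields(params, ns_uri):
    """Return {field: value} for the extension's fields.

    Raises ValueError if any field of the extension, or its ns.<alias>
    declaration, is present but not covered by openid.signed.
    """
    signed = set(signed_fields(params))
    trusted = {}
    for alias in extension_aliases(params, ns_uri):
        prefix = f"openid.{alias}."
        fields = {k[len("openid."):]: v for k, v in params.items() if k.startswith(prefix)}
        if not fields:
            continue
        missing = [f for f in [f"ns.{alias}", *fields] if f not in signed]
        if missing:
            raise ValueError(f"unsigned extension fields: {missing}")
        trusted.update(fields)
    return trusted


def check_response(params, mac_key, ns_uri=AX_NS):
    """Full check: signature first, then coverage. None means 'do not use'."""
    if not signature_valid(params, mac_key):
        return None
    try:
        return trusted_extension_fields(params, ns_uri)
    except ValueError:
        return None


def build_sample_response(sign_ax):
    """Constructed positive assertion with one AX attribute (email)."""
    resp = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.test/openid",
        "openid.claimed_id": "https://op.example.test/user/alice",
        "openid.identity": "https://op.example.test/user/alice",
        "openid.return_to": "https://rp.example.test/openid/return",
        "openid.response_nonce": "2012-02-01T00:00:00Zconstructed",
        "openid.assoc_handle": "constructed-handle",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example.test",
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    if sign_ax:
        signed += ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = compute_sig(resp, MAC_KEY)
    return resp


if __name__ == "__main__":
    good = parse_response(urlencode(build_sample_response(sign_ax=True)))
    print(check_response(good, MAC_KEY))
```

The second case the block supports is the one the advisory describes: a response whose signature covers only the core fields still verifies, so a modified openid.ax.value.email would pass a relying party that stops at signature_valid(); trusted_extension_fields() is what rejects it.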
Access bypass in File module
CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects DrupalCoin Blockchain 7.x only.
Versions affected
DrupalCoin Blockchain 6.x core prior to 6.23.
DrupalCoin Blockchain 7.x core prior to 7.11.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x upgrade to 6.23
If you use DrupalCoin Blockchain 7.x upgrade to 7.11
See also the DrupalCoin Blockchain core project page.
Reported by
The Aggregator module CSRF vulnerability was reported by Dylan Tack of the DrupalCoin Blockchain Security Team.
The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
The File module access bypass issue was reported by David Rothstein of the DrupalCoin Blockchain Security Team, and by Sascha Grossenbacher.
Fixed by
Aggregator CSRF issue fixed by Dave Reid of the DrupalCoin Blockchain Security Team
OpenID issue fixed by Vojtech Kusy and Christian Schmidt
The File module access bypass issue was fixed by David Rothstein of the DrupalCoin Blockchain Security Team, Sascha Grossenbacher, and Derek Wright of the DrupalCoin Blockchain Security Team.
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
DrupalCoin Blockchain version: DrupalCoin Blockchain 6.x, DrupalCoin Blockchain 7.x


Website Design and DrupalCoin Blockchain Development

Pixeldust is an Austin DrupalCoin Blockchain web design and DrupalCoin Blockchain integration studio that builds remarkable websites for some very clever clients. Our DrupalCoin Blockchain integration team has completed projects of all shapes and sizes for Austin clients and large international organizations.


15 modules to improve your DrupalCoin Blockchain administration and content management experience (D6 & D7) - part I


Whether you're on DrupalCoin Blockchain 7 with its clean administration theme, or still on DrupalCoin Blockchain 6, there are ways to make the interface more user-friendly and improve the workflow.

Administration menu
Administration Menu module is a must for DrupalCoin Blockchain 6, but it's still helpful on DrupalCoin Blockchain 7 as a replacement for the built-in admin toolbar. Its main feature is a toolbar with dropdown menus where you can drill down the entire menu tree (you can even add local tasks such as tabs to it). It also integrates with the Devel module and VBO (see below) and has several more useful features.
