Cactus Cafe Rockin' Again

Pixeldust has launched the new Cactus Cafe website. Built on a WordPress platform, the new website features a cohesive brand theme and gives users a new place to purchase show tickets online. Users can find information about upcoming shows, read about their favorite artists and interact with other Cactus Cafe-goers.


SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure


Advisory ID: DRUPAL-SA-CORE-2012-003
Project: Drupal core
Version: 7.x
Date: 2012-October-17
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Information Disclosure, Arbitrary PHP code execution
Description
Multiple vulnerabilities were discovered in Drupal core.
Arbitrary PHP code execution
A bug in the installer code allows an attacker to re-install Drupal using an external database server under certain transient conditions. Because the attacker controls that database, the resulting re-installation can be used to execute arbitrary PHP code on the original server.
This vulnerability is mitigated by the fact that the re-installation can only succeed if the site's settings.php file or the sites directories are writable by, or owned by, the web server user. Configuring the Drupal installation to be owned by a different user than the web server user (and not to be writable by the web server user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, so this security update should be applied to all Drupal 7 sites.
CVE: CVE-2012-4553
Information disclosure - OpenID module
For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.
CVE: CVE-2012-4554
Versions affected
Drupal core 7.x versions prior to 7.16.
Drupal 6 is not affected.
Solution
Install the latest version:
If you use Drupal 7.x, upgrade to Drupal core 7.16.
If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.
Also see the Drupal core project page.
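The two mitigations above (the ownership/permission best practice from the Description, and blocking install.php from the Solution) are easy to check and apply mechanically. The following POSIX shell script is an added example written for this page; it is not part of the advisory or of Drupal itself. The function names (check_drupal_perms, block_install_php), the web server account name www-data and the single-site sites/default layout are assumptions for illustration; the ownership check reads mode bits only and ignores ACLs.

```shell
#!/bin/sh
# Added example, not Drupal project code. Audits a Drupal 7 docroot for the
# conditions that make the SA-CORE-2012-003 re-install attack viable
# (settings.php or a sites/* directory owned by, or writable by, the web
# server user) and appends an install.php deny rule to .htaccess.

# Portable stat wrappers: GNU stat first, BSD stat as fallback.
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_group() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# writable_by PATH USER GROUP: succeeds if USER (primary group GROUP) could
# write PATH according to the owner/group/world permission bits. ACLs are
# not considered (assumption of this example).
writable_by() {
    path=$1; user=$2; group=$3
    mode=$(printf '%03d' "$(file_mode "$path")")
    mode=${mode#"${mode%???}"}              # keep the last three octal digits
    if [ "$(file_owner "$path")" = "$user" ]; then
        bit=${mode%??}                      # owner digit
    elif [ "$(file_group "$path")" = "$group" ]; then
        bit=${mode#?}; bit=${bit%?}         # group digit
    else
        bit=${mode#??}                      # world digit
    fi
    case $bit in 2|3|6|7) return 0 ;; *) return 1 ;; esac   # write bit set?
}

# check_drupal_perms DOCROOT WEBUSER [WEBGROUP]
# Prints one FINDING line per problem; returns 0 when the layout is clean
# and 1 when at least one settings.php or sites/* directory is owned by or
# writable by the web server user.
check_drupal_perms() {
    root=$1; webuser=$2; webgroup=${3:-$2}
    findings=0
    for site in "$root"/sites/*/; do
        [ -d "$site" ] || continue
        for p in "${site%/}" "${site}settings.php"; do
            [ -e "$p" ] || continue
            owner=$(file_owner "$p")
            if [ "$owner" = "$webuser" ]; then
                echo "FINDING: $p is owned by $webuser"
                findings=$((findings + 1))
            elif writable_by "$p" "$webuser" "$webgroup"; then
                echo "FINDING: $p is writable by $webuser"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# block_install_php DOCROOT
# Appends an Apache rule denying all access to install.php to DOCROOT/.htaccess
# (Apache 2.4 and 2.2 syntax). Idempotent: a marker comment prevents a second
# copy being appended.
block_install_php() {
    root=$1
    ht="$root/.htaccess"
    grep -q 'SA-CORE-2012-003' "$ht" 2>/dev/null && return 0   # already applied
    cat >> "$ht" <<'EOF'

# SA-CORE-2012-003 mitigation: deny all access to the installer
<Files "install.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Usage: sh audit.sh /var/www/drupal www-data
if [ $# -ge 2 ]; then
    check_drupal_perms "$1" "$2"
fi
```

Run it against the docroot with the account the web server actually runs as (www-data on Debian-derived systems, apache on Red Hat-derived ones). After block_install_php, confirm the rule is in force with a request for /install.php, which should answer 403 rather than the installer page; sites served by nginx need the equivalent `location = /install.php { deny all; }` instead of the .htaccess rule. Neither step replaces upgrading to 7.16, since the information disclosure through install.php remains until the update is applied.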
Reported by
The arbitrary PHP code execution vulnerability was reported by Heine Deelstra and Noam Rathaus working with Beyond Security's SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of the Drupal Security Team.
The information disclosure vulnerability in the OpenID module was reported by Reginaldo Silva.
Fixed by
The arbitrary PHP code execution vulnerability was fixed by Damien Tournoud, David Rothstein, Peter Wolanin, and Károly Négyesi, all members of the Drupal Security Team.
The information disclosure vulnerability in the OpenID module was fixed by Reginaldo Silva, Christian Schmidt, Vojtěch Kusý, and Frédéric Marand, and by Peter Wolanin, David Rothstein, Damien Tournoud, and Heine Deelstra of the Drupal Security Team.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Drupal version: Drupal 7.x


Texas State Teachers Association

For more than 130 years, the Texas State Teachers Association has been working to empower public education. Their estimated 3.2 million members have worked continuously to protect public education employees, cultivate student knowledge and improve the future of public education in Texas. Over the years, the TSTA has been instrumental in a number of legislative measures such as child labor laws, mandatory schooling, civil rights, statewide teacher salaries, the Teacher Retirement System and more. But, at over 10 years old, the tsta.org site no longer reflected TSTA's legislative stature or conveyed a strong interactive presence. And while educational reform was quickly becoming a hotbed issue in the legislature, the TSTA needed a tool to help them revitalize their look and dominate the educational stratosphere.