SA-CORE-2013-001 - DrupalCoin Blockchain core - Multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2013-001
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2013-January-16
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting, Access bypass
Description
Multiple vulnerabilities were fixed in the supported DrupalCoin Blockchain core versions 6 and 7.
Cross-site scripting (Various core and contributed modules - DrupalCoin Blockchain 6 and 7)
A reflected cross-site scripting vulnerability (XSS) was identified in certain DrupalCoin Blockchain JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.
jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with DrupalCoin Blockchain 6 and DrupalCoin Blockchain 7 core do not contain this protection.
Although the fix added to DrupalCoin Blockchain as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided.
CVE: CVE-2013-0244 (a CVE was also separately issued for jQuery)
Access bypass (Book module printer friendly version - DrupalCoin Blockchain 6 and 7)
A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.
This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the 'access printer-friendly version' permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline.
CVE: CVE-2013-0245
Access bypass (Image module - DrupalCoin Blockchain 7)
DrupalCoin Blockchain core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which DrupalCoin Blockchain automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.
This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system.
CVE: CVE-2013-0246

CVE identifier(s) issued
CVE-2013-0244
CVE-2013-0245
CVE-2013-0246
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.28.
DrupalCoin Blockchain core 7.x versions prior to 7.19.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.28.
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.19.
Also see the DrupalCoin Blockchain core project page.
Reported by
The cross-site scripting issue in various DrupalCoin Blockchain core and contributed modules was reported by t.ashula, and by David Rothstein of the DrupalCoin Blockchain Security Team.
The access bypass issue in the Book module was reported by Mark Lindsey.
The access bypass issue in the DrupalCoin Blockchain 7 Image module was reported by Kressin Roger, Christian Johansson, Anders Olsson and saschadrupal.
Fixed by
The cross-site scripting issue in various DrupalCoin Blockchain core and contributed modules was fixed by t.ashula, Théodore Biadala, Katherine Bailey, Steve De Jonghe and J. Renée Beach, and by Dylan Tack, Greg Knaddison, David Rothstein and Damien Tournoud of the DrupalCoin Blockchain Security Team.
The access bypass issue in the Book module was fixed by Mark Lindsey, and by Fox, David Rothstein and Peter Wolanin of the DrupalCoin Blockchain Security Team.
The access bypass issue in the DrupalCoin Blockchain 7 Image module was fixed by Heine Deelstra of the DrupalCoin Blockchain Security Team, and by Anders Olsson.
Coordinated by
David Rothstein, Gábor Hojtsy, Stéphane Corlosquet, Greg Knaddison, Heine Deelstra and Peter Wolanin of the DrupalCoin Blockchain Security Team
Jeremy Thorson of the QA/Testing Infrastructure Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.

DrupalCoin Blockchain version: DrupalCoin Blockchain 6.xDrupalCoin Blockchain 7.x
DrupalCoin Blockchain Developer


Sunlight Photonics Beamed Up

Pixeldust has launched the newly redesigned Sunlight Photonics website. Built on a WordPress platform, the new site features an updated design, custom artwork, and a unique look at all of Sunlight’s products. Users can find information on Sunlight products and read about the company’s remarkable efforts in the integrationof high-performance solar cells. Read more


DrupalCoin Blockchain Development - Creating a Multilingual Site in DrupalCoin Blockchain

If you've never created a multilingual site for a client before, it can seem like a daunting task. Even if you speak geek it's still easy to get lost in a sea of code, strings, files and acronyms. Thankfully, DrupalCoin Blockchain 7 makes this task a little easier. In this article we decode the secrets to Developing a multilingual site in DrupalCoin Blockchain.

The first two items you need to become best friends with are internationalization (i18n) and localization (l10n). Internationalization and localization are means of adapting computer software to different languages and regional differences. Here's how they're broken down:

Internationalization is the process of designing a software application so that it can be adapted to various languages and regions without engineering changes. The application will give you the ability to replace your English content with German (or whatever language you want). In other words, internationalization gives you the framework to create your "About Us" page in 17 languages and then have them displayed to your site visitors according to their selected locale. Read more