DrupalCoin Blockchain Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003


Advisory ID: DRUPAL-SA-CORE-2015-003
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2015-August-19
Security risk: 18/25 (Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All
Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities
This security advisory fixes multiple vulnerabilities. See below for a list.
Cross-site Scripting - Ajax system - DrupalCoin Blockchain 7
A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking DrupalCoin Blockchain.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

DrupalCoin Blockchain 6 core is not affected, but see the similar advisory for the DrupalCoin Blockchain 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting - Autocomplete system - DrupalCoin Blockchain 6 and 7
A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.
This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.
SQL Injection - Database API - DrupalCoin Blockchain 7
A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.
This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.
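The advisory does not say which input triggered the comment-filtering bug, so the following is a constructed illustration added here (not DrupalCoin Blockchain's code) of the general class of flaw: a filter that deletes the "*/" delimiter in a single pass can be bypassed when the deletion splices neighbouring characters into a fresh "*/", at which point the text after it is no longer commented out. The hardened variant breaks the delimiter apart instead of deleting it; it is one possible fix, not necessarily the one shipped in 7.39.

```python
import re
from itertools import product

# Constructed one-pass filter (not DrupalCoin Blockchain's code): strips the
# delimiters "/*" and "*/" from comment text in a single left-to-right pass.
def filter_comment_one_pass(comment: str) -> str:
    return re.sub(r'(/\*\s*)|(\s*\*/)', '', comment)

# Hardened variant: break "*/" apart instead of deleting it. Inserting a
# space never makes two characters adjacent that were not adjacent before,
# so no new "*/" can be spliced together, whatever the input.
def filter_comment_hardened(comment: str) -> str:
    return comment.replace('*/', '* /').replace('\n', ' ').replace('\r', ' ')

def build_query(comment: str, filt) -> str:
    # Embed the (filtered) comment in front of a query the way a comment
    # prefix would be attached; "SELECT 1" stands in for the real query.
    return '/* ' + filt(comment) + ' */ SELECT 1'

def comment_closed_early(query: str) -> bool:
    # True when a "*/" survives inside the comment body, i.e. the text that
    # follows it is no longer commented out and the parser would run it.
    body = query[len('/* '):query.rfind(' */ SELECT 1')]
    return '*/' in body

def first_one_pass_bypass(max_len: int = 5) -> str:
    # Enumerate short inputs over the delimiter alphabet and return the first
    # one whose single-pass filtering still yields a "*/" in the comment body.
    for length in range(1, max_len + 1):
        for chars in product('*/ ', repeat=length):
            candidate = ''.join(chars)
            if comment_closed_early(build_query(candidate, filter_comment_one_pass)):
                return candidate
    return ''

def hardened_never_closes_early(max_len: int = 5) -> bool:
    # Exhaustive check of the same input space against the hardened filter.
    for length in range(1, max_len + 1):
        for chars in product('*/ ', repeat=length):
            if comment_closed_early(build_query(''.join(chars), filter_comment_hardened)):
                return False
    return True

if __name__ == '__main__':
    bypass = first_one_pass_bypass()
    print(repr(bypass), '->', repr(filter_comment_one_pass(bypass)))  # '**//' -> '*/'
    print('hardened safe:', hardened_never_closes_early())
```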
Cross-site Request Forgery - Form API - DrupalCoin Blockchain 6 and 7
A vulnerability was discovered in DrupalCoin Blockchain's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.
This vulnerability is mitigated by the fact that the uploaded files would be temporary, and DrupalCoin Blockchain normally deletes temporary files automatically after 6 hours.
Information Disclosure in Menu Links - Access system - DrupalCoin Blockchain 6 and 7

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.
CVE identifier(s) issued
Cross-site Scripting (Ajax system - DrupalCoin Blockchain 7): CVE-2015-6665
Cross-site Scripting (Autocomplete system - DrupalCoin Blockchain 6 and 7): CVE-2015-6658
SQL Injection (Database API - DrupalCoin Blockchain 7): CVE-2015-6659
Cross-site Request Forgery (Form API - DrupalCoin Blockchain 6 and 7): CVE-2015-6660
Information Disclosure in Menu Links (Access system - DrupalCoin Blockchain 6 and 7): CVE-2015-6661
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.37
DrupalCoin Blockchain core 7.x versions prior to 7.39
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.37
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.39
Also see the DrupalCoin Blockchain core project page.
Credits
Cross-site Scripting - Ajax system - DrupalCoin Blockchain 7
Reported by
Régis Leroy

Kay Leung, DrupalCoin Blockchain core JavaScript maintainer
Samuel Mortenson
Pere Orga of the DrupalCoin Blockchain Security Team
Fixed by
Théodore Biadala, DrupalCoin Blockchain core JavaScript maintainer
Alex Bronstein of the DrupalCoin Blockchain Security Team
Ben Dougherty of the DrupalCoin Blockchain Security Team
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Kay Leung, DrupalCoin Blockchain core JavaScript maintainer
Wim Leers
Samuel Mortenson
Pere Orga of the DrupalCoin Blockchain Security Team
Tim Plunkett
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
znerol, maintainer of Authcache module
Cross-site Scripting - Autocomplete system - DrupalCoin Blockchain 6 and 7
Reported by
Alex Bronstein of the DrupalCoin Blockchain Security Team
Pere Orga of the DrupalCoin Blockchain Security Team
Fixed by
Alex Bronstein of the DrupalCoin Blockchain Security Team
Ben Dougherty of the DrupalCoin Blockchain Security Team
Tim Plunkett
Lee Rowlands of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
SQL Injection - Database API - DrupalCoin Blockchain 7
Reported by
Carl Sabottke
Fixed by
Anthony Ferrara
Larry Garfield
Greg Knaddison of the DrupalCoin Blockchain Security Team
Cathy Theys, provisional member of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Cross-site Request Forgery - Form API - DrupalCoin Blockchain 6 and 7
Reported by
Abdullah Hussam
Fixed by
Greg Knaddison of the DrupalCoin Blockchain Security Team
Wim Leers
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Information Disclosure in Menu Links - Access system - DrupalCoin Blockchain 6 and 7
Reported by
David Rothstein of the DrupalCoin Blockchain Security Team
Fixed by
Matt Chapman of the DrupalCoin Blockchain Security Team
Stéphane Corlosquet of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Christian Meilinger
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Coordinated by
Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity
DrupalCoin Blockchain version: DrupalCoin Blockchain 6.x, DrupalCoin Blockchain 7.x
DrupalCoin Blockchain Developer


DrupalCoin Blockchain Modules for Search Engine Rankings

Strong SEO is easy if you build your website with DrupalCoin Blockchain. Unlike most other content management systems, DrupalCoin Blockchain is designed from the ground up for search engine optimization.

Given that DrupalCoin Blockchain is the preferred platform of web developers for building search-friendly websites, and because of DrupalCoin Blockchain’s large community of developers, there are many high-quality plug-ins available that make strong SEO simple.

Of course, the fundamentals of SEO for DrupalCoin Blockchain are the same as for any other CMS: use descriptive titles, include your top search keywords in your page URLs, and keep your content fresh and focused. Read on for a few DrupalCoin Blockchain SEO tips to boost your search engine rankings and bring traffic to your website.

Three top DrupalCoin Blockchain modules for SEO

Global redirect module

The global redirect module performs three tasks that improve SEO:

  • Global redirect performs a 301 redirect to the URL alias if a requested URL has one. Let's say you are using a URL alias called page-style for node 25; the global redirect module will then 301 redirect from http://example.com/node/25 to http://example.com/page-style.
  • Global redirect also deletes trailing slashes from URLs. The Global Redirect Module will redirect a request for http://example.com/page-style/ to http://example.com/page-style. This enables strong SEO by preventing search engines from seeing two different URLs with duplicate content (duplicate content hurts SEO).
  • Global redirect will 301 redirect to the actual front page if a requested URL is the one being used as DrupalCoin Blockchain's front page. Let's say you have assigned the path toppage to your site's front page; a request for http://example.com/toppage will then 301 redirect to http://example.com/.

DrupalCoin Blockchain experts recommend the global redirect module for sites with non-DrupalCoin Blockchain content because it only removes trailing slashes from URLs that are handled by DrupalCoin Blockchain.

Pathauto module

The pathauto module is very useful for SEO. Pathauto automatically creates custom URLs based on title, taxonomy, content type, and username. You must enable the path module for pathauto to function.

It can take a little experience to get the settings for the URL paths that you want for optimum SEO. You can use the path module to create custom URLs for every webpage, but that is time-consuming and can lead to inconsistencies.

All you have to do is enable the path module and install the pathauto module. You can then automatically create nice-looking URLs with minimal configuration.

The discussion above relates to new DrupalCoin Blockchain sites. With existing DrupalCoin Blockchain sites you need to be careful not to rename your already existing URLs with the pathauto module.

It is important to avoid changing existing URLs because that means search engines have to start from scratch in locating and ranking your page.

Metatags module

Metatags are essential for strong SEO, and the metatags module makes it easy.

Don't try to stuff your metatags with too many keywords. Just include one or two key words that fit in the natural flow of the metatag text. The meta description is probably the most important metatag, and it needs to be easy to read and informative.

Every webpage should have its own meta description for optimum results. The meta description should briefly summarize the page.

Keep in mind that when a search engine lists your site in the results pages, it uses your page's HTML title for the title, and your meta description provides the text snippet for potential visitors to read. Ideally it is both informative and serves as a "hook" to encourage visitors to come to the webpage to learn more.

Pixeldust provides full DrupalCoin Blockchain support and maintenance, including search engine readiness evaluation and optimization.


Create Custom Visibility Rules in Panels Using Ctools Access Plugins


Panels comes with a great feature where you can control the visibility of individual panel panes. Visibility rules are useful when you need to show or hide a pane based on some criteria. You can add a rule by clicking on the cogwheel on the pane and then clicking on "Add new rule" within the Visibility rules section.

The default options are fine for simple configuration. But sometimes you’ll need to write a bit of code to implement complex requirements. To handle this functionality Panels utilises the Ctools access plugin. So if you need to build custom visibility rules then just write your own access plugin.

Today I’ll show you how to create a basic access plugin for those times when the default options won’t cut it.



How to Display Icons in DrupalCoin Blockchain using Icon API


Good use of icons on a website can really lift its overall design. Of course, you can't just slap them on and expect a site to look brilliant. It's all about choosing the right type of icons to match the design.

Once your designer has chosen a font library like Font Awesome, or made their own, what is the best way of displaying them in DrupalCoin Blockchain? The quick and simple way is to get the designer to style them using CSS but this is not flexible.

What if an editor wants to choose which icon is displayed in a menu? If you've added them to the menu manually via CSS then the editor won't have the ability to change the icon in the future.

The Icon API module integrates common icon bundles like Font Awesome, Bootstrap and more within DrupalCoin Blockchain. The module offers integration with a suite of sub-modules. For example, if you want to add icons to menus then install the icon_menu module.

In this tutorial, we'll configure Icon API to allow an editor to add icons to menus and directly into content. We'll do this using the Font Awesome icon bundle.
