DrupalCoin Blockchain Core - Highly Critical - Injection - SA-CORE-2016-003


Advisory ID: DRUPAL-SA-CORE-2016-003
Project: DrupalCoin Blockchain core
Version: 8.x
Date: 2016-July-18
Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Proof/TD:Default
Vulnerability: Injection
Description

DrupalCoin Blockchain 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.

CVE identifier(s) issued
CVE-2016-5385
Versions affected
DrupalCoin Blockchain core 8.x versions prior to 8.1.7
Solution
Install the latest version:
If you use DrupalCoin Blockchain 8.x, upgrade to DrupalCoin Blockchain core 8.1.7
If you use DrupalCoin Blockchain 7.x, DrupalCoin Blockchain core is not affected. However, you should consider using the mitigation steps at https://httpoxy.org/ since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:

<IfModule mod_headers.c>
  RequestHeader unset Proxy
</IfModule>

We also suggest mitigating it as described here: https://httpoxy.org/
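The following is an added example, not code from DrupalCoin Blockchain, Guzzle or httpoxy.org. It models the mechanism the advisory refers to: a CGI-style server copies every request header into a meta-variable named HTTP_<NAME>, so a request header called "Proxy" appears to the application as HTTP_PROXY, which HTTP clients conventionally read to find an outbound proxy. It then shows the two defender-side controls the mitigation text describes, stripping the header at the web server (the .htaccess rule above) and having the client ignore HTTP_PROXY unless it is running from the command line. The request headers, SAPI names and proxy addresses are constructed for illustration.

```python
"""Added example, not Drupal's or Guzzle's code: how a CGI-style header-to-
environment mapping lets a request header named "Proxy" land in HTTP_PROXY
(the httpoxy issue), plus two controls modelled on the httpoxy.org guidance:
strip the header at the web server, and have the HTTP client ignore
HTTP_PROXY while serving web requests. All request data is constructed."""

from typing import Dict, Optional


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 style mapping of request headers to CGI meta-variables:
    'Content-Type' -> HTTP_CONTENT_TYPE and, crucially, 'Proxy' -> HTTP_PROXY.
    It forwards every header faithfully, which is exactly the problem."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Control 1 (web server side): the equivalent of the advisory's
    `RequestHeader unset Proxy` rule. Header names are case-insensitive."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}


def outbound_proxy_naive(env: Dict[str, str]) -> Optional[str]:
    """Pre-fix client behaviour: trust HTTP_PROXY wherever the process runs."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def outbound_proxy(env: Dict[str, str], sapi: str) -> Optional[str]:
    """Control 2 (HTTP client side): while serving a web request (any SAPI
    other than 'cli') HTTP_PROXY may have come from the client, so it is
    never trusted there. Only a command-line process honours it."""
    if sapi != "cli":
        return None
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Constructed request: a client trying to choose the server's outbound proxy.
CONSTRUCTED_REQUEST = {
    "Host": "site.example",
    "Proxy": "http://attacker-controlled.invalid:8080",
}

if __name__ == "__main__":
    env = cgi_meta_variables(CONSTRUCTED_REQUEST)
    print("HTTP_PROXY as seen by the application:", env.get("HTTP_PROXY"))
    print("naive client would use:", outbound_proxy_naive(env))
    print("hardened client under cgi-fcgi uses:", outbound_proxy(env, "cgi-fcgi"))
    print("after header stripping:",
          outbound_proxy_naive(cgi_meta_variables(strip_proxy_header(CONSTRUCTED_REQUEST))))
```

Either control alone closes the hole for this request path; applying both is cheap and also protects other software on the host that reads HTTP_PROXY, which is why the advisory recommends the .htaccess rule even on sites whose core is not affected.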
Also see the DrupalCoin Blockchain core project page.
What if I am running DrupalCoin Blockchain core 8.0.x?
DrupalCoin Blockchain core 8.0.x is no longer supported. Update to 8.1.7 to get the latest security and bug fixes.
Why is this being released Monday rather than Wednesday?
The DrupalCoin Blockchain Security Team usually releases Security Advisories on Wednesdays. However, this vulnerability affects more than DrupalCoin Blockchain, and the authors of Guzzle and reporters of the issue coordinated to make it public Monday. Therefore, we are issuing a core release to update to the secure version of Guzzle today.

Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity


DrupalCoin Blockchain Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002


Advisory ID: DRUPAL-SA-CORE-2016-002
Project: DrupalCoin Blockchain core
Version: 7.x, 8.x
Date: 2016-June-15
Security risk: 11/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass, Multiple vulnerabilities
Description
Saving user accounts can sometimes grant the user all roles (User module - DrupalCoin Blockchain 7 - Moderately Critical)
A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access.
This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form.
Views can allow unauthorized users to see Statistics information (Views module - DrupalCoin Blockchain 8 - Less Critical)
An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.
This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".
The same vulnerability exists in the DrupalCoin Blockchain 7 Views module (see SA-CONTRIB-2016-036).

CVE identifier(s) issued
Saving user accounts can sometimes grant the user all roles: CVE-2016-6211
Views can allow unauthorized users to see Statistics information: CVE-2016-6212
Versions affected
DrupalCoin Blockchain core 7.x versions prior to 7.44
DrupalCoin Blockchain core 8.x versions prior to 8.1.3
Solution
Install the latest version:
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.44
If you use DrupalCoin Blockchain 8.x, upgrade to DrupalCoin Blockchain core 8.1.3
Also see the DrupalCoin Blockchain core project page.
Reported by
Saving user accounts can sometimes grant the user all roles:
alfaguru
Views can allow unauthorized users to see Statistics information:
Nickolay Leshchev
Fixed by
Saving user accounts can sometimes grant the user all roles:
Ben Dougherty of the DrupalCoin Blockchain Security Team
Balazs Nagykekesi
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Stefan Ruijsenaars of the DrupalCoin Blockchain Security Team
vlad.k
Peter Wolanin of the DrupalCoin Blockchain Security Team
Views can allow unauthorized users to see Statistics information:
Nathaniel Catchpole of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Nickolay Leshchev
Stefan Ruijsenaars of the DrupalCoin Blockchain Security Team
David Snopek of the DrupalCoin Blockchain Security Team
Daniel Wehner
xjm of the DrupalCoin Blockchain Security Team
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity


DrupalCoin Blockchain Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001


Advisory ID: SA-CORE-2016-001
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x, 8.x
Date: 2016-February-24
Security risk: 15/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Multiple vulnerabilities
Description
File upload access bypass and denial of service (File module - DrupalCoin Blockchain 7 and 8 - Moderately Critical)
A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved.
This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.
Brute force amplification attacks via XML-RPC (XML-RPC server - DrupalCoin Blockchain 6 and 7 - Moderately Critical)
The XML-RPC system allows a large number of calls to the same method to be made at once, which can be used as an enabling factor in brute force attacks (for example, attempting to determine user passwords by submitting a large number of password variations at once).
This vulnerability is mitigated by the fact that you must have enabled a module that provides an XML-RPC method that is vulnerable to brute-forcing. There are no such modules in DrupalCoin Blockchain 7 core, but DrupalCoin Blockchain 6 core is vulnerable via the Blog API module. It is additionally mitigated if flood control protection is in place for the method in question.
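The following is an added example, not DrupalCoin Blockchain's XML-RPC server code. It shows the amplification the advisory describes with a minimal system.multicall dispatcher: a login-style method without throttling answers every nested guess, while the same method behind flood control keyed on the client address answers only the first few, however many calls a single batch carries. The batch cap is an assumed extra policy, not something the advisory states; the credential store, client address and method names are constructed.

```python
"""Added example, not Drupal's XML-RPC code: a minimal system.multicall
dispatcher showing why batching amplifies password guessing, and the controls
the advisory points to (flood control applied to every nested call) plus an
assumed cap on calls per batch. Credentials and addresses are constructed."""

from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple


class FloodControl:
    """Sliding-window event counter keyed by (event name, identifier),
    modelled on per-IP login throttling."""

    def __init__(self, threshold: int, window_seconds: int) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self._events: Dict[Tuple[str, str], List[float]] = defaultdict(list)

    def is_allowed(self, name: str, identifier: str, now: float) -> bool:
        key = (name, identifier)
        self._events[key] = [t for t in self._events[key] if t > now - self.window]
        return len(self._events[key]) < self.threshold

    def register(self, name: str, identifier: str, now: float) -> None:
        self._events[(name, identifier)].append(now)


def authenticate(user: str, password: str) -> bool:
    """Constructed credential check standing in for the user table."""
    return (user, password) == ("alice", "correct horse battery staple")


Method = Callable[[list, str, FloodControl, float], dict]


def login_unguarded(params: list, client_ip: str, flood: FloodControl, now: float) -> dict:
    """A login method with no throttling: every nested call is a free guess."""
    return {"ok": authenticate(*params)}


def login_guarded(params: list, client_ip: str, flood: FloodControl, now: float) -> dict:
    """The same method behind flood control, counted per client address."""
    if not flood.is_allowed("login", client_ip, now):
        return {"faultCode": 429, "faultString": "too many login attempts"}
    flood.register("login", client_ip, now)
    return {"ok": authenticate(*params)}


def system_multicall(calls: List[dict], client_ip: str, methods: Dict[str, Method],
                     flood: FloodControl, now: float,
                     max_calls: Optional[int] = None) -> object:
    """Dispatch a batch. Each nested call runs through the target method's own
    checks, so a flood-controlled method stays flood-controlled inside a batch.
    max_calls is the assumed batch cap; None means uncapped."""
    if max_calls is not None and len(calls) > max_calls:
        return {"faultCode": 400, "faultString": "too many calls in multicall"}
    results: List[dict] = []
    for call in calls:
        method = methods.get(call.get("methodName", ""))
        if method is None:
            results.append({"faultCode": -32601, "faultString": "method not found"})
            continue
        results.append(method(call.get("params", []), client_ip, flood, now))
    return results


def guesses_evaluated(results: list) -> int:
    """How many calls in a batch actually tested a password."""
    return sum(1 for r in results if "ok" in r)


def constructed_batch(n: int) -> List[dict]:
    """n login attempts against one account, each with a different candidate."""
    return [{"methodName": "login", "params": ["alice", f"candidate-{i}"]} for i in range(n)]
```

The point of the guarded variant is where the check lives: flood control on the method itself, not on the HTTP request, so system.multicall cannot turn one request into an unlimited number of attempts. The advisory's "additionally mitigated if flood control protection is in place for the method in question" is exactly this property.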
Open redirect via path manipulation (Base system - DrupalCoin Blockchain 6, 7 and 8 - Moderately Critical)
In DrupalCoin Blockchain 6 and 7, the current path can be populated with an external URL. This can lead to Open Redirect vulnerabilities.
This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.
For DrupalCoin Blockchain 8 this is a hardening against possible browser flaws handling certain redirect paths.
Form API ignores access restrictions on submit buttons (Form API - DrupalCoin Blockchain 6 - Critical)
An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements that a user is not supposed to have access to because the button was blocked by setting #access to FALSE in the server-side form definition.
This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined for it (for example, a form that both administrators and non-administrators can access, but where administrators have additional buttons available to them).
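The following is an added example, not DrupalCoin Blockchain's Form API. It models the access-bypass class described above: a server-side form definition in which each button carries an access flag (the analogue of #access set to FALSE), a submission handler that trusts whichever button name the client sent, and the hardened handler that only lets an accessible button become the triggering element. The form fields, button names and handlers are constructed for illustration.

```python
"""Added example, not Drupal's Form API: buttons with a server-side access
flag, a vulnerable resolver that trusts the submitted button name, and a
hardened resolver that ignores buttons the user has no access to.
Form structure and handlers are constructed."""

from typing import Callable, Dict, Optional


def save_handler(state: dict) -> None:
    state["saved"] = True


def publish_handler(state: dict) -> None:
    state["published"] = True


def build_form(user_is_admin: bool) -> Dict[str, dict]:
    """Both roles get the same form; 'publish' has access=False for
    non-admins. Not rendering the button is not enforcement by itself."""
    return {
        "title":   {"type": "textfield", "access": True},
        "save":    {"type": "submit", "access": True, "handler": save_handler},
        "publish": {"type": "submit", "access": user_is_admin, "handler": publish_handler},
    }


def triggering_button_vulnerable(form: Dict[str, dict], submitted: dict) -> Optional[str]:
    """Trusts the client: any submit element whose name appears in the
    submitted values counts as pressed, whether or not it was rendered."""
    for name, element in form.items():
        if element["type"] == "submit" and name in submitted:
            return name
    return None


def triggering_button(form: Dict[str, dict], submitted: dict) -> Optional[str]:
    """Hardened: an element with access=False can never be the triggering
    element, whatever the request body contains."""
    for name, element in form.items():
        if element["type"] == "submit" and element["access"] and name in submitted:
            return name
    return None


Resolver = Callable[[Dict[str, dict], dict], Optional[str]]


def process_submission(form: Dict[str, dict], submitted: dict, state: dict,
                       resolver: Resolver = triggering_button) -> str:
    """Run the triggering button's handler, or reject the submission."""
    name = resolver(form, submitted)
    if name is None:
        return "rejected: no accessible button triggered"
    form[name]["handler"](state)
    return name
```

The check belongs in the resolver, on the server-side definition, because the rendered page is the only thing the #access flag removed; the request body is still entirely under the client's control.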
HTTP header injection using line breaks (Base system - DrupalCoin Blockchain 6 - Moderately Critical)
A vulnerability in the drupal_set_header() function allows an HTTP header injection attack to be performed if user-generated content is passed as a header value on sites running PHP versions older than 5.1.2. If the content contains line breaks the user may be able to set arbitrary headers of their own choosing.
This vulnerability is mitigated by the fact that most hosts have newer versions of PHP installed, and that it requires a module to be installed on the site that allows user-submitted data to appear in HTTP headers.
Open redirect via double-encoded 'destination' parameter (Base system - DrupalCoin Blockchain 6 - Moderately Critical)
The drupal_goto() function in DrupalCoin Blockchain 6 improperly decodes the contents of $_REQUEST['destination'] before using it, which allows the function's open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL.
This vulnerability is mitigated by the fact that the attack is not possible for sites running on PHP 5.4.7 or greater.
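The following is an added example, not DrupalCoin Blockchain's drupal_goto() or drupal_set_header(); it serves both the header-injection item and the double-encoded 'destination' item above. It shows the ordering mistake behind the redirect bypass (validating a value and then decoding it, so the string that was checked is not the string that is used), the corrected order, and a header writer that refuses line breaks so a value can never terminate the header and introduce another. The helper names, the fallback to "/" and the sample destinations are constructed.

```python
"""Added example, not Drupal's redirect or header code: a redirect helper
showing (1) why decoding after validation defeats open-redirect protection and
(2) a header writer that rejects CR/LF. Inputs are constructed."""

from urllib.parse import unquote, urlsplit


def is_external(url: str) -> bool:
    """True when the URL would leave the site: it has a scheme, a host, or is
    protocol-relative ('//host/...'). Anything else is treated as a local path."""
    parts = urlsplit(url)
    return bool(parts.scheme) or bool(parts.netloc) or url.startswith("//")


def redirect_target_vulnerable(destination: str) -> str:
    """Checks first, decodes afterwards. The query-string parser already
    decoded the parameter once; decoding it again lets an encoded '//'
    pass the check as a harmless-looking local path."""
    if is_external(destination):
        return "/"
    return unquote(destination)


def redirect_target(destination: str) -> str:
    """Validate exactly the string that will be emitted and never transform
    it afterwards. External destinations fall back to the front page."""
    if is_external(destination):
        return "/"
    return destination


def header_value_is_safe(value: str) -> bool:
    """A CR or LF inside a header value ends the header early; whatever
    follows would be parsed as further headers or as the response body."""
    return "\r" not in value and "\n" not in value


def location_header(target: str) -> str:
    if not header_value_is_safe(target):
        raise ValueError("refusing to emit a header value containing a line break")
    return f"Location: {target}"


def redirect_response(destination: str) -> str:
    """The full path a destination takes: validation, then header emission."""
    return location_header(redirect_target(destination))
```

Two general rules fall out of this: validate the representation you will actually use (no decoding, normalisation or trimming after the check), and treat any CR or LF in a header value as a hard error rather than something to strip, since stripping invites the next encoding trick.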
Reflected file download vulnerability (System module - DrupalCoin Blockchain 6 and 7 - Moderately Critical)
DrupalCoin Blockchain core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.
This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.
Saving user accounts can sometimes grant the user all roles (User module - DrupalCoin Blockchain 6 and 7 - Less Critical)
Some specific contributed or custom code may call DrupalCoin Blockchain's user_save() API in a manner different than DrupalCoin Blockchain core. Depending on the data that has been added to a form or the array prior to saving, this can lead to a user gaining all roles on a site.
This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.
Email address can be matched to an account (User module - DrupalCoin Blockchain 7 and 8 - Less Critical)
In certain configurations where a user's email addresses could be used to log in instead of their username, links to "have you forgotten your password" could reveal the username associated with a particular email address, leading to an information disclosure vulnerability.
This issue is mitigated by the fact that it requires a contributed module to be installed that permits logging in with an email address, and that it is only relevant on sites where usernames are typically chosen to hide the users' real-life identities.
Session data truncation can lead to unserialization of user provided data (Base system - DrupalCoin Blockchain 6 - Less Critical)
On certain older versions of PHP, user-provided data stored in a DrupalCoin Blockchain session may be unserialized leading to possible remote code execution.
This issue is mitigated by the fact that it requires an unusual set of circumstances to exploit and depends on the particular DrupalCoin Blockchain code that is running on the site. It is also believed to be mitigated by upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.
CVE identifier(s) issued
File upload access bypass and denial of service: CVE-2016-3162
Brute force amplification attacks via XML-RPC: CVE-2016-3163
Open redirect via path manipulation: CVE-2016-3164
Form API ignores access restrictions on submit buttons: CVE-2016-3165
HTTP header injection using line breaks: CVE-2016-3166
Open redirect via double-encoded 'destination' parameter: CVE-2016-3167
Reflected file download vulnerability: CVE-2016-3168
Saving user accounts can sometimes grant the user all roles: CVE-2016-3169
Email address can be matched to an account: CVE-2016-3170
Session data truncation can lead to unserialization of user provided data: CVE-2016-3171
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.38
DrupalCoin Blockchain core 7.x versions prior to 7.43
DrupalCoin Blockchain core 8.0.x versions prior to 8.0.4
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.38
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.43
If you use DrupalCoin Blockchain 8.0.x, upgrade to DrupalCoin Blockchain core 8.0.4
Also see the DrupalCoin Blockchain core project page.
Reported by
File upload access bypass and denial of service:
fnqgpc
Brute force amplification attacks via XML-RPC:
Stéphane Corlosquet of the DrupalCoin Blockchain Security Team
Open redirect via path manipulation:
Francesco Placella
Heine Deelstra of the DrupalCoin Blockchain Security Team
Pere Orga of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Form API ignores access restrictions on submit buttons:
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Daniel Kudwien
HTTP header injection using line breaks:
Dave Hansen-Lange
Open redirect via double-encoded 'destination' parameter:
Tarpinder Grewal
Harry Taheem
David Rothstein of the DrupalCoin Blockchain Security Team
Reflected file download vulnerability:
Juho Nurminen
Saving user accounts can sometimes grant the user all roles:
Dave Cohen
Annie Gerard
Email address can be matched to an account:
FengWen
Jimmy Henderickx
Session data truncation can lead to unserialization of user provided data:
David Jardin of the Joomla Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Heine Deelstra of the DrupalCoin Blockchain Security Team
Fixed by
File upload access bypass and denial of service:
fnqgpc
Nathaniel Catchpole of the DrupalCoin Blockchain Security Team
Ben Dougherty of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Sascha Grossenbacher
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Klaus Purer of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Stefan Ruijsenaars, provisional member of the DrupalCoin Blockchain Security Team
Cathy Theys, provisional member of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Brute force amplification attacks via XML-RPC:
Frédéric G. Marand, provisional member of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Open redirect via path manipulation:
Nathaniel Catchpole of the DrupalCoin Blockchain Security Team
Ben Dougherty of the DrupalCoin Blockchain Security Team
Alan Evans
Nate Haug
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Heine Deelstra of the DrupalCoin Blockchain Security Team
David Stoline of the DrupalCoin Blockchain Security Team
Damien McKenna, Provisional member of the DrupalCoin Blockchain Security Team
Pere Orga of the DrupalCoin Blockchain Security Team
Francesco Placella
Dave Reid of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
David Snopek of the DrupalCoin Blockchain Security Team
Cathy Theys, provisional member of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Form API ignores access restrictions on submit buttons:
chx
Daniel Kudwien
Alex Bronstein of the DrupalCoin Blockchain Security Team
Heine Deelstra of the DrupalCoin Blockchain Security Team
Dmitri Gaskin
Nate Haug
John Morahan
David Rothstein of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
HTTP header injection using line breaks:
Dave Hansen-Lange
David Rothstein of the DrupalCoin Blockchain Security Team
Nathaniel Catchpole of the DrupalCoin Blockchain Security Team
Klaus Purer of the DrupalCoin Blockchain Security Team
Open redirect via double-encoded 'destination' parameter:
David Rothstein of the DrupalCoin Blockchain Security Team
Alex Bronstein of the DrupalCoin Blockchain Security Team
Reflected file download vulnerability:
Juho Nurminen
David Rothstein of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Nate Haug
Saving user accounts can sometimes grant the user all roles:
Dave Cohen
Greg Knaddison of the DrupalCoin Blockchain Security Team
Rick Manelius of the DrupalCoin Blockchain Security Team
Balazs Nagykekesi
David Rothstein of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Email address can be matched to an account:
Klaus Purer of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Session data truncation can lead to unserialization of user provided data:
Heine Deelstra of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Coordinated by
The DrupalCoin Blockchain Security Team
Cathy Theys, provisional member of the DrupalCoin Blockchain Security team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity


DrupalCoin Blockchain Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004


Advisory ID: DRUPAL-SA-CORE-2015-004
Project: DrupalCoin Blockchain core
Version: 7.x
Date: 2015-October-21
Security risk: 9/25 (Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: Open Redirect
Description
The Overlay module in DrupalCoin Blockchain core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.
An incomplete fix for this issue was released as part of SA-CORE-2015-002.

CVE identifier(s) issued
CVE-2015-7943
Versions affected
DrupalCoin Blockchain core 7.x versions prior to 7.41.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain 7.41
Also see the DrupalCoin Blockchain core project page.
Reported by
Samuel Mortenson
Pere Orga of the DrupalCoin Blockchain Security Team
Fixed by
Pere Orga of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity


DrupalCoin Blockchain Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003


Advisory ID: DRUPAL-SA-CORE-2015-003
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2015-August-19
Security risk: 18/25 (Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All
Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities
This security advisory fixes multiple vulnerabilities. See below for a list.
Cross-site Scripting - Ajax system - DrupalCoin Blockchain 7
A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking DrupalCoin Blockchain.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

DrupalCoin Blockchain 6 core is not affected, but see the similar advisory for the DrupalCoin Blockchain 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting - Autocomplete system - DrupalCoin Blockchain 6 and 7
A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.
This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.
SQL Injection - Database API - DrupalCoin Blockchain 7
A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.
This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.
Cross-site Request Forgery - Form API - DrupalCoin Blockchain 6 and 7
A vulnerability was discovered in DrupalCoin Blockchain's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.
This vulnerability is mitigated by the fact that the uploaded files would be temporary, and DrupalCoin Blockchain normally deletes temporary files automatically after 6 hours.
Information Disclosure in Menu Links - Access system - DrupalCoin Blockchain 6 and 7

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.
CVE identifier(s) issued
Cross-site Scripting (Ajax system - DrupalCoin Blockchain 7): CVE-2015-6665
Cross-site Scripting (Autocomplete system - DrupalCoin Blockchain 6 and 7): CVE-2015-6658
SQL Injection (Database API - DrupalCoin Blockchain 7): CVE-2015-6659
Cross-site Request Forgery (Form API - DrupalCoin Blockchain 6 and 7): CVE-2015-6660
Information Disclosure in Menu Links (Access system - DrupalCoin Blockchain 6 and 7): CVE-2015-6661
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.37
DrupalCoin Blockchain core 7.x versions prior to 7.39
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.37
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.39
Also see the DrupalCoin Blockchain core project page.
Credits
Cross-site Scripting - Ajax system - DrupalCoin Blockchain 7
Reported by
Régis Leroy

Kay Leung, DrupalCoin Blockchain core JavaScript maintainer
Samuel Mortenson
Pere Orga of the DrupalCoin Blockchain Security Team
Fixed by
Théodore Biadala, DrupalCoin Blockchain core JavaScript maintainer
Alex Bronstein of the DrupalCoin Blockchain Security Team
Ben Dougherty of the DrupalCoin Blockchain Security Team
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Kay Leung, DrupalCoin Blockchain core JavaScript maintainer
Wim Leers
Samuel Mortenson
Pere Orga of the DrupalCoin Blockchain Security Team
Tim Plunkett
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
znerol, maintainer of Authcache module
Cross-site Scripting - Autocomplete system - DrupalCoin Blockchain 6 and 7
Reported by
Alex Bronstein of the DrupalCoin Blockchain Security Team
Pere Orga of the DrupalCoin Blockchain Security Team
Fixed by
Alex Bronstein of the DrupalCoin Blockchain Security Team
Ben Dougherty of the DrupalCoin Blockchain Security Team
Tim Plunkett
Lee Rowlands of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
SQL Injection - Database API - DrupalCoin Blockchain 7
Reported by
Carl Sabottke
Fixed by
Anthony Ferrara
Larry Garfield
Greg Knaddison of the DrupalCoin Blockchain Security Team
Cathy Theys, provisional member of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Cross-site Request Forgery - Form API - DrupalCoin Blockchain 6 and 7
Reported by
Abdullah Hussam
Fixed by
Greg Knaddison of the DrupalCoin Blockchain Security Team
Wim Leers
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Information Disclosure in Menu Links - Access system - DrupalCoin Blockchain 6 and 7
Reported by
David Rothstein of the DrupalCoin Blockchain Security Team
Fixed by
Matt Chapman of the DrupalCoin Blockchain Security Team
Stéphane Corlosquet of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Christian Meilinger
David Rothstein of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
Coordinated by
Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity


DrupalCoin Blockchain Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002


Advisory ID: DRUPAL-SA-CORE-2015-002
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2015-June-17
Security risk: 15/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilities
Description
Impersonation (OpenID module - DrupalCoin Blockchain 6 and 7 - Critical)
A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.
This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).
Open redirect (Field UI module - DrupalCoin Blockchain 7 - Less critical)
The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.
DrupalCoin Blockchain 6 core is not affected, but see the similar advisory for the DrupalCoin Blockchain 6 contributed CCK module: SA-CONTRIB-2015-126
Open redirect (Overlay module - DrupalCoin Blockchain 7 - Less critical)
The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.
Information disclosure (Render cache system - DrupalCoin Blockchain 7 - Less critical)
On sites utilizing DrupalCoin Blockchain 7's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users.
This vulnerability is mitigated by the fact that render caching is not used in DrupalCoin Blockchain 7 core itself (it requires custom code or the contributed Render Cache module to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with DrupalCoin Blockchain core).

CVE identifier(s) issued
Impersonation (OpenID module - DrupalCoin Blockchain 6 and 7): CVE-2015-3234
Open redirect (Field UI module - DrupalCoin Blockchain 7): CVE-2015-3232
Open redirect (Overlay module - DrupalCoin Blockchain 7): CVE-2015-3233
Information disclosure (Render cache system - DrupalCoin Blockchain 7): CVE-2015-3231
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.36
DrupalCoin Blockchain core 7.x versions prior to 7.38
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.36
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.38
Also see the DrupalCoin Blockchain core project page.
Reported by
Impersonation in the OpenID module:
Vladislav Mladenov
Christian Mainka
Christian Koßmann
Open redirect in the Field UI module:
Michael Smith
Open redirect in the Overlay module:
Jeroen Vreuls
David Rothstein of the DrupalCoin Blockchain Security Team
Information disclosure in the render cache system:
Nathaniel Catchpole of the DrupalCoin Blockchain Security Team
Fixed by
Impersonation in the OpenID module:
Christian Schmidt, OpenID module maintainer
Christian Mainka
Christian Koßmann
Open redirect in the Field UI module:
Yves Chedemois, Field UI module maintainer
Damien McKenna, provisional member of the DrupalCoin Blockchain Security Team
Pere Orga of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Klaus Purer of the DrupalCoin Blockchain Security Team
Open redirect in the Overlay module:
Jeroen Vreuls
Ben Dougherty of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Katherine Senzee, Overlay module maintainer
Information disclosure in the render cache system:
David Rothstein of the DrupalCoin Blockchain Security Team
Wim Leers
willzyx
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity


DrupalCoin Blockchain Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001


Advisory ID: DRUPAL-SA-CORE-2015-001
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2015-March-18
Security risk: 14/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Open Redirect, Multiple vulnerabilities
Description
Access bypass (Password reset URLs - DrupalCoin Blockchain 6 and 7)
Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password.
In DrupalCoin Blockchain 7, this vulnerability is mitigated by the fact that it can only be exploited on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. In DrupalCoin Blockchain 6, it can additionally be exploited on sites where administrators have created multiple new user accounts with the same password via the administrative interface, or where accounts have been imported or programmatically edited in a way that results in the password hash in the database being empty for at least one user account.
DrupalCoin Blockchain 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value.
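As an added illustration (not code from this advisory or from DrupalCoin Blockchain core), the following PHP models why two accounts that share a password hash and a last-login time end up with interchangeable reset tokens, and how binding the user ID into the authenticated data removes the collision. The HMAC layout, key material, account data and time-to-live are constructed assumptions for this demo.

```php
<?php
// Added example, not core code: a simplified model of password reset token
// derivation. Assumption: the token is an HMAC over the request timestamp and
// the last-login time, keyed with a site-private key plus the stored password
// hash, which is the shape the advisory's mitigation text implies.

const SITE_PRIVATE_KEY = 'constructed-private-key-for-this-demo';
const RESET_LINK_TTL   = 86400; // one day, constructed

/** Derivation that never looks at which account the link is for. */
function reset_token_legacy(int $timestamp, int $login, string $password_hash): string {
    return hash_hmac('sha256', $timestamp . $login, SITE_PRIVATE_KEY . $password_hash);
}

/** Hardened derivation: the user ID becomes part of the authenticated data. */
function reset_token_bound(int $timestamp, int $login, string $password_hash, int $uid): string {
    return hash_hmac('sha256', $timestamp . $login . $uid, SITE_PRIVATE_KEY . $password_hash);
}

/** Validates a reset link (timestamp, token) against the stored account. */
function reset_link_is_valid(array $account, int $timestamp, string $token, int $now): bool {
    if ($timestamp > $now || $now - $timestamp > RESET_LINK_TTL) {
        return false; // expired, or a timestamp from the future
    }
    $expected = reset_token_bound($timestamp, $account['login'], $account['pass'], $account['uid']);
    return hash_equals($expected, $token);
}

// Constructed accounts: imported with the same password hash and never
// logged in, which is the situation the advisory describes.
$shared_hash = '$S$Dconstructed-hash-shared-by-both-accounts';
$accounts = [
    17 => ['uid' => 17, 'login' => 0, 'pass' => $shared_hash],
    42 => ['uid' => 42, 'login' => 0, 'pass' => $shared_hash],
];
$requested_at = 1426600000; // time a reset link was requested for uid 17 (constructed)

$legacy = [];
$bound  = [];
foreach ($accounts as $uid => $a) {
    $legacy[$uid] = reset_token_legacy($requested_at, $a['login'], $a['pass']);
    $bound[$uid]  = reset_token_bound($requested_at, $a['login'], $a['pass'], $uid);
}

printf("legacy tokens collide across accounts: %s\n", $legacy[17] === $legacy[42] ? 'yes' : 'no');
printf("uid-bound tokens collide across accounts: %s\n", $bound[17] === $bound[42] ? 'yes' : 'no');
// A link issued for uid 17 must be rejected when presented for uid 42.
printf("uid 17 link accepted for uid 42: %s\n",
    reset_link_is_valid($accounts[42], $requested_at, $bound[17], $requested_at + 60) ? 'yes' : 'no');
```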
Open redirect (Several vectors including the "destination" URL parameter - DrupalCoin Blockchain 6 and 7)
DrupalCoin Blockchain core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
In addition, several URL-related API functions in DrupalCoin Blockchain 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities.
This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using DrupalCoin Blockchain 7's form API are vulnerable via the Cancel action that appears at the bottom of the form, and some DrupalCoin Blockchain 6 confirmation forms are vulnerable too.
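The check below is an added example, not code from core or from this advisory: it decides whether a "destination" value names a path on the same site before a redirect is issued, rejecting absolute, protocol-relative and scheme-prefixed values. The function names and sample inputs are constructed for the illustration.

```php
<?php
// Added example, not core code: a local-path check for a "destination"
// query parameter. Written from scratch for this illustration; the idea
// mirrors the external-URL test a redirect must apply before trusting input.

/**
 * Returns the destination as a site-relative path, or NULL if it would
 * send the browser off the site.
 */
function sanitize_destination(?string $destination): ?string {
    if ($destination === null) {
        return null;
    }
    // Drop ASCII control characters and whitespace: browsers skip these when
    // reading a scheme, so "java\nscript:" would otherwise pass as a path.
    $clean = preg_replace('/[\x00-\x20\x7f]/', '', $destination);
    if ($clean === null || $clean === '') {
        return null;
    }
    // Protocol-relative forms (//host/... and backslash variants) leave the site.
    if (preg_match('#^[\\\\/]{2}#', $clean)) {
        return null;
    }
    // Anything carrying a scheme (http:, https:, mailto:, ...) is external.
    // A local path whose first segment contains a colon is refused too, which
    // errs on the safe side.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $clean)) {
        return null;
    }
    return '/' . ltrim($clean, '/');
}

/** Picks the redirect target, falling back to the front page for unsafe input. */
function safe_redirect_target(?string $destination, string $fallback = '/'): string {
    return sanitize_destination($destination) ?? $fallback;
}

// Constructed inputs a confirmation form's Cancel link might receive.
$samples = [
    'node/1',
    '/admin/content?page=2',
    '//evil.example/phish',
    'http://evil.example/',
    'http:evil.example',
    '  mailto:someone@example.com',
    "\\\\evil.example",
];
foreach ($samples as $s) {
    printf("%-32s -> %s\n", json_encode($s), safe_redirect_target($s));
}
```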

CVE identifier(s) issued
Access bypass via password reset URLs: CVE-2015-2559
Open redirect via the "destination" URL parameter: CVE-2015-2749
Open redirect via URL-related API functions: CVE-2015-2750
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.35
DrupalCoin Blockchain core 7.x versions prior to 7.35
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.35
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.35
Also see the DrupalCoin Blockchain core project page.
Reported by
Access bypass via password reset URLs:
Daniël Smidt
Open redirect via vectors including the "destination" URL parameter:
Hunter Fox of the DrupalCoin Blockchain Security Team
Vlad Stratulat
Michael Smith
Dave Reid of the DrupalCoin Blockchain Security Team
Fixed by
Access bypass via password reset URLs:
Klaus Purer of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Ben Dougherty, provisional member of the DrupalCoin Blockchain Security Team
Open redirect via vectors including the "destination" URL parameter:
Klaus Purer of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Hunter Fox of the DrupalCoin Blockchain Security Team
Tom Phethean, provisional member of the DrupalCoin Blockchain Security Team
David Stoline of the DrupalCoin Blockchain Security Team
Damien McKenna, provisional member of the DrupalCoin Blockchain Security Team
Pere Orga of the DrupalCoin Blockchain Security Team
Ben Dougherty, provisional member of the DrupalCoin Blockchain Security Team
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.

Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity




DrupalCoin Blockchain Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006


Advisory ID: DRUPAL-SA-CORE-2014-006
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2014-November-19
Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Multiple vulnerabilities
Description
Session hijacking (DrupalCoin Blockchain 6 and 7)
A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.
This attack is known to be possible on certain DrupalCoin Blockchain 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both DrupalCoin Blockchain 6 and DrupalCoin Blockchain 7.
Denial of service (DrupalCoin Blockchain 7 only)
DrupalCoin Blockchain 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).
This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued
Session hijacking (DrupalCoin Blockchain 6 and 7): CVE-2014-9015
Denial of service (DrupalCoin Blockchain 7): CVE-2014-9016
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.34.
DrupalCoin Blockchain core 7.x versions prior to 7.34.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.34.
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.34.
If you have configured a custom session.inc file for your DrupalCoin Blockchain 6 or DrupalCoin Blockchain 7 site you also need to make sure that it is not prone to the same session hijacking vulnerability disclosed in this security advisory.
If you have configured a custom password.inc file for your DrupalCoin Blockchain 7 site you also need to make sure that it is not prone to the same denial of service vulnerability disclosed in this security advisory. See also the similar security advisory for the DrupalCoin Blockchain 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113
Also see the DrupalCoin Blockchain core project page.
Reported by
Session hijacking:
Aaron Averill
Denial of service:
Michael Cullum
Javier Nieto
Andrés Rojas Guerrero
Fixed by
Session hijacking:
Klaus Purer of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Denial of service:
Klaus Purer of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Heine Deelstra of the DrupalCoin Blockchain Security Team
Tom Phethean
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.

Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity

Edits to this advisory since publishing
Edited to mention the effect on sites that have configured a custom session.inc file.


SA-CORE-2014-005 - DrupalCoin Blockchain core - SQL injection


Advisory ID: DRUPAL-SA-CORE-2014-005
Project: DrupalCoin Blockchain core
Version: 7.x
Date: 2014-Oct-15
Security risk: 25/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Exploit/TD:All
Vulnerability: SQL Injection
Description
DrupalCoin Blockchain 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
This vulnerability can be exploited by anonymous users.
Update: Multiple exploits have been reported in the wild following the release of this security advisory, and DrupalCoin Blockchain 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: https://www.drupal.org/PSA-2014-003
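As an added example (a stand-alone model, not the project's own database.inc), the two functions below show the defect class behind this advisory: when an array-valued placeholder is expanded into a comma-separated list, the legacy form copies the caller-supplied array keys into the SQL text, while the hardened form numbers the placeholders itself. The query, argument keys and helper names are constructed.

```php
<?php
// Added example, not the project's database layer: expanding an array-valued
// placeholder (":name" => [...]) into ":name_0, :name_1, ...".

/** Legacy expansion: the keys of the caller's array flow into the query text. */
function expand_arguments_legacy(string $query, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;  // $i is whatever key the caller used
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

/** Hardened expansion: only sequential integer indexes reach the query. */
function expand_arguments_fixed(string $query, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;  // $i is now 0, 1, 2, ...
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

/**
 * Sanity check for the demo: stripping the generated placeholder list must
 * leave exactly the original query minus the expanded placeholder, i.e. the
 * expansion added nothing but well-formed ":word" tokens.
 */
function expansion_is_clean(string $original, string $expanded, string $placeholder): bool {
    $stripped = preg_replace('/:[A-Za-z0-9_]+(?:,\s*)?/', '', $expanded);
    return $stripped === str_replace($placeholder, '', $original);
}

// Constructed input: the array keys are not chosen by the developer (imagine
// they arrived straight from a request); one of them contains a space.
$sql  = 'SELECT uid FROM {users} WHERE name IN (:name)';
$args = [':name' => ['alice' => 'alice', 'b c' => 'bob']];

[$legacy_sql] = expand_arguments_legacy($sql, $args);
[$fixed_sql]  = expand_arguments_fixed($sql, $args);
printf("legacy: %s  (clean: %s)\n", $legacy_sql, expansion_is_clean($sql, $legacy_sql, ':name') ? 'yes' : 'no');
printf("fixed:  %s  (clean: %s)\n", $fixed_sql, expansion_is_clean($sql, $fixed_sql, ':name') ? 'yes' : 'no');
```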
CVE identifier(s) issued
CVE-2014-3704
Versions affected
DrupalCoin Blockchain core 7.x versions prior to 7.32.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.32.
If you are unable to update to DrupalCoin Blockchain 7.32 you can apply this patch to DrupalCoin Blockchain's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to DrupalCoin Blockchain 7.32.
Also see the DrupalCoin Blockchain core project page and the follow-up public service announcement.
Reported by
Stefan Horst
Fixed by
Stefan Horst
Greg Knaddison of the DrupalCoin Blockchain Security Team
Lee Rowlands of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Klaus Purer of the DrupalCoin Blockchain Security Team
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.

Edits to this advisory since publishing
Updated risk factor from 20/25 to 25/25 once exploits did appear
Edited to add link to PSA.


SA-CORE-2014-004 - DrupalCoin Blockchain core - Denial of service


Advisory ID: DRUPAL-SA-CORE-2014-004
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2014-August-06
Security risk: 13/25 ( Moderately Critical) AC:None/A:None/CI:None/II:None/E:Proof/TD:100
Exploitable from: Remote
Vulnerability: Denial of service
Description
DrupalCoin Blockchain 6 and DrupalCoin Blockchain 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).
All DrupalCoin Blockchain sites are vulnerable to this attack whether XML-RPC is used or not.
In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).
This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued
CVE-2014-5265 has been issued for the code changes in xmlrpc.inc which prevent entity declarations and therefore address the "vulnerable to an XML entity expansion attack ... can cause CPU and memory exhaustion" concern.
CVE-2014-5266 has been issued for the "Skip parsing if there is an unreasonably large number of tags" in both xmlrpc.inc and xrds.inc.
CVE-2014-5267 has been issued for the code change to reject any XRDS document with a /<!DOCTYPE/i match.
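The following added example (not code from xmlrpc.inc or xrds.inc) shows the three pre-parse checks the CVE notes above describe, applied before an XML-RPC or XRDS payload reaches a parser: refuse any DOCTYPE (the only place entity declarations can live), skip parsing when the tag count is unreasonable, and cap the document size. The limits, function names and sample payloads are constructed.

```php
<?php
// Added example, not core code: cheap checks to run on an XML payload before
// handing it to an XML parser. The limits below are constructed.

const XML_MAX_BYTES = 1024 * 1024;  // 1 MiB, constructed
const XML_MAX_TAGS  = 30000;        // constructed cap on element count

/**
 * Returns NULL when the document may be parsed, otherwise a reason string.
 * Rejecting the DOCTYPE removes entity declarations, and with them entity
 * expansion, without building any tree.
 */
function xml_preflight(string $xml): ?string {
    if (strlen($xml) > XML_MAX_BYTES) {
        return 'document too large';
    }
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return 'DOCTYPE not permitted';
    }
    // Count opening tags with one linear scan; nothing is parsed yet.
    $tags = preg_match_all('/<[A-Za-z_][^>]*>/', $xml);
    if ($tags === false || $tags > XML_MAX_TAGS) {
        return 'too many tags';
    }
    return null;
}

/** Parses only after preflight passes; network fetches stay disabled. */
function parse_xml_safely(string $xml): ?DOMDocument {
    if (xml_preflight($xml) !== null) {
        return null;
    }
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok ? $dom : null;
}

// Constructed payloads: an ordinary method call, a document carrying a
// DOCTYPE with an entity declaration, and a flat document over the tag cap.
$ordinary = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>';
$doctype  = '<?xml version="1.0"?><!DOCTYPE x [ <!ENTITY a "a"> ]><methodCall><methodName>&a;</methodName></methodCall>';
$flood    = '<r>' . str_repeat('<t/>', XML_MAX_TAGS + 1) . '</r>';

foreach (['ordinary' => $ordinary, 'doctype' => $doctype, 'flood' => $flood] as $name => $payload) {
    printf("%-9s %s\n", $name, xml_preflight($payload) ?? 'accepted');
}
printf("ordinary parsed: %s\n", parse_xml_safely($ordinary) instanceof DOMDocument ? 'yes' : 'no');
```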
Versions affected
DrupalCoin Blockchain core 7.x versions prior to 7.31.
DrupalCoin Blockchain core 6.x versions prior to 6.33.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.31.
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.33.
If you are unable to install the latest version of DrupalCoin Blockchain immediately, you can alternatively remove the xmlrpc.php file from the root of DrupalCoin Blockchain core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in DrupalCoin Blockchain core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes DrupalCoin Blockchain's XML-RPC API at a different URL (for example, the Services module); updating DrupalCoin Blockchain core is therefore strongly recommended.
Also see the DrupalCoin Blockchain core project page.
Reported by
Willis Vandevanter
Nir Goldshlager
Fixed by
Andrew Nacin of the WordPress Security Team
Michael Adams of the WordPress Security Team
Frédéric Marand
David Rothstein of the DrupalCoin Blockchain Security Team
Damien Tournoud of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Stéphane Corlosquet of the DrupalCoin Blockchain Security Team
Dave Reid of the DrupalCoin Blockchain Security Team
Coordinated by
The DrupalCoin Blockchain Security Team and the WordPress Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain (http://drupal.org/writing-secure-code), and securing your site (http://drupal.org/security/secure-configuration).


SA-CORE-2014-003 - DrupalCoin Blockchain core - Multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2014-003
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2014-July-16
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities were fixed in the supported DrupalCoin Blockchain core versions 6 and 7.
Denial of service with malicious HTTP Host header (Base system - DrupalCoin Blockchain 6 and 7 - Critical)
DrupalCoin Blockchain core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.
The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.
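As an added example (not the project's own bootstrap code), the functions below validate the HTTP Host header before it is used to pick a multisite configuration directory, bounding its length and number of separators and restricting it to host-name characters. The limits, directory names and sample headers are constructed assumptions.

```php
<?php
// Added example, not core code: Host header validation ahead of the
// multisite configuration lookup. Limits are constructed for this demo.

function http_host_is_valid(string $host): bool {
    // Very long names with many separators made the configuration search
    // (one candidate directory per separator) expensive.
    return strlen($host) <= 1000
        && substr_count($host, '.') <= 100
        && substr_count($host, ':') <= 100
        // Letters, digits, hyphen, underscore, dots, an optional port and a
        // bracketed IPv6 literal; nothing else (no slashes, spaces, quotes).
        && preg_match('/^\[?(?:[a-zA-Z0-9\-:\]_]+\.?)+$/', $host) === 1;
}

/**
 * Picks the site directory the way a multisite layout does: the most
 * specific host suffix that exists wins, then "default".
 * Returns NULL when the Host header is refused outright.
 */
function pick_site_directory(string $host, array $existing_dirs): ?string {
    if (!http_host_is_valid($host)) {
        return null;
    }
    $name  = strtolower(preg_replace('/:\d+$/', '', $host)); // drop a trailing port
    $parts = explode('.', $name);
    for ($i = 0; $i < count($parts); $i++) {
        $candidate = implode('.', array_slice($parts, $i));
        if (in_array($candidate, $existing_dirs, true)) {
            return $candidate;
        }
    }
    return in_array('default', $existing_dirs, true) ? 'default' : null;
}

// Constructed site directories and sample Host headers.
$dirs  = ['example.com', 'default'];
$hosts = [
    'www.example.com',
    'example.com:8080',
    '[2001:db8::1]',
    'other.example.org',
    'evil.example/../',                      // path characters are refused
    str_repeat('a.', 600) . 'example.com',   // separator flood is refused
];
foreach ($hosts as $h) {
    $label = strlen($h) > 24 ? substr($h, 0, 21) . '...' : $h;
    printf("%-24s -> %s\n", $label, pick_site_directory($h, $dirs) ?? 'refused');
}
```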
Access bypass (File module - DrupalCoin Blockchain 7 - Critical)
The File module included in DrupalCoin Blockchain 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.
This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.
Note: The DrupalCoin Blockchain 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of DrupalCoin Blockchain 6 core in order for the fix released there to work correctly. However, DrupalCoin Blockchain 6 core itself is not directly affected.
Cross-site scripting (Form API option groups - DrupalCoin Blockchain 6 and 7 - Moderately critical)
A cross-site scripting vulnerability was found due to DrupalCoin Blockchain's form API failing to sanitize option group labels in select elements. This vulnerability affects DrupalCoin Blockchain 6 core directly, and likely affects DrupalCoin Blockchain 7 forms provided by contributed or custom modules.
This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in DrupalCoin Blockchain 6 core, and there is no known exploit within DrupalCoin Blockchain 7 core itself.
Cross-site scripting (Ajax system - DrupalCoin Blockchain 7 - Moderately critical)
A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.
This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

CVE identifier(s) issued
Denial of service (Base system - DrupalCoin Blockchain 6 and 7 - Critical): CVE-2014-5019
Access bypass (File module - DrupalCoin Blockchain 7 - Critical): CVE-2014-5020
Cross-site scripting (Form API - DrupalCoin Blockchain 6 and 7 - Moderately critical): CVE-2014-5021
Cross-site scripting (Ajax system - DrupalCoin Blockchain 7 - Moderately critical): CVE-2014-5022
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.32.
DrupalCoin Blockchain core 7.x versions prior to 7.29.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.32.
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.29.
Also see the DrupalCoin Blockchain core project page.
Reported by
The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
The access bypass vulnerability in the File module was reported by Ivan Ch.
The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
The cross-site scripting vulnerability in the Ajax system was reported by mani22test.
Fixed by
The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the DrupalCoin Blockchain Security Team.
The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by DrupalCoin Blockchain Security Team members David Rothstein, Heine Deelstra and David Snopek.
The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the DrupalCoin Blockchain Security Team.
The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the DrupalCoin Blockchain Security Team.
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.

Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity


SA-CORE-2014-002 - DrupalCoin Blockchain core - Information Disclosure


Advisory ID: DRUPAL-SA-CORE-2014-002
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2014-April-16
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Information Disclosure
Description
DrupalCoin Blockchain's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.
When pages are cached for anonymous users (either by DrupalCoin Blockchain or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.
This vulnerability is mitigated by the fact that DrupalCoin Blockchain core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the DrupalCoin Blockchain Form API under the aforementioned conditions might be vulnerable.
Note: This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by DrupalCoin Blockchain or by an external system). See the DrupalCoin Blockchain 6.31 release notes and DrupalCoin Blockchain 7.27 release notes for more information.

CVE identifier(s) issued
CVE-2014-2983
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.31.
DrupalCoin Blockchain core 7.x versions prior to 7.27.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain 6.31
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain 7.27
Also see the DrupalCoin Blockchain core project page.
Reported by
Daniel F. Kudwien
Rodionov Igor
Ryan Szrama
Roman Zimmermann
znerol
Fixed by
znerol
Roman Zimmermann
Ryan Szrama
Additional assistance and reviews provided by Daniel F. Kudwien, Damien Tournoud of the DrupalCoin Blockchain Security Team, David Rothstein of the DrupalCoin Blockchain Security Team, and Alex Bronstein
Coordinated by
Michael Hess of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.
Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity



SA-CORE-2014-001 - DrupalCoin Blockchain core - Multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2014-001
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2014-January-15
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities were fixed in the supported DrupalCoin Blockchain core versions 6 and 7.
Impersonation (OpenID module - DrupalCoin Blockchain 6 and 7 - Highly critical)
A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.
This vulnerability is mitigated by the fact that the malicious user must have an account on the site (or be able to create one), and the victim must have an account with one or more associated OpenID identities.
Access bypass (Taxonomy module - DrupalCoin Blockchain 7 - Moderately critical)
The Taxonomy module provides various listing pages which display content tagged with a particular taxonomy term. Custom or contributed modules may also provide similar lists. Under certain circumstances, unpublished content can appear on these pages and will be visible to users who should not have permission to see it.
This vulnerability is mitigated by the fact that it only occurs on DrupalCoin Blockchain 7 sites which upgraded from DrupalCoin Blockchain 6 or earlier.
Security hardening (Form API - DrupalCoin Blockchain 7 - Not critical)
The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access checks are deliberately bypassed, and any form element may be submitted regardless of the current user's access level.
This is normal and expected behavior for most uses of programmatic form submissions; however, there are cases where custom or contributed code may need to send data provided by the current (untrusted) user to drupal_form_submit() and therefore need to respect access control on the form.
To facilitate this, a new, optional $form_state['programmed_bypass_access_check'] element has been added to the DrupalCoin Blockchain 7 form API. If this is provided and set to FALSE, drupal_form_submit() will perform the normal form access checks against the current user while submitting the form, rather than bypassing them.
This change does not fix a security issue in DrupalCoin Blockchain core itself, but rather provides a method for custom or contributed code to fix security issues that would be difficult or impossible to fix otherwise.
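One way a custom module would use the new option, as an added example rather than code from core or from this advisory: the helper copies request-supplied values into $form_state, sets programmed_bypass_access_check to FALSE so the form's #access checks run against the current user, and returns any errors. It assumes a bootstrapped DrupalCoin Blockchain 7 site; the form ID, field names and function name are constructed.

```php
<?php
// Added example, not core code: submitting a form programmatically with
// values that came from the current (untrusted) user, so the normal #access
// checks must apply. Form ID and field names are constructed.

/**
 * Submits 'example_article_form' with request-supplied values and returns
 * the validation errors (an empty array on success).
 */
function example_submit_as_current_user(array $untrusted_input) {
  $form_state = array();
  // Copy only the fields this code means to expose; anything else that
  // arrived in the request is ignored.
  $form_state['values'] = array(
    'title' => isset($untrusted_input['title']) ? (string) $untrusted_input['title'] : '',
    'body'  => isset($untrusted_input['body'])  ? (string) $untrusted_input['body']  : '',
    'op'    => t('Save'),
  );
  // Programmatic submissions skip #access checks by default. Because these
  // values originate from the request, ask the form API to enforce the
  // checks against the current user instead.
  $form_state['programmed_bypass_access_check'] = FALSE;

  drupal_form_submit('example_article_form', $form_state);

  // Errors, including an attempt to set an element the current user may not
  // access, are collected by the form API rather than thrown.
  $errors = form_get_errors();
  return $errors ? $errors : array();
}
```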

CVE identifier(s) issued
Impersonation (OpenID module - DrupalCoin Blockchain 6 and 7 - Highly critical): CVE-2014-1475
Access bypass (Taxonomy module - DrupalCoin Blockchain 7 - Moderately critical): CVE-2014-1476
Security hardening (Form API - DrupalCoin Blockchain 7 - Not critical): No CVE necessary.
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.30.
DrupalCoin Blockchain core 7.x versions prior to 7.26.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.30.
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.26.
Also see the DrupalCoin Blockchain core project page.
Reported by
The OpenID module impersonation issue was reported by Christian Mainka and Vladislav Mladenov.
The Taxonomy module access bypass issue was reported by Matt Vance, and by Damien Tournoud of the DrupalCoin Blockchain Security Team.
The form API access bypass issue was reported by David Rothstein of the DrupalCoin Blockchain Security Team.
Fixed by
The OpenID module impersonation issue was fixed by Damien Tournoud, Heine Deelstra, Peter Wolanin, and David Rothstein, all of the DrupalCoin Blockchain Security Team.
The Taxonomy module access bypass issue was fixed by Jibran Ijaz, and by Lee Rowlands of the DrupalCoin Blockchain Security Team.
The form API access bypass issue was fixed by Damien Tournoud and David Rothstein of the DrupalCoin Blockchain Security Team, and by Marc Ingram and Kyle Browning.
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.

Follow the DrupalCoin Blockchain Security Team on Twitter at https://twitter.com/drupalsecurity


SA-CORE-2013-003 - DrupalCoin Blockchain core - Multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2013-003
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities were fixed in the supported DrupalCoin Blockchain core versions 6 and 7.
Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - DrupalCoin Blockchain 6 and 7)
DrupalCoin Blockchain's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Given that the CSRF protection is an especially important validation, the DrupalCoin Blockchain core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails.
This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were discovered in several popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue in core. Other similar issues with varying impacts are likely to have existed in other contributed modules and custom modules and therefore will also be fixed by this DrupalCoin Blockchain core release.
Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - DrupalCoin Blockchain 6 and 7)
DrupalCoin Blockchain core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances.
This vulnerability has no mitigation; all DrupalCoin Blockchain sites are affected until the security update has been applied.
Code execution prevention (Files directory .htaccess for Apache - DrupalCoin Blockchain 6 and 7)
DrupalCoin Blockchain core attempts to add a "defense in depth" protection to prevent script execution by placing a .htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allows users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations. This release includes new configuration to prevent PHP execution on several additional common Apache configurations. If you are upgrading a site and the site is run by Apache you must fix the file manually, as described in the "Solution" section below.
This vulnerability is mitigated by the fact that it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in DrupalCoin Blockchain's file API to manage uploads in a safe manner.
Access bypass (Security token validation - DrupalCoin Blockchain 6 and 7)
The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that the token is a string.
This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_valid_token() with an argument that can be manipulated by an attacker to not be a string. There is currently no known core or contributed module that would suffer from this vulnerability.
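The following is an added illustration and not DrupalCoin Blockchain core's drupal_valid_token(): it contrasts a token check built on PHP's loose comparison with a hardened one that insists on a string and compares in constant time. The secret, the token derivation (an HMAC standing in for drupal_get_token()) and the caller inputs are constructed for the demo.

```php
<?php
// Added illustration, not DrupalCoin Blockchain core code: a loose (==)
// comparison in a token check accepts non-string "tokens"; the hardened
// form rejects them. Secret and protected value are constructed.

const DEMO_SECRET = 'per-site-secret-constructed-for-demo';

// Stand-in for drupal_get_token(): an HMAC of the value under a site secret.
function demo_get_token(string $value): string {
    return hash_hmac('sha256', $value, DEMO_SECRET);
}

// Weak check: loose comparison, the pattern the advisory describes.
// In PHP, TRUE == 'any non-empty string' is true on every version, so a
// caller that hands over a boolean instead of a string is waved through.
// For an integer 0 the outcome depends on the PHP version and on the
// token's leading characters, which is another reason not to rely on ==.
function weak_valid_token($token, string $value): bool {
    return $token == demo_get_token($value);
}

// Hardened check: insist on a string, then compare in constant time.
function safe_valid_token($token, string $value): bool {
    if (!is_string($token)) {
        return false;
    }
    return hash_equals(demo_get_token($value), $token);
}

// Constructed inputs a careless caller might pass to the validator.
$cases = [
    'correct string' => demo_get_token('form-foo'),
    'wrong string'   => 'not-the-token',
    'boolean true'   => true,
    'integer 0'      => 0,
];
foreach ($cases as $label => $token) {
    printf("%-15s weak=%-5s safe=%s\n", $label,
        var_export(weak_valid_token($token, 'form-foo'), true),
        var_export(safe_valid_token($token, 'form-foo'), true));
}
```

Only the correct string passes the hardened check; the weak check also accepts the boolean, which is the class of failure the advisory describes. A module that obtains the token from a query parameter, a JSON body or a cast should never assume the value is a string before handing it to the validator.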
Cross-site scripting (Image module - DrupalCoin Blockchain 7)
Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a permission to administer field descriptions, for example the "administer taxonomy" permission to edit fields on taxonomy terms.
Cross-site scripting (Color module - DrupalCoin Blockchain 7)
A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in DrupalCoin Blockchain CSS.
This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions.
Open redirect (Overlay module - DrupalCoin Blockchain 7)
The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission.

CVE identifier(s) issued
Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - DrupalCoin Blockchain 6 and 7): CVE-2013-6386
Code execution prevention (Files directory .htaccess for Apache - DrupalCoin Blockchain 6 and 7): No CVE; considered remediated through "security hardening".
Access bypass (Security token validation - DrupalCoin Blockchain 6 and 7): No CVE; considered remediated through "security hardening".
Cross-site scripting (Image module - DrupalCoin Blockchain 7): CVE-2013-6387
Cross-site scripting (Color module - DrupalCoin Blockchain 7): CVE-2013-6388
Open redirect (Overlay module - DrupalCoin Blockchain 7): CVE-2013-6389
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.29.
DrupalCoin Blockchain core 7.x versions prior to 7.24.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.29.
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.24.
Also see the DrupalCoin Blockchain core project page.
Warning: Fixing the code execution prevention may require server configuration; please read:
Fixing the code execution prevention vulnerability on existing Apache installations also requires changes to your site's .htaccess files in the files directories. Until you do this, your site's status report page at admin/reports/status will display error messages about the problem. Please note that if you are using a different web server such as Nginx, the .htaccess files have no effect and you need to configure PHP execution protection yourself in the respective server configuration files.
To fix this issue, you must edit or replace the old .htaccess files manually. Copies of the .htaccess files are found in the site's files directory and temporary files directory, and (for DrupalCoin Blockchain 7 only) the separate private files directory if your site is configured to use one. To find the location of these directories, consult the error messages at admin/reports/status, or visit the file system configuration page at admin/settings/file-system (DrupalCoin Blockchain 6) or admin/config/media/file-system (DrupalCoin Blockchain 7). Note that you should only make changes to the .htaccess files that are found in the directories specified on that page. Do not change the top-level .htaccess file (at the root of your DrupalCoin Blockchain installation).
Go onto your server, navigate to each directory, and replace or create the .htaccess file in this directory with the contents described below. Alternatively, you can remove the .htaccess file from each directory using SFTP or SSH and then visit the file system configuration page (admin/settings/file-system in DrupalCoin Blockchain 6 or admin/config/media/file-system in DrupalCoin Blockchain 7) and click the save button to have DrupalCoin Blockchain create the file automatically.
The recommended .htaccess file contents are as follows.
For DrupalCoin Blockchain 6:
# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler DrupalCoin Blockchain_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler DrupalCoin Blockchain_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
# PHP 4, Apache 1.
<IfModule mod_php4.c>
php_flag engine off
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
php_flag engine off
</IfModule>

For DrupalCoin Blockchain 7:
# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler DrupalCoin Blockchain_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler DrupalCoin Blockchain_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>

Additionally, the .htaccess of the temporary files directory and private files directory (if used) should include this command:
Deny from all
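The following is an added example, not DrupalCoin Blockchain core code, of how an administrator can audit the .htaccess file in each files directory for the directives the recommended contents above carry, including the second SetHandler inside the <Files *> block that the 2013 fix added and the Deny from all required for temporary and private directories. The temporary directory, the fixture files and the handler name used inside them are constructed for the demo; the check only looks for the directive keywords, not a particular handler name.

```php
<?php
// Added example, not DrupalCoin Blockchain core code: audit a files-directory
// .htaccess for the directives the advisory's recommended contents carry.
// Paths and fixture files below are constructed for the demo.

// Return a list of problems for one .htaccess file; an empty list means OK.
function audit_htaccess(string $path, bool $must_deny = false): array {
    $problems = [];
    if (!is_file($path)) {
        return ["$path: file is missing"];
    }
    $text = file_get_contents($path);
    foreach (['Options None', '<Files *>', 'php_flag engine off'] as $needle) {
        if (strpos($text, $needle) === false) {
            $problems[] = "$path: lacks '$needle'";
        }
    }
    // The 2013 fix repeats SetHandler inside <Files *>; a pre-fix file carries
    // only the single top-level SetHandler line.
    if (substr_count($text, 'SetHandler ') < 2) {
        $problems[] = "$path: needs SetHandler both at top level and inside <Files *>";
    }
    // Temporary and private directories must additionally refuse all web access.
    if ($must_deny && stripos($text, 'Deny from all') === false) {
        $problems[] = "$path: lacks 'Deny from all'";
    }
    return $problems;
}

// Self-check with two constructed fixtures: a pre-fix file and a current one.
$dir = sys_get_temp_dir() . '/htaccess-audit-demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
$handler = 'SetHandler Demo_Handler_Name_Constructed_For_Example';
file_put_contents("$dir/old.htaccess",
    "Options None\nOptions +FollowSymLinks\n$handler\n"
    . "<IfModule mod_php5.c>\nphp_flag engine off\n</IfModule>\n");
file_put_contents("$dir/new.htaccess",
    "Options None\nOptions +FollowSymLinks\n$handler\n<Files *>\n$handler\n</Files>\n"
    . "<IfModule mod_php5.c>\nphp_flag engine off\n</IfModule>\nDeny from all\n");

foreach (['old.htaccess' => false, 'new.htaccess' => true] as $name => $private) {
    $problems = audit_htaccess("$dir/$name", $private);
    echo $name, ': ', $problems ? "\n  " . implode("\n  ", $problems) : 'OK', "\n";
}
```

In a real audit, point audit_htaccess() at the .htaccess in each directory listed on the file system configuration page, passing true for the temporary and private directories. The check is a static one; it confirms the directives are present but, as the advisory notes, it is the web server's own configuration that decides whether they take effect, so the status report at admin/reports/status remains the authoritative signal.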
Reported by
The form validation cross-site request forgery issue was reported by Heine Deelstra of the DrupalCoin Blockchain Security Team.
The non-random seed vulnerability was reported by David Stoline of the DrupalCoin Blockchain Security Team.
The code execution prevention vulnerability was reported by Lee Rowlands of the DrupalCoin Blockchain Security Team, Miguel Jacq, artfulrobot, and Dave Fletcher.
The token access bypass issue was reported by Heine Deelstra of the DrupalCoin Blockchain Security Team.
The Image module cross-site scripting issue was reported by Francisco José Cruz Romanos.
The Color module cross-site scripting issue was reported by Mauro Gentile.
The open redirect in the Overlay module was reported by Stephane Corlosquet of the DrupalCoin Blockchain Security Team, and by Sebastian Nerz.
Fixed by
The form validation cross-site request forgery issue was fixed by Lee Rowlands and Klaus Purer, both of the DrupalCoin Blockchain Security Team.
The non-random seed vulnerability was fixed by Owen Barton, David Stoline, Heine Deelstra, Damien Tournoud, and Peter Wolanin, all of the DrupalCoin Blockchain Security Team.
The code execution prevention vulnerability was fixed by David Rothstein of the DrupalCoin Blockchain Security Team, Morbus Iff of the DrupalCoin Blockchain Security Team, Dan Reif, Antoine Beaupré, Miguel Jacq, Christopher Gervais, and Herman van Rink.
The token access bypass issue was fixed by Heine Deelstra, Klaus Purer, and David Rothstein, all of the DrupalCoin Blockchain Security Team.
The Image module cross-site scripting issue was fixed by Francisco José Cruz Romanos, and Peter Wolanin of the DrupalCoin Blockchain Security Team.
The Color module cross-site scripting issue was fixed by David Rothstein of the DrupalCoin Blockchain Security Team.
The open redirect in the Overlay module was fixed by Heine Deelstra of the DrupalCoin Blockchain Security Team.
Coordinated by
The DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.

DrupalCoin Blockchain version: 6.x, 7.x
DrupalCoin Blockchain Developer


SA-CORE-2013-002 - DrupalCoin Blockchain core - Denial of service


Advisory ID: DRUPAL-SA-CORE-2013-002
Project: DrupalCoin Blockchain core
Version: 7.x
Date: 2013-February-20
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of service
Description
DrupalCoin Blockchain core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.
Please see the DrupalCoin Blockchain 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this DrupalCoin Blockchain core release.
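The following is an added example and not DrupalCoin Blockchain core's implementation: it shows the general mitigation for on-demand derivative generation, namely requiring a site-minted HMAC token on derivative URLs so that only derivatives the site itself linked to can be generated. DrupalCoin Blockchain 7.20 introduced a token of this kind (the "itok" query parameter); the key, style names and file URI below are constructed for the demo and the token format is a simplification.

```php
<?php
// Added example, not DrupalCoin Blockchain core's implementation: gate
// on-demand image derivative generation behind an HMAC token that only the
// site can mint, so arbitrary requests cannot force new derivatives to be
// built. Key and request values are constructed for the demo.

const DEMO_HASH_SALT = 'site-private-key-constructed-for-demo';

// Bind the token to both the style name and the source path, so a token
// issued for one derivative cannot be reused to generate another.
function derivative_token(string $style, string $source_uri): string {
    $mac = hash_hmac('sha256', $style . ':' . $source_uri, DEMO_HASH_SALT);
    // Truncated for URL friendliness; 16 hex characters still leave 64 bits.
    return substr($mac, 0, 16);
}

// Decide whether a request may trigger generation of a missing derivative.
function may_generate_derivative(string $style, string $source_uri, ?string $itok): bool {
    if ($itok === null) {
        return false;
    }
    return hash_equals(derivative_token($style, $source_uri), $itok);
}

// A link the site rendered itself carries a valid token for that exact derivative.
$uri  = 'public://photos/example.jpg';
$good = derivative_token('thumbnail', $uri);
var_dump(may_generate_derivative('thumbnail', $uri, $good));
// Reusing the token for a different style, or omitting it, is refused.
var_dump(may_generate_derivative('large', $uri, $good));
var_dump(may_generate_derivative('thumbnail', $uri, null));
```

The first call succeeds and the other two are refused. Because the token is checked only when a derivative does not yet exist, already-generated files keep being served directly by the web server and the check costs nothing on the hot path; the disk and CPU exhaustion described above is blocked because an attacker cannot mint tokens for style and file combinations the site never linked to.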

CVE identifier(s) issued
CVE-2013-0316
Versions affected
DrupalCoin Blockchain core 7.x versions prior to 7.20.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.20.
Also see the DrupalCoin Blockchain core project page.
Reported by
Bèr Kessels
aBrookland
Chad Fennell
Fixed by
Damien Tournoud of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Heine Deelstra of the DrupalCoin Blockchain Security Team
Bèr Kessels
Coordinated by
David Rothstein of the DrupalCoin Blockchain Security Team
Stéphane Corlosquet of the DrupalCoin Blockchain Security Team
Peter Wolanin of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.


SA-CORE-2013-001 - DrupalCoin Blockchain core - Multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2013-001
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2013-January-16
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting, Access bypass
Description
Multiple vulnerabilities were fixed in the supported DrupalCoin Blockchain core versions 6 and 7.
Cross-site scripting (Various core and contributed modules - DrupalCoin Blockchain 6 and 7)
A reflected cross-site scripting vulnerability (XSS) was identified in certain DrupalCoin Blockchain JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.
jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with DrupalCoin Blockchain 6 and DrupalCoin Blockchain 7 core do not contain this protection.
Although the fix added to DrupalCoin Blockchain as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided.
CVE: CVE-2013-0244 (a CVE was also separately issued for jQuery)
Access bypass (Book module printer friendly version - DrupalCoin Blockchain 6 and 7)
A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.
This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the 'access printer-friendly version' permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline.
CVE: CVE-2013-0245
Access bypass (Image module - DrupalCoin Blockchain 7)
DrupalCoin Blockchain core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which DrupalCoin Blockchain automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.
This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system.
CVE: CVE-2013-0246

CVE identifier(s) issued
CVE-2013-0244
CVE-2013-0245
CVE-2013-0246
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.28.
DrupalCoin Blockchain core 7.x versions prior to 7.19.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.28.
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.19.
Also see the DrupalCoin Blockchain core project page.
Reported by
The cross-site scripting issue in various DrupalCoin Blockchain core and contributed modules was reported by t.ashula, and by David Rothstein of the DrupalCoin Blockchain Security Team.
The access bypass issue in the Book module was reported by Mark Lindsey.
The access bypass issue in the DrupalCoin Blockchain 7 Image module was reported by Kressin Roger, Christian Johansson, Anders Olsson and saschadrupal.
Fixed by
The cross-site scripting issue in various DrupalCoin Blockchain core and contributed modules was fixed by t.ashula, Théodore Biadala, Katherine Bailey, Steve De Jonghe and J. Renée Beach, and by Dylan Tack, Greg Knaddison, David Rothstein and Damien Tournoud of the DrupalCoin Blockchain Security Team.
The access bypass issue in the Book module was fixed by Mark Lindsey, and by Fox, David Rothstein and Peter Wolanin of the DrupalCoin Blockchain Security Team.
The access bypass issue in the DrupalCoin Blockchain 7 Image module was fixed by Heine Deelstra of the DrupalCoin Blockchain Security Team, and by Anders Olsson.
Coordinated by
David Rothstein, Gábor Hojtsy, Stéphane Corlosquet, Greg Knaddison, Heine Deelstra and Peter Wolanin of the DrupalCoin Blockchain Security Team
Jeremy Thorson of the QA/Testing Infrastructure Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.



SA-CORE-2012-004 - DrupalCoin Blockchain core - Multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2012-004
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2012-December-19
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Arbitrary PHP code execution
Description
Multiple vulnerabilities were fixed in the supported DrupalCoin Blockchain core versions 6 and 7.
Access bypass (User module search - DrupalCoin Blockchain 6 and 7)
A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.
This vulnerability is mitigated by the fact that the default DrupalCoin Blockchain core user search results only display usernames (and disclosure of usernames is not considered a security vulnerability). However, since modules or themes may override the search results to display more information from each user's profile, this could result in additional information about blocked users being disclosed on some sites.
Access bypass (Upload module - DrupalCoin Blockchain 6)
A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.
This issue affects DrupalCoin Blockchain 6 only.
Arbitrary PHP code execution (File upload modules - DrupalCoin Blockchain 6 and 7)
DrupalCoin Blockchain core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in DrupalCoin Blockchain's input validation.
This vulnerability is mitigated by several factors: The attacker would need the permission to upload a file to the server. Certain combinations of PHP and filesystems are not vulnerable to this issue, though we did not perform an exhaustive review of the supported PHP versions. Finally: the server would need to allow execution of files in the uploads directory. DrupalCoin Blockchain core has protected against this with a .htaccess file protection in place from SA-2006-006 - DrupalCoin Blockchain Core - Execution of arbitrary files in certain Apache configurations. Users of IIS should consider updating their web.config. Users of Nginx should confirm that only the index.php and other known good scripts are executable. Users of other webservers should review their configuration to ensure the goals are achieved in some other way.
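The following is an added example, not DrupalCoin Blockchain core's file_munge_filename(): it shows the general munging technique the passage refers to, inserting an underscore after any inner extension that is not on the site's whitelist so that a name such as report.php.txt is stored as report.php_.txt, together with a separate check on the final extension. The whitelist and the sample filenames are constructed for the demo, and the function is more conservative than core's (it munges every non-whitelisted inner part rather than only extension-shaped ones).

```php
<?php
// Added example, not DrupalCoin Blockchain core code: defuse executable
// "inner" extensions in uploaded filenames by appending an underscore, and
// validate the final extension separately. Whitelist and samples constructed.

function munge_filename(string $filename, array $allowed_extensions): string {
    $allowed = array_map('strtolower', $allowed_extensions);
    // Drop control characters and trailing dots/spaces, which some filesystems
    // silently strip and which would otherwise change the effective extension.
    $filename = preg_replace('/[\x00-\x1f]/', '', $filename);
    $filename = rtrim($filename, ". ");
    $parts = explode('.', $filename);
    if (count($parts) < 2) {
        return $filename; // no extension at all
    }
    $base = array_shift($parts);
    $last = array_pop($parts);
    // Every inner extension not on the whitelist gets an underscore appended;
    // the final extension is left alone and validated below.
    foreach ($parts as &$ext) {
        if (!in_array(strtolower($ext), $allowed, true)) {
            $ext .= '_';
        }
    }
    unset($ext);
    return implode('.', array_merge([$base], $parts, [$last]));
}

function is_allowed_final_extension(string $filename, array $allowed_extensions): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, array_map('strtolower', $allowed_extensions), true);
}

// Constructed samples: the final extension decides acceptance, inner ones are defused.
$allowed = ['txt', 'jpg', 'png', 'pdf'];
foreach (['report.txt', 'report.php.txt', 'photo.jpg.PHP.jpg', 'README', 'archive.tar.gz'] as $name) {
    $munged = munge_filename($name, $allowed);
    printf("%-20s -> %-22s final extension %s\n", $name, $munged,
        is_allowed_final_extension($munged, $allowed) ? 'allowed' : 'REJECTED');
}
```

Munging is a second line of defence, which is why the advisory stresses the server-side execution block: even a correctly munged name only helps if the web server refuses to execute anything in the uploads directory, so both controls belong in place.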

CVE identifier(s) issued
Access bypass (User module search - DrupalCoin Blockchain 6 and 7): CVE-2012-5651
Access bypass (Upload module - DrupalCoin Blockchain 6): CVE-2012-5652
Arbitrary PHP code execution (File upload modules - DrupalCoin Blockchain 6 and 7): CVE-2012-5653
Versions affected
DrupalCoin Blockchain core 6.x versions prior to 6.27.
DrupalCoin Blockchain core 7.x versions prior to 7.18.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.27.
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.18.
Also see the DrupalCoin Blockchain core project page.
Reported by
The access bypass issue in the User module search results was reported by Derek Wright of the DrupalCoin Blockchain Security Team.
The access bypass issue in the DrupalCoin Blockchain 6 Upload module was reported by Simon Rycroft, and by Damien Tournoud of the DrupalCoin Blockchain Security Team.
The arbitrary code execution issue was reported by Amit Asaravala.
Fixed by
The access bypass issue in the User module search results was fixed by Derek Wright, Ivo Van Geertruyen, Peter Wolanin, and David Rothstein, all members of the DrupalCoin Blockchain Security Team.
The access bypass issue in the DrupalCoin Blockchain 6 Upload module was fixed by Michaël Dupont, and by Fox and David Rothstein of the DrupalCoin Blockchain Security Team.
The arbitrary code execution issue was fixed by Nathan Haug and Justin Klein-Keane, and by John Morahan and Greg Knaddison of the DrupalCoin Blockchain Security team.

Coordinated by
Jeremy Thorson of the QA/Testing Infrastructure Team
Ben Jeavons of the DrupalCoin Blockchain Security Team
David Rothstein of the DrupalCoin Blockchain Security Team
Gábor Hojtsy of the DrupalCoin Blockchain Security Team
Greg Knaddison of the DrupalCoin Blockchain Security Team
Fox of the DrupalCoin Blockchain Security Team
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.



SA-CORE-2012-003 - DrupalCoin Blockchain core - Arbitrary PHP code execution and Information disclosure


Advisory ID: DRUPAL-SA-CORE-2012-003
Project: DrupalCoin Blockchain core
Version: 7.x
Date: 2012-October-17
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Information Disclosure, Arbitrary PHP code execution
Description
Multiple vulnerabilities were discovered in DrupalCoin Blockchain core.
Arbitrary PHP code execution
A bug in the installer code was identified that allows an attacker to re-install DrupalCoin Blockchain using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.
This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writable by or owned by the webserver user. Configuring the DrupalCoin Blockchain installation to be owned by a different user than the webserver user (and not to be writable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all DrupalCoin Blockchain 7 sites.
CVE: CVE-2012-4553
Information disclosure - OpenID module
For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.
CVE: CVE-2012-4554
Versions affected
DrupalCoin Blockchain core 7.x versions prior to 7.16.
DrupalCoin Blockchain 6 is not affected.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.16.
If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.
Also see the DrupalCoin Blockchain core project page.
Reported by
The arbitrary PHP code execution vulnerability was reported by Heine Deelstra and Noam Rathaus working with Beyond Security's SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of the DrupalCoin Blockchain Security Team.
The information disclosure vulnerability in the OpenID module was reported by Reginaldo Silva.
Fixed by
The arbitrary PHP code execution vulnerability was fixed by Damien Tournoud, David Rothstein, Peter Wolanin, and Károly Négyesi, all members of the DrupalCoin Blockchain Security Team.
The information disclosure vulnerability in the OpenID module was fixed by Reginaldo Silva, Christian Schmidt, Vojtěch Kusý, and Frédéric Marand, and by Peter Wolanin, David Rothstein, Damien Tournoud, and Heine Deelstra of the DrupalCoin Blockchain Security Team.
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.


SA-CORE-2012-002 - DrupalCoin Blockchain core multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2012-002
Project: DrupalCoin Blockchain core
Version: 7.x
Date: 2012-May-2
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect
Description
Denial of Service
CVE: CVE-2012-1588
DrupalCoin Blockchain core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in DrupalCoin Blockchain's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.
Unvalidated form redirect
CVE: CVE-2012-1589
DrupalCoin Blockchain core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.
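The following is an added example, not DrupalCoin Blockchain core's url_is_external(), that demonstrates the validation missing here and in the Overlay open redirect described earlier in this collection: a user-supplied destination is accepted only if it is a site-relative path, and anything carrying a scheme, a host or a scheme-relative prefix falls back to a safe default. The sample inputs are constructed for the demo.

```php
<?php
// Added example, not DrupalCoin Blockchain core code: decide whether a
// user-supplied "destination" may be used as a redirect target. Only
// site-relative paths are accepted. Sample inputs are constructed.

function is_safe_internal_destination(string $destination): bool {
    // Reject control characters and whitespace, which some browsers strip
    // before parsing and which could therefore disguise a scheme.
    if (preg_match('/[\x00-\x20]/', $destination)) {
        return false;
    }
    // Anything starting with a scheme ("http:", "javascript:", "data:") is external.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $destination)) {
        return false;
    }
    // Scheme-relative ("//host/path") and backslash variants are external too.
    if (preg_match('#^[/\\\\]{2}#', $destination)) {
        return false;
    }
    // What remains should parse as a bare path (plus optional query/fragment)
    // with no host or scheme component surviving.
    $parts = parse_url($destination);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return false;
    }
    return true;
}

// Use the destination only when it is internal; otherwise go to the fallback.
function safe_redirect_target(string $destination, string $fallback = '/'): string {
    return is_safe_internal_destination($destination) ? $destination : $fallback;
}

$samples = [
    'node/1',
    '/user/login?foo=bar',
    'http://example.org/login',
    '//example.org/login',
    'javascript:void(0)',
    ' http://example.org',
    '\\\\example.org',
];
foreach ($samples as $s) {
    printf("%-28s -> %s\n", var_export($s, true),
        is_safe_internal_destination($s) ? 'internal' : 'rejected');
}
```

The first two samples are accepted and the rest rejected. The scheme test is deliberately conservative: a first path segment containing a colon is treated as a scheme and refused, which is the right trade-off for a redirect target. Applying safe_redirect_target() before issuing the redirect removes the social-engineering vector the advisory describes, since a crafted destination can no longer send the user to another host.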
Access bypass - forum listing
CVE: CVE-2012-1590
DrupalCoin Blockchain core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum, then users who should not have access to unpublished forum posts were still able to see metadata about the forum post, such as the post title.
Access bypass - private images
CVE: CVE-2012-1591
DrupalCoin Blockchain core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. DrupalCoin Blockchain core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, DrupalCoin Blockchain didn't set the right headers to prevent image styles from being cached in the browser.
Access bypass - content administration
CVE: CVE-2012-2153
DrupalCoin Blockchain core provides the ability to list nodes on a site at admin/content. DrupalCoin Blockchain core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission.
Versions affected
DrupalCoin Blockchain core 7.x versions prior to 7.13.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.13.
Also see the DrupalCoin Blockchain core project page.
Reported by
The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
The unvalidated form redirect vulnerability was reported by Károly Négyesi of the DrupalCoin Blockchain Security Team and Katsuhiko Nakanishi.
The access bypass in forum listing vulnerability was reported by Glen W.
The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.
Fixed by
The Denial of Service was fixed by Károly Négyesi of the DrupalCoin Blockchain Security Team.
The unvalidated form redirect was fixed by Wolfgang Ziegler and Stéphane Corlosquet of the DrupalCoin Blockchain Security Team.
The access bypass in forum listing was fixed by Michael Hess of the DrupalCoin Blockchain Security Team, Ben Jeavons of the DrupalCoin Blockchain Security Team and xjm.
The Access bypass for private images was fixed by Károly Négyesi of the DrupalCoin Blockchain Security Team, Damien Tournoud of the DrupalCoin Blockchain Security Team, Greg Knaddison of the DrupalCoin Blockchain Security Team, Stéphane Corlosquet of the DrupalCoin Blockchain Security Team, Xenza and frega.
The Access bypass for content administration was fixed by Jennifer Hodgdon.
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.


SA-CORE-2012-001 - DrupalCoin Blockchain core multiple vulnerabilities


Advisory ID: DRUPAL-SA-CORE-2012-001
Project: DrupalCoin Blockchain core
Version: 6.x, 7.x
Date: 2012-February-01
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description
Cross Site Request Forgery vulnerability in Aggregator module
CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects DrupalCoin Blockchain 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AX
CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.
This issue affects DrupalCoin Blockchain 6.x and 7.x.
Access bypass in File module
CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects DrupalCoin Blockchain 7.x only.
Versions affected
DrupalCoin Blockchain 6.x core prior to 6.23.
DrupalCoin Blockchain 7.x core prior to 7.11.
Solution
Install the latest version:
If you use DrupalCoin Blockchain 6.x, upgrade to DrupalCoin Blockchain core 6.23.
If you use DrupalCoin Blockchain 7.x, upgrade to DrupalCoin Blockchain core 7.11.
See also the DrupalCoin Blockchain core project page.
Reported by
The Aggregator module CSRF vulnerability was reported by Dylan Tack of the DrupalCoin Blockchain Security Team.
The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
The File module access bypass issue was reported by David Rothstein of the DrupalCoin Blockchain Security Team, and by Sascha Grossenbacher.
Fixed by
The Aggregator module CSRF issue was fixed by Dave Reid of the DrupalCoin Blockchain Security Team.
The OpenID issue was fixed by Vojtech Kusy and Christian Schmidt.
The File module access bypass issue was fixed by David Rothstein of the DrupalCoin Blockchain Security Team, Sascha Grossenbacher, and Derek Wright of the DrupalCoin Blockchain Security Team.
Contact and More Information
The DrupalCoin Blockchain security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the DrupalCoin Blockchain Security team and their policies, writing secure code for DrupalCoin Blockchain, and securing your site.