[SECURITY-L] [security-news em drupal.org: [Security-news] OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134]
CSIRT - UNICAMP
security em unicamp.br
Qua Jul 22 16:53:39 -03 2015
----- Forwarded message from security-news em drupal.org -----
Date: Wed, 22 Jul 2015 19:26:07 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134
X-Mailer: Drupal
View online: https://www.drupal.org/node/2537860
* Advisory ID: DRUPAL-SA-CONTRIB-2015-134
* Project: OSF for Drupal [1] (third-party module)
* Version: 7.x
* Date: 2015-July-22
* Security risk: 15/25 ( Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request
Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Open Semantic Framework (OSF) for Drupal is a middleware layer that
allows structured data (RDF) and associated vocabularies (ontologies) to
"drive" tailored tools and data displays within Drupal.
The module is vulnerable to reflected Cross Site Scripting (XSS) because it
did not sufficiently filter user input values in some administration pages.
An attacker could exploit this vulnerability by making other users visit a
specially-crafted URL. Only sites with OSF Ontology module enabled are
affected.
Additionally, the module is vulnerable to Arbitrary file deletion. A
malicious user can cause an administrator to delete files by getting their
browser to make a request to a specially-crafted URL. Only sites with OSF
Ontology and OSF Import modules enabled are affected.
Also, some forms were vulnerable to Cross Site Request Forgery (CSRF). An
attacker could create new OSF datasets by getting an administrator's browser
to make a request to a specially-crafted URL. Only sites with OSF Import
module enabled are affected.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* OSF 7.x-3.x versions prior to 7.x-3.1.
Drupal core is not affected. If you do not use the contributed OSF for Drupal
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the OSF for Drupal module for Drupal 7.x, upgrade to OSF
7.x-3.1 [5]
Also see the OSF for Drupal [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Frederick Giasson [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/osf
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/osf
[5] https://www.drupal.org/node/2537120
[6] https://www.drupal.org/project/osf
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/512874
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L