====================================================================
CERT-Renater Information Note No. 2012/VULN303
____________________________________________________________________
DATE                 : 27/07/2012
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running
                       * Secure Login for DRUPAL version 7.x-1.x prior to 7.x-1.3,
                       * Location for DRUPAL version 6.x prior to 6.x-3.2 and version 7.x prior to 7.x-3.0-alpha1,
                       * Subuser for DRUPAL version 6.x prior to 6.x-1.8,
                       * Gallery formatter for DRUPAL version 7.x prior to 7.x-1.2.
======================================================================
http://drupal.org/node/1700594
http://drupal.org/node/1700588
http://drupal.org/node/1700584
http://drupal.org/node/1700578
______________________________________________________________________
SA-CONTRIB-2012-118 - Secure Login - Open Redirect

Posted by Drupal Security Team on July 25, 2012 at 7:52pm

Advisory ID: DRUPAL-SA-CONTRIB-2012-118
Project: Secure Login (third-party module)
Version: 7.x
Date: 2012-July-25
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Open Redirect

Description

Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. In addition, Secure Login module by default redirects non-HTTPS GET requests for pages containing forms that it secures to the HTTPS site.

The module does not sufficiently validate that a requested path is internal to the site, allowing an attacker to disguise a malicious destination address as a GET query parameter passed to a non-HTTPS site URL. A victim who follows a crafted link to the plain-HTTP site is then redirected by the site itself to the attacker's address.

This vulnerability is mitigated by the fact that the target site must render a form secured by Secure Login module on its 404 page, such as in a block. A default installation of Drupal 7 renders the user login block on the 404 page, and is thus vulnerable to the open redirect.

CVE: Requested

Versions affected

* Secure Login 7.x-1.x versions prior to 7.x-1.3.
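The check the advisory says was insufficient is "is the requested path internal to this site?". The following is an added example, not code from the Secure Login module or from Drupal core, showing a generic HTTP-to-HTTPS redirect builder in its unsafe and hardened forms. The hostname SITE_HOST, the function names and the sample paths are assumptions made for the illustration; the advisory names none of them.

```python
"""Added example (not code from the Secure Login module or Drupal core):
how an HTTP-to-HTTPS redirect handler should decide whether a requested
path is internal before placing it in a Location header.

Assumed: SITE_HOST and every function name below are illustrative."""
from urllib.parse import urlsplit, quote

SITE_HOST = "example.org"   # assumed hostname of the site being secured


def is_internal_path(path: str) -> bool:
    """True only if `path` stays inside this site.

    Rejects everything that carries a scheme or an authority, including the
    forms browsers accept but naive prefix checks miss:
    'http://evil', '//evil', '/\\evil', 'https:evil', 'javascript:...'.
    """
    if path == "":
        return True                      # empty path means the front page
    # CR, LF and other control characters have no place in a path and can
    # be used to smuggle a second URL past intermediate parsers.
    if any(ord(c) < 0x20 for c in path):
        return False
    # Browsers normalise backslashes to slashes, so '/\\evil' is '//evil'.
    try:
        parts = urlsplit(path.replace("\\", "/"))
    except ValueError:                   # malformed IPv6 bracket and the like
        return False
    return not parts.scheme and not parts.netloc


def unsafe_https_redirect_location(requested_path: str) -> str:
    """The weakness in its generic form: the requested path is handed to a URL
    builder that passes absolute URLs through unchanged (here a two-line
    stand-in for such a builder), so the attacker picks the destination."""
    if "://" in requested_path or requested_path.startswith("//"):
        return requested_path            # absolute URL used verbatim
    return f"https://{SITE_HOST}/{requested_path.lstrip('/')}"


def https_redirect_location(requested_path: str) -> str:
    """Hardened form: anything that is not an internal path falls back to the
    front page, so the Location header always points at SITE_HOST."""
    path = requested_path if is_internal_path(requested_path) else ""
    return f"https://{SITE_HOST}/{quote(path.lstrip('/'), safe='/?=&')}"


if __name__ == "__main__":
    for p in ["user/login", "http://evil.example/", "//evil.example/login",
              "/\\evil.example", "https:evil.example", "javascript:alert(1)"]:
        print(f"{p!r:28} unsafe -> {unsafe_https_redirect_location(p)}")
        print(f"{'':28} safe   -> {https_redirect_location(p)}")
```

The hardened version parses the candidate rather than looking for a "http" prefix, because a protocol-relative "//evil.example" or a backslash variant never contains the prefix yet still leaves the site once the browser follows it. Drupal 7 exposes the same decision as url_is_external(); whichever helper is used, the fallback on rejection should be a fixed internal page, never the original value.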
Drupal core is not affected. If you do not use the contributed Secure Login module, there is nothing you need to do.

Solution

Install the latest version:
* If you use the Secure Login module for Drupal 7.x, upgrade to Secure Login 7.x-1.3.

Also see the Secure Login project page.

Reported by
* Albert Martin

Fixed by
* Mark Burdett, the module maintainer

Coordinated by
* Heine Deelstra of the Drupal Security Team
* Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 7.x
______________________________________________________________________
SA-CONTRIB-2012-117 - Location - Access Bypass

Posted by Drupal Security Team on July 25, 2012 at 7:48pm

Advisory ID: DRUPAL-SA-CONTRIB-2012-117
Project: Location (third-party module)
Version: 6.x, 7.x
Date: 2012-July-25
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass

Description

The Location module allows real-world geographic locations to be associated with Drupal nodes, including people, places, and other content. The Location Search sub-module adds a search page for searching for locations.

The Location Search module fails to enforce content and user access permissions and node access restrictions, meaning any user can see any node or user results on the location search page. As of the fixed releases, users must have the "access content" permission and any relevant node access rights to see node-based location results, and the "view user profiles" and "view all user locations" permissions to see user-based location results.

CVE: Requested

Versions affected

* Location Search (Location sub-module) 6.x versions prior to 6.x-3.2.
* Location Search (Location sub-module) 7.x versions prior to 7.x-3.0-alpha1.

Drupal core is not affected.
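The rule the advisory states for the fixed release is that a search page must not return a row merely because it exists in the location index; node results have to pass the node access check and user results the two user permissions. The following is an added example, not code from the Location module, that applies those rules to a constructed index. The realm/gid layout mirrors the shape of Drupal's node_access table (nid, realm, gid, grant_view), but the User class, the data and the function names are assumptions for the illustration.

```python
"""Added example (not code from the Location module): the access filtering
a location search page must apply to raw index results. All data below is
constructed; the helper functions are illustrative, not Drupal APIs."""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    permissions: set
    grants: dict = field(default_factory=dict)   # realm -> set of gids held


# Constructed sample grants: (nid, realm, gid, grant_view), one row per grant.
NODE_ACCESS = [
    (1, "all", 0, 1),      # node 1: every user holds ('all', 0), so public
    (2, "members", 7, 1),  # node 2: only users granted gid 7 in realm 'members'
    (3, "all", 0, 0),      # node 3: no view grant for anybody
]

# Constructed sample index: what the search would return with no filtering.
LOCATIONS = [
    {"lid": 10, "nid": 1, "uid": None, "city": "Paris"},
    {"lid": 11, "nid": 2, "uid": None, "city": "Paris"},
    {"lid": 12, "nid": 3, "uid": None, "city": "Paris"},
    {"lid": 13, "nid": None, "uid": 42, "city": "Paris"},   # a user's location
    {"lid": 14, "nid": 1, "uid": None, "city": "Lyon"},
]


def node_viewable(user: User, nid: int) -> bool:
    """'access content' first, then 'bypass node access', then the grants."""
    if "access content" not in user.permissions:
        return False
    if "bypass node access" in user.permissions:
        return True
    held = {realm: set(gids) for realm, gids in user.grants.items()}
    held.setdefault("all", set()).add(0)           # every user holds ('all', 0)
    return any(gid in held.get(realm, set())
               for n, realm, gid, view in NODE_ACCESS if n == nid and view)


def search_unfiltered(city: str) -> list:
    """Pre-fix behaviour: index rows handed to whoever asks."""
    return [loc for loc in LOCATIONS if loc["city"] == city]


def search_filtered(user: User, city: str) -> list:
    """Node rows need node access; user rows need both user permissions."""
    user_perms_needed = {"view user profiles", "view all user locations"}
    results = []
    for loc in search_unfiltered(city):
        if loc["nid"] is not None:
            if node_viewable(user, loc["nid"]):
                results.append(loc)
        elif user_perms_needed <= user.permissions:
            results.append(loc)
    return results


def result_ids(user: User, city: str) -> list:
    return [loc["lid"] for loc in search_filtered(user, city)]


if __name__ == "__main__":
    anon = User(0, set())
    member = User(5, {"access content"}, {"members": {7}})
    print([loc["lid"] for loc in search_unfiltered("Paris")])   # all four rows
    print(result_ids(anon, "Paris"), result_ids(member, "Paris"))
```

The point of the filter is that the check happens per result row against the node the row belongs to, not once against the search page itself: a user may well be allowed to reach the page and still have no right to see most of what the index holds.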
If you do not use the contributed Location module, there is nothing you need to do.

Solution

Install the latest version:
* If you use the Location Search (Location sub-module) module for Drupal 6.x, upgrade to Location 6.x-3.2.
* If you use the Location Search (Location sub-module) module for Drupal 7.x, upgrade to Location 7.x-3.0-alpha1.

Also see the Location project page.

Reported by
* Jon Daley

Fixed by
* Reuben Turk, the module maintainer
* Ankur Rishi, the module maintainer

Coordinated by
* Greg Knaddison of the Drupal Security Team
* Ben Jeavons of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 6.x, Drupal 7.x
_____________________________________________________________________
SA-CONTRIB-2012-116 - Subuser - Cross Site Request Forgery (CSRF) and Access Bypass

Posted by Drupal Security Team on July 25, 2012 at 7:42pm

Advisory ID: DRUPAL-SA-CONTRIB-2012-116
Project: Subuser (third-party module)
Version: 6.x
Date: 2012-July-25
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery

Description

The Subuser module allows users to be given the permission to create subusers. The subusers may then be automatically assigned a role or roles. The parent user then has the ability to manage the subusers they have created.

A parent user is allowed to assume the role of a subuser they created (switch users) without having the "switch subuser" permission. However, users are prevented from switching to subusers that were not created by them. Additionally, a parent user can be switched to one of their subusers without intending to do so via a Cross Site Request Forgery (CSRF) attack, because the switch action is not protected by a token tied to the user's session.

CVE: Requested

Versions affected

* Subuser 6.x-1.x versions prior to 6.x-1.8.

Drupal core is not affected.
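The two defects described above (a missing permission check and a state-changing action reachable without a CSRF token) are fixed by the same handler shape. The following is an added example, not code from the Subuser module, showing a switch-to-subuser handler that requires the "switch subuser" permission, parent ownership of the target, and a per-session token on the link. The token is an HMAC over the session id and the action name keyed with a site secret, which is the same idea as Drupal 7's drupal_get_token()/drupal_valid_token(); the key, the users, the session id and the subuser table are constructed sample data, and the function names are assumptions.

```python
"""Added example (not code from the Subuser module): permission, ownership
and CSRF-token checks on a switch-to-subuser action. Key, users and the
subuser table are constructed sample data; function names are illustrative."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed: a real site generates this once, randomly, at install time.
SITE_PRIVATE_KEY = b"constructed-example-key-do-not-reuse"

# Constructed subuser table: child uid -> uid of the parent who created it.
SUBUSERS = {7: {"parent": 3}, 8: {"parent": 5}}


@dataclass
class User:
    uid: int
    permissions: set


def csrf_token(session_id: str, action: str) -> str:
    """Token bound to this session and this action; a third-party page
    cannot compute it without the site key and the victim's session id."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(session_id: str, action: str, token: str) -> bool:
    return hmac.compare_digest(csrf_token(session_id, action), token)


def switch_link(session_id: str, target_uid: int) -> str:
    """The link the parent's own page renders; the token is what a forged
    cross-site request cannot supply."""
    token = csrf_token(session_id, f"switch-{target_uid}")
    return f"user/{target_uid}/switch?token={token}"


def switch_to_subuser_unchecked(actor: User, target_uid: int) -> tuple:
    """Pre-fix behaviour as the advisory describes it: only the ownership
    check exists, with no permission check and no token."""
    if SUBUSERS.get(target_uid, {}).get("parent") != actor.uid:
        return (False, "not your subuser")
    return (True, target_uid)


def switch_to_subuser(actor: User, target_uid: int,
                      session_id: str, token: str) -> tuple:
    """Hardened handler: permission, ownership and token, in that order."""
    if "switch subuser" not in actor.permissions:
        return (False, "permission denied")
    if SUBUSERS.get(target_uid, {}).get("parent") != actor.uid:
        return (False, "not your subuser")
    if not valid_token(session_id, f"switch-{target_uid}", token):
        return (False, "missing or invalid token")
    return (True, target_uid)


if __name__ == "__main__":
    parent = User(3, {"switch subuser"})
    sid = "session-of-uid-3"                   # constructed session id
    token = switch_link(sid, 7).split("token=")[1]
    print(switch_to_subuser(parent, 7, sid, token))          # accepted
    print(switch_to_subuser(parent, 7, sid, "forged"))       # rejected
    print(switch_to_subuser(User(3, set()), 7, sid, token))  # rejected
```

Two details matter in practice. The token must be compared with a constant-time function (hmac.compare_digest here) so that a wrong guess is not measurably faster to reject than a near-miss, and it must be bound to the session, so that a token an attacker obtains from their own account is useless against a victim's.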
If you do not use the contributed Subuser module, there is nothing you need to do.

Solution

Install the latest version:
* If you use the Subuser module for Drupal 6.x, upgrade to Subuser 6.x-1.8.

Also see the Subuser project page.

Reported by
* Stella Power of the Drupal Security Team

Fixed by
* Jimmy Berry, the module maintainer
* Lee Rowlands

Coordinated by
* Stella Power of the Drupal Security Team
* Greg Knaddison of the Drupal Security Team
* Michael Hess of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 6.x
_____________________________________________________________________
SA-CONTRIB-2012-115 - Gallery formatter - Cross Site Scripting (XSS)

Posted by Drupal Security Team on July 25, 2012 at 7:39pm

Advisory ID: DRUPAL-SA-CONTRIB-2012-115
Project: Gallery formatter (third-party module)
Version: 7.x
Date: 2012-July-25
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting

Description

Gallery formatter provides a field formatter for images that turns the fields into jQuery galleries.

The module did not properly escape input from the user before printing it to the browser, allowing malicious users to inject script code into the page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create the nodes / entities and the fields that use the formatter.

CVE: Requested

Versions affected

* Gallery formatter 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Gallery formatter module, there is nothing you need to do.

Solution

Install the latest version:
* If you use the Gallery formatter module for Drupal 7.x, upgrade to Gallery formatter 7.x-1.2.

Also see the Gallery formatter project page.
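A formatter of this kind prints author-supplied field values (image path, alt text, title) into attributes of an <img> tag, and the bug class above is printing them unescaped. The following is an added example, not code from the Gallery formatter module, rendering one gallery item both ways. html.escape(..., quote=True) does for attribute values what Drupal 7's check_plain() does; the scheme allowlist applied to the image source, the sample field values and the function names are assumptions for the illustration, not something the advisory describes.

```python
"""Added example (not code from the Gallery formatter module): rendering one
gallery <img> from author-controlled field values, unescaped and escaped.
Sample values are constructed; the src allowlist is an extra check assumed
here, not taken from the advisory."""
import html

ALLOWED_SRC_PREFIXES = ("http://", "https://", "/")


def render_item_unescaped(item: dict) -> str:
    """The bug class in the advisory: values printed straight into markup."""
    return f'<img src="{item["src"]}" alt="{item["alt"]}" title="{item["title"]}">'


def safe_src(src: str) -> str:
    """Only relative or http(s) URLs; 'javascript:' and friends become empty."""
    return src if src.lower().lstrip().startswith(ALLOWED_SRC_PREFIXES) else ""


def esc(value: str) -> str:
    """Escape for a double-quoted attribute; quote=True also turns ' and "
    into entities, which plain '<' and '&' escaping would not."""
    return html.escape(value, quote=True)


def render_item(item: dict) -> str:
    """Hardened rendering: every author-controlled value is escaped for the
    attribute context it lands in, and the src must be a plain URL."""
    return (f'<img src="{esc(safe_src(item["src"]))}" '
            f'alt="{esc(item["alt"])}" title="{esc(item["title"])}">')


def breaks_out_of_attribute(markup: str) -> bool:
    """Cheap check for the demo: a value that closed its quote leaves a bare
    onerror handler or a '<' inside the tag it was meant to stay inside."""
    inside = markup[len("<img"):markup.rindex(">")]
    return 'onerror="' in inside or "<" in inside


# Constructed sample values as a malicious author could enter them.
EVIL_ITEM = {
    "src": "javascript:alert(document.cookie)",
    "alt": '" onerror="alert(1)',
    "title": "<script>alert(2)</script>",
}
GOOD_ITEM = {"src": "/files/photo.jpg", "alt": "Tom & Jerry", "title": "Photo"}

if __name__ == "__main__":
    print(render_item_unescaped(EVIL_ITEM))   # attribute injection succeeds
    print(render_item(EVIL_ITEM))             # payload is inert text
    print(render_item(GOOD_ITEM))
```

The escaping has to match the output context: the same alt text dropped into a JavaScript string that initialises the gallery widget needs JavaScript-string escaping (or, better, JSON encoding of the whole configuration object), and HTML entity escaping alone would not make it safe there.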
Reported by
* Sudipta Bandyopadhyay

Fixed by
* Manuel Garcia, the module maintainer

Coordinated by
* Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 7.x
======================================================================
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================