
====================================================================

                                CERT-Renater

                    Information Note No. 2015/VULN160
_____________________________________________________________________

DATE                : 20/08/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions 6.x, 7.x
                                    prior to 6.37, 7.39.

======================================================================
https://www.drupal.org/SA-CORE-2015-003
______________________________________________________________________

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003
Posted by Drupal Security Team on August 19, 2015 at 7:27pm

      Advisory ID: DRUPAL-SA-CORE-2015-003
      Project: Drupal core
      Version: 6.x, 7.x
      Date: 2015-August-19
      Security risk: 18/25 (Critical)
                     AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All
      Vulnerability: Cross Site Scripting, Access bypass, SQL Injection,
                     Open Redirect, Multiple vulnerabilities

This security advisory fixes multiple vulnerabilities. See below for a
list.


Cross-site Scripting - Ajax system - Drupal 7

A vulnerability was found that allows a malicious user to perform a
cross-site scripting attack by invoking Drupal.ajax() on a whitelisted
HTML element.

This vulnerability is mitigated on sites that do not allow untrusted
users to enter HTML.

Drupal 6 core is not affected, but see the similar advisory for the
Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141 [3].


Cross-site Scripting - Autocomplete system - Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete
functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user
must be allowed to upload files.


SQL Injection - Database API - Drupal 7

A vulnerability was found in the SQL comment filtering system which
could allow a user with elevated permissions to inject malicious code
in SQL comments.

This vulnerability is mitigated by the fact that only one contributed
module that the security team found uses the comment filtering system
in a way that would trigger the vulnerability.  That module requires
you to have a very high level of access in order to perform the attack.


Cross-site Request Forgery - Form API - Drupal 6 and 7

A vulnerability was discovered in Drupal's form API that could allow
file upload value callbacks to run with untrusted input, due to form
token validation not being performed early enough. This vulnerability
could allow a malicious user to upload files to the site under another
user's account.

This vulnerability is mitigated by the fact that the uploaded files
would be temporary, and Drupal normally deletes temporary files
automatically after 6 hours.


Information Disclosure in Menu Links - Access system - Drupal 6 and 7

Users without the "access content" permission can see the titles of
nodes that they do not have access to, if the nodes are added to a menu
on the site that the users have access to.


CVE identifier(s) issued

     * CVE identifiers [4] have been requested and will be added upon
       issuance, in accordance with Drupal Security Team processes.


Versions affected

     * Drupal core 6.x versions prior to 6.37
     * Drupal core 7.x versions prior to 7.39


Solution

Install the latest version:

     * If you use Drupal 6.x, upgrade to Drupal core 6.37 [5]
     * If you use Drupal 7.x, upgrade to Drupal core 7.39 [6]

Also see the Drupal core [7] project page.
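As an added check that is not part of the advisory: the script below reads the VERSION constant that Drupal 6 and 7 core define (modules/system/system.module for 6.x, includes/bootstrap.inc for 7.x) and reports whether the installed release predates the fixed 6.37 / 7.39 versions; the sample file fragment is constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Fixed releases named in SA-CORE-2015-003, keyed by major version.
FIXED = {6: (6, 37), 7: (7, 39)}

# Files where Drupal 6.x and 7.x core define the VERSION constant.
VERSION_FILES = ("modules/system/system.module", "includes/bootstrap.inc")

# Matches e.g. define('VERSION', '7.38'); also tolerates '7.40-dev'.
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'(\d+)\.(\d+)[^']*'\s*\)")


def parse_version(php_source: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the VERSION define, or None if absent."""
    m = VERSION_RE.search(php_source)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version: Tuple[int, int]) -> Optional[bool]:
    """True if the release predates the fix, False if fixed, None if not 6.x/7.x."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def check_docroot(docroot: str) -> Optional[bool]:
    """Find the core version file under a Drupal docroot and evaluate it."""
    for rel in VERSION_FILES:
        path = Path(docroot) / rel
        if path.is_file():
            version = parse_version(path.read_text(errors="replace"))
            if version is not None:
                return is_affected(version)
    return None  # no recognisable Drupal 6/7 core found


# Constructed sample of a Drupal 7 bootstrap.inc fragment (not a real file).
SAMPLE_BOOTSTRAP = """<?php
/**
 * The current system version.
 */
define('VERSION', '7.38');
define('DRUPAL_CORE_COMPATIBILITY', '7.x');
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_BOOTSTRAP)
    print(v, "affected" if is_affected(v) else "fixed")
```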


Credits

.... Cross-site Scripting - Ajax system - Drupal 7

.. Reported by

     * Régis Leroy [8]
     * Kay Leung [9], Drupal core JavaScript maintainer
     * Samuel Mortenson [10]
     * Pere Orga [11] of the Drupal Security Team

.. Fixed by

     * Théodore Biadala [12], Drupal core JavaScript maintainer
     * Alex Bronstein [13] of the Drupal Security Team
     * Ben Dougherty [14] of the Drupal Security Team
     * Gábor Hojtsy [15] of the Drupal Security Team
     * Greg Knaddison [16] of the Drupal Security Team
     * Kay Leung [17], Drupal core JavaScript maintainer
     * Wim Leers [18]
     * Samuel Mortenson [19]
     * Pere Orga [20] of the Drupal Security Team
     * Tim Plunkett [21]
     * David Rothstein [22] of the Drupal Security Team
     * Lee Rowlands [23] of the Drupal Security Team
     * Peter Wolanin [24] of the Drupal Security Team
     * znerol [25], maintainer of Authcache module

.... Cross-site Scripting - Autocomplete system - Drupal 6 and 7

.. Reported by

     * Alex Bronstein [26] of the Drupal Security Team
     * Pere Orga [27] of the Drupal Security Team

.. Fixed by

     * Alex Bronstein [28] of the Drupal Security Team
     * Ben Dougherty [29] of the Drupal Security Team
     * Tim Plunkett [30]
     * Lee Rowlands [31] of the Drupal Security Team
     * Peter Wolanin [32] of the Drupal Security Team
     * David Rothstein [33] of the Drupal Security Team

.... SQL Injection - Database API - Drupal 7

.. Reported by

     * Carl Sabottke [34]

.. Fixed by

     * Anthony Ferrara [35]
     * Larry Garfield [36]
     * Greg Knaddison [37] of the Drupal Security Team
     * Cathy Theys [38], provisional member of the Drupal Security Team
     * Peter Wolanin [39] of the Drupal Security Team

.... Cross-site Request Forgery - Form API - Drupal 6 and 7

.. Reported by

     * Abdullah Hussam [40]

.. Fixed by

     * Greg Knaddison [41] of the Drupal Security Team
     * Wim Leers [42]
     * David Rothstein [43] of the Drupal Security Team
     * Lee Rowlands [44] of the Drupal Security Team
     * Peter Wolanin [45] of the Drupal Security Team

.... Information Disclosure in Menu Links - Access system - Drupal 6 and 7

.. Reported by

     * David Rothstein [46] of the Drupal Security Team

.. Fixed by

     * Matt Chapman [47] of the Drupal Security Team
     * Stéphane Corlosquet [48] of the Drupal Security Team
     * Greg Knaddison [49] of the Drupal Security Team
     * Christian Meilinger [50]
     * David Rothstein [51] of the Drupal Security Team
     * Lee Rowlands [52] of the Drupal Security Team


Coordinated by

     * Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David
       Rothstein and Peter Wolanin of the Drupal Security Team [53]


Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the contact form at https://www.drupal.org/contact [54].

Learn more about the Drupal Security team and their policies [55],
writing secure code for Drupal [56], and securing your site [57].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [58]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2554145
[4] http://cve.mitre.org/
[5] https://www.drupal.org/drupal-6.37-release-notes
[6] https://www.drupal.org/drupal-7.39-release-notes
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/u/regilero
[9] https://www.drupal.org/u/droplet
[10] https://www.drupal.org/u/samuel.mortenson
[11] https://www.drupal.org/u/pere-orga
[12] https://www.drupal.org/u/nod_
[13] https://www.drupal.org/u/effulgentsia
[14] https://www.drupal.org/u/benjy
[15] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[16] https://www.drupal.org/u/greggles
[17] https://www.drupal.org/u/droplet
[18] https://www.drupal.org/u/wim-leers
[19] https://www.drupal.org/u/samuel.mortenson
[20] https://www.drupal.org/u/pere-orga
[21] https://www.drupal.org/u/tim.plunkett
[22] https://www.drupal.org/u/david_rothstein
[23] https://www.drupal.org/u/larowlan
[24] https://www.drupal.org/u/pwolanin
[25] https://www.drupal.org/u/znerol
[26] https://www.drupal.org/user/78040
[27] https://www.drupal.org/user/2301194
[28] https://www.drupal.org/u/effulgentsia
[29] https://www.drupal.org/u/benjy
[30] https://www.drupal.org/u/tim.plunkett
[31] https://www.drupal.org/u/larowlan
[32] https://www.drupal.org/user/49851
[33] https://www.drupal.org/u/david_rothstein
[34] https://www.drupal.org/u/csabot3
[35] https://www.drupal.org/u/ircmaxell
[36] https://www.drupal.org/u/crell
[37] https://www.drupal.org/u/greggles
[38] https://www.drupal.org/u/yesct
[39] https://www.drupal.org/u/pwolanin
[40] https://www.drupal.org/u/abdullah-hussam
[41] https://www.drupal.org/u/greggles
[42] https://www.drupal.org/u/wim-leers
[43] https://www.drupal.org/u/david_rothstein
[44] https://www.drupal.org/u/larowlan
[45] https://www.drupal.org/u/pwolanin
[46] https://www.drupal.org/u/David_Rothstein
[47] https://www.drupal.org/u/matt2000
[48] https://www.drupal.org/u/scor
[49] https://www.drupal.org/u/greggles
[50] https://www.drupal.org/u/meichr
[51] https://www.drupal.org/u/David_Rothstein
[52] https://www.drupal.org/u/larowlan
[53] https://www.drupal.org/security-team
[54] https://www.drupal.org/contact
[55] https://www.drupal.org/security-team
[56] https://www.drupal.org/writing-secure-code
[57] https://www.drupal.org/security/secure-configuration
[58] https://twitter.com/drupalsecurity

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
