==================================================================== CERT-Renater Note d'Information No. 2017/VULN207 _____________________________________________________________________ DATE : 07/07/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running DrupalChat versions prior to 7.x-2.6, OAuth for Drupal versions prior to 8.x-2.1, SMTP for Drupal versions prior to 8.x-1.0-beta3, 7.x-1.7, Services for Drupal versions prior to 7.x-3.20. ===================================================================== https://www.drupal.org/node/2892404 https://www.drupal.org/node/2892400 https://www.drupal.org/node/2890357 https://www.drupal.org/node/2890353 ____________________________________________________________________ DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 Posted by Drupal Security Team on 5 Jul 2017 at 16:40 UTC Advisory ID: DRUPAL-SA-CONTRIB-2017-057 Project: DrupalChat (third-party module) Version: 7.x Date: 2017-July-05 Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Cross Site Scripting, Cross Site Request Forgery Description DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom. The module did not confirm the validity of a chat request, resulting in a Cross Site Request Forgery (CSRF) vulnerability which enables an attacker to trick a user to send arbitrary chat messages to any user. The The module did not filter administrator provided text, leading to a Cross Site Scripting (XSS) vulnerability. CVE identifier(s) issued A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected DrupalChat 7.x-2.x versions prior to 7.x-2.6. Drupal core is not affected. If you do not use the contributed DrupalChat module, there is nothing you need to do. Solution Install the latest version: If you use the DrupalChat module for Drupal 7.x, upgrade to DrupalChat 7.x-2.6 Also see the DrupalChat project page. Also see the DrupalChat project page. Reported by Elin Yordanov Fixed by Shashwat Srivastava the module maintainer Coordinated by Michael Hess of the Drupal Security Team Greg Knaddison of the Drupal Security Team Contact and More Information The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity ⋅ Categories: Drupal 7.x ____________________________________________________________________ OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056 Posted by Drupal Security Team on 5 Jul 2017 at 16:17 UTC Advisory ID: DRUPAL-SA-CONTRIB-2017-056 Project: OAuth (third-party module) Version: 8.x Date: 2017-July-05 Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Access bypass Description This module enables you to protect requests via the OAuth authentication protocol. The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as unpublished node. This vulnerability is mitigated by the fact that an attacker must know the available resources in a Drupal site. CVE identifier(s) issued A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected OAuth 8.x-2.x versions prior to 8.x-2.1. Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do. Solution In addition to updating the code, you must Clear all caches. If you use the OAuth module for Drupal 8.x, upgrade to OAuth 8.x-2.1 Also see the OAuth project page. Reported by Kevin Dutra. Fixed by Kevin Dutra Juampy NR the module maintainer Coordinated by Michael Hess of the Drupal Security Team Greg Knaddison of the Drupal Security Team Contact and More Information The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity ⋅ Categories: Drupal 7.x ____________________________________________________________________ SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055 Posted by Drupal Security Team on 28 Jun 2017 at 13:43 UTC Advisory ID: DRUPAL-SA-CONTRIB-2017-055 Project: SMTP Authentication Support (third-party module) Version: 7.x, 8.x Date: 2017-June-28 Security risk: 10/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon Vulnerability: Information Disclosure Description This SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged information. CVE identifier(s) issued A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected smtp 8.x-1.x versions prior to 8.x-1.0-beta3. smtp 7.x-1.x versions prior to 7.x-1.7. Drupal core is not affected. If you do not use the contributed SMTP Authentication Support module, there is nothing you need to do. Solution Install the latest version: If you use the smtp module for Drupal 8.x, upgrade to smtp 8.x-1.0-beta3 If you use the smtp module for Drupal 7.x, upgrade to smtp 7.x-1.7 Also see the SMTP Authentication Support project page. Reported by Baysaa of the Drupal Security Team Fixed by Fabiano Sant'Ana the module maintainer José San Martin the module maintainer David Snopek of the Drupal Security Team Cash Williams of the Drupal Security Team Michael Hess of the Drupal Security Team Coordinated by Michael Hess of the Drupal Security Team Contact and More Information The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity ____________________________________________________________________ Services - Critical - SQL Injection - SA-CONTRIB-2017-054 Posted by Drupal Security Team on 28 Jun 2017 at 13:36 UTC Advisory ID: DRUPAL-SA-CONTRIB-2017-054 Project: Services (third-party module) Version: 7.x Date: 2017-June-28 Security risk: 19/25 ( Critical) AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default Vulnerability: SQL Injection Description This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it. This vulnerability is mitigated by the fact that a site must have an "Index" resource enabled and the attacker must know the endpoint's URL. CVE identifier(s) issued A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected Services 7.x-3.x versions prior to 7.x-3.20 Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do. Solution Install services version 7.x-3.20 of the module or disable any Index resources within your endpoint(s). Also see the Services project page. Reported by John Morahan Fixed by Tyler Frankenstein, a module maintainer John Morahan Coordinated by Michael Hess of the Drupal Security Team Contact and More Information The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================