it-securitynotifies - [IT-SecNots] [Security-news] SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass
  • Date: Wed, 6 Aug 2014 20:09:51 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

View online: https://www.drupal.org/node/2316717

* Advisory ID: DRUPAL-SA-CONTRIB-2014-075
* Project: Biblio Autocomplete [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-08-06
* Security risk: 23/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Exploit/TD:100 [2]
* Vulnerability: Access bypass, SQL Injection

-------- DESCRIPTION
---------------------------------------------------------

This module provides functionality for AJAX based auto-completion of fields
in the Biblio node type (provided by the Biblio module) using previously
entered values and third party services.

The submodule "Biblio self autocomplete", which suggests previously entered
values, does not sufficiently sanitize user input before using it in a
database query, so a crafted autocomplete request can alter the query (SQL
injection).

Additionally, the AJAX autocompletion callback itself carried no access
check, so any visitor, including the anonymous user, could call it and read
the data it returns. Together the two flaws allow an unauthenticated SQL
injection, which is what the "A:None" component of the risk score reflects.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

* A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes.

-------- VERSIONS AFFECTED
---------------------------------------------------

Drupal core is not affected. If you do not use the contributed Biblio
Autocomplete [4] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

* If you use the Biblio Autocomplete module for Drupal 6.x, upgrade to
Biblio Autocomplete 6.x-1.1 [5].
* If you use the Biblio Autocomplete module for Drupal 7.x, upgrade to
Biblio Autocomplete 7.x-1.5 [6].

Additionally, the fixed releases introduce a new permission, "access biblio
autocomplete", which now gates the autocomplete callback. After upgrading,
grant this permission to the roles that have write access to Biblio nodes;
roles without it can no longer reach the callback. Do not grant it to the
anonymous user, as that would reopen the exposure the fix closes.

Also see the Biblio Autocomplete [7] project page.
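The two flaw classes described above (an autocomplete callback with no access
check, and user input concatenated into a database query) and the shape of the
fix (a dedicated permission plus a placeholder query), shown side by side in a
hypothetical Drupal 7 module. This is an added illustration, not code from the
Biblio Autocomplete module or from the advisory; the module name `example_ac`,
the menu paths, the permission name, and the lookup against `{node}.title` are
assumptions made for the example.

```php
<?php
/**
 * Hypothetical Drupal 7 module "example_ac" (illustration only; not the
 * Biblio Autocomplete module's code). Shows the vulnerable router entry and
 * callback beside their hardened equivalents.
 */

/**
 * Implements hook_permission().
 *
 * Modelled on the "access biblio autocomplete" permission the fixed releases
 * introduce: site builders grant it only to roles that edit the nodes.
 */
function example_ac_permission() {
  return array(
    'access example autocomplete' => array(
      'title' => t('Use the example autocomplete'),
    ),
  );
}

/**
 * Implements hook_menu().
 */
function example_ac_menu() {
  $items = array();

  // BEFORE (access bypass): 'access callback' => TRUE exposes the path to
  // every visitor, including anonymous users. The bypass lives in the router
  // entry, so no amount of hardening inside the callback fixes it.
  $items['example/autocomplete-vulnerable/%'] = array(
    'page callback' => 'example_ac_autocomplete_vulnerable',
    'page arguments' => array(2),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // AFTER: the path requires the dedicated permission; Drupal's menu system
  // runs user_access() on it before the page callback is ever invoked.
  $items['example/autocomplete/%'] = array(
    'page callback' => 'example_ac_autocomplete',
    'page arguments' => array(2),
    'access arguments' => array('access example autocomplete'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * BEFORE (SQL injection): the request string is spliced into the SQL text.
 *
 * A value such as  x' OR '1'='1  closes the quoted literal and rewrites the
 * WHERE clause; a  ' UNION SELECT ... --  reaches other tables entirely.
 */
function example_ac_autocomplete_vulnerable($string) {
  $matches = array();
  $result = db_query("SELECT DISTINCT title FROM {node} WHERE title LIKE '" . $string . "%' LIMIT 10");
  foreach ($result as $row) {
    $matches[$row->title] = check_plain($row->title);
  }
  drupal_json_output($matches);
}

/**
 * AFTER: a named placeholder keeps the input out of the SQL text, and
 * db_like() escapes the LIKE metacharacters % and _ so the prefix is matched
 * literally rather than acting as a wildcard. db_query_range() supplies the
 * LIMIT portably instead of hard-coding it.
 */
function example_ac_autocomplete($string) {
  $matches = array();
  $result = db_query_range(
    'SELECT DISTINCT title FROM {node} WHERE title LIKE :pattern',
    0, 10,
    array(':pattern' => db_like($string) . '%')
  );
  foreach ($result as $row) {
    $matches[$row->title] = check_plain($row->title);
  }
  drupal_json_output($matches);
}
```

When reviewing a contributed module for this pattern, check both halves: every
`hook_menu()` entry that exposes data should name an `access arguments` or a
real `access callback` (not `TRUE`), and every query should pass user-supplied
values as placeholder arguments rather than through string concatenation.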

-------- REPORTED BY
---------------------------------------------------------

* Carsten Logemann [8]

-------- FIXED BY
------------------------------------------------------------

* Carsten Logemann [9]
* Damien McKenna [10], provisional member of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

* David Stoline [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] https://www.drupal.org/project/biblio_autocomplete
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/biblio_autocomplete
[5] https://www.drupal.org/node/2316023
[6] https://www.drupal.org/node/2316025
[7] https://www.drupal.org/project/biblio_autocomplete
[8] https://drupal.org/user/218368
[9] https://drupal.org/user/218368
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/dstol
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news




Archive provided by MHonArc 2.6.19.
