
it-securitynotifies - [IT-SecNots] [Security-news] SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass
  • Date: Wed, 12 Nov 2014 19:46:06 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

View online: https://www.drupal.org/node/2373973

* Advisory ID: DRUPAL-SA-CONTRIB-2014-108
* Project: Webform Component Roles [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-November-12
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The Webform Component Roles module enables site admins to limit visibility or
editability of webform components based on user roles.

The module doesn't sufficiently check, when the form is submitted, that the
values of disabled components have not been modified.
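
Added example, not part of the advisory and not code from the module or from Drupal: the PHP below contrasts saving submitted values unchecked with enforcing role-based editability on the server and recording rejected changes. The function names, data layout, role names and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not code from Webform Component Roles or Drupal.
// Function names and the data layout are hypothetical.

// Weak pattern: whatever the request contains overwrites stored values.
function save_unchecked(array $stored, array $submitted): array
{
    return array_merge($stored, $submitted);
}

// Server-side enforcement: a submitted value is accepted only for a
// component that one of the user's roles may edit.
function save_checked(array $components, array $roles, array $stored, array $submitted): array
{
    $values = [];
    $rejected = [];
    foreach ($components as $key => $component) {
        $mayEdit = count(array_intersect($component['edit_roles'], $roles)) > 0;
        $current = $stored[$key] ?? $component['default'];
        if ($mayEdit && array_key_exists($key, $submitted)) {
            $values[$key] = $submitted[$key];
            continue;
        }
        $values[$key] = $current; // keep the server-side value
        if (array_key_exists($key, $submitted) && $submitted[$key] !== $current) {
            $rejected[] = $key;   // worth logging: change attempted on a disabled component
        }
    }
    return ['values' => $values, 'rejected' => $rejected];
}

// Constructed sample data.
$components = [
    'comment' => ['edit_roles' => ['authenticated', 'editor'], 'default' => ''],
    'status'  => ['edit_roles' => ['editor'], 'default' => 'pending'],
];
$stored    = ['comment' => 'first draft', 'status' => 'pending'];
$submitted = ['comment' => 'updated text', 'status' => 'approved'];

$weak = save_unchecked($stored, $submitted);
assert($weak['status'] === 'approved');

$asUser = save_checked($components, ['authenticated'], $stored, $submitted);
assert($asUser['values'] === ['comment' => 'updated text', 'status' => 'pending']);
assert($asUser['rejected'] === ['status']);

$asEditor = save_checked($components, ['editor'], $stored, $submitted);
assert($asEditor['values']['status'] === 'approved' && $asEditor['rejected'] === []);

print_r(['weak' => $weak, 'user' => $asUser, 'editor' => $asEditor]);
```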


-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

* Webform Component Roles 6.x-1.x versions prior to 6.x-1.8.
* Webform Component Roles 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Webform
Component Roles [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Webform Component Roles module for Drupal 6.x, upgrade to
Webform Component Roles 6.x-1.8 [5]
* If you use the Webform Component Roles module for Drupal 7.x, upgrade to
Webform Component Roles 7.x-1.8 [6]

Also see the Webform Component Roles [7] project page.

-------- REPORTED BY ---------------------------------------------------------

* Colleen Blaho [8]

-------- FIXED BY ------------------------------------------------------------

* Shawn Sheridan [9], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

* David Rothstein [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] https://www.drupal.org/project/webform_component_roles
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform_component_roles
[5] https://www.drupal.org/node/2373471
[6] https://www.drupal.org/node/2373473
[7] https://www.drupal.org/project/webform_component_roles
[8] https://www.drupal.org/user/3042419
[9] https://www.drupal.org/user/138669
[10] https://www.drupal.org/user/124982
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
