[IT-SecNots] [Security-news] Drupal Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004

[security-news AT drupal.org]

View online: https://www.drupal.org/SA-CORE-2015-004

   * Advisory ID: DRUPAL-SA-CORE-2015-004
   * Project: Drupal core [1]
   * Version: 7.x
   * Date: 2015-October-21
   * Security risk: 9/25 ( Less Critical)
     AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
   * Vulnerability: Open Redirect

-------- DESCRIPTION
---------------------------------------------------------

The Overlay module in Drupal core displays administrative pages as a layer
over the current page (using JavaScript), rather than replacing the page in
the browser window. The Overlay module does not sufficiently validate URLs
prior to displaying their contents, leading to an open redirect
vulnerability.

This vulnerability is mitigated by the fact that it can only be used against
site users who have the "Access the administrative overlay" permission, and
that the Overlay module must be enabled.

An incomplete fix for this issue was released as part of SA-CORE-2015-002
[3].


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [4] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Drupal core 7.x versions prior to 7.41.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use Drupal 7.x, upgrade to Drupal 7.41 [5]

Also see the Drupal core [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Samuel Mortenson [7]
   * Pere Orga [8] of the Drupal Security Team

-------- FIXED BY
------------------------------------------------------------

   * Pere Orga [9] of the Drupal Security Team
   * David Rothstein [10] of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

   * The Drupal Security Team [11]

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and  securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/SA-CORE-2015-002
[4] http://cve.mitre.org/
[5] https://www.drupal.org/drupal-7.41-release-notes
[6] https://www.drupal.org/project/drupal
[7] https://www.drupal.org/u/samuel.mortenson
[8] https://www.drupal.org/u/pere-orga
[9] https://www.drupal.org/u/pere-orga
[10] https://www.drupal.org/u/david_rothstein
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news