[IT-SecNots] [Security-news] Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027
- Date: Wed, 18 May 2016 19:49:55 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
View online: https://www.drupal.org/node/2728693
* Advisory ID: DRUPAL-SA-CONTRIB-2016-027
* Project: Dropbox Client [1] (third-party module)
* Version: 7.x
* Date: 2016-May-18
* Security risk: 15/25 (Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, Information Disclosure, Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to view Dropbox files in your Drupal site.
The module doesn't sufficiently sanitize filenames when displaying them to
users or administrators, leading to a Cross Site Scripting (XSS)
vulnerability. This vulnerability is mitigated by the fact that an attacker
must be able to upload files to the Dropbox folder that the victim later
views through the Drupal site.
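The following PHP is an added example, not code from the dropbox_client module, showing the class of defect the advisory describes: a filename taken from a remote Dropbox listing is written into HTML unchanged, next to a hardened version that escapes each value for the context it lands in. The file listing is constructed for the example; in Drupal 7 the escaping helper is check_plain(), which wraps htmlspecialchars() the same way the hardened function does.

```php
<?php
// Added example (not the dropbox_client module's own code).
// Constructed sample listing in the shape a Dropbox API response might take.
// The third entry contains markup in its name; a browser would interpret it
// if it reached the page unescaped.
$files = array(
  array('path' => '/report.pdf',              'bytes' => 10240),
  array('path' => '/notes "q1" & more.txt',   'bytes' => 512),
  array('path' => '/<b>not a file</b>.txt',   'bytes' => 0),
);

/**
 * Vulnerable: the path from the remote listing is concatenated straight
 * into the HTML, both as link text and as an attribute value.
 */
function dropbox_listing_vulnerable(array $files) {
  $out = "<ul>\n";
  foreach ($files as $f) {
    $out .= '  <li><a href="/dropbox/view?path=' . $f['path'] . '">'
          . $f['path'] . "</a></li>\n";
  }
  return $out . "</ul>\n";
}

/**
 * Hardened: HTML-escape text and attribute values (quotes included, hence
 * ENT_QUOTES) and URL-encode the component that goes into the query string.
 * Escaping at output time means the filename stays usable as data elsewhere.
 */
function dropbox_listing_safe(array $files) {
  $out = "<ul>\n";
  foreach ($files as $f) {
    $name = htmlspecialchars($f['path'], ENT_QUOTES, 'UTF-8');
    $href = '/dropbox/view?path=' . rawurlencode($f['path']);
    $out .= '  <li><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
          . $name . "</a></li>\n";
  }
  return $out . "</ul>\n";
}

echo "--- vulnerable ---\n", dropbox_listing_vulnerable($files);
echo "--- hardened ---\n", dropbox_listing_safe($files);
```

Run with `php listing.php` and compare the two blocks: in the hardened output the third entry appears literally as `&lt;b&gt;not a file&lt;/b&gt;.txt` and the double quotes in the second entry no longer terminate the href attribute.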
Additionally, the module shipped with hardcoded and exposed OAuth
credentials, exposing known users of the module to phishing and/or
access bypass.
The app secret has been made invalid, making the exposed secrets unusable for
the attacker. This also makes the module unusable without upgrading and
taking necessary steps to register a new Dropbox app.
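Because the fix requires every site to register its own Dropbox app, the app key and secret have to come from site configuration rather than from the module's source. The following PHP is an added example, not the module's own code, of reading them through Drupal 7's variable_get() and failing closed when they are missing; the variable names and the status-report helper are assumptions for this example, and the variable_get() stub exists only so the file runs outside Drupal.

```php
<?php
// Added example (not the dropbox_client module's own code).
// Credentials are read from configuration so that nothing secret ships in
// the module and each site uses an app it registered itself.

if (!function_exists('variable_get')) {
  // Outside Drupal, read the same setting from an environment variable
  // (DROPBOX_CLIENT_APP_KEY etc.); inside Drupal the real API is used.
  function variable_get($name, $default = NULL) {
    $v = getenv(strtoupper($name));
    return $v === FALSE ? $default : $v;
  }
}

/**
 * Return the configured app credentials, or throw if either is absent.
 * Failing closed prevents a site from silently continuing to use a key
 * that was never its own. Variable names are assumed for this example.
 */
function dropbox_client_app_credentials() {
  $key    = (string) variable_get('dropbox_client_app_key', '');
  $secret = (string) variable_get('dropbox_client_app_secret', '');
  if ($key === '' || $secret === '') {
    throw new RuntimeException(
      'Dropbox app key/secret not configured: register an app and set '
      . 'dropbox_client_app_key and dropbox_client_app_secret in settings.php ($conf).'
    );
  }
  return array('key' => $key, 'secret' => $secret);
}

/**
 * Shaped like one entry of a hook_requirements() result (Drupal 7), so the
 * missing configuration shows up on the status report instead of surfacing
 * as a broken request later.
 */
function dropbox_client_credentials_requirement() {
  try {
    dropbox_client_app_credentials();
    return array('title' => 'Dropbox app credentials', 'severity' => 'ok',
                 'value' => 'Configured');
  } catch (RuntimeException $e) {
    return array('title' => 'Dropbox app credentials', 'severity' => 'error',
                 'value' => $e->getMessage());
  }
}

print_r(dropbox_client_credentials_requirement());
```

Without the two environment variables set, the script reports the error entry; with both set it reports "Configured". Keeping the secret in settings.php (outside version control) rather than in the module also means a future source disclosure does not repeat the problem this advisory describes.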
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All dropbox_client 7.x-3.x versions.
Drupal core is not affected. If you do not use the contributed Dropbox Client
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the dropbox_client module for Drupal 7.x, upgrade to
dropbox_client 7.x-4.0 [5]
* Version 3.x is no longer supported
Also see the Dropbox Client [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Eirik Morland [7]
-------- FIXED BY ------------------------------------------------------------
* Eirik Morland [8]
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/dropbox_client
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/dropbox_client
[5] https://www.drupal.org/node/2728687
[6] https://www.drupal.org/project/dropbox_client
[7] https://www.drupal.org/user/1014468
[8] https://www.drupal.org/user/1014468
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news