it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003
- Date: Wed, 17 Jan 2018 20:04:16 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-003
Project: Bible [1]
Date: 2018-January-17
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:Some/II:All/E:Proof/TD:All [2]
Vulnerability: Multiple Vulnerabilities
Description:
This module enables you to display a Bible on your website. Users can
associate notes with a Bible version.
This module has a vulnerability that would allow an attacker to wipe out,
update or read notes from other users with a carefully crafted title.
A user must have the "Access Bible content" privilege, which is most likely
the default if you have enabled this module.
The code appeared to allow other SQL injection vulnerabilities as well. Many
lines of code were rewritten to make this module more secure. Therefore, even
if you did not give users the "Access Bible content" privilege, there may
have been other SQL vulnerabilities which could have been exploited.
Solution:
Install the latest version:
* If you use the Bible module for Drupal 7.x, upgrade to Bible 7.x-1.7 [3]
Reported By:
* jfhovinne [4]
Fixed By:
* Berend de Boer [5] the module maintainer
* László Csécsy (Boobaa) [6] the module maintainer
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/bible
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/bible/releases/7.x-1.7
[4] https://www.drupal.org/user/77723
[5] https://www.drupal.org/user/143552
[6] https://www.drupal.org/user/199303
[7] https://www.drupal.org/u/mlhess
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
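
The following is an added example, not part of the advisory or of the Bible module's code: a check that reads the `version` line which the drupal.org packaging script writes into a module's `.info` file and compares it against the fixed release, Bible 7.x-1.7. It assumes the module's info file is named `bible.info`; the sample file contents are constructed.

```python
import os
import re

FIXED = (1, 7)  # Bible 7.x-1.7, the fixed release named in the advisory

def parse_info(text):
    """Parse the flat `key = value` lines of a Drupal 7 .info file."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip("\"'")
    return info

def check_bible(info_text):
    """Return 'fixed', 'vulnerable' or 'unknown' for the text of a bible.info file."""
    version = parse_info(info_text).get("version", "")
    m = re.fullmatch(r"7\.x-(\d+)\.(\d+)", version)
    if not m:
        # Dev snapshots, pre-releases and git checkouts carry no plain release
        # number, so they need a manual review instead of a guess.
        return "unknown"
    return "fixed" if (int(m[1]), int(m[2])) >= FIXED else "vulnerable"

def scan(root):
    """Yield (path, status) for every bible.info found below a Drupal docroot."""
    for dirpath, _dirs, files in os.walk(root):
        if "bible.info" in files:  # assumed file name of the module's info file
            path = os.path.join(dirpath, "bible.info")
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield path, check_bible(fh.read())

# Constructed sample .info contents (not taken from a real installation).
PACKAGED = '; Information added by Drupal.org packaging script\n'
SAMPLE_OLD = 'name = Bible\ncore = 7.x\n' + PACKAGED + 'version = "7.x-1.6"\nproject = "bible"\n'
SAMPLE_NEW = 'name = Bible\ncore = 7.x\n' + PACKAGED + 'version = "7.x-1.7"\nproject = "bible"\n'
SAMPLE_DEV = 'name = Bible\ncore = 7.x\n' + PACKAGED + 'version = "7.x-1.x-dev"\nproject = "bible"\n'

if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("dev", SAMPLE_DEV)):
        print(label, check_bible(text))
```

Point `scan()` at the site's document root to cover copies under `sites/all/modules` and per-site module directories alike; an `unknown` result means the copy has to be compared with the 7.x-1.7 release by hand.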