Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 491858 - <www-apps/drupal-{7.24,6.29} : multiple vulnerabilities (CVE-2013-{6385,6386,6387,6388,6389})
Summary: <www-apps/drupal-{7.24,6.29} : multiple vulnerabilities (CVE-2013-{6385,6386,...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-21 11:58 UTC by Agostino Sarubbo
Modified: 2014-01-05 02:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-11-21 11:58:47 UTC
From ${URL} :

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

* Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - 
Drupal 6 and 7)

Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to 
perform its own validation on the form.  In certain common cases, form validation functions may execute 
unsafe operations.  Given that the CSRF protection is an especially important validation, the Drupal core 
form API has been changed in this release so that it now skips subsequent validation if the CSRF 
validation fails.

This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side 
effects must be active on the site, and none exist in core. However, issues were discovered in several 
popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue 
in core. Other similar issues with varying impacts are likely to have existed in other contributed modules 
and custom modules and therefore will also be fixed by this Drupal core release.

* Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, 
OpenID and random password generation - Drupal 6 and 7)

Drupal core directly used the mt_rand() pseudorandom number generator for generating security related 
strings used in several core modules. It was found that brute force tools could determine the seeds making 
these strings predictable under certain circumstances.

This vulnerability has no mitigation; all Drupal sites are affected until the security update has been 
applied.

* Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)

Drupal core attempts to add a "defense in depth" protection to prevent script execution by placing a 
.htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. 
This protection is only necessary if there is a vulnerability on the site or on a server that allows users 
to upload malicious files. The configuration in the .htaccess file did not prevent code execution on 
certain Apache web server configurations. This release includes new configuration to prevent PHP execution 
on several additional common Apache configurations. If you are upgrading a site and the site is run by 
Apache you must fix the file manually, as described in the "Solution" section below.

This vulnerability is mitigated by the fact it only relates to a defense in depth mechanism, and sites 
would only be vulnerable if they are hosted on a server which contains code that does not use protections 
similar to those found in Drupal's file API to manage uploads in a safe manner.

* Access bypass (Security token validation - Drupal 6 and 7)

The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that 
the token is a string.

This vulnerability is mitigated by the fact that a contributed or custom module must invoke 
drupal_validate_token() with an argument that can be manipulated to not be a string by an attacker. There 
is currently no known core or contributed module that would suffer from this vulnerability.

* Cross-site scripting (Image module - Drupal 7)

Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a 
cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a permission to administer field 
descriptions, for example the "administer taxonomy" permission to edit fields on taxonomy terms.

* Cross-site scripting (Color module - Drupal 7)

A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an 
authenticated administrative user intovisiting a page containing specific JavaScript that could lead to a 
reflected cross-site scripting attack via JavaScript execution in CSS.

This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a 
restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under 
certain conditions.

* Open redirect (Overlay module - Drupal 7)

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), 
rather than replacing the page in the browser window. The Overlay module did not sufficiently validate 
URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the 
"Access the administrative overlay" permission.

References:
http://seclists.org/fulldisclosure/2013/Nov/160


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. Please remove the affected versions from the tree.
Comment 1 Pavel 2013-11-23 00:30:15 UTC
Please version bump drupal to 7.24 ASAP.
Comment 2 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2013-11-30 05:31:08 UTC
drupal 7.24 version bump done.
Comment 3 MickKi 2013-11-30 15:46:22 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #2)
> drupal 7.24 version bump done.

Guys, thank you for this.

Are you also going to bump 6.28 to 6.29?  There are many websites out there that are still running on drupal 6 (and so was drupal.org until a month ago).
-- 
Regards,
Mick
Comment 4 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2013-12-01 23:08:42 UTC
(In reply to MickKi from comment #3)
> 
> Are you also going to bump 6.28 to 6.29?  There are many websites out there
> that are still running on drupal 6 (and so was drupal.org until a month ago).
> -- 
> Regards,
> Mick

Bump to 6.29 done. I don't have an install with drupal-6 to test, but given the diff to 6.28 was small and was only related to the bump and security fixing, I've committed it to the tree.
Please test it and report back if you get any errors.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2013-12-04 04:47:51 UTC
Thank you for your work, and cleanup.

Since there are no stable packages, No GLSA is required.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:38:00 UTC
CVE-2013-6389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6389):
  Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24
  allows remote attackers to redirect users to arbitrary web sites and conduct
  phishing attacks via unspecified vectors.

CVE-2013-6386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6386):
  Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to
  generate random numbers, which uses predictable seeds and allows remote
  attackers to predict security strings and bypass intended restrictions via a
  brute force attack.

CVE-2013-6385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6385):
  The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with
  unspecified third-party modules, performs form validation even when CSRF
  validation has failed, which might allow remote attackers to trigger
  application-specific impacts such as arbitrary code execution via
  application-specific vectors.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-01-05 02:43:32 UTC
CVE-2013-6388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6388):
  Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x
  before 7.24 allows remote attackers to inject arbitrary web script or HTML
  via vectors related to CSS.

CVE-2013-6387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6387):
  Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x
  before 7.24 allows remote authenticated users with certain permissions to
  inject arbitrary web script or HTML via the description field.