SecurityTracker.com
Category: Application (Forum/Board/Portal) > Drupal
Vendors: drupal.org
Drupal Multiple Flaws Let Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks and Remote Authenticated Users Inject SQL Commands and Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1033358
SecurityTracker URL:  http://securitytracker.com/id/1033358
CVE Reference: CVE-2015-6658, CVE-2015-6659, CVE-2015-6660, CVE-2015-6661, CVE-2015-6665
Updated:  Sep 4 2015
Original Entry Date:  Aug 21 2015
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.x, 7.x
Description:   Several vulnerabilities were reported in Drupal. A remote user can conduct cross-site request forgery attacks. A remote authenticated user can obtain potentially sensitive information on the target system. A remote authenticated user can inject SQL commands. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Drupal software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The Drupal.ajax() function is affected when processing a whitelisted HTML element [CVE-2015-6665]. Version 7.x is affected.

The form autocomplete function is affected [CVE-2015-6658].

The SQL comment filtering system does not properly validate user-supplied input [CVE-2015-6659]. A remote authenticated user can supply a specially crafted parameter value to execute SQL commands on the underlying database. Version 7.x is affected.

A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, will exploit a flaw in the Form API to take actions on the target interface (e.g., upload files) acting as the target user [CVE-2015-6660].

A remote authenticated user that does not have the "access content" permission can view node titles on a menu on the target system [CVE-2015-6661].

Regis Leroy, Kay Leung (Drupal core JavaScript maintainer), Samuel Mortenson, Pere Orga of the Drupal Security Team, Alex Bronstein of the Drupal Security Team, Carl Sabottke, Abdullah Hussam, and David_Rothstein of the Drupal Security Team reported these vulnerabilities.

Impact:   A remote user can take actions on the target system acting as the target authenticated user.

A remote authenticated user can obtain potentially sensitive information on the target system.

A remote authenticated user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Drupal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fix (6.37, 7.39).

The vendor's advisory is available at:

https://www.drupal.org/SA-CORE-2015-003

Vendor URL: www.drupal.org/SA-CORE-2015-003
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

Source Message Contents: [Original Message Not Available for Viewing]

Copyright 2019, SecurityGlobal.net LLC