Drupal Security Advisories

Description

DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom.

The module did not confirm the validity of a chat request, resulting in a Cross Site Request Forgery (CSRF) vulnerability which enables an attacker to trick a user to send arbitrary chat messages to any user. The

The module did not filter administrator provided text, leading to a Cross Site Scripting (XSS) vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • DrupalChat 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed DrupalChat module, there is nothing you need to do.

Solution

Install the latest version:

Also see the DrupalChat project page.

Also see the DrupalChat project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Description

This module enables you to protect requests via the OAuth authentication protocol.

The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as unpublished node.

This vulnerability is mitigated by the fact that an attacker must know the available resources in a Drupal site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OAuth 8.x-2.x versions prior to 8.x-2.1.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.

Solution

In addition to updating the code, you must Clear all caches.

  • If you use the OAuth module for Drupal 8.x, upgrade to OAuth 8.x-2.1

Also see the OAuth project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Description

This SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged information.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • smtp 8.x-1.x versions prior to 8.x-1.0-beta3.
  • smtp 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed SMTP Authentication Support module, there is nothing you need to do.

Solution

Install the latest version:

Also see the SMTP Authentication Support project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Description

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it.

This vulnerability is mitigated by the fact that a site must have an "Index" resource enabled and the attacker must know the endpoint's URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Services 7.x-3.x versions prior to 7.x-3.20

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install services version 7.x-3.20 of the module or disable any Index resources within your endpoint(s).

Also see the Services project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal 8.3.4 and Drupal 7.56 are maintenance releases which contain fixes for security vulnerabilities.

Download Drupal 8.3.4 Download Drupal 7.56

Updating your existing Drupal 8 and 7 sites is strongly recommended (see instructions for Drupal 8 and for Drupal 7). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.4 release notes and the 7.56 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-003
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2017-June-21
  • Multiple vulnerabilities
Description PECL YAML parser unsafe object handling - Critical - Drupal 8 - CVE-2017-6920

PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This could lead to remote code execution.

File REST resource does not properly validate - Less Critical - Drupal 8 - CVE-2017-6921

The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users - Moderately Critical - Drupal 7 and Drupal 8 - CVE-2017-6922

Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

The security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.

Versions affected
  • Drupal core 7.x versions prior to 7.56
  • Drupal core 8.x versions prior to 8.3.4
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by PECL YAML parser unsafe object handling File REST resource does not properly validate Files uploaded by anonymous users into a private file system can be accessed by other anonymous users Fixed by PECL YAML parser unsafe object handling File REST resource does not properly validate Files uploaded by anonymous users into a private file system can be accessed by other anonymous users Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.xDrupal 8.x
Description

The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the url that was not found.

The module did not filter administrator-provided text before displaying it to the user on the 404 page creating a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search 404 7.x-2.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Search 404 module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search 404 project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Description

The LDAP module does not sanitize user input correctly in several cases, allowing a user to modify parameters without restriction and inject data.

If the site administrator chooses to hide the email or password from the user form (instead of showing or disabling it under "Authorization"), these values can be overwritten.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • LDAP 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Lightweight Directory Access Protocol (LDAP) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the LDAP module for Drupal 7.x-2.x, upgrade to LDAP-7.x-2.2

Also see the Lightweight Directory Access Protocol (LDAP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

What our clients are saying

...provided us with excellent, expert service in a professional and personable manner.
I realized that I had picked the right company to work with soon after beginning a project with Peerless Design, Inc.
...dedicated, competent and driven to get the job done and done well.
...continued to monitor it closely and is still always available to help me if I have any questions
...your punctuality, your casual and open personalities, and both your hard copy and online portfolios speak very highly of you and your business as well
... incredibly impressed with what you brought to the table
I'm so happy we chose to work with PEERLESS Design.
I would highly recommend her for any position requiring IT design and development
...I have no doubt we will have the best site in the 2010 election of any PA candidate
" PDI provides us prompt, effective and efficient service in maintaining our Drupal based website."
A great experience and a much improved website.
I love directing our customers to our new site knowing that they are going to be able to find exactly what they are looking for...
...a pleasure to work with, combining patience (for my busy schedule and at times overwhelmed brain) with her strong motivation and energy to keep me going
...very responsive to our questions and needs
...we just want you to know that we are appreciative!
...able to translate technical information in an accessible way...
... they also made suggestions which showed me that they fully understood what I wanted to accomplish.
...can do anything any other designer can do and generally quicker, cheaper and better.
...took my less than mediocre site and completely revamped it into a beautiful, professional, and easy-to-navigate site
I had a very tight deadline and budget, and they met it, seemingly with ease.
...able to take my abstract ideas and add their expertise to bring them to life in a way that was better than I could have imagined!
Thanks so much for everything!
...creative, independent, responsive...
I have seen the first layouts and they are awesome...
I would highly recommend her for any position requiring IT design and development