- Advisory ID: DRUPAL-SA-CORE-2015-003
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2015-August-19
- Security risk: 18/25 (Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All
- Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities
This security advisory fixes multiple vulnerabilities. See below for a list.
Cross-site Scripting - Ajax system - Drupal 7
A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.
This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.
Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.
Cross-site Scripting - Autocomplete system - Drupal 6 and 7
A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.
This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.
SQL Injection - Database API - Drupal 7
A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.
This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.
Cross-site Request Forgery - Form API - Drupal 6 and 7
A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.
This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.
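Why the order of token validation matters, shown as an added example: this is a simplified model written for this page, not Drupal's form API code. All function names, the secret and the sample request are constructed; the value callback stands in for a file upload callback that stores a temporary file as a side effect.

```python
import hashlib
import hmac

SECRET = b"constructed-site-secret"  # constructed value for this model


def form_token(session_id, form_id):
    """Per-session, per-form token that a cross-site request cannot know."""
    key = SECRET + session_id.encode()
    return hmac.new(key, form_id.encode(), hashlib.sha256).hexdigest()


def token_ok(request, form_id):
    expected = form_token(request["session"], form_id)
    return hmac.compare_digest(expected, request.get("token", ""))


def file_value_callback(request, temp_files):
    """Value callback with a side effect: keeps the upload as a temporary file."""
    if "upload" in request:
        temp_files.append((request["session"], request["upload"]))
    return request.get("upload")


def process_late_check(request, form_id, temp_files):
    """Flawed order: the value callback runs before the token is validated."""
    file_value_callback(request, temp_files)
    return token_ok(request, form_id)


def process_early_check(request, form_id, temp_files):
    """Corrected order: an invalid token stops processing before any callback."""
    if not token_ok(request, form_id):
        return False
    file_value_callback(request, temp_files)
    return True


def demo():
    # Constructed cross-site request: carries the user's session, no valid token.
    forged = {"session": "victim-session", "token": "", "upload": "payload.txt"}
    late_files, early_files = [], []
    late = process_late_check(forged, "upload_form", late_files)
    early = process_early_check(forged, "upload_form", early_files)
    return late, late_files, early, early_files
```

Both orderings reject the forged submission, but only the early check leaves no temporary file behind under the other user's session.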
Information Disclosure in Menu Links - Access system - Drupal 6 and 7
Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.
CVE identifier(s) issued
- Cross-site Scripting (Ajax system - Drupal 7): CVE-2015-6665
- Cross-site Scripting (Autocomplete system - Drupal 6 and 7): CVE-2015-6658
- SQL Injection (Database API - Drupal 7): CVE-2015-6659
- Cross-site Request Forgery (Form API - Drupal 6 and 7): CVE-2015-6660
- Information Disclosure in Menu Links (Access system - Drupal 6 and 7): CVE-2015-6661
Versions affected
- Drupal core 6.x versions prior to 6.37
- Drupal core 7.x versions prior to 7.39
Solution
Install the latest version:
- If you use Drupal 6.x, upgrade to Drupal core 6.37
- If you use Drupal 7.x, upgrade to Drupal core 7.39
Also see the Drupal core project page.
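A check for the affected versions listed above, as an added example that is not part of the advisory. It assumes the core version is declared as define('VERSION', '...') in includes/bootstrap.inc (7.x) or modules/system/system.module (6.x); the sample sources are constructed.

```python
import re

# Fixed releases named in this advisory, keyed by major version.
FIXED = {6: 37, 7: 39}

# Assumption: core declares its version as define('VERSION', '7.38');
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def extract_version(php_source):
    """Pull the version string out of the PHP file that defines VERSION."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def assess(version):
    """Return 'affected', 'fixed', 'not-covered' or 'unknown'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(-[\w.]+)?", version or "")
    if not m:
        return "unknown"  # e.g. '7.x-dev' or a missing VERSION define
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    if major not in FIXED:
        return "not-covered"  # this advisory only lists 6.x and 7.x
    if minor < FIXED[major]:
        return "affected"
    if minor == FIXED[major] and suffix:
        # A snapshot such as 7.39-dev predates the 7.39 release and may
        # or may not contain the fixes, so it needs a manual look.
        return "unknown"
    return "fixed"


def check_source(php_source):
    version = extract_version(php_source)
    return version, assess(version)


if __name__ == "__main__":
    # Constructed sample file contents, one per site being audited.
    samples = {
        "site-a": "<?php\ndefine('VERSION', '7.38');\n",
        "site-b": "<?php\ndefine('VERSION', '6.37');\n",
        "site-c": "<?php\ndefine('VERSION', '7.39-dev');\n",
    }
    for name, source in samples.items():
        print(name, *check_source(source))
```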
Credits
Cross-site Scripting - Ajax system - Drupal 7
Reported by
- Régis Leroy
- Kay Leung, Drupal core JavaScript maintainer
- Samuel Mortenson
- Pere Orga of the Drupal Security Team
Fixed by
- Théodore Biadala, Drupal core JavaScript maintainer
- Alex Bronstein of the Drupal Security Team
- Ben Dougherty of the Drupal Security Team
- Gábor Hojtsy of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Kay Leung, Drupal core JavaScript maintainer
- Wim Leers
- Samuel Mortenson
- Pere Orga of the Drupal Security Team
- Tim Plunkett
- David Rothstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- znerol, maintainer of Authcache module
Cross-site Scripting - Autocomplete system - Drupal 6 and 7
Reported by
- Alex Bronstein of the Drupal Security Team
- Pere Orga of the Drupal Security Team
Fixed by
- Alex Bronstein of the Drupal Security Team
- Ben Dougherty of the Drupal Security Team
- Tim Plunkett
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- David Rothstein of the Drupal Security Team
SQL Injection - Database API - Drupal 7
Reported by
Fixed by
- Anthony Ferrara
- Larry Garfield
- Greg Knaddison of the Drupal Security Team
- Cathy Theys, provisional member of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
Cross-site Request Forgery - Form API - Drupal 6 and 7
Reported by
Fixed by
- Greg Knaddison of the Drupal Security Team
- Wim Leers
- David Rothstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
Information Disclosure in Menu Links - Access system - Drupal 6 and 7
Reported by
- David Rothstein of the Drupal Security Team
Fixed by
- Matt Chapman of the Drupal Security Team
- Stéphane Corlosquet of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Christian Meilinger
- David Rothstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
Coordinated by
- Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity