CERT-In Vulnerability Note
CIVN-2014-0287
Multiple Vulnerabilities in various modules for Drupal
Original Issue Date: December 19, 2014
Severity Rating: MEDIUM
Systems Affected
Component Affected
- Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.6
- Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.4
- School Administration 7.x-1.x versions prior to 7.x-1.8
- Open Atrium 7.x-2.x versions prior to 7.x-2.26
Overview
Multiple vulnerabilities have been reported in various modules of Drupal which could be exploited by a remote attacker to conduct attacks like Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS) or bypass certain security restrictions.
Description
1. Access Bypass Vulnerability in Organic Groups Menu Module
This vulnerability exists because the module fails to check the menu parameters passed in the path, allowing an attacker to edit or delete any menu link on the site. An attacker could exploit this issue to bypass security restrictions in the context of the affected module. Successful exploitation of this vulnerability requires that the attacker possess a role with the permission "administer og menu".
Note: An information disclosure vulnerability also exists in the menu info in this module.
2. Cross Site Scripting (XSS) Vulnerability in School Administration Module
The vulnerability exists because the module fails to properly sanitize node titles in messages. An attacker may leverage this issue to conduct a Cross Site Scripting attack.
Note: Successful exploitation of this vulnerability requires that the attacker possess a user account with permission to create or edit a class node.
3. Multiple vulnerabilities in Open Atrium Module
The vulnerability exists because the module fails to exit correctly after validating access on several AJAX callbacks, allowing users with the "access content" permission to update and delete nodes. Attackers could leverage this vulnerability to bypass security restrictions in the context of the affected module. Several other sub-modules of Open Atrium fail to protect several menu callbacks against Cross Site Request Forgery (CSRF). In addition, the (alpha) OG Subgroups module allows access to child groups even after membership inheritance has been disabled.
Note: Successful exploitation of these vulnerabilities requires the affected sub-modules (Open Atrium Sitemap, Open Atrium Discussion, Open Atrium Admin Role and OA Teams, which are bundled with Open Atrium Core) to be enabled.
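The callback defects described in items 2 and 3 (continuing after a failed access check, no CSRF token on a state-changing menu callback, and an unescaped node title in a message), shown as an added Drupal 7 illustration that is not code from Open Atrium, School Administration or any other module named in this note; the module name "example", the path and the token value are assumptions.

```php
<?php
// Hypothetical Drupal 7 module "example" (assumed name) exposing an AJAX
// callback that deletes a node. Both the vulnerable and the hardened
// variant are shown; only the hardened one should be registered.

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items['example/delete/%node'] = array(
    'page callback' => 'example_node_delete_ajax',
    'page arguments' => array(2),
    // "access content" is too broad on its own; the callback must re-check.
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// VULNERABLE pattern: drupal_access_denied() renders the 403 page but does
// not stop execution, so the delete still runs for any user who can reach
// the path. No token is checked, so a forged cross-site request also works,
// and the raw title is placed in a message without escaping.
function example_node_delete_ajax_vulnerable($node) {
  if (!node_access('delete', $node)) {
    drupal_access_denied();
  }
  node_delete($node->nid);
  drupal_set_message("Deleted " . $node->title);
  drupal_json_output(array('status' => 'ok'));
}

// HARDENED pattern: stop on denied access, require a per-session token
// (generated with drupal_get_token('example-delete-' . $nid) when the link
// is built), and let t() escape the title through the %title placeholder.
function example_node_delete_ajax($node) {
  if (!node_access('delete', $node)) {
    drupal_access_denied();
    drupal_exit();
  }
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example-delete-' . $node->nid)) {
    drupal_access_denied();
    drupal_exit();
  }
  node_delete($node->nid);
  drupal_set_message(t('Deleted %title', array('%title' => $node->title)));
  drupal_json_output(array('status' => 'ok'));
}
```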
Solution
Apply appropriate updates as mentioned in the Drupal Security Advisories:
https://www.drupal.org/node/2395049
https://www.drupal.org/node/2395015
https://www.drupal.org/node/2394979
Vendor Information
Drupal
https://drupal.org/security/contrib
https://www.drupal.org/node/2395049
https://www.drupal.org/node/2395015
https://www.drupal.org/node/2394979
References
Drupal
https://drupal.org/security/contrib
https://www.drupal.org/node/2395049
https://www.drupal.org/node/2395015
https://www.drupal.org/node/2394979
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India