Drupal Quick Tabs 6.x / 7.x Access Bypass
Date: 2013/10/30 | Tags: drupal | Views: 686
- Drupal Quick Tabs third party module versions 6.x and 7.x suffer from an access bypass vulnerability.
- View online: https://drupal.org/node/2103187
- * Advisory ID: DRUPAL-SA-CONTRIB-2013-078
- * Project: Quick Tabs [1] (third-party module)
- * Version: 6.x, 7.x
- * Date: 2013-October-02
- * Security risk: Moderately critical [2]
- * Exploitable from: Remote
- * Vulnerability: Access bypass
- ------- DESCRIPTION
- ---------------------------------------------------------
- The Quick Tabs module allows you to create blocks of tabbed content,
- specifically views, blocks, nodes and other quicktabs. You can create a block
- on your site containing multiple tabs with corresponding content.
- The module does not sufficiently check block permissions before rendering a
- Quick Tab. Before this vulnerability was addressed, if a block had been
- restricted to only appear for certain roles, that access was not checked
- before rendering it within a Quick Tab, leaving the contents of that block
- visible to the world.
- This vulnerability is mitigated by the fact that node and view permissions
- are respected, meaning the vulnerability primarily exists for custom blocks
- created for specific roles.
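The following is an added illustration and not code from the Quick Tabs module or Drupal core. It models the failure described above: a tab renderer that emits a "block" tab without consulting the per-role visibility that Drupal 7 core stores in the block_role table (and enforces for normal block placement in block_block_list_alter()), next to a version that applies the same check before rendering. The block_role rows, user objects, tab definitions and the "module_delta_N" bid format are constructed sample data and assumptions for this example; node and view tabs are left out because the advisory notes their own permission checks are respected.

```php
<?php
// Added example (not Quick Tabs or Drupal core code). Runs stand-alone with
// `php example.php`; all data below is constructed for illustration.

// Constructed stand-in for rows of Drupal 7's block_role table (module, delta, rid).
// A block with no rows here carries no role restriction and is visible to all.
$block_role_rows = array(
  array('module' => 'block', 'delta' => '5', 'rid' => 3), // custom block 5: administrators only
);

// Constructed user objects in the shape of $user->roles (rid => role name).
$anonymous = (object) array('uid' => 0, 'roles' => array(1 => 'anonymous user'));
$admin     = (object) array('uid' => 1, 'roles' => array(2 => 'authenticated user', 3 => 'administrator'));

// Constructed tab definitions; the "module_delta_N" bid format is an assumption.
$tabs = array(
  array('type' => 'block', 'bid' => 'block_delta_5', 'title' => 'Staff notes'),
  array('type' => 'block', 'bid' => 'block_delta_7', 'title' => 'Public news'),
);

/**
 * Returns the rids allowed to see a block, or an empty array if unrestricted.
 * Mirrors the lookup core performs against block_role for normal block placement.
 */
function block_allowed_roles(array $block_role_rows, $module, $delta) {
  $rids = array();
  foreach ($block_role_rows as $row) {
    if ($row['module'] === $module && $row['delta'] === $delta) {
      $rids[] = $row['rid'];
    }
  }
  return $rids;
}

/**
 * Core's decision rule: an unrestricted block is visible to everyone; a
 * restricted block only to accounts holding at least one of the listed roles.
 */
function block_visible_to(array $allowed_rids, $account) {
  if (empty($allowed_rids)) {
    return TRUE;
  }
  return (bool) array_intersect($allowed_rids, array_keys($account->roles));
}

/** Splits an assumed "module_delta_N" bid into its module and delta parts. */
function parse_bid($bid) {
  list($module, $delta) = explode('_delta_', $bid, 2);
  return array($module, $delta);
}

// Vulnerable shape: every block tab is rendered regardless of who is viewing.
function render_tabs_unchecked(array $tabs, $account, array $block_role_rows) {
  $out = array();
  foreach ($tabs as $tab) {
    $out[] = $tab['title'];
  }
  return $out;
}

// Hardened shape: apply the same role restriction core would before rendering.
function render_tabs_checked(array $tabs, $account, array $block_role_rows) {
  $out = array();
  foreach ($tabs as $tab) {
    if ($tab['type'] === 'block') {
      list($module, $delta) = parse_bid($tab['bid']);
      $allowed = block_allowed_roles($block_role_rows, $module, $delta);
      if (!block_visible_to($allowed, $account)) {
        continue; // Drop the tab entirely rather than leaking its body.
      }
    }
    $out[] = $tab['title'];
  }
  return $out;
}

print "Anonymous, unchecked: " . implode(', ', render_tabs_unchecked($tabs, $anonymous, $block_role_rows)) . "\n";
print "Anonymous, checked:   " . implode(', ', render_tabs_checked($tabs, $anonymous, $block_role_rows)) . "\n";
print "Admin, checked:       " . implode(', ', render_tabs_checked($tabs, $admin, $block_role_rows)) . "\n";
```

The unchecked renderer hands "Staff notes" to the anonymous account; the checked one returns only "Public news" for anonymous and both tabs for the administrator. The point for reviewers of similar aggregating modules is that reusing a block's body outside the normal block placement path bypasses every visibility rule core would otherwise have applied, so that path must re-apply them itself.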
- ------- CVE IDENTIFIER(S) ISSUED
- --------------------------------------------
- * /A CVE identifier [3] will be requested, and added upon issuance, in
- accordance with Drupal Security Team processes./
- ------- VERSIONS AFFECTED
- ---------------------------------------------------
- * Quick Tabs 7.x-3.x versions prior to 7.x-3.6.
- * Quick Tabs 6.x-3.x versions prior to 6.x-3.2.
- * Quick Tabs 6.x-2.x versions prior to 6.x-2.2.
- Drupal core is not affected. If you do not use the contributed Quick Tabs [4]
- module, there is nothing you need to do.
- ------- SOLUTION
- ------------------------------------------------------------
- Install the latest version:
- * If you use the Quick Tabs 3.x module for Drupal 7.x, upgrade to Quick Tabs
- 7.x-3.6 [5]
- * If you use the Quick Tabs 3.x module for Drupal 6.x, upgrade to Quick Tabs
- 6.x-3.2 [6]
- * If you use the Quick Tabs 2.x module for Drupal 6.x, upgrade to Quick Tabs
- 6.x-2.2 [7]
- Also see the Quick Tabs [8] project page.
- ------- REPORTED BY
- ---------------------------------------------------------
- * Steven Wiliam [9]
- ------- FIXED BY
- ------------------------------------------------------------
- * Fengtan [10]
- * Matt Tucker [11] (one of) the module maintainers
- ------- COORDINATED BY
- ------------------------------------------------------
- * Lee Rowlands [12] of the Drupal Security Team
- ------- CONTACT AND MORE INFORMATION
- ----------------------------------------
- The Drupal security team can be reached at security at drupal.org or via the
- contact form at http://drupal.org/contact [13].
- Learn more about the Drupal Security team and their policies [14], writing
- secure code for Drupal [15], and securing your site [16].
- [1] http://drupal.org/project/quicktabs
- [2] http://drupal.org/security-team/risk-levels
- [3] http://cve.mitre.org/
- [4] http://drupal.org/project/quicktabs
- [5] https://drupal.org/node/2103113
- [6] https://drupal.org/node/2103121
- [7] https://drupal.org/node/2103127
- [8] http://drupal.org/project/quicktabs
- [9] http://drupal.org/user/299097
- [10] http://drupal.org/user/847318
- [11] http://drupal.org/user/153963
- [12] http://drupal.org/user/395439
- [13] http://drupal.org/contact
- [14] http://drupal.org/security-team
- [15] http://drupal.org/writing-secure-code
- [16] http://drupal.org/security/secure-configuration