
Security Update: Contrib 2012 152-158

11 Oct 2012 - 09:23 am

Feeds - Access bypass

The Feeds module enables you to import or aggregate data as nodes, users, taxonomy terms or simple database records. The module doesn't sufficiently check permissions when creating nodes on behalf of a user. This vulnerability is mitigated by the fact that an attacker must have control over the source feed, and the Feeds importer must have a field from that feed mapped to the node's author.

Note: the Feeds module doesn't have a stable release and therefore a Security Advisory would not normally be issued, per the Drupal Security Team policy. However, this issue affects the Mailhandler module, which does have a stable release. For modules with dependencies, maintainers are encouraged to create stable releases only for those modules dependent on stable releases.

Mandrill - Information Disclosure

This module enables you to send emails using an external gateway and by default logs the contents of the messages. An attacker who gains access to the Mandrill dashboard can trigger password reset emails from the Drupal site, get the reset links from the Mandrill logs, and take over an account.

Basic webmail - Multiple vulnerabilities

This module allows site users to read and write e-mail through an IMAP mail server.

There are four issues being addressed by this security advisory:

  • The module doesn't sufficiently sanitize data when setting the page title.
  • The module may store Drupal login IDs and passwords in plain text in the data column of the users table.
  • The module doesn't sufficiently sanitize data displayed from email messages.
  • The module allows users who have the 'access basic_webmail' permission to view the e-mail address of other site users.

ShareThis - Cross Site Scripting (XSS)

This module enables integration with the ShareThis web service to allow social bookmarking amongst your users.

The module doesn't sufficiently filter JavaScript settings before outputting them.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer sharethis".
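
An added illustration of the issue class described for ShareThis (not the module's own code; the function names, setting keys and sample values are hypothetical): settings concatenated into an inline script, beside a version that allow-lists keys and JSON-encodes them with PHP's HEX flags.

```php
<?php
// Added illustration. Names and values are hypothetical and constructed
// for this example; this is not code from the ShareThis module.

// Constructed sample: settings as saved through an administrative form.
$settings = [
  'publisher' => 'abc-123',
  'label'     => '</script><script>/* injected */</script>',
  'unknown'   => 'value for a key the page never uses',
];

// Weak: values are concatenated into an inline script without encoding,
// so a value can close the string or the script element.
function render_settings_unfiltered(array $settings): string {
  $pairs = [];
  foreach ($settings as $key => $value) {
    $pairs[] = $key . ':"' . $value . '"';
  }
  return '<script>var options = {' . implode(',', $pairs) . '};</script>';
}

// Hardened: keep only expected keys, then JSON-encode with the HEX flags so
// <, >, &, ' and " are emitted as \uXXXX escapes inside the script block.
function render_settings_encoded(array $settings, array $allowed_keys): string {
  $clean = array_intersect_key($settings, array_flip($allowed_keys));
  $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
  $json  = json_encode($clean, $flags);
  if ($json === false) {
    // Fail closed on values that cannot be encoded (for example invalid UTF-8).
    $json = '{}';
  }
  return '<script>var options = ' . $json . ';</script>';
}

$weak = render_settings_unfiltered($settings);
$safe = render_settings_encoded($settings, ['publisher', 'label']);

// Count opening script tags in each rendering to compare the two.
printf("unfiltered: %d opening script tag(s)\n", substr_count($weak, '<script>'));
printf("encoded:    %d opening script tag(s)\n", substr_count($safe, '<script>'));
echo $safe, "\n";
```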
