Bug 1032973 (CVE-2013-6385, CVE-2013-6386, CVE-2013-6387, CVE-2013-6388, CVE-2013-6389)

Summary: CVE-2013-6385 CVE-2013-6386 CVE-2013-6387 CVE-2013-6388 CVE-2013-6389 drupal: multiple vulnerabilities corrected in 6.29 and 7.24 (SA-CORE-2013-003)
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync, peter.borsa, shawn, stickster, sven, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: drupal 6.29, drupal 7.24 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-22 15:20:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1032974, 1032975, 1032976, 1032977    
Bug Blocks:    

Description Ratul Gupta 2013-11-21 10:34:59 UTC
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

* Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)

Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form.  In certain common cases, form validation functions may execute unsafe operations.  Given that the CSRF protection is an especially important validation, the Drupal core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails.

This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were discovered in several popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue in core. Other similar issues with varying impacts are likely to have existed in other contributed modules and custom modules and therefore will also be fixed by this Drupal core release.

* Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)

Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances.

This vulnerability has no mitigation; all Drupal sites are affected until the security update has been applied.

* Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)

Drupal core attempts to add a "defense in depth" protection to prevent script execution by placing a .htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allows users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations. This release includes new configuration to prevent PHP execution on several additional common Apache configurations. If you are upgrading a site and the site is run by Apache you must fix the file manually, as described in the "Solution" section below.

This vulnerability is mitigated by the fact it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads in a safe manner.

* Access bypass (Security token validation - Drupal 6 and 7)

The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that the token is a string.

This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_validate_token() with an argument that can be manipulated to not be a string by an attacker. There is currently no known core or contributed module that would suffer from this vulnerability.

* Cross-site scripting (Image module - Drupal 7)

Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a permission to administer field descriptions, for example the "administer taxonomy" permission to edit fields on taxonomy terms.

* Cross-site scripting (Color module - Drupal 7)

A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user intovisiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS.

This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions.

* Open redirect (Overlay module - Drupal 7)

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission.

References:
http://seclists.org/fulldisclosure/2013/Nov/160

Comment 1 Ratul Gupta 2013-11-21 10:37:23 UTC
Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1032975]
Affects: epel-all [bug 1032977]

Comment 2 Ratul Gupta 2013-11-21 10:37:40 UTC
Created drupal6 tracking bugs for this issue:

Affects: fedora-all [bug 1032974]
Affects: epel-all [bug 1032976]

Comment 3 Peter Borsa 2013-11-27 17:07:06 UTC
*** Bug 1033758 has been marked as a duplicate of this bug. ***

Comment 4 Vincent Danen 2013-11-27 21:39:37 UTC
CVE assignments:

http://www.openwall.com/lists/oss-security/2013/11/22/4

Multiple vulnerabilities due to optimistic cross-site request forgery
protection (Form API validation
Please use CVE-2013-6385 for this issue.

Multiple vulnerabilities due to weakness in pseudorandom number
generation using mt_rand() (Form API, OpenID and random password
generation - Drupal 6 and 7)
Please use CVE-2013-6386 for this issue.

Code execution prevention (Files directory .htaccess for Apache -
Drupal 6 and 7)
Treating as security hardening

Access bypass (Security token validation - Drupal 6 and 7)
Treating as security hardening

Cross-site scripting (Image module - Drupal 7)
Please use CVE-2013-6387 for this issue.

Cross-site scripting (Color module - Drupal 7)
Please use CVE-2013-6388 for this issue.

Open redirect (Overlay module - Drupal 7)
Please use CVE-2013-6389 for this issue.

Comment 5 Fedora Update System 2013-12-02 09:37:06 UTC
drupal7-7.24-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-12-08 18:28:04 UTC
drupal7-7.24-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-12-08 18:29:16 UTC
drupal7-7.24-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-12-12 02:55:34 UTC
drupal6-6.29-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-12-14 03:03:51 UTC
drupal7-7.24-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-12-14 03:31:39 UTC
drupal6-6.29-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-12-21 18:51:35 UTC
drupal6-6.29-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-12-21 18:53:15 UTC
drupal6-6.29-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Martin Prpič 2014-11-07 14:50:28 UTC
External References:

https://drupal.org/SA-CORE-2013-003