Bug 1054134 (CVE-2014-1475, CVE-2014-1476) - CVE-2014-1475 CVE-2014-1476 drupal: multiple vulnerabilities corrected in 6.30 and 7.26 (SA-CORE-2014-001)
Summary: CVE-2014-1475 CVE-2014-1476 drupal: multiple vulnerabilities corrected in 6.3...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-1475, CVE-2014-1476
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1054135 1054136
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-16 10:18 UTC by Ratul Gupta
Modified: 2019-09-29 13:12 UTC (History)
7 users (show)

Fixed In Version: drupal 6.30, drupal 7.26
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-04 06:11:39 UTC


Attachments (Terms of Use)

Description Ratul Gupta 2014-01-16 10:18:37 UTC
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

1) Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.
This vulnerability is mitigated by the fact that the malicious user must have an account on the site (or be able to create one), and the victim must have an account with one or more associated OpenID identities.

2) Access bypass (Taxonomy module - Drupal 7 - Moderately critical)

The Taxonomy module provides various listing pages which display content tagged with a particular taxonomy term. Custom or contributed modules may also provide similar lists. Under certain circumstances, unpublished content can appear on these pages and will be visible to users who should not have permission to see it.
This vulnerability is mitigated by the fact that it only occurs on Drupal 7 sites which upgraded from Drupal 6 or earlier.

3) Security hardening (Form API - Drupal 7 - Not critical)

The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access checks are deliberately bypassed, and any form element may be submitted regardless of the current user's access level.
This is normal and expected behavior for most uses of programmatic form submissions; however, there are cases where custom or contributed code may need to send data provided by the current (untrusted) user to drupal_form_submit() and therefore need to respect access control on the form.
To facilitate this, a new, optional $form_state['programmed_bypass_access_check'] element has been added to the Drupal 7 form API. If this is provided and set to FALSE, drupal_form_submit() will perform the normal form access checks against the current user while submitting the form, rather than bypassing them.
This change does not fix a security issue in Drupal core itself, but rather provides a method for custom or contributed code to fix security issues that would be difficult or impossible to fix otherwise.

References:
http://seclists.org/fulldisclosure/2014/Jan/76

Upstream advisory:
https://drupal.org/SA-CORE-2014-001

Comment 1 Ratul Gupta 2014-01-16 10:19:47 UTC
Created drupal6 tracking bugs for this issue:

Affects: fedora-all [bug 1054135]
Affects: epel-all [bug 1054136]

Comment 2 Ratul Gupta 2014-01-16 10:25:29 UTC
* This issue was addressed for drupal7 in Fedora-19 via the following security advisory:
https://admin.fedoraproject.org/updates/drupal7-7.26-1.fc19

* This issue was addressed for drupal7 in Fedora-20 via the following security advisory:
https://admin.fedoraproject.org/updates/drupal7-7.26-1.fc20

* This issue was addressed for drupal7 in epel-5 via the following security advisory:
https://admin.fedoraproject.org/updates/drupal7-7.26-1.el5

* This issue was addressed for drupal7 in epel-6 via the following security advisory:
https://admin.fedoraproject.org/updates/drupal7-7.26-1.el6

Comment 3 Ratul Gupta 2014-01-16 11:06:03 UTC
CVE Request:
http://seclists.org/oss-sec/2014/q1/94


Note You need to log in before you can comment on or make changes to this bug.