
Drupal Remote Information Disclosure - SA-CORE-2014-002

The Drupal Security Team rates a remotely exploitable vulnerability in Drupal's Form API as only moderately critical (3 of 5). The flaw affects all versions up to 6.30 and 7.26 and, presumably, primarily anonymous users with permission to create content. The faulty interaction between caching in Drupal and in external systems allowed possibly sensitive data, especially in multi-step form input, to leak between different unauthenticated users. Because small changes to the Application Programming Interface fix the problem, changes to custom code that touches that API may now be necessary. The bug was rated only "moderately" critical also because Drupal core does not expose forms to anonymous users at all by default; contributed or custom modules, however, may not be subject to this restriction. See also the Drupal 6.31 release notes and the Drupal 7.27 release notes for further information. A CVE identifier has been requested and may be added later.

SA-CORE-2014-002 - Drupal core - Information Disclosure

   Posted by Drupal Security Team on April 16, 2014 at 7:50pm
     * Advisory ID: DRUPAL-SA-CORE-2014-002
     * Project: Drupal core
     * Version: 6.x, 7.x
     * Date: 2014-April-16
     * Security risk: Moderately critical
     * Exploitable from: Remote
     * Vulnerability: Information Disclosure

Description

   Drupal's form API has built-in support for temporary storage of form
   state, for example user input. This is often used on multi-step forms,
   and is required on Ajax-enabled forms in order to allow the Ajax calls
   to access and update interim user input on the server.

   When pages are cached for anonymous users (either by Drupal or by an
   external system), form state may leak between anonymous users. As a
   consequence there is a chance that interim form input recorded for one
   anonymous user (which may include sensitive or private information,
   depending on the nature of the form) will be disclosed to other users
   interacting with the same form at the same time. This especially
   affects multi-step Ajax forms because the window of opportunity (i.e.
   the time span between user input and final form submission) is
   indeterminable.

   This vulnerability is mitigated by the fact that Drupal core does not
   expose any such forms to anonymous users by default. However,
   contributed modules or individual sites which leverage the Drupal Form
   API under the aforementioned conditions might be vulnerable.

   Note: This security release introduces small API changes which may
   require code updates on sites that expose Ajax or multi-step forms to
   anonymous users, and where the forms are displayed on pages that are
   cached (either by Drupal or by an external system). See the Drupal
   6.31 release notes and Drupal 7.27 release notes for more
   information.
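To make the leak mechanism described above concrete, here is an added Python model (not Drupal code) of a server-side form-state store sitting behind an anonymous page cache: the cached page carries one form_build_id, so every anonymous visitor served from the cache shares the same temporary form state. The `Site`/`simulate` names and the sample input are constructed for this example, and the hardened branch assumes the mitigation of refusing to page-cache a response that carries temporary form state.

```python
import secrets

# Minimal model of Drupal 6/7 form API temporary form state plus an anonymous
# page cache (added example, not Drupal's implementation). The weak setting
# page-caches the rendered form; the hardened setting does not.

class Site:
    def __init__(self, cache_form_pages):
        self.cache_form_pages = cache_form_pages  # weak: True, hardened: False
        self.page_cache = {}   # path -> rendered HTML, shared by all anonymous users
        self.form_state = {}   # form_build_id -> interim user input kept on the server

    def render_form(self, path):
        """Serve the form page; anonymous responses may come from the page cache."""
        if path in self.page_cache:
            return self.page_cache[path]
        build_id = "form-" + secrets.token_hex(8)
        self.form_state[build_id] = {}   # temporary storage for a multi-step/Ajax form
        html = f'<form><input type="hidden" name="form_build_id" value="{build_id}"></form>'
        if self.cache_form_pages:
            # Weak behaviour: later anonymous visitors receive the same build id.
            self.page_cache[path] = html
        return html

    @staticmethod
    def build_id_from(html):
        """Extract the hidden form_build_id the browser would send back."""
        start = html.index('value="') + len('value="')
        return html[start:html.index('"', start)]

    def ajax_step(self, build_id, field, value):
        """First step of a multi-step form: record interim input under the build id."""
        self.form_state[build_id][field] = value

    def interim_input(self, build_id):
        """What the server hands back to whoever presents this build id."""
        return dict(self.form_state[build_id])


def simulate(cache_form_pages):
    """Two anonymous visitors use the same form; return what the second one can see."""
    site = Site(cache_form_pages)
    first_id = site.build_id_from(site.render_form("/apply"))
    site.ajax_step(first_id, "ssn", "123-45-6789")   # constructed sample sensitive input
    second_id = site.build_id_from(site.render_form("/apply"))
    return site.interim_input(second_id)
```

With page caching enabled the second visitor receives the first visitor's interim input; with caching of form pages refused, the second visitor gets a fresh, empty form state.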

CVE identifier(s) issued

     * A CVE identifier will be requested, and added upon issuance, in
       accordance with Drupal Security Team processes.

Versions affected

     * Drupal core 6.x versions prior to 6.31.
     * Drupal core 7.x versions prior to 7.27.

Solution

   Install the latest version:
     * If you use Drupal 6.x, upgrade to Drupal 6.31
     * If you use Drupal 7.x, upgrade to Drupal 7.27

   Also see the Drupal core project page.

Reported by

     * Daniel F. Kudwien
     * Rodionov Igor
     * Ryan Szrama
     * Roman Zimmermann
     * znerol

Fixed by

     * znerol
     * Roman Zimmermann
     * Ryan Szrama
     * Additional assistance and reviews provided by Daniel F.
       Kudwien, Damien Tournoud of the Drupal Security Team, David
       Rothstein of the Drupal Security Team, and Alex Bronstein

Coordinated by

     * Michael Hess of the Drupal Security Team
     * David Rothstein of the Drupal Security Team
     * Peter Wolanin of the Drupal Security Team

Contact and More Information

   The Drupal security team can be reached at security at drupal.org or
   via the contact form at http://drupal.org/contact.

   Learn more about the Drupal Security team and their policies,
   writing secure code for Drupal, and securing your site.

   Follow the Drupal Security Team on Twitter at
   https://twitter.com/drupalsecurity

Source: https://drupal.org/SA-CORE-2014-002

Comments

PDOException with cache_textimage

BTW: This morning, during the update to 7.26, a table was missing here: TRUNCATE{cache_textimage} ; Array ( ) in cache_clear_all() (Line 165 of /includes/cache.inc).

Do you mind if I quote a few

Do you mind if I quote a few of your posts as long as I provide credit and sources back to your weblog? My blog is in the very same niche as yours and my users would truly benefit from a lot of the information you present here. Please let me know if this alright with you. Thank you!

Fair Use is Okay

Copying of brief passages or copying for education is OK as fair use, copying of longer passages and making money is bad ®. Wink
