Tag Archives: Drupal

Notepad++ Update Results from Bug Bounty / 7-Zip Updates

Updated: 11th March 2019
Notepad++ 7.6.4 was released on the 6th of March resolving 8 security issues. If you use Notepad++, please update to the newest version to benefit from these security fixes.

Thank you.

Original Post:
On Sunday, 27th January, a new version of Notepad++ was released to address 7 vulnerabilities found by the EU-Free and Open Source Software Auditing (EU-FOSSA). Given that one of the vulnerabilities is potentially remotely exploitable and that Notepad++ is in such wide use both across the world and within the EU, we should update to version 7.6.3 to benefit from the remediation of these vulnerabilities.

TL;DR: If you use Notepad++ or 7-Zip, please consider updating them (even if exploits for these vulnerabilities are rare or do not exist):

Other widely used software participating in this bug bounty program is listed here (highlights include VLC, PuTTY, Apache Kafka, KeePass, Drupal, glibc and FileZilla). As I have previously discussed on this blog, if you use a 64 bit version of Windows, please consider using the 64 bit version of Notepad++; here’s why:

Please note, the 64 bit version of Notepad++ became available in September 2016. It allows the opening of larger files and includes High Entropy ASLR (HEASLR; Address Space Layout Randomization (defined)) on a 64 bit version of Windows. I have discussed HEASLR on this blog before and it’s an excellent security measure/control/mitigation (defined). Further information on HEASLR can be found on Alex Ionescu’s blog.
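Whether a given Notepad++ (or any other Windows) binary actually opts into HEASLR is recorded in the PE header: the optional header's DllCharacteristics field must carry the HIGH_ENTROPY_VA bit, and that bit only takes effect for a 64 bit (PE32+) image that also has DYNAMIC_BASE set. The following Python script is an added example written for this post, not code from the Notepad++ project; it parses those header fields directly so you can check an installed executable yourself, and it builds a small constructed PE-like byte string (not a real program) for a self-contained demonstration. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits as defined in the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
}
PE32_MAGIC = 0x10B       # 32 bit optional header
PE32PLUS_MAGIC = 0x20B   # 64 bit optional header
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_pe_mitigations(data: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report the ASLR-related bits."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # the COFF file header is 20 bytes long
    if opt_size < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    flags = {name: bool(dll_chars & bit) for bit, name in DLL_CHARACTERISTICS.items()}
    is_64bit = magic == PE32PLUS_MAGIC
    return {
        "machine": machine,
        "is_64bit": is_64bit,
        "flags": flags,
        # High entropy ASLR is only meaningful for a 64 bit image that is also relocatable.
        "heaslr_effective": is_64bit and flags["HIGH_ENTROPY_VA"] and flags["DYNAMIC_BASE"],
    }


def build_test_image(magic: int, dll_chars: int) -> bytes:
    """Constructed, non-executable PE skeleton used only to exercise the parser."""
    is_plus = magic == PE32PLUS_MAGIC
    machine = IMAGE_FILE_MACHINE_AMD64 if is_plus else IMAGE_FILE_MACHINE_I386
    opt_size = 240 if is_plus else 224  # usual optional header sizes
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return parse_pe_mitigations(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = check_file(sys.argv[1])  # e.g. the installed notepad++.exe
    else:
        report = parse_pe_mitigations(build_test_image(PE32PLUS_MAGIC, 0x0020 | 0x0040 | 0x0100))
    for name, present in report["flags"].items():
        print(f"{name:16} {'yes' if present else 'no'}")
    print("64 bit image:", report["is_64bit"])
    print("HEASLR effective:", report["heaslr_effective"])
```

Run it with the path to an executable as the only argument; with no argument it parses the constructed sample. A 32 bit build can set HIGH_ENTROPY_VA in its header without gaining anything, which is why the script reports "HEASLR effective" separately from the raw bit.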

7-Zip Ranked as Number 5 in outdated software present on systems
On a separate but related note, earlier this month Avast made available a report listing the most out-of-date software typically installed on systems. 7-Zip ranked number 5, with 92% of installs being out of date:

If you use 7-Zip, please consider upgrading it to version 18.06. I have previously provided descriptions of the vulnerabilities found in 7-Zip in 2018 and 2016 below. In addition, there have been several performance improvements in recent versions, making the tool faster than before:

Updating 7-Zip is very easy. You should only download it from its official website. Installing the new version over an existing version takes only seconds.

Thank you.

Blog Post Shout Out: Cisco IOS XE and Drupal Security Updates

I wish to provide a respectful shout out to the following security advisories and news articles for their coverage of critical security vulnerabilities within Cisco IOS XE and the Drupal CMS (defined), released on the 28th and 29th of March respectively.

The backdoor (defined) account being remediated within the Cisco IOS XE update could have allowed an unauthenticated attacker to remotely access the Cisco router or an affected switch and carry out any action allowed by privilege level 15.

Meanwhile, the Drupal vulnerability (dubbed “Drupalgeddon2”) is rated as highly critical since it is both remotely exploitable and easy for an attacker to leverage, allowing the attacker to carry out any action they choose.

Please follow the advice within the advisories linked below and update any affected installations of these products that your organisation may have:

March 2018 Semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

Cisco Removes Backdoor Account from IOS XE Software (includes mitigations if patching is not possible) by Catalin Cimpanu (Bleeping Computer)

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002

Drupal Issues Highly Critical Patch: Over 1m Sites Vulnerable by Tom Spring (Kaspersky ThreatPost)

Thank you.

Drupal Releases Security Updates (Feb 2016)

The widely used website Content Management System (CMS) (defined) Drupal in late February released security updates for versions 6, 7 and 8.

The released security updates addressed 10 security issues of the following severities:

  • 1x critical
  • 6x moderately critical
  • 3x less critical

Drupal users should upgrade to versions 6.38, 7.43 or 8.0.4 as appropriate. Further information and steps to install the updates are available in Drupal’s Security Advisory.

As noted by Drupal, version 6 has reached its end of life (EOL) and will no longer receive security updates going forward. Further information is provided in this dedicated page.

Moreover, in early January IOActive senior security consultant Fernando Arnaboldi disclosed 3 security issues in a blog post. While these issues were responsibly disclosed to Drupal, at the time of writing Drupal has not addressed them. As advised within that blog post, those who administer Drupal installations may wish to manually download updates for Drupal and its add-ons in order to work around these issues until they are addressed.

Thank you.

Security Updates Released for 3rd Party Drupal Modules

Security updates for Drupal (the popular Content Management System (CMS)) modules were made available earlier this week.

Security advisories were published addressing 2 moderately critical issues found within these modules.

For the Twitter module, an issue was discovered that allowed any authenticated account to post tweets rather than just the Twitter account belonging to the owner of the installed module. This issue would also allow any other account to delete the attached Twitter account. A partial mitigation is that an attacker would need to already have an account with a role allowing them to post to Twitter.

The second advisory concerns the use of the RESTful API (Application Programming Interface). Authenticated users could inadvertently have their pages cached as anonymous users, which could allow anonymous page requests to access pages that would otherwise be denied to them.
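The failure mode in that second advisory (a response rendered for a logged-in user landing in the cache that anonymous requests are served from) is easy to reproduce in miniature. The following Python is an added example written for this post, not the RESTful module's own code (which is PHP); it models a page cache in front of a tiny constructed site with one public node and one node restricted to logged-in users, shows a cache keyed on the path alone leaking the restricted page, and beside it a cache that only ever stores and serves responses generated for anonymous requests. The node paths and bodies are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None means an anonymous request


@dataclass
class Response:
    status: int
    body: str


# Constructed sample content: one public node, one visible only to logged-in users.
PUBLIC_NODES = {"/node/1": "Welcome to the site"}
RESTRICTED_NODES = {"/node/42": "Unpublished draft: quarterly figures"}


def render(req: Request) -> Response:
    """Access-controlled page rendering, i.e. what the cache is supposed to protect."""
    if req.path in PUBLIC_NODES:
        return Response(200, PUBLIC_NODES[req.path])
    if req.path in RESTRICTED_NODES:
        if req.session_user is not None:
            return Response(200, RESTRICTED_NODES[req.path])
        return Response(403, "Access denied")
    return Response(404, "Not found")


class PathOnlyCache:
    """Flawed: keyed on path alone, so a page rendered for a logged-in user
    is stored and then replayed to anonymous visitors."""

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def handle(self, req: Request) -> Response:
        hit = self.store.get(req.path)
        if hit is not None:
            return hit
        resp = render(req)
        if resp.status == 200:
            self.store[req.path] = resp
        return resp


class AnonymousOnlyCache:
    """Hardened: the shared cache is populated from, and consulted for,
    anonymous requests only. Authenticated requests always hit render()."""

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def handle(self, req: Request) -> Response:
        if req.session_user is not None:
            return render(req)  # never let a per-user response into the shared store
        hit = self.store.get(req.path)
        if hit is not None:
            return hit
        resp = render(req)
        if resp.status == 200:
            self.store[req.path] = resp
        return resp


def replay(cache) -> Tuple[int, str]:
    """A logged-in user views the restricted node, then an anonymous request asks for it."""
    cache.handle(Request("/node/42", session_user="editor"))
    anon = cache.handle(Request("/node/42"))
    return anon.status, anon.body


if __name__ == "__main__":
    print("path-only cache     :", replay(PathOnlyCache()))
    print("anonymous-only cache:", replay(AnonymousOnlyCache()))
```

The general rule the hardened class follows is that a cache entry must be keyed on everything the access decision depended on; when that is impractical, responses produced under a session should not enter a cache that anonymous requests can read from.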

How Can I Protect Myself From These Issues?
If you make use of either of the above mentioned modules in conjunction with Drupal, please follow the steps/links within the advisories listed below to resolve these issues:

Twitter – Moderately Critical – Access bypass – SA-CONTRIB-2015-146
RESTful – Moderately Critical – Access bypass – SA-CONTRIB-2015-147

Thank you.

Drupal Releases Security Updates (August 2015)

Drupal, the very popular website Content Management System (CMS), released security updates earlier this month to resolve 5 security issues within versions 6 and 7 of their product.

Cross site scripting (defined) issues were found in the Drupal.ajax() function (a set of instructions that carries out a specific action within a program) and within the autocomplete functionality of forms.

An SQL injection (defined) vulnerability was found in the SQL comment filtering system which could allow a user with elevated privileges (once tricked/coerced by an attacker) to inject malicious code in SQL comments. Such SQL code injection usually results in a user seeing information that would usually be forbidden/denied to them.
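Frameworks commonly prepend a `/* ... */` comment to generated queries (for example to record which caller issued them), and any caller-supplied text placed there has to be filtered so it cannot close the comment and start a new statement. The Python below is an added example for this post, not Drupal's own filtering code; it uses an allowlist for comment text (rejecting the input outright rather than trying to strip dangerous sequences) and a bound parameter for the actual query value, on a constructed in-memory SQLite table. The table layout and the `fetch_role` helper are assumptions for the demonstration.

```python
import re
import sqlite3
from typing import Optional

# Allowlist for text embedded in a /* ... */ query comment. None of these
# characters can terminate the comment, quote a string or begin a statement.
_COMMENT_ALLOWED = re.compile(r"^[A-Za-z0-9 _.:\-]{0,80}$")


def safe_query_comment(text: str) -> str:
    """Return text unchanged if it is safe to place inside a query comment, else raise."""
    if not _COMMENT_ALLOWED.fullmatch(text):
        raise ValueError("query comment contains characters outside the allowlist")
    return text


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts with different roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "administrator"), (2, "bob", "editor")],
    )
    return conn


def fetch_role(conn: sqlite3.Connection, user_id, comment: str) -> Optional[str]:
    """Look up a role. The comment passes the allowlist; the id is a bound parameter,
    so it is compared as a value and never interpreted as SQL."""
    sql = f"/* {safe_query_comment(comment)} */ SELECT role FROM users WHERE id = ?"
    row = conn.execute(sql, (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_sample_db()
    print(fetch_role(db, 1, "caller: user_load"))
    try:
        fetch_role(db, 1, "x */ SELECT 1; --")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting rather than cleaning the comment text keeps the filter small enough to reason about; the cost is that legitimate callers must stick to the allowlisted characters.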

A Cross-site Request Forgery (CSRF) (defined) issue within Drupal’s form API was found to allow the upload of a file by an attacker. However, this file would only have been available for 6 hours. Finally, an information disclosure issue was found where the titles of nodes (add-ons which are placed within the page viewed by the user) would be visible to a user who would not usually have access to them. The titles of the nodes would be visible on a page of the site that the user does have access to (namely, a page would contain additional information not normally visible).

Drupal users should upgrade to versions 6.37 or 7.39 (as appropriate) to resolve these issues. Further information and steps to install the updates are available in this Drupal Security Advisory.

Thank you.

Drupal Releases Security Updates for Open Semantic Framework (OSF)

The very popular website Content Management System (CMS) Drupal has released security updates to resolve 3 security issues within version 7 of their product when the Open Semantic Framework (OSF) module is installed.

One issue involves a Cross-site Scripting (XSS) vulnerability that can be exploited by visiting a specifically crafted URL (a website link), but only when the OSF Ontology module is installed and enabled within your website.

The second issue can be exploited using a Cross Site Request Forgery (CSRF) attack that would allow the attacker to obtain the privileges of the logged in Drupal user (which could be a Drupal administrator) to create new OSF datasets (most likely containing false or misleading data). Only websites that have the OSF Import module installed and enabled could be vulnerable to this issue.

The final issue is present in both the OSF Import and Ontology modules mentioned above and could allow an attacker to delete any file of their choice from your Content Management System (CMS).

All 3 issues involve a user or an administrator of the Content Management System visiting a specifically crafted URL (a website link). In order to reduce the risk of these issues being exploited (in conjunction with installing the necessary updates mentioned in the Drupal advisory), I would suggest using caution when clicking on any links in emails, instant messages or social networking posts when the links were received unexpectedly or the wording of such messages is suspicious. For shortened links, consider using a preview service to check the destination of the full link before visiting it. Links to preview services are available within the “Protecting Your PC” page of this blog.

Drupal users should upgrade to version 7.x-3.1 of the OSF module to resolve these issues. Further information and steps to install the updates are available in the Drupal Security Advisory.

Thank you.

Drupal Releases Security Updates

The very popular website Content Management System Drupal has released security updates to resolve 4 CVEs within versions 6 and 7 of their product. The pervasiveness of Drupal, and thus the huge scale of the risks posed by these issues, is detailed in this blog post.

For a definition of the term CVE, please see the first short aside within this blog post.

The first security flaw relating to the impersonation of legitimate users (of the Content Management System) is the only flaw to be rated critical by Drupal and should be patched/updated immediately. This flaw could allow a malicious user to log in as an authenticated user (i.e. users who are legitimately accessing the Content Management System) and could be especially severe if that authorized user has high privileges.

A further 2 less critical flaws could cause authenticated users to be redirected to 3rd party websites of the attacker’s choice without the user’s consent/permission, which could place your users in danger of being exploited by other unpatched vulnerabilities on their devices. The final flaw is an information disclosure issue that could allow malicious users to view content that was previously cached by authenticated users (when they legitimately viewed it).
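Redirect flaws of the kind described above typically come from a "return to" destination that the application accepts from a request parameter and passes straight to the redirect response. The Python function below is an added example for this post, not Drupal's own code; it shows the defensive check an application should apply before redirecting, accepting only site-absolute paths and falling back to a safe default for anything that names a scheme or a host. The parameter name and the fallback path are assumptions for the illustration, and the test inputs are constructed.

```python
from urllib.parse import urlsplit


def safe_redirect_target(destination: str, fallback: str = "/") -> str:
    """Return destination only if it is a path on this site; otherwise return fallback.

    Accepts:  /user/1/edit, /node/42?page=2
    Rejects:  absolute URLs, protocol-relative //host paths, relative paths without a
              leading slash, and anything containing backslashes or control characters
              (some browsers normalise a backslash to a forward slash, which would turn
              /\\host into //host after this check had passed)."""
    if not destination:
        return fallback
    if any(ch in destination for ch in "\\\r\n\t\x00"):
        return fallback
    parts = urlsplit(destination)
    if parts.scheme or parts.netloc:
        return fallback  # names another origin
    if not destination.startswith("/") or destination.startswith("//"):
        return fallback  # must be site-absolute with exactly one leading slash
    return destination


def build_redirect(query_params: dict, fallback: str = "/") -> str:
    """Assumed helper: read the destination parameter from a parsed query string."""
    return safe_redirect_target(query_params.get("destination", ""), fallback)


if __name__ == "__main__":
    for candidate in ("/user/1/edit", "//other.example/login", "https://other.example/", "node/1"):
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)!r}")
```

Validating the destination on the server is preferable to trying to strip hostnames out of it, because the set of strings a browser will treat as an external URL is larger than the set a simple string filter anticipates.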

Drupal users should upgrade to versions 6.36 or 7.38 to resolve these issues. Further information and steps to install the updates are available in the Drupal Security Advisory.

Thank you.