Message-Id: <20160317152301.48ABE6C0675@smtpvmsrv1.mitre.org>
Date: Thu, 17 Mar 2016 11:23:01 -0400 (EDT)
From: cve-assign@...re.org
To: pere@...a.cat
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...pal.org
Subject: Re: CVE requests for Drupal contributed modules (from 2016-009 to 2016-014)

> Prepopulate - Access Bypass - SA-CONTRIB-2016-009
> https://www.drupal.org/node/2679503

>> The Prepopulate module does not adequately prevent a user from
>> overwriting arbitrary parts of $_REQUEST. It also does not prevent
>> pre-populating certain fields that are not displayed or manipulating
>> markup fields to alter elements of the user interface.

>> Versions affected
>> Prepopulate 7.x-2.x versions prior to 7.x-2.1.

>>> http://cgit.drupalcode.org/prepopulate/commit/prepopulate.module?id=16cdb63cc3b256dd785e029ec17f92ddf80cc443

Use CVE-2016-3187 for the issue associated with deleting the
"parse_str(base64_decode($_REQUEST['pp']), $_REQUEST);" lines, and use
CVE-2016-3188 for the issue associated with changing the value of
$limited_types. (The 16cdb63cc3b256dd785e029ec17f92ddf80cc443 commit
message does not seem closely related to the
16cdb63cc3b256dd785e029ec17f92ddf80cc443 code changes.)

Our understanding is that the Prepopulate module was packaged in, for
example, Fedora 23. The prepopulate-6.x-2.2.tar.gz file shipped in
drupal6-prepopulate-2.2-4.fc23.src.rpm apparently does not have the
16cdb63cc3b256dd785e029ec17f92ddf80cc443 changes. Thus, we feel that
the best available information is that CVE-2016-3187 and CVE-2016-3188
affect or affected, at least, Fedora 23. (For example, see the
http://fedora.mirror.lstn.net/releases/23/Everything/source/SRPMS/d/drupal6-prepopulate-2.2-4.fc23.src.rpm
package file.)

(We understand that Drupal 6 end-of-life was last month according to
the https://www.drupal.org/drupal-6-eol post. We also understand that
http://pkgs.fedoraproject.org/cgit/rpms/drupal6-prepopulate.git/commit?id=d77963c300289b6be29b5dc08d0662fc698068f4
exists. However, drupal6-prepopulate-2.2-4.fc23 may still be in use on
many Fedora 23 systems.)

We may be sending a separate reply about the USASearch, Google
Analytics Counter, Hubspot CTA, Node Notify, and Fieldable Panels
Panes issues.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
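
Added example, not part of the original message and not code from the Prepopulate project: a Python check that scans PHP source for parse_str() calls whose output lands in a superglobal, the pattern in the line quoted above, which is useful for confirming whether a packaged copy of a module still carries it. It also flags the one-argument form, which creates variables in the calling scope. The function names and the sample PHP are constructed for illustration, and the check does not skip PHP comments.

```python
import re
# PHP superglobals: parsed input written into one of these overwrites request
# or session state that the rest of the application trusts.
SUPERGLOBALS = {"$_REQUEST", "$_GET", "$_POST", "$_COOKIE", "$_SESSION",
                "$_SERVER", "$_FILES", "$_ENV", "$GLOBALS"}
CALL = re.compile(r"\bparse_str\s*\(")

def split_args(src, i):
    """Split the call's arguments, starting just past '(', on top-level commas."""
    args, cur, depth, quote = [], [], 0, None
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":                      # keep escaped char verbatim
                cur.append(src[i:i + 2]); i += 2; continue
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            if depth == 0:                      # closing paren of the call
                return args + ["".join(cur).strip()]
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    return None                                 # unbalanced (truncated file)

def find_risky_parse_str(php_source):
    """Return (line, reason) for each parse_str() call worth reviewing."""
    findings = []
    for m in CALL.finditer(php_source):
        args = split_args(php_source, m.end())
        if not args:
            continue
        line = php_source.count("\n", 0, m.start()) + 1
        if len(args) == 1:
            findings.append((line, "one-argument form writes into calling scope"))
        elif args[1].split("[")[0].strip() in SUPERGLOBALS:
            findings.append((line, "result written into " + args[1]))
    return findings

# Constructed sample: line 2 is the call quoted in the message above.
SAMPLE = """<?php
parse_str(base64_decode($_REQUEST['pp']), $_REQUEST);
parse_str($query);
parse_str($query, $params);
"""
```

Running find_risky_parse_str() over the contents of each .module and .inc file in an unpacked tarball gives a quick answer on whether the quoted lines are still present in that copy.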