OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134

The Open Semantic Framework (OSF) for Drupal is a middleware layer that allows structured data (RDF) and associated vocabularies (ontologies) to “drive” tailored tools and data displays within Drupal.

The module is vulnerable to reflected Cross Site Scripting (XSS) because it did not sufficiently filter user input values in some administration pages. An attacker could exploit this vulnerability by making other users visit a specially-crafted URL. Only sites with OSF Ontology module enabled are affected.

Additionally, the module is vulnerable to Arbitrary file deletion. A malicious user can cause an administrator to delete files by getting their browser to make a request to a specially-crafted URL. Only sites with OSF Ontology and OSF Import modules enabled are affected.

Also, some forms were vulnerable to Cross Site Request Forgery (CSRF). An attacker could create new OSF datasets by getting an administrator’s browser to make a request to a specially-crafted URL. Only sites with OSF Import module enabled are affected.

CVE identifier(s) issued

• Cross Site Scripting: CVE-2015-7232 * Cross Site Request Forgery:CVE-2015-7233 * Access bypass:CVE-2015-7234

Versions affected

• OSF 7.x-3.x versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the OSF for Drupal module for Drupal 7.x, upgrade to OSF 7.x-3.1

Also see the OSF for Drupal project page.

Reported by

• Pere Orga of the Drupal Security Team

Fixed by

• Frederick Giasson, the module maintainer

Coordinated by

• Pere Orga of the Drupal Security Team