SA-CONTRIB-2014-061, CVE-2014-2715: the issue was addressed in commit:
https://www.drupal.org/commitlog/commit/42082/cd56eb5fbc0bc23ae79149c8c4...
http://cgit.drupalcode.org/videowhisper/diff/vwrooms/vwrooms.module?id=c...
Other issues were also addressed in later commits and more updates will follow.
| Comment | File | Size | Author |
|---|---|---|---|
| #12 | Commits for VideoWhisper Webcam Plugins - Drupal.org_.png | 48.42 KB | rooby |
| #3 | security-patch-2382229-9391981.patch | 167.31 KB | videowhisper |
| #1 | 0001-XSS-fixes.patch | 7.64 KB | videowhisper |
Comments
Comment #1
videowhisper CreditAttribution: videowhisper commented
Comment #2
greggles commented
This function looks to me like it contains access bypass, XSS and CSRF. It's not changed by your proposed patch.
As I said on the private security issue, the whole module needs to be thoroughly reviewed and fixed up.
Comment #3
videowhisper CreditAttribution: videowhisper commented
Reviewed all modules, especially page callbacks, and updated security as necessary.
As modules are reviewed and updated further, latest commit contains more updates than the patch.
Here's the current version of that function:
Comment #5
greggles commented
I believe there is still a CSRF vulnerability.
The SQL injection issue is improved, but it would be even better if you used the database API instead of casting arguments to an int.
Comment #6
videowhisper CreditAttribution: videowhisper commented
Please elaborate on the CSRF vulnerability you mentioned and the fix you require.
An extra dialog/confirmation step so trigger by link is not possible?
Comment #7
greggles commented
What elaboration do you desire? It's CSRF. The fixes are the standard fixes for CSRF. There are dozens of resources about fixing CSRF in Drupal.
Comment #8
rooby CreditAttribution: rooby commented
Check out the confirm_form() function for a simple solution.
Comment #9
videowhisper CreditAttribution: videowhisper commented
Added an extra form to fix CSRF, as suggested:
Then used confirm_form():
Update was pushed to repository so module users can secure their sites as soon as the project is restored.
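The pattern rooby and greggles describe (a confirm_form() step for CSRF, and the database API instead of int casts for SQL injection), as an added example that is not part of this thread or of the VideoWhisper module; the module name, menu path, table name and the use of the core 'administer site configuration' permission are assumptions:

```php
<?php
// Added example, not VideoWhisper's code: a Drupal 7 delete action written the way
// the thread suggests (confirm_form() + database API). Module name, path and table
// name are assumed; 'administer site configuration' is a Drupal 7 core permission.

// Implements hook_menu(): the delete path is a form, not a bare GET callback.
function example_rooms_menu() {
  $items['admin/example-rooms/%/delete'] = array(
    'title' => 'Delete room',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_rooms_delete_confirm', 2),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Form builder. confirm_form() renders a POST form carrying Drupal's form token,
// so the deletion cannot be triggered by a crafted link or image tag (CSRF).
function example_rooms_delete_confirm($form, &$form_state, $room_id) {
  $form['room_id'] = array('#type' => 'value', '#value' => $room_id);
  return confirm_form(
    $form,
    t('Are you sure you want to delete room %id?', array('%id' => $room_id)),
    'admin/example-rooms',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

// Submit handler: reached only after the Form API has validated the token.
function example_rooms_delete_confirm_submit($form, &$form_state) {
  // Database API with a bound placeholder rather than interpolating or casting
  // a raw request argument into an SQL string.
  db_delete('example_rooms')
    ->condition('id', $form_state['values']['room_id'])
    ->execute();
  drupal_set_message(t('Room deleted.'));
  $form_state['redirect'] = 'admin/example-rooms';
}
```

Because the form token is tied to the user's session, a request that lacks it (or carries another user's) fails Form API validation before the submit handler runs.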
Comment #10
greggles commented
Here's another example of a CSRF vulnerability: http://cgit.drupalcode.org/videowhisper/tree/vconsult/vconsult/delete_al...
The code is just a bunch of security bugs. Saying that it's all been fixed is not accurate. You fixed the few things that were pointed out, but have not revisited the entire codebase to truly audit and fix it all. Until that is done the module should not be reinstated.
Comment #11
videowhisper CreditAttribution: videowhisper commented
That script tool and all other similar ones were removed and the latest version tagged as 7.x-1.8.
The script tool above was used to clean folder "uploads" containing chat logs and was provided as sample cleanup tool with original editions.
It was not affecting other files or data, just the application logs folder, so it's not a security issue for the Drupal setup or a reason to close the project.
The affirmation "The code is just a bunch of security bugs." referring to the contributed modules is not accurate, at least. All bugs reported until now were fixed, and these contributed integration modules provide a lot of functionality as documented on the project home page http://www.videowhisper.com/?p=Drupal-Pay-Per-View-Streaming.
Developers addressed all reported security issues and more that were identified. We did not state the project is perfect. If anybody finds any issue, our developers will check and try to fix it as they did before.
Finding a new flaw does not mean entire project is flawed and should be closed.
With that logic any project including Drupal should be closed when a flaw is found because developers "not revisited the entire codebase to truly audit and fix it all".
Comment #12
rooby CreditAttribution: rooby commented
This is unrelated, but for the sake of yourself and others it's good to use more descriptive commit messages.
If in future you come back to investigate commits and see something like this screenshot you may find it harder to audit things than it needs to be.
Comment #13
greggles commented
@videowhisper First, I apologize to you for my comment. It was inappropriate, unprofessional, rude to your contributions and unfair. I am sorry and I hope you will accept my apology. You are right that the presence of some number of bugs does not necessarily indicate that the whole of the software is bad.
Refocusing back on the issues at hand:
One general note: many of these issues, and many other issues, could be cleaned up by making the module follow the Drupal coding standards. I've run those guidelines on the project and the results are at http://pareview.sh/pareview/httpgitdrupalorgprojectvideowhispergit-7x-1x