Security-news October 2009

security-news@drupal.org

1 participants
20 discussions

SA-CONTRIB-2009-089 - Storm - Access Bypass
by security-news＠drupal.org 28 Oct '09

28 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-089 * Project: Storm (third-party module) * Version: 6.x * Date: 2009-October-28 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The Storm module provides a project management application for Drupal. The module suffers a vulnerability whereby nodes of type 'storminvoiceitem' are not respecting the expected access permissions, potentially exposing the node title to unauthorized users. -------- VERSIONS AFFECTED --------------------------------------------------- * Versions of Storm for Drupal 6.x prior to 6.x-1.25 [1] Versions of Storm for Drupal 5.x and 7.x are not affected. Drupal core is not affected. If you do not use the 6.x version of the contributed Storm module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Storm for Drupal 6.x upgrade to Storm 6.x-1.25 [2] Also see the Storm [3] project page. -------- REPORTED BY --------------------------------------------------------- * Fabio Fabbri [4] -------- FIXED BY ------------------------------------------------------------ * Magnity [5], the module maintainer -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/node/617480 [2] http://drupal.org/node/617480 [3] http://drupal.org/project/storm [4] http://drupal.org/user/208703 [5] http://drupal.org/user/267154

1 0

SA-CONTRIB-2009-088 - Workflow Multiple Cross Site Scripting Vulnerabilities
by security-news＠drupal.org 28 Oct '09

28 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-088 * Project: Workflow (third-party module) * Version: 6.x, 5.x * Date: 2009-October-28 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Workflow module enables sites to define flexible process management systems. Names of workflows and workflow states are not sanitised to display as plain text, leading to a Cross Site Scripting (XSS [1]) vulnerability. Exploiting this vulnerability would allow a malicious user to gain full administrative access. Mitigating factors: A malicious user would need 'administer workflow' permission to carry out the cross-site-scripting attack. -------- VERSIONS AFFECTED --------------------------------------------------- * Workflow module versions Drupal 6.x prior to Workflow 6.x-1.2 [2] * Workflow module versions Drupal 5.x prior to Workflow 5.x-2.4 [3] Drupal core is not affected. If you do not use the contributed Workflow [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use the Workflow module for Drupal 6.x upgrade to Workflow 6.x-1.2 [5] * If you use the Workflow module for Drupal 5.x upgrade to Workflow 5.x-2.4 [6] -------- REPORTED BY --------------------------------------------------------- Justin_KleinKeane [7]. -------- FIXED BY ------------------------------------------------------------ jvandyk [8], the module maintainer. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/612832 [3] http://drupal.org/node/612834 [4] http://drupal.org/project/workflow [5] http://drupal.org/node/612832 [6] http://drupal.org/node/612834 [7] http://drupal.org/user/302225 [8] http://drupal.org/user/2375

1 0

SA-CONTRIB-2009-087 - FAQ Ask - Multiple Vulnerabilities
by security-news＠drupal.org 28 Oct '09

28 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-087 * Project: FAQ Ask (third-party module) * Version: 6.x * Date: 2009 October 28 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Multiple Vulnerabilities (XSS, CSRF, Open Redirect) -------- DESCRIPTION --------------------------------------------------------- The FAQ Ask module enables site users to ask questions for experts to answer. The module suffers multiple vulnerabilities, including Cross Site Request Forgeries (CSRF [1]) and Cross Site Scripting problems (Cross Site Scripting [2]). These vulnerabilities allow an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page, and gain access to unpublished content on a site. -------- VERSIONS AFFECTED --------------------------------------------------- * FAQ Ask module for Drupal 6.x prior to 6.x-2.0 (including 6.x-1.x) * FAQ Ask module for Drupal 5.x Drupal core is not affected. If you do not use the contributed FAQ Ask module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Upgrade to the latest version or disable the module. * If you use FAQ Ask for Drupal 6.x upgrade to version 6.x-2.0 [3] * If you use FAQ Ask for Drupal 5.x it is no longer supported and you should disable it or upgrade your site to 6.x so you can use FAQ Ask 6.x-2.0. -------- REPORTED BY --------------------------------------------------------- * XSS and CSRF vulnerability reported by Dylan Wilder-Tack [4] See also the FAQ Ask module project page [5]. -------- FIXED BY ------------------------------------------------------------ * Fixed by NancyDru [6]. -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Csrf [2] http://en.wikipedia.org/wiki/XSS [3] http://drupal.org/node/611316 [4] http://drupal.org/user/96647 [5] http://drupal.org/project/faq_ask [6] http://drupal.org/user/101412

1 0

SA-CONTRIB-2009-086 - OpenSocial Shindig-Integrator - Cross Site Scripting
by security-news＠drupal.org 28 Oct '09

28 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-086 * Project: OpenSocial Shindig-Integrator (third-party module) * Version: 6.x, 5.x * Date: 2009-October-86 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The OpenSocial Shindig-Integrator module enables sites to host OpenSocial widgets. The module fails to sanitize user input, making it vulnerable to cross site scripting (XSS [1]) attacks. This vulnerability is somewhat limited by the fact that an attacker would need an account with the permissions to "create application" on the site. -------- VERSIONS AFFECTED --------------------------------------------------- * OpenSocial Shindig-Integrator module for Drupal 6.x prior to OpenSocial Shindig-Integrator 6.x-2.1 [2] * OpenSocial Shindig-Integrator module for Drupal 5.x Drupal core is not affected. If you do not use the contributed OpenSocial Shindig-Integrator [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version or disable the module. * If you use the OpenSocial Shindig-Integrator module for Drupal 6.x upgrade to OpenSocial Shindig-Integrator 6.x-2.1 [4] * If you use the OpenSocial Shindig-Integrator module for Drupal 5.x, disable the module and un-install it. The 5.x branch is no longer supported. -------- REPORTED BY --------------------------------------------------------- * Tony Mobily -------- FIXED BY ------------------------------------------------------------ * Astha Bhatnagar [5], module maintainer. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/en/Cross_Site_Scripting [2] http://drupal.org/node/615584 [3] http://drupal.org/project/shindigintegrator [4] http://drupal.org/node/615584 [5] http://drupal.org/user/375917

1 0

SA-CONTRIB-2009-085 - Insert Node - Cross Site Scripting
by security-news＠drupal.org 28 Oct '09

28 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-085 * Project: Insert Node (third-party module) * Version: 5.x * Date: 2009-October-28 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Insert Node module provides an input filter that enables a node to be inserted within the body field of another node. The module fails to sanitize the inserted node, making it vulnerable to a cross site scripting (XSS [1]) attack. -------- VERSIONS AFFECTED --------------------------------------------------- * Insert Node module versions for Drupal 5.x prior to Insert Node 5.x-1.2 [2] Drupal core is not affected. If you do not use the contributed Insert Node [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use the Insert Node module for Drupal 6.x there is nothing you need to do. * If you use the Insert Node module for Drupal 5.x upgrade to Insert Node 5.x-1.2 [4] -------- REPORTED BY --------------------------------------------------------- * Konstantin Käfer [5]. -------- FIXED BY ------------------------------------------------------------ * Mark Burton [6] and Alexis Wilke [7], the module maintainers. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/en/Cross_Site_Scripting [2] http://drupal.org/node/616546 [3] http://drupal.org/project/insertnode [4] http://drupal.org/node/616546 [5] http://drupal.org/user/14572 [6] http://drupal.org/user/114447 [7] http://drupal.org/user/356197

1 0

SA-CONTRIB-2009-084 - LDAP Integration - Multiple Vulnerabilities
by security-news＠drupal.org 28 Oct '09

28 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-084 * Project: LDAP Integration (third-party module) * Version: 6.x, 5.x * Date: 2009-October-28 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The LDAP Integration module enables users to authenticate against LDAP servers. The module does not properly implement confirmation pages for the LDAP server activation/deactivation which could lead to a Cross Site Request Forgery (CSRF [1]) attack. The user defined server name is not properly escaped on the administration pages making it vulnerable to a cross site scripting (XSS [2]) attack. User LDAP data can be viewed by un-authorized users, as it is not properly access controlled before being displayed on user profile pages. Additionally some user management access rules were ignored during the authentication process. -------- VERSIONS AFFECTED --------------------------------------------------- * LDAP Integration module versions for Drupal 6.x prior to LDAP Integration 6.x-1.0-beta2 [3] * LDAP Integration module versions for Drupal 5.x prior to LDAP Integration 5.x-1.5 [4] * LDAP Integration module versions for Drupal 4.7.x are now unsupported. Drupal core is not affected. If you do not use the contributed LDAP Integration [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use the LDAP Integration module for Drupal 6.x upgrade to LDAP Integration 6.x-1.0-beta2 [6] * If you use the LDAP Integration module for Drupal 5.x upgrade to LDAP Integration 5.x-1.5 [7] * If you use the LDAP Integration module for Drupal 4.7.x, disable the module. -------- REPORTED BY --------------------------------------------------------- * The XSS vulnerability was reported by Jakub Suchy [8] of the Drupal Security Team. * The CSRF vulnerability was reported by Stéphane Corlosquet [9] of the Drupal Security Team. * The Access Bypass vulnerabilities were reported by Christian A. Reiter [10] and Matt Vance [11]. * The User management access rules vulnerability was reported by Kevin Murphy [12]. -------- FIXED BY ------------------------------------------------------------ * Miglius Alaburda [13], the module maintainer -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/en/Cross_Site_Request_Forgery [2] http://en.wikipedia.org/en/Cross_Site_Scripting [3] http://drupal.org/node/615898 [4] http://drupal.org/node/615900 [5] http://drupal.org/project/ldap_integration [6] http://drupal.org/node/615898 [7] http://drupal.org/node/615900 [8] http://drupal.org/user/31977 [9] http://drupal.org/user/52142 [10] http://drupal.org/user/116783 [11] http://drupal.org/user/88338 [12] http://drupal.org/user/60619 [13] http://drupal.org/user/18741

1 0

SA-CONTRIB-2009-083 - CCK Comment Reference - Access Bypass
by security-news＠drupal.org 28 Oct '09

28 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-083 * Project: CCK Comment Reference (third-party module) * Version: 6.x * Date: 2009-October-28 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The CCK Comment Reference module enables administrators to define node fields that are references to comments. Users can access comments through the autocomplete path that the module provides even if they don't have access to read comments. -------- VERSIONS AFFECTED --------------------------------------------------- * CCK Comment Reference module versions Drupal 6.x prior to CCK Comment Reference 6.x-1.3 [1] * Comment reference module versions Drupal 5.x prior to CCK Comment Reference 5.x-1.2 [2] Drupal core is not affected. If you do not use the contributed CCK Comment Reference [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use the CCK Comment Reference module for Drupal 6.x upgrade to CCK Comment Reference 6.x-1.3 [4] * If you use the CCK Comment Reference module for Drupal 6.x upgrade to CCK Comment Reference 5.x-1.2 [5] -------- REPORTED BY --------------------------------------------------------- * Ben Jeavons [6] of Drupal Security Team. -------- FIXED BY ------------------------------------------------------------ * Kristof De Jaeger [7], the module maintainer. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/node/615988 [2] http://drupal.org/node/616824 [3] http://drupal.org/project/commentreference [4] http://drupal.org/node/615988 [5] http://drupal.org/node/616824 [6] http://drupal.org/user/91990 [7] http://drupal.org/user/107403

1 0

SA-CONTRIB-2009-082 - Filefield module access bypass
by security-news＠drupal.org 21 Oct '09

21 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-082 * Project: FileField (third-party module) * Version: 6.x * Date: 2009-October-20 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Access bypass .... Description The FileField module allows users to upload files through an AJAX-upload widget that can be added to content types through CCK. In the 3.1 version of FileField, the module would not restrict access to files based on node-access permissions when using Drupal core's private file system. .... Versions affected * FileField module 6.x-3.1 only Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do. .... Solution Install the latest version. * If you use the FileField module for Drupal 6.x upgrade to FileField module 6.x-3.2 [1] See also the FileField module project page [2]. .... Reported by isaac77 [3]. .... Fixed by isaac77 [4] and quicksketch [5] the module maintainer. .... Contact The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/node/609874 [2] http://drupal.org/project/filefield [3] http://drupal.org/user/49318 [4] http://drupal.org/user/49318 [5] http://drupal.org/user/35821

1 0

SA-CONTRIB-2009-081 - Abuse - Cross Site Scripting
by security-news＠drupal.org 21 Oct '09

21 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-081 * Project: Abuse (third-party module) * Version: 5.x, 6.x * Date: 2009 October 21 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Abuse module enables users to flag nodes and comments as offensive, bringing them to the attention of the site maintainer for review. The module suffers from a Cross Site Scripting (Cross Site Scripting [1]) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Abuse 6.x prior to 6.x-1.1-alpha1 * Abuse 5.x prior to 5.x-2.1 Drupal core is not affected. If you do not use the contributed Abuse module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Upgrade to the latest version: * If you use Abuse for Drupal 6.x upgrade to version 6.x-1.1-alpha1 [2] * If you use Abuse for Drupal 5.x upgrade to version 5.x-2.1 [3] -------- REPORTED BY --------------------------------------------------------- * Reported by Mustafa ULU [4]. -------- FIXED BY ------------------------------------------------------------ * Fixed by Ashok Modi [5]. -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/XSS [2] http://drupal.org/node/610900 [3] http://drupal.org/node/610784 [4] http://drupal.org/user/207559 [5] http://drupal.org/user/60422

1 0

SA-CONTRIB-2009-080 - Simplenews Statistics - Multiple vulnerabilities
by security-news＠drupal.org 21 Oct '09

21 Oct '09

* Advisory ID: DRUPAL-SA-CONTRIB-2009-080 * Project: Simplenews Statistics (third-party module) * Version: 6.x * Date: 2009 October 21 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities (XSS, CSRF, Open Redirect) -------- DESCRIPTION --------------------------------------------------------- The Simplenews Statistics module provides newsletter statistics such as the open rate and CTR (click-through rate). The module suffers multiple vulnerabilities, including Cross Site Request Forgeries (CSRF [1]), Cross Site Scripting problem (Cross Site Scripting [2]) and Open Redirect. This problem allows an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page. -------- VERSIONS AFFECTED --------------------------------------------------- * Simplenews Statistics 6.x prior to 6.x-2.0 Drupal core is not affected. If you do not use the contributed Simplenews Statistics module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Upgrade to the latest version: * If you use Simplenews Statistics for Drupal 6.x upgrade to version 6.x-2.0 [3] -------- REPORTED BY --------------------------------------------------------- * Open redirect vulnerability reported by John Pettitt * XSS and CSRF vulnerability reported by Dylan Wilder-Tack [4] -------- FIXED BY ------------------------------------------------------------ * Fixed by Sjoerd Arendsen [5]. -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Csrf [2] http://en.wikipedia.org/wiki/XSS [3] http://drupal.org/node/590098 [4] http://drupal.org/user/96647 [5] http://drupal.org/user/310132

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news October 2009