* Advisory ID: DRUPAL-SA-CONTRIB-2009-079
* Project: vCard module (third-party module)
* Version: 6.x, 5.x
* Date: 2009-October-21
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The vCard module adds a vCard download link to every user's profile. This
link makes it easy to add users from a Drupal site to a local address book.
When the theme_vcard() function is added to a theme and the default content
from the vCard module is output, that output is not properly escaped, leaving
the site vulnerable to cross-site scripting (XSS [1]). Such an attack may lead
to a malicious user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* vCard module versions 6.x prior to 6.x-1.3
* vCard module versions 5.x prior to 5.x-1.4
Drupal core is not affected. If you do not use the contributed vCard module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the vCard module for Drupal 6.x upgrade to vCard module 6.x-1.3
[2]
* If you use the vCard module for Drupal 5.x upgrade to vCard module 5.x-1.4
[3]
See also the vCard module project page [4].
-------- REPORTED BY
---------------------------------------------------------
John Morahan [5]
-------- FIXED BY
------------------------------------------------------------
sanduhrs [6], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/610420
[3] http://drupal.org/node/610416
[4] http://drupal.org/project/vCard
[5] http://drupal.org/user/58170
[6] http://drupal.org/user/28074
* Advisory ID: DRUPAL-SA-CONTRIB-2009-078
* Project: Moodle Course List module (third-party module)
* Version: 6.x
* Date: 2009-October-21
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
The Moodle Course List module provides a block which displays links to a
user's Moodle courses. In some cases the module does not properly sanitize
user input before using it in a database query, leading to a SQL injection
[1] vulnerability. Such an attack may lead to a malicious user gaining full
administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Moodle Course List module versions 6.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Moodle Course
List module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Moodle Course List module for Drupal 6.x upgrade to Moodle
Course List module 6.x-1.2 [2]
See also the Moodle Course List module project page [3].
-------- REPORTED BY
---------------------------------------------------------
Charlie Gordon [4]
-------- FIXED BY
------------------------------------------------------------
Adam Gerson [5], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/SQL_Injection
[2] http://drupal.org/node/569734
[3] http://drupal.org/project/moodle_courselist
[4] http://drupal.org/user/157412
[5] http://drupal.org/user/293615
* Advisory ID: DRUPAL-SA-CONTRIB-2009-077
* Project: Userpoints (third party module)
* Version: 6.x
* Date: 2009-October-21
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Information disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Userpoints module enables the users of a site to gain or lose points
based on their activity. There is a vulnerability in the module which allows
any user with the "View own userpoints" permission to view the userpoints
data of any user, not just their own.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Userpoints module versions 6.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Userpoints
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the Userpoints module for Drupal 6.x upgrade to Userpoints
module 6.x-1.1 [1]
See also the Userpoints module project page [2].
-------- REPORTED BY
---------------------------------------------------------
mr.baileys [3].
-------- FIXED BY
------------------------------------------------------------
kbahey [4], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/610828
[2] http://drupal.org/project/userpoints
[3] http://drupal.org/user/383424
[4] http://drupal.org/user/4063
* Advisory ID: DRUPAL-SA-CONTRIB-2009-076
* Project: Flag Content (third-party module)
* Version: 5.x
* Date: 2009-October-21
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Flag Content module enables users to flag nodes and users for the
attention of a site maintainer (e.g. for abuse, spam, trolling, etc.). In
some specific cases, the module does not sanitize the Reason field before
outputting it, resulting in a cross-site scripting (XSS [1]) vulnerability.
Such an attack may lead to a malicious user gaining full administrative
access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Flag Content 5.x-2.x prior to 5.x-2.10
Drupal core is not affected. If you do not use the contributed Flag Content
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Flag Content module for Drupal 5.x upgrade to Flag Content
5.x-2.10 [2]
-------- REPORTED BY
---------------------------------------------------------
patPrzybilla [3].
-------- FIXED BY
------------------------------------------------------------
kbahey [4], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/610870
[3] http://drupal.org/user/151965
[4] http://drupal.org/user/4063
* Advisory ID: DRUPAL-SA-CONTRIB-2009-075
* Project: Organic Groups Vocabulary (third-party module)
* Version: 5.x
* Date: 2009-October-21
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Organic Groups Vocabulary module enables an organic group to have a group
specific vocabulary. In some specific cases, the module does not sanitize
before outputting the group title, resulting in a cross-site scripting (XSS
[1]) vulnerability. Such an attack may lead to a malicious user gaining full
administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Organic Groups Vocabulary versions for Drupal 5.x before Organic Groups
Vocabulary 5.x-1.1 [2]
Drupal core is not affected. If you do not use the contributed Organic Groups
Vocabulary module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Organic Groups Vocabulary for Drupal 5.x upgrade to version
5.x-1.1 [3]
See also the Organic Groups Vocabulary module project page [4].
-------- REPORTED BY
---------------------------------------------------------
Stéphane Corlosquet [5] of the Drupal Security Team.
-------- FIXED BY
------------------------------------------------------------
Amitaibu [6], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/605094
[3] http://drupal.org/node/605094
[4] http://drupal.org/project/og_vocab
[5] http://drupal.org/user/52142
[6] http://drupal.org/user/57511
* Advisory ID: DRUPAL-SA-CONTRIB-2009-074
* Project: Webform (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
.... Cross-site scripting
The Webform module enables the creation of custom forms for collecting data
from users. The Webform module does not properly escape field labels in
certain situations. A malicious user with permission to create webforms could
use this to mount a cross-site scripting (XSS [1]) attack against users who
view the results, potentially gaining full administrative access.
.... Session data disclosure
The Webform module fails to prevent the page from being cached when a default
value uses token placeholders. When page caching is enabled, the cached copy
of the page discloses one visitor's session variables to other anonymous
users.
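Added illustrative example (not Webform's own code) of the caching problem and the Drupal 6 remedy. The Drupal 6 page cache stores the full HTML of a page served to an anonymous visitor and replays it to the next anonymous visitor; if a default value was expanded from the first visitor's session, everyone who gets the cached copy sees it. The %session[key] token syntax and the function names are assumptions for this example.

```php
<?php
// Added example, not code from the Webform module. The token syntax
// %session[key] and the helper names are assumptions.

/**
 * Render a form field's default value, which may contain per-visitor tokens.
 *
 * VULNERABLE behaviour: expanding the token and returning the value without
 * telling Drupal that this page must not be cached. With page caching on,
 * the first anonymous visitor's $_SESSION data is written into cache_page
 * and served to every later anonymous visitor.
 */
function example_default_value_vulnerable($raw_default) {
  return example_replace_session_tokens($raw_default);
}

/**
 * FIXED: when the default value depends on the visitor's session, opt this
 * request out of the page cache. In Drupal 6 the caching decision is taken
 * at the end of the request from the 'cache' variable, and overriding it in
 * $GLOBALS['conf'] affects the current request only (the stored setting in
 * the variable table is untouched), so this is the supported way for a
 * module to mark one response as uncacheable.
 */
function example_default_value_fixed($raw_default) {
  if (preg_match('/%session\[[^\]]+\]/', $raw_default)) {
    $GLOBALS['conf']['cache'] = CACHE_DISABLED;
  }
  return example_replace_session_tokens($raw_default);
}

/**
 * Replace %session[key] with the value from the visitor's own $_SESSION.
 */
function example_replace_session_tokens($text) {
  return preg_replace_callback('/%session\[([^\]]+)\]/', 'example_session_lookup', $text);
}

function example_session_lookup($matches) {
  $key = $matches[1];
  // The value lands in an HTML value="" attribute, so escape it; the XSS
  // advisories on this page are the same rule applied to other fields.
  return isset($_SESSION[$key]) ? check_plain($_SESSION[$key]) : '';
}
```

To verify a fix on a site with page caching enabled, load the form as an anonymous visitor with a session value set, then load it again from a second browser with no cookies: the second response must not contain the first visitor's value, and cache_page must not hold a row for that path.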
-------- VERSIONS AFFECTED
---------------------------------------------------
* Webform for Drupal 6.x prior to 6.x-2.8
* Webform for Drupal 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Webform
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8 [2]
* If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8 [3]
See also the Webform project page [4].
-------- REPORTED BY
---------------------------------------------------------
The XSS issue was reported by Justine Klein Keane [5]. The session disclosure
issue was reported by seattlehimay [6].
-------- FIXED BY
------------------------------------------------------------
The XSS issue was fixed by Greg Knaddison [7] of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug [8], the module
maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/604920
[3] http://drupal.org/node/604922
[4] http://drupal.org/project/webform
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/348366
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/35821
* Advisory ID: DRUPAL-SA-CONTRIB-2009-073
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The Printer, e-mail and PDF versions [1] ("print") module provides
printer-friendly versions of content. When displaying the list of links in a
page, the module does not properly escape this data, leading to a cross-site
scripting [2] (XSS) vulnerability. In addition, the "Send by e-mail"
sub-module does not properly check access permissions before displaying the
"Send to friend" form, and may display the page title of pages to which the
user does not have access (usually because they are unpublished or not
accessible to the user's role), even though the user is not actually allowed
to send them by e-mail.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.9
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.9
Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
Printer, e-mail and PDF versions 6.x-1.9 [3]
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.9 [4]
Alternatively, disable the "Printer-friendly URLs list" at
admin/settings/print/common and disable the "Send by e-mail" (print_mail)
sub-module. See also the Printer, e-mail and PDF versions project page [5].
-------- REPORTED BY
---------------------------------------------------------
mcarbone [6]
-------- FIXED BY
------------------------------------------------------------
jcnventura [7], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/project/print
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/node/604806
[4] http://drupal.org/node/604804
[5] http://drupal.org/project/print
[6] http://drupal.org/user/68488
[7] http://drupal.org/user/122464
* Advisory ID: DRUPAL-SA-CONTRIB-2009-072
* Project: RealName (third-party module)
* Version: 6.x
* Date: 2009-October-14
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The RealName module allows the administrator to choose fields from the user
profile that will be used to add a "real name" element (method) to a user
object. In some specific cases, the module does not sanitize before
outputting the realname, resulting in a cross-site scripting (XSS [1])
vulnerability. Such an attack may lead to a malicious user gaining full
administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* RealName 6.x-1.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed RealName
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the RealName for Drupal 6.x-1.x upgrade to RealName 6.x-1.3 [2]
See also the RealName module project page.
-------- REPORTED BY
---------------------------------------------------------
mr.baileys [3]
-------- FIXED BY
------------------------------------------------------------
NancyDru [4], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/603512
[3] http://drupal.org/user/383424
[4] http://drupal.org/user/101412
* Advisory ID: DRUPAL-SA-CONTRIB-2009-071
* Project: OG Vocabulary (third party module)
* Version: 6.x
* Date: 2009-October-14
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Organic Groups Vocabulary module enables an organic group to have a group
specific vocabulary. A vulnerability in this module allows any group member,
even if they are not a group admin, to view, edit, and create vocabularies
and terms for all groups.
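Added illustrative example covering the access-control defect shared by the Userpoints (SA-CONTRIB-2009-077), Print "Send by e-mail" (073) and Organic Groups Vocabulary (071) advisories: a permission is checked, but not that the requested object belongs to, or is viewable by, the requester. It is not code from any of those modules; the permission names, paths and function names are assumptions, and og_is_group_admin() is assumed to be the Organic Groups 6.x helper of that name.

```php
<?php
// Added example, not code from the Userpoints, Print or Organic Groups
// Vocabulary modules. Permission names, paths and helpers are assumptions;
// og_is_group_admin() is assumed to be the OG 6.x helper of that name.

/**
 * VULNERABLE access callback for user/%user/points: it only checks the
 * permission, so anyone holding "view own userpoints" can open
 * user/<any uid>/points and read another user's data.
 */
function example_userpoints_access_vulnerable($account) {
  return user_access('view own userpoints');
}

/**
 * FIXED: the permission only authorizes the requester's own record; a
 * separate permission is needed for everyone else's.
 */
function example_userpoints_access_fixed($account) {
  global $user;
  if (user_access('view all userpoints')) {
    return TRUE;
  }
  return user_access('view own userpoints') && $account->uid == $user->uid;
}

/**
 * "Send to friend" form: nothing about the node, not even its title, may be
 * rendered before node_access('view') has passed. Putting the check in the
 * menu access callback means the page callback never runs for such nodes.
 */
function example_print_mail_access($nid) {
  $node = node_load($nid);
  return $node && node_access('view', $node) && user_access('access send by email');
}

/**
 * Group-scoped admin check for vocabulary editing: membership in some group,
 * or admin rights in one group, must not grant edits in another group.
 */
function example_og_vocab_access($group_node) {
  global $user;
  if (user_access('administer organic groups')) {
    return TRUE;
  }
  return og_is_group_admin($group_node, $user);
}

/**
 * hook_menu() wiring: the loaded object is handed to the access callback via
 * 'access arguments', so every request is authorized per object.
 */
function example_menu() {
  $items['user/%user/points'] = array(
    'title' => 'Points',
    'page callback' => 'example_userpoints_page',
    'page arguments' => array(1),
    'access callback' => 'example_userpoints_access_fixed',
    'access arguments' => array(1),
  );
  $items['printmail/%'] = array(
    'title' => 'Send to friend',
    'page callback' => 'example_print_mail_page',
    'page arguments' => array(1),
    'access callback' => 'example_print_mail_access',
    'access arguments' => array(1),
  );
  $items['node/%node/og_vocab'] = array(
    'title' => 'Group vocabulary',
    'page callback' => 'example_og_vocab_page',
    'page arguments' => array(1),
    'access callback' => 'example_og_vocab_access',
    'access arguments' => array(1),
  );
  return $items;
}
```

The test for each of these is the same: log in as a user who holds the permission but is not the owner, not allowed to view the node, or not an admin of the group, and request the path with another user's uid, an unpublished nid, or a foreign group's nid; the response must be "Access denied" with no title or data leaked.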
-------- VERSIONS AFFECTED
---------------------------------------------------
* Organic Groups Vocabulary module versions 6.x prior to 6.x-1.0
Drupal core is not affected. If you do not use the contributed Organic Groups
Vocabulary module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the Organic Groups Vocabulary module for Drupal 6.x upgrade to
Organic Groups Vocabulary module 6.x-1.0 [1]
-------- REPORTED BY
---------------------------------------------------------
FGM [2] and Ki [3]
-------- FIXED BY
------------------------------------------------------------
mrag_28 [4] and Amitaibu [5], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/604354
[2] http://drupal.org/user/27985
[3] http://drupal.org/user/292047
[4] http://drupal.org/user/206162
[5] http://drupal.org/user/57511
* Advisory ID: DRUPAL-SA-CONTRIB-2009-070
* Project: Shibboleth authentication (third-party module)
* Version: 6.x, 5.x
* Date: 2009-October-14
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Impersonation, privilege escalation
-------- DESCRIPTION
---------------------------------------------------------
The Shibboleth authentication module provides user authentication and
authorisation based on the Shibboleth Web Single Sign-on system. The module
does not properly handle changes to the underlying Shibboleth session. This
can result in impersonation and possible privilege escalation if a user
leaves the browser unattended (i.e. after a SAML2 Single Logout): a person
using the same browser session who re-authenticates at their IdP may end up
logged in as the original user, even accidentally. The dynamic roles the
module assigns are based on the new user's attributes, but any permissions
statically granted to the victim's account remain in effect.
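Added illustrative example (not the Shibboleth authentication module's own code) of binding the Drupal session to the Shibboleth SP session so that a change at the SP ends the Drupal session instead of being inherited. Assumptions: the SP exports its session identifier in the server variable Shib-Session-ID (the SP default; with ShibUseHeaders it would arrive as HTTP_SHIB_SESSION_ID) and the user identifier in REMOTE_USER; the $_SESSION keys and function names are invented for this example.

```php
<?php
// Added example, not code from the Shibboleth authentication module.
// Assumed server variables: Shib-Session-ID and REMOTE_USER, as exported by
// the Shibboleth SP. The $_SESSION keys are invented for this example.

/**
 * Called once the module has mapped SP attributes to a Drupal account and
 * logged it in: remember which SP session this Drupal session belongs to.
 */
function example_shib_bind_session() {
  $_SESSION['example_shib_sp_session'] = example_shib_server_var('Shib-Session-ID');
  $_SESSION['example_shib_sp_user']    = example_shib_server_var('REMOTE_USER');
}

/**
 * hook_init(): runs on every request after $user and $_SESSION are loaded.
 *
 * VULNERABLE behaviour (before 6.x-3.2 / 5.x-3.4): the Drupal session is
 * created at first login and never compared with the SP session again, so
 * the Drupal session cookie alone keeps the victim logged in after an SP
 * logout, and whoever next authenticates at the IdP in that browser
 * inherits $user together with every role statically granted to it.
 *
 * FIX: compare on every request and log out on any mismatch.
 */
function example_shib_init() {
  global $user;
  if ($user->uid == 0 || empty($_SESSION['example_shib_sp_session'])) {
    return; // anonymous, or a session this module did not establish
  }

  $sp_session = example_shib_server_var('Shib-Session-ID');
  $sp_user    = example_shib_server_var('REMOTE_USER');

  if ($sp_session !== $_SESSION['example_shib_sp_session']
      || $sp_user !== $_SESSION['example_shib_sp_user']) {
    watchdog('shib_auth', 'Shibboleth session changed for %name (SP user %sp); logging out.',
             array('%name' => $user->name, '%sp' => $sp_user), WATCHDOG_WARNING);
    // user_logout() lives in user.pages.inc in Drupal 6; it invokes
    // hook_user('logout'), destroys the PHP session, resets $user to the
    // anonymous user and redirects, so nothing below this line runs.
    module_load_include('inc', 'user', 'user.pages');
    user_logout();
  }
}

/**
 * Read an SP-exported variable, accepting both the environment-variable and
 * the ShibUseHeaders spelling. Returns '' when the SP session is gone, which
 * is exactly the Single Logout case and must not compare equal to a bound
 * session id.
 */
function example_shib_server_var($name) {
  if (isset($_SERVER[$name])) {
    return (string) $_SERVER[$name];
  }
  $header = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
  return isset($_SERVER[$header]) ? (string) $_SERVER[$header] : '';
}
```

After the forced logout the next request is handled by the module's normal login path, so the new person is logged in as the account matching their own SP attributes. Comparing the SP user identifier as well as the SP session id covers SPs that reuse a session after re-authentication.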
-------- VERSIONS AFFECTED
---------------------------------------------------
* Shibboleth authentication versions for Drupal 6.x prior to 6.x-3.2
* Shibboleth authentication versions for Drupal 5.x prior to 5.x-3.4
Drupal core is not affected. If you do not use the contributed Shibboleth
authentication module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Shibboleth authentication for Drupal 6.x upgrade to version
6.x-3.2 [1]
* If you use Shibboleth authentication for Drupal 5.x upgrade to version
5.x-3.4 [2]
See also the Shibboleth authentication [3] project page.
-------- REPORTED BY
---------------------------------------------------------
Kristof Bajnok [4], Shibboleth authentication module maintainer.
-------- FIXED BY
------------------------------------------------------------
Kristof Bajnok [5], Shibboleth authentication module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/593210
[2] http://drupal.org/node/593212
[3] http://drupal.org/project/shib_auth
[4] http://drupal.org/user/250470
[5] http://drupal.org/user/250470