* Advisory ID: DRUPAL-SA-CONTRIB-2009-115
* Project: Autocomplete Widgets for CCK Text and Number (third-party module)
* Version: 6.x
* Date: 2009-December-30
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
Autocomplete Widgets module adds 2 autocomplete widgets for CCK fields of
type Text and Number. The autocomplete callback implemented by this module
does not honor permissions to access CCK fields, allowing users to see field
values even though they are not authorized to access that information.
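As an added illustration (not the Autocomplete Widgets module's own code), a constructed Drupal 6 autocomplete menu callback of the shape the advisory describes, with the missing CCK field access check in place; the function name and the node join are hypothetical, the CCK API calls are real Drupal 6 functions.

```php
<?php
// Constructed Drupal 6 autocomplete callback for a CCK text field.
// Illustrative only: not the Autocomplete Widgets module's own code.
// Weakness class from the advisory: an autocomplete callback that returns
// stored field values to any caller without asking whether the caller may
// view that field.

function example_autocomplete($field_name, $string = '') {
  $field = content_fields($field_name);
  if (empty($field)) {
    // Unknown field: nothing to look up, nothing to disclose.
    drupal_not_found();
    return;
  }

  // The fix: honour CCK field-level access before returning any values.
  // content_access() consults hook_field_access() for the current user.
  if (!content_access('view', $field)) {
    drupal_access_denied();
    return;
  }

  // Table and column names come from CCK configuration, not from the request.
  $db_info = content_database_info($field);
  $table  = $db_info['table'];
  $column = $db_info['columns']['value']['column'];
  $matches = array();

  // db_rewrite_sql() applies node_access restrictions so values stored on
  // nodes the user may not see are not leaked either; '%s' quotes and
  // escapes the user-supplied prefix, and '%%' is a literal percent sign.
  $sql = "SELECT DISTINCT c.$column FROM {" . $table . "} c " .
         "INNER JOIN {node} n ON n.vid = c.vid " .
         "WHERE c.$column LIKE '%%%s%%' AND n.status = 1";
  $result = db_query_range(db_rewrite_sql($sql), $string, 0, 10);
  while ($row = db_fetch_array($result)) {
    // Suggestions are inserted into the page by the browser: escape them.
    $value = check_plain($row[$column]);
    $matches[$value] = $value;
  }
  drupal_json($matches);
}
```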
-------- VERSIONS AFFECTED ---------------------------------------------------
* Autocomplete Widgets module 6.x-1.2 and prior versions on the 6.x-1.x
branch
Drupal core is not affected. If you do not use the contributed Autocomplete
Widgets [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Autocomplete Widgets module for Drupal 6.x, upgrade to
Autocomplete Widgets 6.x-1.3 [2]
See also the Autocomplete Widgets module project page [3].
-------- REPORTED BY ---------------------------------------------------------
mr.baileys [4]
-------- FIXED BY ------------------------------------------------------------
markus_petrux [5], the Autocomplete Widgets module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/autocomplete_widgets
[2] http://drupal.org/node/670928
[3] http://drupal.org/project/autocomplete_widgets
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/39593
* Advisory ID: DRUPAL-SA-CONTRIB-2009-114
* Project: Automated Logout (third-party module)
* Version: 6.x
* Date: 2009-December-23
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module provides a site administrator the ability to log users out after
a specified time of inactivity. The module does not sanitize some of the
user-supplied data before displaying it, leading to a cross-site scripting
(XSS [1]) vulnerability. Users who can take advantage of this vulnerability
could gain administrator access to a site. This vulnerability is mitigated by
the fact that the attacker must have a role with the 'administer autologout'
permission.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Automated Logout module 6.x-1.6 and prior versions on the 6.x-1.x branch
* Automated Logout module 6.x-2.2 and prior versions on the 6.x-2.x branch
Note that the Drupal 5 version of the Automated Logout module is also
affected, but the attacker must have a role with the 'administer site
configuration' permission. The 'administer site configuration' permission is
inherently unsafe and should only be granted to trusted users; therefore,
this issue is not considered a security vulnerability for Drupal 5 (see
http://drupal.org/node/475848). Drupal core is not affected. If you do not
use the contributed Automated Logout [2] module, there is nothing you need to
do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Automated Logout module for Drupal 6.x, upgrade to either
Automated Logout 6.x-1.7 [3] or Automated Logout 6.x-2.3 [4]
See also the Automated Logout module project page [5].
-------- REPORTED BY ---------------------------------------------------------
mr.baileys [6]
-------- FIXED BY ------------------------------------------------------------
jvandervort [7], one of the Automated Logout module maintainers
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/autologout
[3] http://drupal.org/node/667084
[4] http://drupal.org/node/667086
[5] http://drupal.org/project/autologout
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/35604
* Advisory ID: DRUPAL-SA-CONTRIB-2009-113
* Project: FAQ (third-party module)
* Version: 5.x, 6.x
* Date: 2009-December-23
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Frequently Asked Questions (faq) module allows users, with the
appropriate permissions, to create question and answer pairs which are
displayed on the 'faq' page, and in the random and recent FAQ blocks. The
module does not sanitize some of the user-supplied data before displaying it,
leading to a Cross Site Scripting (XSS [1]) vulnerability. This vulnerability
is mitigated by the fact that the attacker must have a role with the
'administer faq', 'create faq' or 'edit faq' permissions. If using the FAQ
module with the FAQ Ask module, the attacker may also exploit the
vulnerability if they have the 'ask question' permission.
-------- VERSIONS AFFECTED ---------------------------------------------------
* FAQ module 5.x-2.13 and prior versions
* FAQ module 6.x-1.10 and prior versions
Drupal core is not affected. If you do not use the contributed FAQ [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the FAQ module for Drupal 5.x upgrade to FAQ 5.x-2.14
* If you use the FAQ module for Drupal 6.x upgrade to FAQ 6.x-1.11
See also the FAQ module project page [3].
-------- REPORTED BY ---------------------------------------------------------
* stella [4] (the module maintainer)
-------- FIXED BY ------------------------------------------------------------
* stella [5] (the module maintainer)
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/faq
[3] http://drupal.org/project/faq
[4] http://drupal.org/user/66894
[5] http://drupal.org/user/66894
* Advisory ID: DRUPAL-SA-CORE-2009-009
* Project: Drupal core
* Version: 5.x, 6.x
* Date: 2009-December-16
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
-------- DESCRIPTION ---------------------------------------------------------
Multiple vulnerabilities were discovered in Drupal.
.... Contact category name cross-site scripting
The Contact module does not correctly handle certain user input when
displaying category information. Users privileged to create contact
categories can insert arbitrary HTML and script code into the contact module
administration page. Such a cross-site scripting attack may lead to the
malicious user gaining administrative access. Wikipedia has more information
about cross-site scripting [1] (XSS). This issue affects Drupal 6.x and
Drupal 5.x.
.... Menu description cross-site scripting
The Menu module does not correctly handle certain user input when displaying
the menu administration overview. Users privileged to create new menus can
insert arbitrary HTML and script code into the menu module administration
page. Such a cross-site scripting attack may lead to the malicious user
gaining administrative access. Wikipedia has more information about
cross-site scripting [2] (XSS). This issue affects Drupal 6.x only.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal 5.x before version 5.21.
* Drupal 6.x before version 6.15.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you are running Drupal 6.x then upgrade to Drupal 6.15 [3].
* If you are running Drupal 5.x then upgrade to Drupal 5.21 [4].
If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. These patches
fix the security vulnerability, but do not contain other fixes which were
released in Drupal 5.21 or Drupal 6.15.
* To patch Drupal 6.14 use SA-CORE-2009-009-6.14.patch [5].
* To patch Drupal 5.20 use SA-CORE-2009-009-5.20.patch [6].
-------- REPORTED BY ---------------------------------------------------------
The contact category XSS issue was independently reported by mr.baileys and
Justin Klein Keane [7]. The menu description XSS issue was reported by
mr.baileys [8].
-------- FIXED BY ------------------------------------------------------------
The contact category XSS issue was fixed by Justin Klein Keane [9] and Dave
Reid [10]. The menu description XSS issue was fixed by Gábor Hojtsy [11] and
Heine Deelstra [12].
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://ftp.drupal.org/files/projects/drupal-6.15.tar.gz
[4] http://ftp.drupal.org/files/projects/drupal-5.21.tar.gz
[5] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch
[6] http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-5.20.patch
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/53892
[11] http://drupal.org/user/4166
[12] http://drupal.org/user/17943
* Advisory ID: DRUPAL-SA-CONTRIB-2009-112
* Project: Sections (third-party module)
* Version: 5.x, 6.x
* Date: 2009-December-16
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Sections module allows the creation of sections within a site. Each
section has an installed template, theme or style attached to it. The module
does not sanitize some of the user-supplied data before displaying it,
leading to a Cross Site Scripting (XSS [1]) vulnerability. Users who can take
advantage of this vulnerability could gain administrator access to a site.
This vulnerability is mitigated by the fact that the attacker must have a
role with the 'administer sections' permission.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Sections module 5.x-1.2 and prior versions
* Sections module 6.x-1.2 and prior versions
Drupal core is not affected. If you do not use the contributed Sections [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Sections module for Drupal 5.x upgrade to Sections 5.x-1.3
[3]
* If you use the Sections module for Drupal 6.x upgrade to Sections 6.x-1.3
[4]
See also the Sections module project page [5].
-------- REPORTED BY ---------------------------------------------------------
Justin C. Klein Keane [6]
-------- FIXED BY ------------------------------------------------------------
Alexander Hass [7], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/sections
[3] http://drupal.org/node/660794
[4] http://drupal.org/node/660796
[5] http://drupal.org/project/sections
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/85918
* Advisory ID: DRUPAL-SA-CONTRIB-2009-111
* Project: Randomizer (third-party module)
* Version: 5.x, 6.x
* Date: 2009-December-09
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Randomizer module assists researchers and students who want an easy way
to perform random sampling or assign participants to experimental conditions.
It accepts form input as parameters for generating a pseudo-random list of
numbers. The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability.
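As an added illustration covering the cross-site scripting advisories on this page (Automated Logout, FAQ, Drupal core SA-CORE-2009-009, Sections and Randomizer), and not code from any of those projects: a constructed Drupal 6 administration overview in the vulnerable shape beside the same page with output escaping added. The table, column and function names are hypothetical; check_plain(), filter_xss_admin(), t() and l() are real Drupal 6 API.

```php
<?php
// Constructed Drupal 6 example; hypothetical table and function names.
// Not the code of any module named in the advisories on this page.
// Common shape in all of them: a value entered by a user (a category name,
// a menu description, a section name, form input) is echoed into a page
// without escaping, so markup in the value is rendered by the browser.

// Vulnerable shape: stored values are placed in the table as raw markup.
function example_overview_vulnerable() {
  $header = array(t('Name'), t('Description'), t('Operations'));
  $rows = array();
  $result = db_query("SELECT id, name, description FROM {example_item}");
  while ($item = db_fetch_object($result)) {
    // theme('table') treats cell contents as HTML, so script stored in
    // $item->name runs in the browser of whoever opens this admin page.
    $rows[] = array(
      $item->name,
      $item->description,
      l(t('edit'), 'admin/example/' . $item->id . '/edit'),
    );
  }
  return theme('table', $header, $rows);
}

// Fixed shape: escape on output, picking the filter by what the field may hold.
function example_overview_fixed() {
  $header = array(t('Name'), t('Description'), t('Operations'));
  $rows = array();
  $result = db_query("SELECT id, name, description FROM {example_item}");
  while ($item = db_fetch_object($result)) {
    $rows[] = array(
      // Plain-text field: check_plain() encodes <, >, &, " and ' as entities.
      check_plain($item->name),
      // Field that may legitimately carry simple markup: filter_xss_admin()
      // removes script elements, event-handler attributes and javascript: URLs.
      filter_xss_admin($item->description),
      // l() escapes its link text itself; the id is cast so only digits reach the path.
      l(t('edit'), 'admin/example/' . (int) $item->id . '/edit'),
    );
  }
  return theme('table', $header, $rows);
}

// Status messages follow the same rule: t() passes @placeholders through
// check_plain(), while !placeholders are inserted verbatim.
function example_saved_message($name) {
  drupal_set_message(t('Item @name has been saved.', array('@name' => $name)));
}
```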
-------- VERSIONS AFFECTED ---------------------------------------------------
* Randomizer module 5.x-1.0 and prior versions
* Randomizer module 6.x-1.0 and prior versions
Drupal core is not affected. If you do not use the contributed Randomizer [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
The Randomizer module is not maintained and there is no direct solution.
Disable the module.
-------- REPORTED BY ---------------------------------------------------------
* grendzy [3]
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/randomizer
[3] http://drupal.org/user/96647
* Advisory ID: DRUPAL-SA-CONTRIB-2009-110
* Project: Taxonomy Timer (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-25
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Taxonomy Timer module enables users to set expiration dates for Taxonomy
Terms. At the time of expiration other terms can be assigned, or nodes can be
unpublished. In some cases the module does not properly sanitize user input,
leading to a SQL Injection [1] vulnerability. Such an attack may lead to a
malicious user gaining full administrative access.
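As an added illustration (not the Taxonomy Timer module's own code), a constructed Drupal 6 query in the vulnerable shape the advisory describes beside the fixed form using db_query() placeholders; the table, column and function names are hypothetical, db_query(), db_result() and the %d / '%s' placeholders are real Drupal 6 API.

```php
<?php
// Constructed Drupal 6 example with hypothetical table and function names.
// Not the Taxonomy Timer module's own code.  Shows the weakness class the
// advisory names (user input concatenated into SQL) and the Drupal 6 fix.

// Vulnerable shape: $tid arrives from the URL and is interpolated directly,
// so anything other than a number becomes part of the SQL statement.
function example_term_expiry_vulnerable($tid) {
  return db_result(db_query("SELECT expiry FROM {example_term_timer} WHERE tid = $tid"));
}

// Fixed shape: db_query() placeholders.  %d casts the argument to an
// integer before it reaches the database; '%s' escapes a string argument
// with db_escape_string() and the quotes stay in the query text.
function example_term_expiry($tid) {
  return db_result(db_query("SELECT expiry FROM {example_term_timer} WHERE tid = %d", $tid));
}

// Values that choose behaviour (here the action taken at expiry) are not
// interpolated at all: they are checked against a fixed list first.
function example_terms_expiring_before($timestamp, $action) {
  $allowed = array('unpublish', 'reassign');
  if (!in_array($action, $allowed, TRUE)) {
    return array();
  }
  $tids = array();
  $result = db_query(
    "SELECT tid FROM {example_term_timer} WHERE expiry <= %d AND action = '%s'",
    $timestamp, $action
  );
  while ($row = db_fetch_object($result)) {
    $tids[] = (int) $row->tid;
  }
  return $tids;
}
```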
-------- VERSIONS AFFECTED ---------------------------------------------------
* Taxonomy Timer module 5.x-1.8 and prior versions
* Taxonomy Timer module 6.x-alpha1 and prior versions
Drupal core is not affected. If you do not use the contributed Taxonomy Timer
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Taxonomy Timer module for Drupal 5.x upgrade to Taxonomy
Timer module 5.x-1.9 [2]
* If you use the Taxonomy Timer module for Drupal 6.x upgrade to Taxonomy
Timer module 6.x-1.0-rc1 [3]
See also the Taxonomy Timer [4] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dylan Wilder-Tack [5]
-------- FIXED BY ------------------------------------------------------------
* Suydam [6], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/SQL_Injection
[2] http://drupal.org/node/641050
[3] http://drupal.org/node/641064
[4] http://drupal.org/project/taxonomy_timer
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/50195