* Advisory ID: DRUPAL-SA-CONTRIB-2009-031
* Project: Ajax Session (third-party module)
* Version: 5.x
* Date: 2009-May-27
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The Ajax session module allows users to set PHP session variables using AJAX.
The module does not make proper use of the Drupal API, leaving it open to
multiple vulnerabilities, including Cross Site Request Forgeries (CSRF [1])
and Cross Site Scripting (XSS [2]).
-------- VERSIONS AFFECTED
---------------------------------------------------
* Ajax Session 5.x-1.0
Drupal core is not affected. If you do not use the contributed Ajax Session
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
There is no solution available. Disable the module and remove it from your
site. The module has been removed from Drupal.org.
-------- REPORTED BY
---------------------------------------------------------
* Reported by Dmitri Gaskin (dmitrig01 [3]).
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/user/47566
* Advisory ID: DRUPAL-SA-CONTRIB-2009-030
* Project: Email Verification (third-party module)
* Version: 5.x, 6.x
* Date: 2009-May-20
* Security risk: High
* Exploitable from: Remote
* Vulnerability: Information disclosure, Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Email Verification module tries to verify user email addresses by talking
to the appropriate SMTP host. It also allows the administrator to access a
list of unconfirmed email addresses. In the Drupal 5 version, this list is
only protected by the "access content" permission, which allows a wide
range of users to access these addresses. In the Drupal 6 version this list
is properly protected. In both versions the username and email addresses are
not properly escaped, allowing Cross Site Scripting (XSS) attacks. To learn
more about Cross Site Scripting read this article [1].
-------- VERSIONS AFFECTED
---------------------------------------------------
* Email Verification 5.x-1.x prior to 5.x-2.1
* Email Verification 6.x-1.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Email
Verification module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Email Verification 5.x-1.x upgrade to Email Verification
5.x-2.1 [2]
* If you use Email Verification 6.x-1.x upgrade to Email Verification
6.x-1.2 [3]
See also the Email Verification project page [4].
-------- REPORTED BY
---------------------------------------------------------
Gerhard Killesreiter (killes(a)www.drop.org) [5]
-------- FIXED BY
------------------------------------------------------------
Gerhard Killesreiter (killes(a)www.drop.org) [6] of the Drupal Security Team.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/468432
[3] http://drupal.org/node/468436
[4] http://drupal.org/project/email_verify
[5] http://drupal.org/user/227
[6] http://drupal.org/user/227
* Advisory ID: DRUPAL-SA-CONTRIB-2009-029
* Project: Views Bulk Operations (third-party module)
* Version: 5.x, 6.x
* Date: 2009-May-20
* Security risk: Medium
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Views Bulk Operations allows registered procedures (called actions) to be
applied to a result set of Drupal nodes returned by the Views module.
Through the Views Bulk Operations interface, users who are not authorized to
update specific nodes or classes of nodes can still apply actions that modify
these nodes, thereby violating user permissions.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Views Bulk Operations 5.x-1.x prior to 5.x-1.4
* Views Bulk Operations 6.x-1.x prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Views Bulk
Operations module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Views Bulk Operations 5.x-1.x upgrade to Views Bulk Operations
5.x-1.4 [1]
* If you use Views Bulk Operations 6.x-1.x upgrade to Views Bulk Operations
6.x-1.7 [2]
See also the Views Bulk Operations project page [3].
-------- REPORTED BY
---------------------------------------------------------
Shawn McElroy (bigmack83) [4]
-------- FIXED BY
------------------------------------------------------------
Karim Ratib (kratib) [5]
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/468374
[2] http://drupal.org/node/468366
[3] http://drupal.org/project/views_bulk_operations
[4] http://drupal.org/user/248940
[5] http://drupal.org/user/48424
* Advisory ID: DRUPAL-SA-CORE-2009-006
* Project: Drupal core
* Version: 5.x, 6.x
* Date: 2009-May-13
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
When outputting user-supplied data Drupal strips potentially dangerous HTML
attributes and tags or escapes characters which have a special meaning in
HTML. This output filtering secures the site against cross site scripting
attacks via user input. Certain byte sequences that are valid in the UTF-8
specification are potentially dangerous when interpreted as UTF-7. Internet
Explorer 6 and 7 may decode these characters as UTF-7 if they appear before
the <meta http-equiv="Content-Type" /> tag that specifies the page content as
UTF-8, despite the fact that Drupal also sends a real HTTP header specifying
the content as UTF-8. This enables attackers to execute cross site scripting
attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting [1]
contained an incomplete fix for the issue. HTML exports of books are still
vulnerable, which means that anyone with edit permissions for pages in
outlines is able to insert arbitrary HTML and script code in these exports.
Additionally, the taxonomy module allows users with the 'administer
taxonomy' permission to inject arbitrary HTML and script code in the help
text of any vocabulary. Wikipedia has more information about cross site
scripting [2] (XSS).
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 5.x before version 5.18.
* Drupal 6.x before version 6.12.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 6.x then upgrade to Drupal 6.12 [3].
* If you are running Drupal 5.x then upgrade to Drupal 5.18 [4].
If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. These patches
fix the security vulnerability but do not contain other fixes which were
released in Drupal 5.18 or Drupal 6.12.
* To patch Drupal 6.11 use SA-CORE-2009-006-6.11.patch [5].
* To patch Drupal 5.17 use SA-CORE-2009-006-5.17.patch [6].
-------- REPORTED BY
---------------------------------------------------------
The UTF-7 XSS issue in book-export-html.tpl.php was reported by Markus
Petrux. The XSS issue in taxonomy module was publicly disclosed.
-------- FIXED BY
------------------------------------------------------------
Both issues were fixed by Heine Deelstra, Peter Wolanin and Derek Wright of
the Drupal Security Team.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/449078
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://ftp.drupal.org/files/projects/drupal-6.12.tar.gz
[4] http://ftp.drupal.org/files/projects/drupal-5.18.tar.gz
[5] http://drupal.org/files/sa-core-2009-006/SA-CORE-2009-006-6.11.patch
[6] http://drupal.org/files/sa-core-2009-006/SA-CORE-2009-006-5.17.patch
* Advisory ID: DRUPAL-SA-CONTRIB-2009-028
* Project: Feed Block (third-party module)
* Version: 6.x
* Date: 2009-May-13
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Feed Block module creates a block with one external (syndicated) article
for each feed source in a selected feed category. Feed Block does not properly
escape aggregator items, allowing users with the "administer news feeds"
permission to inject arbitrary code into the site. Such a cross site scripting
(XSS) attack may lead to a malicious user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Feed Block 6.x-1.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Feed Block
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Feed Block 6.x-1.x upgrade to Feed Block 6.x-1.1 [1]
See also the Feed Block project page [2].
-------- REPORTED BY
---------------------------------------------------------
Jakub Suchy [3] of the Drupal Security Team [4].
-------- FIXED BY
------------------------------------------------------------
Ivan Jaros [5].
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/453098
[2] http://drupal.org/project/feed_block
[3] http://drupal.org/user/31977
[4] http://drupal.org/security-team
[5] http://drupal.org/user/135190
* Advisory ID: DRUPAL-SA-CONTRIB-2009-027
* Project: Printer, e-mail and PDF versions (third-party module)
* Versions: 5.x, 6.x
* Date: 2009-May-13
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
When outputting user-supplied data Drupal strips potentially dangerous HTML
attributes and tags or escapes characters which have a special meaning in
HTML. This output filtering secures the site against cross site scripting
attacks via user input. Certain byte sequences that are valid in the UTF-8
specification are potentially dangerous when interpreted as UTF-7. Internet
Explorer 6 and 7 may decode these characters as UTF-7 if they appear before
the <meta http-equiv="Content-Type" /> tag that specifies the page content as
UTF-8, despite the fact that Drupal also sends a real HTTP header specifying
the content as UTF-8. This behaviour enables malicious users to insert and
execute Javascript in the context of the website if site visitors are allowed
to post content. Note that this vulnerability is identical to the one fixed for
Drupal core by DRUPAL-SA-CORE-2009-005 [1]. Such a cross site scripting [2]
(XSS) attack may lead to a malicious user gaining full administrative access.
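The UTF-7 problem described in this advisory and in DRUPAL-SA-CORE-2009-006 above has two halves: output escaping cannot neutralise a '<' that is hidden inside a UTF-7 shift sequence (the bytes are plain ASCII and pass UTF-8 validation), and a browser will only guess UTF-7 if user-controlled bytes reach it before the charset declaration. The following Python script is an added illustration of both halves from a defender's side; it is not code from Drupal, from either module, or from the advisories (Drupal itself is PHP), and the function names, the sample inputs and the two HTML head fragments are constructed for this example.

```python
import re

# HTML metacharacters that output escaping (Drupal's check_plain and
# friends) is meant to neutralise.
HTML_METACHARS = frozenset('<>"\'&')

# A UTF-7 shift sequence: '+', modified-base64 payload, optional '-'.
SHIFT_SEQ = re.compile(r'\+[A-Za-z0-9+/]+-?')

# Constructed sample inputs (hypothetical, not from the advisory).
# The second one is pure ASCII and valid UTF-8, yet a browser that
# sniffs it as UTF-7 renders it as "hello <b>bold</b>".
PLAIN_INPUT = 'hello <b>x</b>'
UTF7_SHIFTED_INPUT = 'hello +ADw-b+AD4-bold+ADw-/b+AD4-'


def utf7_hidden_metachars(text):
    """Return the HTML metacharacters that only appear after UTF-7 decoding.

    Escaping sees '+ADw-' and '+AD4-' as harmless ASCII and passes them
    through unchanged; this check decodes each shift sequence the way a
    UTF-7-sniffing browser would and reports any markup characters it
    would produce.  Malformed sequences (e.g. the "++" in "C++") are
    rejected by the decoder and ignored.
    """
    found = set()
    for match in SHIFT_SEQ.finditer(text):
        try:
            decoded = match.group(0).encode('ascii').decode('utf-7')
        except UnicodeDecodeError:
            continue
        found.update(ch for ch in decoded if ch in HTML_METACHARS)
    return found


# The structural fix from the core advisory: the UTF-8 charset meta tag
# must be the first element in <head>, before any user-controlled output
# such as a <title> built from a node or book title.
HEAD = re.compile(r'<head[^>]*>(.*?)</head>', re.IGNORECASE | re.DOTALL)
META_CHARSET = re.compile(r'<meta\s[^>]*charset\s*=\s*["\']?utf-8',
                          re.IGNORECASE)

# Constructed head fragments (hypothetical templates, not Drupal's own).
VULNERABLE_HEAD = ('<html><head><title>User supplied title</title>'
                   '<meta http-equiv="Content-Type" '
                   'content="text/html; charset=utf-8" />'
                   '</head><body></body></html>')
FIXED_HEAD = ('<html><head>'
              '<meta http-equiv="Content-Type" '
              'content="text/html; charset=utf-8" />'
              '<title>User supplied title</title>'
              '</head><body></body></html>')


def charset_declared_first(html):
    """True if the first tag inside <head> declares the UTF-8 charset."""
    head = HEAD.search(html)
    if not head:
        return False
    first_tag = re.search(r'<[^>]+>', head.group(1))
    return bool(first_tag) and bool(META_CHARSET.match(first_tag.group(0)))


if __name__ == '__main__':
    for sample in (PLAIN_INPUT, UTF7_SHIFTED_INPUT, 'C++ and 1+1=2'):
        print(repr(sample), '->', sorted(utf7_hidden_metachars(sample)))
    print('vulnerable template ok:', charset_declared_first(VULNERABLE_HEAD))
    print('fixed template ok:', charset_declared_first(FIXED_HEAD))
```

The first check is a content-level heuristic suited to a review tool or a log scan; it is not a substitute for the template fix, because the real mitigation is to make sure the charset declaration (both the HTTP header and the meta tag) precedes anything an untrusted user can influence, which is what the second check verifies for a rendered page.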
-------- VERSIONS AFFECTED
---------------------------------------------------
* Versions of "Printer, e-mail and PDF versions" for Drupal 5.x prior to
5.x-4.7
* Versions of "Printer, e-mail and PDF versions" for Drupal 6.x prior to
6.x-1.7
Drupal core is not affected. If you do not use the contributed "Printer,
e-mail and PDF versions" module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use "Printer, e-mail and PDF versions" for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.7 [3]
* If you use "Printer, e-mail and PDF versions" for Drupal 6.x upgrade to
Printer, e-mail and PDF versions 6.x-1.7 [4]
-------- REPORTED BY
---------------------------------------------------------
Daniel F. Kudwien [5]
-------- FIXED BY
------------------------------------------------------------
João Ventura [6]
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/449078
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/node/461634
[4] http://drupal.org/node/461642
[5] http://drupal.org/user/54136
[6] http://drupal.org/user/122464
* Advisory ID: DRUPAL-SA-CONTRIB-2009-026
* Project: LoginToboggan (third-party module)
* Version: 6.x
* Date: 2009-May-13
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
LoginToboggan includes a setting which, if enabled, allows users to log in
using either their username or e-mail address. In some circumstances,
previously blocked users may still be able to access the site if this setting
is enabled.
-------- VERSIONS AFFECTED
---------------------------------------------------
* LoginToboggan 6.x-1.x prior to 6.x-1.5
LoginToboggan for Drupal 5.x is not affected by this vulnerability. Drupal
core is not affected. If you do not use the contributed LoginToboggan module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use LoginToboggan 6.x-1.x upgrade to LoginToboggan 6.x-1.5 [1]
As a temporary workaround, you may also disable the 'Allow users to login
using their e-mail address' setting at Administer -> User management ->
LoginToboggan. See also the LoginToboggan project page [2].
-------- REPORTED BY
---------------------------------------------------------
Chad Phillips [3] of the Drupal Security Team [4].
-------- FIXED BY
------------------------------------------------------------
Chad Phillips [5] of the Drupal Security Team [6].
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/461682
[2] http://drupal.org/project/logintoboggan
[3] http://drupal.org/user/22079
[4] http://drupal.org/security-team
[5] http://drupal.org/user/22079
[6] http://drupal.org/security-team