* Advisory ID: DRUPAL-SA-CONTRIB-2009-039
* Project: Links Package (third-party module)
* Version: 5.x, 6.x
* Date: 2009-June-25
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Links Package is a multi-module set for managing URL links in a master
directory, and attaching them in various ways to your content pages. The
Links Related module of the Links Package does not properly escape user input
used as the title on certain pages. A user with privileges to create content
could attempt a cross site scripting [1] (XSS) attack which may lead to the
user gaining full administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Links Package for Drupal 5.x prior to Links Package 5.x-1.13
* Links Package for Drupal 6.x prior to Links Package 6.x-1.2
Drupal core is not affected. If you do not use the contributed Links Package,
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Links Package for Drupal 5.x upgrade to Links Package 5.x-1.13 [2]
* If you use Links Package for Drupal 6.x upgrade to Links Package 6.x-1.2 [3]
See also the Links Package project page [4].
-------- REPORTED BY ---------------------------------------------------------
Stéphane Corlosquet [5] of the Drupal Security Team [6].
-------- FIXED BY ------------------------------------------------------------
Scott Courtney [7], the project maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/501356
[3] http://drupal.org/node/501360
[4] http://drupal.org/project/links
[5] http://drupal.org/user/52142
[6] http://drupal.org/security-team
[7] http://drupal.org/user/9184
* Advisory ID: DRUPAL-SA-CONTRIB-2009-038
* Project: Nodequeue (third-party module)
* Version: 5.x, 6.x
* Date: 2009-June-10
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Nodequeue module enables an administrator to arbitrarily put nodes in a
group for some purpose, such as providing a listing of nodes or featuring a
particular node. It suffers from a cross-site scripting [1] (XSS)
vulnerability due to not properly sanitizing vocabulary names before they are
displayed. Additionally, the module does not respect node access restrictions
when displaying node titles.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Nodequeue for Drupal 5.x prior to Nodequeue 5.x-2.7
* Nodequeue for Drupal 6.x prior to Nodequeue 6.x-2.2
Drupal core is not affected. If you do not use the contributed Nodequeue
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Nodequeue for Drupal 5.x upgrade to Nodequeue 5.x-2.7 [2]
* If you use Nodequeue for Drupal 6.x upgrade to Nodequeue 6.x-2.2 [3]
See also the Nodequeue project page [4].
-------- REPORTED BY ---------------------------------------------------------
* The XSS issue was reported by Justin C. Klein Keane [5].
* The access bypass issue was reported by Ezra Barnett Gildesgame [6].
-------- FIXED BY ------------------------------------------------------------
* The XSS issue was fixed by Justin C. Klein Keane [7].
* The access bypass issue was fixed by Ezra Barnett Gildesgame [8] and Earl
Miles [9].
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/488104
[3] http://drupal.org/node/488102
[4] http://drupal.org/project/nodequeue
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/69959
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/69959
[9] http://drupal.org/user/26979
* Advisory ID: DRUPAL-SA-CONTRIB-2009-037
* Project: Views
* Versions: 6.x-2.x
* Date: 2009-June-10
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS), Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Views module provides a flexible method for Drupal site designers to
control how lists of content are presented. In the Views UI administrative
interface, when configuring exposed filters, user input presented as possible
exposed filters is not correctly filtered, potentially allowing malicious
users to insert arbitrary HTML and script code into these pages. In addition,
content entered into the View name by users with the 'administer views'
permission when defining custom views is subsequently displayed without being
filtered. Such cross site scripting [1] (XSS) attacks may lead to a malicious
user gaining full administrative access.

An access bypass may exist where unpublished content owned by the anonymous
user (e.g. content created by a user whose account was later deleted) is
visible to any anonymous user, if a view has already been (incorrectly)
configured to show it. An additional access bypass may occur because Views
may generate queries that disregard node access control. Users may be able to
access private content if they have permission to see the resulting View.
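The following Drupal 6 PHP listing is an added illustration of the node access bypass described in this advisory and in the Nodequeue advisory above; it is not code from either module. The page callbacks listing_unsafe() and listing_safe() are hypothetical; every other call is the Drupal 6 core API.

```php
<?php
// Added example, not code from Nodequeue or Views. Function names are
// hypothetical; every other call is the Drupal 6 core API.

// VULNERABLE PATTERN: the query is sent as written, so node access grants
// are never consulted and unpublished nodes are listed for anyone. A node
// whose author account was deleted has uid 0 (the anonymous user), so such
// an unpublished node ends up visible to every anonymous visitor.
function listing_unsafe($type, $limit = 10) {
  $items = array();
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.type = '%s' ORDER BY n.created DESC";
  $result = db_query_range($sql, $type, 0, $limit);
  while ($row = db_fetch_object($result)) {
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return theme('item_list', $items);
}

// HARDENED PATTERN: let node access modules rewrite the query, then confirm
// each row with node_access() before printing it.
function listing_safe($type, $limit = 10) {
  global $user;
  $items = array();
  // Select the columns node_access() needs to decide: nid, uid, status, type.
  $sql = "SELECT n.nid, n.title, n.uid, n.status, n.type FROM {node} n WHERE n.type = '%s' ORDER BY n.created DESC";
  // db_rewrite_sql() adds the {node_access} join and grant conditions that
  // node access modules contribute through hook_db_rewrite_sql().
  $result = db_query_range(db_rewrite_sql($sql), $type, 0, $limit);
  while ($row = db_fetch_object($result)) {
    // Unpublished rows: only an authenticated author may see their own.
    // uid 0 never matches, which closes the deleted-author case above.
    if (!$row->status && ($user->uid == 0 || $row->uid != $user->uid)) {
      continue;
    }
    // node_access() is the authoritative per-node check; it also consults
    // the node type module's hook_access(), which SQL rewriting cannot.
    if (!node_access('view', $row)) {
      continue;
    }
    // l() runs check_plain() on its text, so the title cannot inject HTML.
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return theme('item_list', $items);
}
```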
-------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of Views for Drupal 6.x prior to 6.x-2.6
Drupal core is not affected. If you do not use the Views module, there is
nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use Views for Drupal 6.x upgrade to 6.x-2.6 [2]
In addition, preventing the node access bypass may require adding *node:
access filters* to the View manually if using relationships to nodes that
might be restricted. Also see the Views project page [3].
-------- REPORTED BY ---------------------------------------------------------
* The exposed filters XSS was reported by Derek Wright (dww [4]) of the
Drupal Security Team [5]
* The XSS from the view name was reported by Justin Klein Keane
(Justin_KleinKeane [6])
* The unpublished content access bypass was reported by Brandon Bergren
(bdragon [7])
* The node access query bypass was reported by Moshe Weitzman (moshe
weitzman [8]) of the Drupal Security Team [9]
-------- FIXED BY ------------------------------------------------------------
Earl Miles (merlinofchaos [10]), Views project maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact and by selecting the security
issues category.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/488082
[3] http://drupal.org/project/views
[4] http://drupal.org/user/46549
[5] http://drupal.org/security-team
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/53081
[8] http://drupal.org/user/23
[9] http://drupal.org/security-team
[10] http://drupal.org/user/26979
* Advisory ID: SA-CONTRIB-2009-036
* Project: Services (third-party module)
* Version: 6.x
* Date: 2009-June-10
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Impersonation
-------- DESCRIPTION ---------------------------------------------------------
The Services module provides integration of external applications with
Drupal. Service callbacks may be used through multiple interfaces such as
XMLRPC, SOAP, REST and AMF. When key-based access is enabled, any user may
view or add keys, allowing a third party to access services they would not
otherwise be able to access. The services that can be exploited depend on the
access control checks that are in place on a given client site.
-------- VERSIONS AFFECTED ---------------------------------------------------
Services for 6.x before version 6.x-0.14. Drupal core is not affected. If you
do not use the contributed Services module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version: If you are running Services 6.x then upgrade
to Services 6.x-0.14 [1]. If you are running a development version of
Services module please upgrade to a version dated later than 9th June 2009.
See also the Services [2] project page.
-------- REPORTED BY ---------------------------------------------------------
Gerhard Killesreiter [3] of the Drupal Security Team.
-------- FIXED BY ------------------------------------------------------------
Marc Ingram [4].
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/487784
[2] http://drupal.org/project/services
[3] http://drupal.org/user/227
[4] http://drupal.org/user/77320
* Advisory ID: DRUPAL-SA-CONTRIB-2009-035
* Project: Booktree (third-party module)
* Version: 5.x, 6.x
* Date: 2009-June-10
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Booktree takes as input a series of Book nodes and creates a tree-like
structure using Book node relationships. The Booktree module does not properly
escape the node title and node body on tree root pages. A user with privileges
to create book pages could attempt a cross site scripting [1] (XSS) attack
which may lead to the user gaining full administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Booktree for Drupal 5.x prior to Booktree 5.x-7.3
* Booktree for Drupal 6.x prior to Booktree 6.x-1.1
Drupal core is not affected. If you do not use the contributed Booktree
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Booktree for Drupal 5.x upgrade to Booktree 5.x-7.3 [2]
* If you use Booktree for Drupal 6.x upgrade to Booktree 6.x-1.1 [3]
See also the Booktree project page [4].
-------- REPORTED BY ---------------------------------------------------------
Stéphane Corlosquet [5] of the Drupal Security Team [6].
-------- FIXED BY ------------------------------------------------------------
Uccio [7].
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/487812
[3] http://drupal.org/node/487810
[4] http://drupal.org/project/booktree
[5] http://drupal.org/user/52142
[6] http://drupal.org/security-team
[7] http://drupal.org/user/32370
* Advisory ID: DRUPAL-SA-CONTRIB-2009-034
* Project: Taxonomy manager (third-party module)
* Version: 5.x, 6.x
* Date: 2009-June-10
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Taxonomy manager module provides additional tools for administering
taxonomy through Drupal. A vocabulary gets displayed in a dynamic tree view,
where parent terms can be expanded to list their nested child terms or can be
collapsed. The module does not properly escape some user-supplied data,
allowing malicious users to insert arbitrary HTML and script code into the
administrative pages provided by this module. A user who has the 'administer
taxonomy' permission, and (depending on configuration) a user able to add
taxonomy terms via free tagging, could attempt a cross site scripting [1]
(XSS) attack which may lead to the user gaining full administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Taxonomy manager 6.x prior to 6.x-1.1
* Taxonomy manager 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the contributed Taxonomy
manager module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Taxonomy manager 6.x upgrade to Taxonomy manager 6.x-1.1 [2]
* If you use Taxonomy manager 5.x upgrade to Taxonomy manager 5.x-1.2 [3]
See also the Taxonomy manager [4] project page.
-------- REPORTED BY ---------------------------------------------------------
Justin Klein Keane (Justin_KleinKeane [5])
-------- FIXED BY ------------------------------------------------------------
Matthias Hutterer (mh86 [6], the maintainer) and Justin Klein Keane
(Justin_KleinKeane [7])
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/487602
[3] http://drupal.org/node/487620
[4] http://drupal.org/project/taxonomy_manager
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/59747
[7] http://drupal.org/user/302225
* Advisory ID: DRUPAL-SA-CONTRIB-2009-033
* Project: Quiz (third-party module)
* Version: 5.x, 6.x
* Date: 2009-June-03
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Quiz module provides tools for authoring and administering quizzes
through Drupal. A quiz is given as a series of questions, with only one
question appearing per page. Scores are then stored in the database. The
module does not properly escape user-supplied data on some pages, allowing
malicious users to insert arbitrary HTML and script code into these pages. A
user who has access to create quizzes or quiz questions could attempt a cross
site scripting [1] (XSS) attack which may lead to the user gaining full
administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* All versions of Quiz for Drupal 5.x
* Quiz 6.x-2.x prior to 6.x-2.2
* Quiz 6.x-3.x prior to 6.x-3.0
Drupal core is not affected. If you do not use the contributed Quiz module,
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use Drupal 5.x, uninstall the Quiz module, which has been marked
unmaintained for six months, or upgrade to Quiz for Drupal 6.x. If you use
Drupal 6.x, install the latest version:
* If you use Quiz 6.x-2.x upgrade to Quiz 6.x-2.2 [2]
* If you use Quiz 6.x-3.x upgrade to Quiz 6.x-3.0 [3]
See also the Quiz [4] project page.
-------- REPORTED BY ---------------------------------------------------------
Matt Butcher [5] and Stéphane Corlosquet [6] of the Drupal Security Team.
-------- FIXED BY ------------------------------------------------------------
Matt Butcher [7], sivaji [8] and Stéphane Corlosquet [9] of the Drupal
Security Team.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/481270
[3] http://drupal.org/node/481274
[4] http://drupal.org/project/quiz
[5] http://drupal.org/user/201798
[6] http://drupal.org/user/52142
[7] http://drupal.org/user/201798
[8] http://drupal.org/user/328724
[9] http://drupal.org/user/52142
* Advisory ID: DRUPAL-SA-CONTRIB-2009-032
* Project: Webform (third-party module)
* Versions: 5.x, 6.x
* Date: 2009-June-03
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting
-------- DESCRIPTION ---------------------------------------------------------
The Webform module provides a node type which is typically used to enable
site visitors to fill in questionnaires, contact or request/registration
forms, surveys, polls, or other forms on a Drupal site. When displaying the
results of Webform submissions, the module does not properly filter user
entered data, leading to a cross-site scripting [1] (XSS) vulnerability on
sites with a specific configuration of input formats that would normally be
safe. Such an attack carried out against a sufficiently privileged user may
lead a malicious user to gain administrator access to the site.
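The following Drupal 6 PHP fragment is an added illustration of the output-escaping defect shared by this advisory and the Links Package, Booktree, Taxonomy manager and Quiz advisories above; it is not code from any of those modules. The page callbacks tree_root_page_unsafe() and tree_root_page() are hypothetical; every other call is the Drupal 6 core API.

```php
<?php
// Added example, not code from any module named in these advisories.
// tree_root_page_unsafe() and tree_root_page() are hypothetical page
// callbacks; every other call is the Drupal 6 core API.

// VULNERABLE PATTERN: node title, node body and term names are printed as
// they were stored. Whoever may create the node or add a term decides what
// runs in the browser of the administrator who views this page.
function tree_root_page_unsafe($nid) {
  $node = node_load($nid);
  drupal_set_title($node->title);                          // unescaped
  $out = '<h3>' . $node->title . '</h3>';                  // unescaped
  $out .= '<div class="body">' . $node->body . '</div>';   // unfiltered
  foreach (taxonomy_node_get_terms($node) as $term) {
    $out .= ' <span class="tag">' . $term->name . '</span>';
  }
  return $out;
}

// HARDENED PATTERN: plain-text values go through check_plain() at the point
// of output; the body is rendered with the input format it was saved under.
function tree_root_page($nid) {
  $node = node_load($nid);
  if (!$node) {
    return MENU_NOT_FOUND;
  }
  if (!node_access('view', $node)) {
    return MENU_ACCESS_DENIED;
  }
  // drupal_set_title() expects HTML in Drupal 6, so the caller escapes.
  drupal_set_title(check_plain($node->title));
  $out = '<h3>' . check_plain($node->title) . '</h3>';
  // $check = FALSE: apply the format the author saved the body in, without
  // testing whether the current viewer may use that format. Re-rendering
  // with another format, or with none, is how unfiltered markup gets out.
  $out .= '<div class="body">' . check_markup($node->body, $node->format, FALSE) . '</div>';
  foreach (taxonomy_node_get_terms($node) as $term) {
    // l() runs check_plain() on its link text unless 'html' => TRUE is
    // passed; free-tagging term names are user-chosen plain text.
    $out .= ' ' . l($term->name, taxonomy_term_path($term));
  }
  return $out;
}
```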
-------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of Webform for Drupal 5.x prior to 5.x-2.7
* Versions of Webform for Drupal 6.x prior to 6.x-2.7
Drupal core is not affected. If you do not use the contributed Webform
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Webform for Drupal 5.x, upgrade to Webform 5.x-2.7 [2].
* If you use Webform for Drupal 6.x, upgrade to Webform 6.x-2.7 [3].
See also the Webform project page [4].
-------- REPORTED BY ---------------------------------------------------------
David Rothstein [5]
-------- FIXED BY ------------------------------------------------------------
Nathan Haug (quicksketch [6]) and David Rothstein [7] of the Drupal Security
Team [8]
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/481260
[3] http://drupal.org/node/481258
[4] http://drupal.org/project/webform
[5] http://drupal.org/user/124982
[6] http://drupal.org/user/35821
[7] http://drupal.org/user/124982
[8] http://drupal.org/security-team