* Advisory ID: DRUPAL-SA-CONTRIB-2009-054
* Project: Go - url redirects (third-party module)
* Versions: 5.x, 6.x
* Date: 2009 August 26
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Go - url redirects (gotwo) module adds the option to add redirected URLs.
This module was found to have multiple vulnerabilities.
.... Arbitrary PHP code execution
Due to improper use of the PCRE regular expression engine, users with
permission to use the input filter provided by the module are able to execute
arbitrary PHP code on the server.
.... Cross-site scripting (XSS)
User-supplied text is displayed in several places without being properly
filtered, allowing malicious users to inject arbitrary HTML and script code.
Such a cross site scripting [1] (XSS) attack may lead to a malicious user
gaining full administrative access.
.... Access bypass and cross-site request forgery
Due to coding errors, users may be able to add redirects or reset redirect
counters without having permission to do so.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of "Go - url redirects" for Drupal 5.x prior to 5.x-1.4
* Versions of "Go - url redirects" for Drupal 6.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed "Go - url
redirects" module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use "Go - url redirects" for Drupal 5.x upgrade to Go - url
redirects 5.x-1.4 [2]
* If you use "Go - url redirects" for Drupal 6.x upgrade to Go - url
redirects 6.x-1.1 [3]
See also the Go - url redirects project page [4].
-------- REPORTED BY ---------------------------------------------------------
* John Morahan [5] of the Drupal security team
* Alexander Hass [6], co-maintainer of the gotwo module
-------- FIXED BY ------------------------------------------------------------
Alexander Hass [7]
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/560336
[3] http://drupal.org/node/560332
[4] http://drupal.org/project/gotwo
[5] http://drupal.org/user/58170
[6] http://drupal.org/user/85918
[7] http://drupal.org/user/85918
* Advisory ID: DRUPAL-SA-CONTRIB-2009-053
* Project: Ajax Table (third-party module)
* Version: 5.x
* Date: 2009-Aug-26
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Ajax Table module allows one to create AJAX-refreshable tables by
supplying a few parameters.
.... Access bypass
The module lacks access checks, which makes it possible for any user to
delete arbitrary users and nodes. The module contains a number of security
issues.
.... Cross site scripting
The module doesn't escape certain user supplied values. Malicious users can
use this to insert arbitrary HTML and script content into pages. Such a cross
site scripting [1] attack may even lead to the malicious user gaining
administrator access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Ajax Table for Drupal 5.x
Drupal core is not affected. If you do not use the contributed Ajax Table
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
There is no solution available. Please disable the module and remove it from
your server.
-------- REPORTED BY ---------------------------------------------------------
Franz Heinzmann [2]
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/user/21850
* Advisory ID: DRUPAL-SA-CONTRIB-2009-052
* Project: Printer, e-mail and PDF versions (Print) (third-party modules)
* Version: 5.x, 6.x
* Date: 2009-August-19
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Printer, e-mail and PDF versions ("Print") module provides
printer-friendly versions of content. The module doesn't properly escape a
number of user-supplied variables before output. A user who has the
permission to add content could attempt a cross site scripting [1] (XSS)
attack which may in some cases lead to the user gaining full administrative
access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Print versions 6.x prior to 6.x-1.8
* Print versions 5.x prior to 5.x-4.8
Drupal core is not affected. If you do not use the contributed Print module,
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Print module on Drupal 6.x upgrade to 6.x-1.8 [2]
* If you use the Print module on Drupal 5.x upgrade to 5.x-4.8 [3]
See also the Print module project page [4].
-------- REPORTED BY ---------------------------------------------------------
Justin Klein Keane [5].
-------- FIXED BY ------------------------------------------------------------
João Ventura [6], the "Printer, e-mail and PDF versions" project maintainer,
with assistance from Ben Jeavons [7] of the Drupal Security Team [8]
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/554328
[3] http://drupal.org/node/554326
[4] http://drupal.org/project/print
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/91990
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2009-051
* Project: ImageCache (third-party modules)
* Version: 5.x, 6.x
* Date: 2009-August-19
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
ImageCache allows one to set up presets for image processing to create
derivatives. ImageCache will dynamically generate a derivative on access if
it doesn't exist.
.... Cross site scripting
Users with the "administer imagecache" permission are able to execute cross
site scripting [1] attacks because the ImageCache module doesn't properly
escape a number of user-supplied preset variables before output.
.... Access bypass
ImageCache doesn't properly check access to originals when generating
derivative images. When the private filesystem is enabled, and access to
images is restricted, unprivileged users may still access an image if they
know the image's filename.
-------- VERSIONS AFFECTED ---------------------------------------------------
* ImageCache versions for Drupal 5.x prior to 5.x-2.5
* ImageCache versions for Drupal 6.x prior to 6.x-2.0-beta10
Drupal core is not affected. If you do not use the contributed ImageCache
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use ImageCache on Drupal 5.x upgrade to 5.x-2.5 [2]
* If you use ImageCache on Drupal 6.x upgrade to 6.x-2.0-beta10 [3]
Beta software is not recommended for use on production sites. Such releases
are not supported by the security team. Nevertheless, the maintainer elected
to release 6.x-2.0-beta10 fixing the issues described in this announcement.
See also the ImageCache project page [4].
-------- REPORTED BY ---------------------------------------------------------
* The cross site scripting was reported by Justin Klein Keane [5].
* The access bypass was reported by Karl Scheirer [6].
-------- FIXED BY ------------------------------------------------------------
Andrew Morton [7] (the module maintainer).
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/554086
[3] http://drupal.org/node/554090
[4] http://drupal.org/project/imagecache
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/128191
[7] http://drupal.org/user/34869
* Advisory ID: DRUPAL-SA-CONTRIB-2009-050
* Project: Webform report (third-party module)
* Version: All
* Date: 2009-Aug-5
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
-------- DESCRIPTION ---------------------------------------------------------
Webform report [1] allows users to create simple, dynamic reports based on
data collected by the webform module. When displaying the results of Webform
submissions, the module does not properly escape user entered data, leading
to a cross-site scripting [2] (XSS) vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Webform for Drupal 5.x
* Webform for Drupal 6.x
Drupal core is not affected. If you do not use the contributed webform report
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
There is no solution available. Please disable the module and remove it from
your server.
-------- REPORTED BY ---------------------------------------------------------
Stéphane Corlosquet [3]
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/project/webform_report
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/user/52142
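
Added example (not part of the advisories and not Drupal project code): a Python check that flags installed module releases covered by the five advisories above, using the fixed versions they list. The "ajax_table" key and the sample inventory are constructed for illustration; -dev snapshots are flagged for review because they cannot be ordered against a tagged fix.

```python
import re

# Fixed releases as listed in the advisories above. None = no fixed release
# (disable and remove the module). "ajax_table" is an assumed key name.
FIXED = {
    "gotwo": {"5.x": "5.x-1.4", "6.x": "6.x-1.1"},
    "print": {"5.x": "5.x-4.8", "6.x": "6.x-1.8"},
    "imagecache": {"5.x": "5.x-2.5", "6.x": "6.x-2.0-beta10"},
    "ajax_table": {"5.x": None},
    "webform_report": {"5.x": None, "6.x": None},
}

_RELEASE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$")
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # final release sorts last

def parse(version):
    """Return (core, sort key) for a tagged release, or None for anything
    else (for example a -dev snapshot). Numbers are compared as integers
    so that beta9 sorts before beta10."""
    m = _RELEASE.match(version)
    if not m:
        return None
    core, major, patch, stage, n = m.groups()
    return core, (int(major), int(patch), _STAGE[stage], int(n or 0))

def is_affected(module, installed):
    """True if the installed release falls under one of the advisories."""
    if module not in FIXED:
        return False
    parsed = parse(installed)
    if parsed is None:
        return True  # cannot be ordered against the fix: flag for review
    core, key = parsed
    if core not in FIXED[module]:
        return False
    fixed = FIXED[module][core]
    return fixed is None or key < parse(fixed)[1]

def audit(inventory):
    """Return the (module, release) pairs that need action."""
    return [(m, v) for m, v in inventory if is_affected(m, v)]

# Constructed sample inventory, not taken from any real site.
SAMPLE = [("gotwo", "6.x-1.0"), ("gotwo", "5.x-1.4"), ("print", "5.x-4.7"),
          ("imagecache", "6.x-2.0-beta9"), ("imagecache", "6.x-2.0-beta10"),
          ("ajax_table", "5.x-1.0"), ("imagecache", "6.x-2.x-dev")]

if __name__ == "__main__":
    for module, release in audit(SAMPLE):
        print(f"{module} {release}: affected, see advisory")
```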