* Advisory ID: DRUPAL-SA-CONTRIB-2010-101
* Project: Watcher
* Version: 5.x, 6.x
* Date: 2010-October-27
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Scripting and Cross-site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Watcher module lets users subscribe to nodes so they receive email
notifications when comments are posted or nodes are changed. The Watcher
module did not sanitize some of the user supplied data before displaying it,
leading to a Cross Site Scripting (XSS [1]) vulnerability which can be used
by a malicious user to gain full administrative access. The Watcher module
did not protect the subscribe and unsubscribe links against Cross-site
Request Forgeries (CSRF [2]).
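The two defects described above, as an added Drupal 6 example that is not the Watcher module's own code: a subscribe/unsubscribe link protected by a session-bound token, the menu callback that validates it, and output escaping with check_plain(). The paths, function names and the {example_watch} table are assumptions.

```php
<?php
// Added example, not the Watcher module's code. Hypothetical Drupal 6 helpers
// for a node subscription link, showing the two fixes the advisory describes:
// a CSRF token on the subscribe/unsubscribe link and output escaping.
// {example_watch}(uid, nid) is an assumed table.

// Builds the link with a token bound to the session and to the exact path,
// so a URL forged on another site cannot carry a valid token.
function example_watch_link($node, $subscribed) {
  $action = $subscribed ? 'unsubscribe' : 'subscribe';
  $path = "example/watch/$action/$node->nid";
  $text = $subscribed ? t('Unsubscribe') : t('Subscribe');
  return l($text, $path, array('query' => 'token=' . drupal_get_token($path)));
}

// Menu callback for example/watch/%/%: refuses the request unless the token
// matches, then changes the subscription of the current user only.
function example_watch_toggle($action, $nid) {
  global $user;
  $path = "example/watch/$action/$nid";
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!$user->uid || !drupal_valid_token($token, $path)) {
    return drupal_access_denied();
  }
  $nid = (int) $nid;
  // Remove first so a repeated subscribe request cannot create duplicates.
  db_query("DELETE FROM {example_watch} WHERE uid = %d AND nid = %d", $user->uid, $nid);
  if ($action == 'subscribe') {
    db_query("INSERT INTO {example_watch} (uid, nid) VALUES (%d, %d)", $user->uid, $nid);
  }
  drupal_set_message(t('Your subscription has been updated.'));
  drupal_goto("node/$nid");
}

// Renders a user-supplied value for display: check_plain() turns "<script>"
// into inert text, which is the sanitisation the advisory says was missing.
function example_watch_render_label($raw) {
  return '<span class="watch-label">' . check_plain($raw) . '</span>';
}
```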
-------- VERSIONS AFFECTED ---------------------------------------------------
* Watcher for Drupal 5.x prior to Watcher 5.x-1.7
* Watcher for Drupal 6.x prior to Watcher 6.x-1.4
Drupal core is not affected. If you do not use the contributed Watcher module
[3], there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Watcher for Drupal 5.x upgrade to Watcher 5.x-1.7 [4]
* If you use Watcher for Drupal 6.x upgrade to Watcher 6.x-1.4 [5]
See also the Watcher [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Jakob Persson (solipsist [8]), module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [9] can be reached at security at drupal.org or
via the form at http://drupal.org/contact [10].
Read more about the Security Team and Security Advisories at
http://drupal.org/security [11].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/project/watcher
[4] http://drupal.org/node/953740
[5] http://drupal.org/node/953738
[6] http://drupal.org/project/watcher
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/37564
[9] http://drupal.org/security-team
[10] http://drupal.org/contact
[11] http://drupal.org/security
* Advisory ID: DRUPAL-SA-CONTRIB-2010-100
* Projects: Ubuntu Drupal Theme - Brown
* Version: 5.x, 6.x
* Date: 2010-October-20
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Directory traversal and information disclosure
-------- DESCRIPTION ---------------------------------------------------------
The Ubuntu Drupal Theme - Brown is designed to mimic the old ubuntu.com. The
theme used a PHP file to generate a gradient image on the fly. User input
from the URL was not properly validated in this PHP code, leading to a
directory traversal vulnerability where the contents of any file readable by
the webserver may be displayed to the remote user, potentially revealing
sensitive information.
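A hardened shape for a script of this kind, as an added example that is not the theme's own code: the URL parameter selects a colour preset, and the file lookup is confined to one directory by a character whitelist plus a canonical-path check before anything is read. The preset directory, file format and parameter name are assumptions.

```php
<?php
// Added example, not the theme's own code. Hypothetical stand-alone gradient
// script whose URL parameter selects a colour preset file; the lookup is
// confined to one directory so a request cannot name other readable files.
define('PRESET_DIR', dirname(__FILE__) . '/presets');

// Canonical path of the preset file for $name, or FALSE when the name is
// malformed or resolves outside PRESET_DIR.
function gradient_preset_path($name) {
  // Whitelist the characters first: "../", NUL bytes and slashes never pass.
  if (!preg_match('/^[a-z0-9_-]{1,32}$/', $name)) {
    return FALSE;
  }
  $base = realpath(PRESET_DIR);
  $path = realpath(PRESET_DIR . '/' . $name . '.txt');
  // realpath() resolves symlinks and "..", so the canonical-prefix check is
  // the final gate even if the whitelist is relaxed later.
  if ($base === FALSE || $path === FALSE
      || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    return FALSE;
  }
  return $path;
}

// Parses "#rrggbb,#rrggbb" into two RGB triples; FALSE on any other content.
function gradient_parse_colours($text) {
  if (!preg_match('/^#([0-9a-f]{6}),#([0-9a-f]{6})$/i', trim($text), $m)) {
    return FALSE;
  }
  return array(array_map('hexdec', str_split($m[1], 2)),
               array_map('hexdec', str_split($m[2], 2)));
}

$path = gradient_preset_path(isset($_GET['preset']) ? $_GET['preset'] : 'default');
$colours = $path ? gradient_parse_colours(file_get_contents($path)) : FALSE;
if ($colours === FALSE) {
  header('HTTP/1.0 400 Bad Request');
  exit;
}
list($from, $to) = $colours;
$height = 100;
$img = imagecreatetruecolor(1, $height);
for ($y = 0; $y < $height; $y++) {
  $t = $y / ($height - 1);
  imagesetpixel($img, 0, $y, imagecolorallocate($img,
    (int) round($from[0] + ($to[0] - $from[0]) * $t),
    (int) round($from[1] + ($to[1] - $from[1]) * $t),
    (int) round($from[2] + ($to[2] - $from[2]) * $t)));
}
header('Content-Type: image/png');
imagepng($img);
```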
-------- VERSIONS AFFECTED ---------------------------------------------------
* Ubuntu Drupal Theme - Brown all versions on all branches prior to 6.x-8.1
* Ubuntu Drupal Theme - Brown for Drupal 5.x
Drupal core is not affected. If you do not use the contributed Ubuntu Drupal
Theme - Brown [1], there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Ubuntu Drupal Theme - Brown for Drupal 6.x (any prior
version on any branch), upgrade to Ubuntu Drupal Theme - Brown 6.x-8.1 [2]
* If you use the Ubuntu Drupal Theme - Brown for Drupal 5.x, it is no longer
supported and should be disabled or the 6.x fix applied
See also the Ubuntu Drupal Theme - Brown project page [3].
-------- REPORTED BY ---------------------------------------------------------
* Steve Foris
-------- FIXED BY ------------------------------------------------------------
* MTecknology [4], the Ubuntu Drupal theme maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [5] can be reached at security at drupal.org or
via the form at http://drupal.org/contact [6].
Read more about the Security Team and Security Advisories at
http://drupal.org/security [7].
[1] http://drupal.org/project/udtheme
[2] http://drupal.org/node/947670
[3] http://drupal.org/project/udtheme
[4] http://drupal.org/user/302171
[5] http://drupal.org/security-team
[6] http://drupal.org/contact
[7] http://drupal.org/security
* Advisory ID: DRUPAL-SA-CONTRIB-2010-099
* Project: Views Bulk Operations (third-party module)
* Version: 6.x
* Date: 2010-October-6
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Views Bulk Operations augments Views by allowing bulk operations to be
executed on the nodes and users displayed by a view. It does so by showing a
checkbox in front of each item, and adding a select box containing operations
that can be applied on the selected items. In some circumstances, a malicious
user could use Views Bulk Operation to cause user 0 (the anonymous user) to
be deleted. The effects of deleting user 0 vary depending on the system
configuration and the use of other contributed modules, ranging from trivial
errors to significant loss of functionality. The risk is mitigated by the
fact that a malicious user would need permission to a view that lets him/her
manage users through Views Bulk Operations in order to exploit this
vulnerability.
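The guard this advisory implies, as an added Drupal 6 example that is not the Views Bulk Operations code: form handlers for a bulk user deletion that normalise the client-supplied selection to integer uids, refuse uid 0, and re-check the permission before deleting. The form element name and function names are assumptions.

```php
<?php
// Added example, not the Views Bulk Operations code. Hypothetical Drupal 6
// validation and submit handlers for a bulk "delete users" form: selected ids
// are cast to integers and uid 0 (the anonymous account) is never deleted.

// Normalises checkbox values into a list of positive integer uids. Returns
// FALSE if any selected value is not a valid, deletable uid.
function example_bulk_selected_uids($values) {
  $uids = array();
  foreach ((array) $values as $key => $checked) {
    if (!$checked) {
      continue;
    }
    // The key comes from the client; "0", "abc" or "" are all rejected.
    if (!preg_match('/^[1-9][0-9]*$/', (string) $key)) {
      return FALSE;
    }
    $uids[] = (int) $key;
  }
  return array_values(array_unique($uids));
}

function example_bulk_delete_form_validate($form, &$form_state) {
  // The permission is checked here, not only when the view was built.
  if (!user_access('administer users')) {
    form_set_error('', t('You are not allowed to delete users.'));
    return;
  }
  $selection = isset($form_state['values']['selection']) ? $form_state['values']['selection'] : array();
  if (example_bulk_selected_uids($selection) === FALSE) {
    form_set_error('selection', t('The selection contains an account that cannot be deleted.'));
  }
}

function example_bulk_delete_form_submit($form, &$form_state) {
  foreach (example_bulk_selected_uids($form_state['values']['selection']) as $uid) {
    user_delete(array(), $uid);
  }
  drupal_set_message(t('The selected accounts have been deleted.'));
}
```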
-------- VERSIONS AFFECTED ---------------------------------------------------
* Views Bulk Operations for Drupal 6 prior to 6.x-1.10
Drupal core is not affected. If you do not use the contributed Views Bulk
Operations [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Views Bulk Operations module for Drupal 6.x upgrade to
Views Bulk Operations 6.x-1.10 [2]
See also the Views Bulk Operations [3] project page.
-------- REPORTED BY ---------------------------------------------------------
* Joonas Kiminki (onaz [4])
* Teemu Merikoski (tcmug [5])
-------- FIXED BY ------------------------------------------------------------
* Joonas Kiminki (onaz [6])
* Teemu Merikoski (tcmug [7])
-------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [9].
[1] http://drupal.org/project/views_bulk_operations
[2] http://drupal.org/node/933596
[3] http://drupal.org/project/views_bulk_operations
[4] http://drupal.org/user/158968
[5] http://drupal.org/user/515884
[6] http://drupal.org/user/158968
[7] http://drupal.org/user/515884
[8] http://drupal.org/security-team
[9] http://drupal.org/contact