Security-news October 2010

security-news@drupal.org

1 participants
3 discussions

SA-CONTRIB-2010-101 - Watcher - Multiple Vulnerabilities
by security-news＠drupal.org 28 Oct '10

28 Oct '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-101 * Project: Watcher * Version: 5.x, 6.x * Date: 2010-October-27 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross-site Scripting and Cross-site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Watcher module lets users subscribe to nodes so they receive email notifications when comments are posted or nodes are changed. The Watcher module did not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability which can be used by a malicious user to gain full administrative access. The Watcher module did not protect the subscribe and unsubscribe links against Cross-site Request Forgeries (CSRF [2]). -------- VERSIONS AFFECTED --------------------------------------------------- * Watcher for Drupal 5.x prior to Watcher 5.x-1.7 * Watcher for Drupal 6.x prior to Watcher 6.x-1.4 Drupal core is not affected. If you do not use the contributed Watcher [3], there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Watcher for Drupal 5.x upgrade to Watcher 5.x-1.7 [4] * If you use Watcher for Drupal 6.x upgrade to Watcher 6.x-1.4 [5] See also the Watcher [6] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Jakob Persson (solipsist [8]), module maintainer -------- CONTACT ------------------------------------------------------------- The security team for Drupal [9] can be reached at security at drupal.org or via the form at http://drupal.org/contact [10]. Read more about the Security Team and Security Advisories at http://drupal.org/security [11]. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://en.wikipedia.org/wiki/Csrf [3] http://drupal.org/project/watcher [4] http://drupal.org/node/953740 [5] http://drupal.org/node/953738 [6] http://drupal.org/project/watcher [7] http://drupal.org/user/383424 [8] http://drupal.org/user/37564 [9] http://drupal.org/security-team [10] http://drupal.org/contact [11] http://drupal.org/security

1 0

SA-CONTRIB-2010-100 - Ubuntu Drupal Theme - Directory traversal and information disclosure
by security-news＠drupal.org 20 Oct '10

20 Oct '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-100 * Projects: Ubuntu Drupal Theme - Brown * Version: 5.x, 6.x * Date: 2010-October-20 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Directory traversal and information disclosure -------- DESCRIPTION --------------------------------------------------------- This Ubuntu Drupal Theme - Brown is designed to mimic the old ubuntu.com. The theme used a PHP file to generate a gradient image on the fly. User input from the URL is not properly validated in this PHP code, leading to a directory traversal vulnerability where the contents of any file readable by the webserver may be displayed to the remote user, potentially revealing sensitive information. -------- VERSIONS AFFECTED --------------------------------------------------- * Ubuntu Drupal Theme - Brown all versions on all branches prior to 6.x-8.1 * Ubuntu Drupal Theme - Brown for Drupal 5.x Drupal core is not affected. If you do not use the contributed Ubuntu Drupal Theme - Brown [1], there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ubuntu Drupal Theme - Brown for Drupal 6.x (any prior version on any branch), upgrade to Ubuntu Drupal Theme - Brown 6.x-8.1 [2] * If you use the Ubuntu Drupal Theme - Brown for Drupal 5.x, it is no longer supported and should be disabled or the 6.x fix applied See also the Ubuntu Drupal Theme - Brown project page [3]. -------- REPORTED BY --------------------------------------------------------- * Steve Foris -------- FIXED BY ------------------------------------------------------------ * MTecknology [4], the Ubuntu Drupal theme maintainer -------- CONTACT ------------------------------------------------------------- The security team for Drupal [5] can be reached at security at drupal.org or via the form at http://drupal.org/contact [6]. Read more about the Security Team and Security Advisories at http://drupal.org/security [7]. [1] http://drupal.org/project/udtheme [2] http://drupal.org/node/947670 [3] http://drupal.org/project/udtheme [4] http://drupal.org/user/302171 [5] http://drupal.org/security-team [6] http://drupal.org/contact [7] http://drupal.org/security

1 0

SA-CONTRIB-2010-099 - Views Bulk Operations - Access Bypass
by security-news＠drupal.org 06 Oct '10

06 Oct '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-099 * Project: Views Bulk Operations (third-party module) * Version: 6.x * Date: 2010-October-6 * Security risk: Not critical * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Views Bulk Operations augments Views by allowing bulk operations to be executed on the nodes and users displayed by a view. It does so by showing a checkbox in front of each item, and adding a select box containing operations that can be applied on the selected items. In some circumstances, a malicious user could use Views Bulk Operation to cause user 0 (the anonymous user) to be deleted. The effects of deleting user 0 vary depending on the system configuration and the use of other contributed modules, ranging from trivial errors to significant loss of functionality. The risk is mitigated by the fact that a malicious user would need permission to a view that lets him/her manage users through Views Bulk Operations in order to exploit this vulnerability. -------- VERSIONS AFFECTED --------------------------------------------------- * Views Bulk Operations for Drupal 6 prior to 6.x-1.10 Drupal core is not affected. If you do not use the contributed Views Bulk Operations [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Views Bulk Operations module for Drupal 6.x upgrade to Views Bulk Operations 6.x-1.10 [2] See also the Views Bulk Operations [3] project page. -------- REPORTED BY --------------------------------------------------------- * Joonas Kiminki (onaz [4]) * Teemu Merikoski (tcmug [5]) -------- FIXED BY ------------------------------------------------------------ * Joonas Kiminki (onaz [6]) * Teemu Merikoski (tcmug [7]) -------- CONTACT ------------------------------------------------------------- The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact [9]. [1] http://drupal.org/project/views_bulk_operations [2] http://drupal.org/node/933596 [3] http://drupal.org/project/views_bulk_operations [4] http://drupal.org/user/158968 [5] http://drupal.org/user/515884 [6] http://drupal.org/user/158968 [7] http://drupal.org/user/515884 [8] http://drupal.org/security-team [9] http://drupal.org/contact

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news October 2010