* Advisory ID: DRUPAL-SA-CONTRIB-2010-113
* Project: Image (third-party module)
* Version: 5.x, 6.x
* Date: 2010-December-22
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Image module project contains supplemental modules, one of which, Image
gallery, allows users to create and maintain galleries of image nodes using
taxonomy terms.
The Image gallery module does not sanitize some user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability
which can be used by a malicious user to gain full administrative access.
*Mitigating factors*: In order to exploit this vulnerability the Image
gallery module must be enabled and the attacker must have the ability to edit
or create image galleries.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Image module for Drupal 6.x prior to 6.x-1.1
* Image module for Drupal 5.x prior to 5.x-2.0
* Image module for Drupal 5.x prior to 5.x-1.10
Drupal core is not affected. If you do not use the contributed Image module
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Image for Drupal 6.x upgrade to Image 6.x-1.1 [2].
* If you use Image 5.x-2.0-alpha5 or lower for Drupal 5.x upgrade to Image
5.x-2.0 [3].
* If you use Image 5.x-1.9 or lower for Drupal 5.x upgrade to Image 5.x-1.10
[4].
See also the Image project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Justin Klein Keane [6]
-------- FIXED BY ------------------------------------------------------------
* sun [7], module maintainer
* joachim [8], module maintainer
* Justin Klein Keane [9]
-------- CONTACT -------------------------------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact [10].
Learn more about the team and their policies [11], writing secure code for
Drupal [12], and secure configuration [13] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/1004800
[3] http://drupal.org/node/1004802
[4] http://drupal.org/node/1004804
[5] http://drupal.org/project/image
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/54136
[8] http://drupal.org/user/107701
[9] http://drupal.org/user/302225
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2010-112
* Project: oEmbed (third-party module)
* Version: 6.x
* Date: 2010-December-22
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The oEmbed module allows a Drupal site to embed content from oEmbed providers
and also lets a site become an oEmbed provider itself so that other
oEmbed-enabled websites can embed its content.
When an external site requested to embed a node, the oEmbed provider did not
check node access, so content that a user could not otherwise access could
be embedded.
This only affects sites that are using the oEmbed Provider sub-module.
-------- VERSIONS AFFECTED ---------------------------------------------------
* oEmbed module for Drupal 6.x versions prior to 6.x-0.8
Drupal core is not affected. If you do not use the contributed oEmbed [1]
module, together with its oEmbed provider module, there is nothing you need
to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the oEmbed module for Drupal 6.x upgrade to oEmbed 6.x-0.8 [2].
See also the oEmbed project page [3].
-------- REPORTED BY ---------------------------------------------------------
* Benjamin Doherty [4]
-------- FIXED BY ------------------------------------------------------------
* Pelle Wessman [5], module co-maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [6], writing secure code for Drupal [7], and secure configuration
[8] of your site.
[1] http://drupal.org/project/oembed
[2] http://drupal.org/node/998376
[3] http://drupal.org/project/oembed
[4] http://drupal.org/user/100456
[5] http://drupal.org/user/341713
[6] http://drupal.org/security-team
[7] http://drupal.org/writing-secure-code
[8] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2010-111
* Project: Views (third-party module)
* Version: 6.x
* Date: 2010-December-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content are presented. Under certain
circumstances, Views could display parts of the page path without escaping,
resulting in a reflected Cross Site Scripting (XSS [1]) vulnerability. An
attacker could exploit this to gain full administrative access. *Mitigating
factors:* This vulnerability only occurs with a specific combination of
configuration options for a specific View, but this combination is used in
the default Views provided by some additional modules. A malicious user would
need to get an authenticated administrative user to visit a specially crafted
URL.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Views module for Drupal 6.x versions prior to 6.x-2.12
Drupal core is not affected. If you do not use the contributed Views [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.12 [3]
See also the Views project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Alexander Kirienko [5]
-------- FIXED BY ------------------------------------------------------------
* Earl Miles (merlinofchaos [6]), module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [7] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/views
[3] http://drupal.org/node/999386
[4] http://drupal.org/project/views
[5] http://drupal.org/user/1019216
[6] http://drupal.org/user/26979
[7] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-110
* Project: Drupal For Firebug (third-party module)
* Version: 5.x, 6.x
* Date: 2010-Dec-15
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Drupal For Firebug module allows developers to use Firebug to get
debugging information about their Drupal installation.
The module does not properly protect the form used to submit PHP code against
Cross-site Request Forgeries (CSRF [1]), allowing a malicious user to trick
an authorized user into executing arbitrary PHP code.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal For Firebug 5.x versions prior to 5.x-1.5
* Drupal For Firebug 6.x versions prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Drupal For
Firebug [2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Drupal For Firebug 5.x, upgrade to Drupal For Firebug 5.x-1.5
[3]
* If you use Drupal For Firebug 6.x, upgrade to Drupal For Firebug 6.x-1.4
[4]
See also the Drupal For Firebug project page [5].
-------- REPORTED BY ---------------------------------------------------------
* mr.baileys [6] of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Matt Cheney (populist [7]), module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact [8].
[1] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[2] http://drupal.org/project/drupalforfirebug
[3] http://drupal.org/node/998568
[4] http://drupal.org/node/998566
[5] http://drupal.org/project/drupalforfirebug
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/58600
[8] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-109
* Projects: Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam
(third-party module)
* Version: 5.x and 6.x
* Date: 2010-December-08
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
.... 1 - Arbitrary File Upload/Code Execution Vulnerability
The Embedded Thumbnail module (packaged with the project) allows users who
upload videos to supply their own thumbnails in place of those provided by
the Embedded Media Field module. Unfortunately, the Embedded Thumbnail module
contains a vulnerability that could allow arbitrary file upload and
potentially remote code execution. Malicious users can upload arbitrary
files with any extension other than .php, .pl, .py, .cgi, .asp, or .js. Many
web servers support legacy PHP extensions not included in this list (such as
.phtml or .php3), which would allow attackers to upload and execute arbitrary
PHP code. Attackers could also upload malicious documents or other material
carrying a virus payload and use these to attack other users, or use uploaded
files to exploit file inclusion vulnerabilities. This exploit is mitigated by
the fact that the site must have a content type with an embedded media field
that allows users to upload custom thumbnails, and the user must have access
to create or edit that content type.
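As an added illustration of the extension-filtering problem described above (example code, not the module's own), the blacklist named in the advisory is compared with an assumed allowlist of thumbnail image types over constructed sample filenames:

```php
<?php
// Added example, not code from the Embedded Thumbnail module. It contrasts
// the extension blacklist described in the advisory with an allowlist that
// admits only the image types a thumbnail field actually needs.

// Extensions the advisory says were rejected; anything else was accepted.
const BLOCKED_EXTENSIONS = ['php', 'pl', 'py', 'cgi', 'asp', 'js'];

// Assumed allowlist for a thumbnail upload: raster image types only.
const THUMBNAIL_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];

// Final extension of the filename, lower-cased so letter case does not
// change the outcome of either check.
function extension_of(string $filename): string {
  return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Blacklist check: passes unless the extension is explicitly blocked.
function blacklist_accepts(string $filename): bool {
  return !in_array(extension_of($filename), BLOCKED_EXTENSIONS, true);
}

// Allowlist check: passes only if the extension is explicitly permitted.
function allowlist_accepts(string $filename): bool {
  return in_array(extension_of($filename), THUMBNAIL_EXTENSIONS, true);
}

// Constructed sample filenames; .phtml and .php3 are the legacy PHP
// extensions the advisory names as slipping past the blacklist.
$samples = ['thumb.png', 'Thumb.JPG', 'page.php', 'page.phtml',
            'page.php3', 'notes.txt', 'thumb.png.phtml'];

foreach ($samples as $name) {
  printf("%-16s blacklist: %-7s allowlist: %s\n", $name,
    blacklist_accepts($name) ? 'accept' : 'reject',
    allowlist_accepts($name) ? 'accept' : 'reject');
}
```

The allowlist still judges only the name; for real uploads Drupal 6's file_save_upload() accepts a file_validate_extensions() validator that enforces the same allowlist, and the web server should also be configured not to execute scripts from the files directory.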
.... 2 - Embed XSS Vulnerability
The 5.x-1.x and 6.x-1.x versions of the Embedded Media Field module come
packaged with "custom provider files" that allow users to add audio and video
files to their site by posting a link to the direct URL of an audio or video
file in the field that emfield provides. Unfortunately, the Embedded Media
Field module contains an arbitrary HTML injection vulnerability (also known as
cross site scripting, or XSS) because it fails to sanitize user-supplied audio
file paths and embed codes before display. *Please note*: in the 6.x-2.x
branch of the Embedded Media Field module, the custom audio and video provider
files were recently moved to separate modules, Media: Video Flotsam 6.x-1.2
[1] and Media: Audio Flotsam [2]. This exploit is mitigated by the fact that
the site must have a content type with an embedded media field that has the
custom audio or video provider file enabled, and the user must have access to
create or edit that content type.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.26 and
6.x-2.4, and for Drupal 5.x versions prior to 5.x-1.12.
* Media: Video Flotsam module for Drupal 6.x versions prior to 6.x-1.2.
* Media: Audio Flotsam module for Drupal 6.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Embedded Media
Field [3] module, together with the Embedded Thumbnail Field module or the
custom audio and video provider files included in emfield as well as in
Media: Audio Flotsam [4] and/or Media: Video Flotsam [5], there is nothing
you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Embedded Media Field module for Drupal 6.x upgrade to
either Embedded Media Field 6.x-2.4 [6] or Embedded Media Field 6.x-1.26
[7].
* If you use the Embedded Media Field module for Drupal 5.x upgrade to
Embedded Media Field 5.x-1.12 [8].
* If you use the Media: Video Flotsam module upgrade to Media: Video Flotsam
6.x-1.2 [9]
* If you use the Media: Audio Flotsam module upgrade to Media: Audio Flotsam
6.x-1.1 [10]
-------- REPORTED BY ---------------------------------------------------------
* Stella Power (stella) [11], of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Stella Power (stella) [12]
* Matthew Klein (kleinmp) [13], module co-maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [14] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [15].
[1] http://drupal.org/project/media_video_flotsam
[2] http://drupal.org/project/media_audio_flotsam
[3] http://drupal.org/project/emfield
[4] http://drupal.org/project/media_audio_flotsam
[5] http://drupal.org/project/media_video_flotsam
[6] http://drupal.org/node/992912
[7] http://drupal.org/node/992910
[8] http://drupal.org/node/992906
[9] http://drupal.org/node/992918
[10] http://drupal.org/node/992916
[11] http://drupal.org/user/66894
[12] http://drupal.org/user/66894
[13] http://drupal.org/user/390447
[14] http://drupal.org/security-team
[15] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-108
* Project: Who Bought What|Ubercart (third-party module)
* Version: 6.x
* Date: 2010-Dec-08
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Multiple Vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Who Bought What module collects and displays relevant information about
purchases, including purchaser name, quantity, payment status, and all
attributes. The module does not properly sanitize arguments passed via the
URL when used in SQL queries, leading to a SQL Injection [1] vulnerability.
Additionally, the module neglects to sanitize some of the user-generated
content before displaying it, leading to a Cross-Site Scripting (XSS [2])
vulnerability. Finally, the module allows users with the "view
uc_who_bought_what" permission to view the title of any node in the system,
including unpublished nodes and nodes that the user might otherwise not have
access to, which constitutes an Information Disclosure vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Who Bought What|Ubercart module for Drupal 6.x versions prior to 6.x-2.11.
Drupal core is not affected. If you do not use the contributed Who Bought
What|Ubercart module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Who Bought What|Ubercart module for Drupal 6.x upgrade to
Who Bought What|Ubercart 6.x-2.11 [3]
See also the Who Bought What|Ubercart project page [4].
-------- REPORTED BY ---------------------------------------------------------
* The SQL Injection vulnerability was reported by Mark Styles (lambic [5])
* The XSS and Information Disclosure vulnerabilities were reported by
mr.baileys [6] of the Drupal.org Security Team
-------- FIXED BY ------------------------------------------------------------
* Michael Moradzadeh (Cayenne [7]), module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [8].
[1] http://en.wikipedia.org/wiki/SQL_Injection
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/node/991762
[4] http://drupal.org/project/uc_who_bought_what
[5] http://drupal.org/user/58843
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/92993
[8] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-107
* Project: Services (third-party module)
* Version: 6.x
* Date: 2010-Dec-01
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Services module allows users to expose Drupal functionality to remote
users. Services provides the ability for users to update nodes contained in a
Drupal installation via the Services API. When using the node.save service,
it is possible for a user to supply a specially crafted node type or format
and circumvent access control checks.
This only affects sites that are using the node.save service.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Services module for Drupal 6.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Services
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Services module for Drupal 6.x upgrade to Services 6.x-2.3
[1]
-------- REPORTED BY ---------------------------------------------------------
* Yonathan Offek [2]
-------- FIXED BY ------------------------------------------------------------
* Marc Ingram [3], module co-maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [4].
[1] http://drupal.org/node/986550
[2] http://drupal.org/user/194009
[3] http://drupal.org/user/77320
[4] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-106
* Project: Comment Edited (third-party module)
* Version: 6.x
* Date: 2010-Dec-01
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Comment Edited module displays a customizable message at the bottom of a
comment when it has been edited. The module does not sanitize some of the
user-supplied data before displaying it, leading to a Cross Site Scripting
(XSS [1]) vulnerability that may lead to a malicious user gaining full
administrative access. This vulnerability is mitigated by the fact that the
attacker must have a role with the 'administer comments' permission which
should generally only be granted to trusted roles.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Comment Edited module for Drupal 6.x versions prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Comment Edited
[2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Comment Edited module for Drupal 6.x upgrade to Comment
Edited 6.x-1.4 [3]
See also the Comment Edited project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Balazs Dianiska (snufkin) [5], module maintainer
-------- FIXED BY ------------------------------------------------------------
* Balazs Dianiska (snufkin) [6], module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [7], writing secure code for Drupal [8], and secure configuration
[9] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/comment_edited
[3] http://drupal.org/node/986524
[4] http://drupal.org/project/comment_edited
[5] http://drupal.org/user/58645
[6] http://drupal.org/user/58645
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2010-105
* Project: Outline Designer (third-party module)
* Version: 6.x
* Date: 2010-December-01
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
Outline Designer allows for easier creation and management of items in a
Book. The Outline Designer module does not properly protect some of its
paths against Cross-Site Request Forgery (CSRF), allowing an attacker to
get a user with the permission to administer site configuration to change any
book nodes.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Outline Designer for Drupal 6.x prior to Outline Designer 6.x-1.2
Drupal core is not affected. If you do not use the contributed module Outline
Designer there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Outline Designer for Drupal 6.x upgrade to Outline Designer
6.x-1.2 [1]
See also the Outline Designer [2] project page.
-------- REPORTED BY ---------------------------------------------------------
* Bryan Ollendyke (btopro [3]), module maintainer
-------- FIXED BY ------------------------------------------------------------
* Bryan Ollendyke (btopro [4]), module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [5], writing secure code for Drupal [6], and secure configuration
[7] of your site.
[1] http://drupal.org/node/954666
[2] http://drupal.org/project/outline_designer
[3] http://drupal.org/user/24286
[4] http://drupal.org/user/24286
[5] http://drupal.org/security-team
[6] http://drupal.org/writing-secure-code
[7] http://drupal.org/security/secure-configuration