Security-news December 2010

security-news@drupal.org

1 participants
9 discussions

SA-CONTRIB-2010-113 - Image - Cross Site Scripting
by security-news＠drupal.org 22 Dec '10

22 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-113 * Project: Image (third-party module) * Version: 5.x, 6.x * Date: 2010-December-22 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Image module project contains supplemental modules, one of which, Image gallery, allows users to create and maintain galleries of image nodes using taxonomy terms. The Image gallery module does not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability which can be used by a malicious user to gain full administrative access. *Mitigating factors*: In order to exploit this vulnerability the Image gallery module must be enabled and the attacker must have the ability to edit or create image galleries. -------- VERSIONS AFFECTED --------------------------------------------------- * Image module for Drupal 6.x prior to 6.x-1.1 * Image module for Drupal 5.x prior to 5.x-2.0 * Image module for Drupal 5.x prior to 5.x-1.10 Drupal core is not affected. If you do not use the contributed Image module there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Image for Drupal 6.x upgrade to Image 6.x-1.1 [2]. * If you use Image 5.x-2.0-alpha5 or lower for Drupal 5.x upgrade to Image 5.x-2.0 [3]. * If you use Image 5.x-1.9 or lower for Drupal 5.x upgrade to Image 5.x-1.10 [4]. See also the Image project page [5]. -------- REPORTED BY --------------------------------------------------------- Justin Klein Keane [6] -------- FIXED BY ------------------------------------------------------------ * sun [7], module maintainer * joachim [8], module maintainer * Justin Klein Keane [9] -------- CONTACT ------------------------------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [10]. Learn more about the team and their policies [11], writing secure code for Drupal [12], and secure configuration [13] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/1004800 [3] http://drupal.org/node/1004802 [4] http://drupal.org/node/1004804 [5] http://drupal.org/project/image [6] http://drupal.org/user/302225 [7] http://drupal.org/user/54136 [8] http://drupal.org/user/107701 [9] http://drupal.org/user/302225 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2010-112 - oEmbed - Access Bypass
by security-news＠drupal.org 22 Dec '10

22 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-112 * Project: oEmbed (third-party module) * Version: 6.x * Date: 2010-December-22 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The oEmbed module allows a Drupal site to embed content from oEmbed-providers as well as for a site to become an oEmbed-provider itself so that other oEmbed-enabled websites can embed its content. If an external site requested to embed a node, the oEmbed provider did not check node access, resulting in content not otherwise accessable by a user to be embeddable. This only affects sites that are using the oEmbed Provider sub-module. -------- VERSIONS AFFECTED --------------------------------------------------- * oEmbed module for Drupal 6.x versions prior to 6.x-0.8 Drupal core is not affected. If you do not use the contributed oEmbed [1] module, together with its oEmbed provider module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the oEmbed module for Drupal 6.x upgrade to oEmbed 6.x-0.8 [2]. See also the oEmbed project page [3]. -------- REPORTED BY --------------------------------------------------------- * Benjamin Doherty [4] -------- FIXED BY ------------------------------------------------------------ * Pelle Wessman [5], module co-maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [6], writing secure code for Drupal [7], and secure configuration [8] of your site. [1] http://drupal.org/project/oembed [2] http://drupal.org/node/998376 [3] http://drupal.org/project/oembed [4] http://drupal.org/user/100456 [5] http://drupal.org/user/341713 [6] http://drupal.org/security-team [7] http://drupal.org/writing-secure-code [8] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2010-111 - Views - Cross Site Scripting
by security-news＠drupal.org 15 Dec '10

15 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-111 * Project: Views (third-party module) * Version: 6.x * Date: 2010-December-15 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a relected Cross Site Scripting (XSS [1]) vulnerability. An attacker could exploit this to gain full administrative access. *Mitigating factors:* This vulnerability only occurs with a specific combination of configuration options for a specific View, but this combination is used in the default Views provided by some additional modules. A malicious user would need to get an authenticated administrative user to visit a specially crafted URL. -------- VERSIONS AFFECTED --------------------------------------------------- * Views module for Drupal 6.x versions prior to 6.x-2.12 Drupal core is not affected. If you do not use the contributed Views [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.12 [3] See also the Views project page [4]. -------- REPORTED BY --------------------------------------------------------- * Alexander Kirienko [5] -------- FIXED BY ------------------------------------------------------------ * Earl Miles (merlinofchaos [6]), module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [7] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/views [3] http://drupal.org/node/999386 [4] http://drupal.org/project/views [5] http://drupal.org/user/1019216 [6] http://drupal.org/user/26979 [7] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-110 - Drupal For Firebug - Cross-site Request Forgery
by security-news＠drupal.org 15 Dec '10

15 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-110 * Project: Drupal For Firebug (third-party module) * Version: 5.x, 6.x * Date: 2010-Dec-15 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross-site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Drupal For Firebug module allows developers to use Firebug to get debugging information about their Drupal installation. The module does not properly protect the form used to submit PHP code against Cross-site Request Forgeries (CSRF [1]), allowing a malicious user to trick an authorized user into executing arbitrary PHP code. -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal For Firebug 5.x versions prior to 5.x-1.5 * Drupal For Firebug 6.x versions prior to 6.x-1.4 Drupal core is not affected. If you do not use the contributed Drupal For Firebug [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal For Firebug 5.x, upgrade to Drupal For Firebug 5.x-1.5 [3] * If you use Drupal For Firebug 6.x, upgrade to Drupal For Firebug 6.x-1.4 [4] See also the Drupal For Firebug project page [5]. -------- REPORTED BY --------------------------------------------------------- * mr.baileys [6] of the Drupal security team -------- FIXED BY ------------------------------------------------------------ * Matt Cheney (populist [7]), module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [8]. [1] http://en.wikipedia.org/wiki/Cross-site_request_forgery [2] http://drupal.org/project/drupalforfirebug [3] http://drupal.org/node/998568 [4] http://drupal.org/node/998566 [5] http://drupal.org/project/drupalforfirebug [6] http://drupal.org/user/383424 [7] http://drupal.org/user/58600 [8] http://drupal.org/contact

1 0

SA-CONTRIB-2010-109 - Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam - Multiple Vulnerabilities
by security-news＠drupal.org 08 Dec '10

08 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-109 * Projects: Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam (third-party module) * Version: 5.x and 6.x * Date: 2010-December-08 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- .... 1 - Arbitrary File Upload/Code Execution Vulnerability The Embedded Thumbnail module (packaged with the project) allows users who upload videos to upload their own thumbnails to replace The Drupal Embedded Media Field module. Unfortunately, the Embedded Thumbnail Module contains a vulnerability that could allow arbitrary file upload, as well as potentially remote and potentially code execution. Malicious users can upload arbitrary files with extensions other than .php, .pl, .py, .cgi, .asp, or .js. Many web servers support legacy PHP extensions not included in this list (such as .phtml, or .php3) which would allow attackers to upload and execute arbitrary PHP code. Attackers could also upload malicious documents or other material with virus payload and use these to attack other users or exploit flaws in file include vulnerabilities. This exploit is mitigated by the fact that the site must have a content type with an embedded media field that allows users to upload custom thumbnails, and the user must have access to create or edit the content type. .... 2 - Embed XSS Vulnerability The 5.x-1.x and 6.x-1.x versions of the Embedded Media Field module comes packaged with "custom provider files" that allow users to add audio and video files to their site by posting a link to the direct url of an audio or video the field emfield provides. Unfortunately the Embedded Media Field module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize user supplied audio file paths and embed codes before display. *Please note*, recently these 6.x-2.x branch of the Embedded Media Field module, the custom audio and video provider files were moved to separate modules: Media: Video Flotsam 6.x-1.2 [1] and Media: Audio Flotsam [2]. This exploit is mitigated by the fact that the site must have a content type with an embedded media field that has the custom audio or video provider file enabled, and the user must have access to create or edit the content type. -------- VERSIONS AFFECTED --------------------------------------------------- * Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.26 and 6.x-2.4, and for Drupal 5.x versions prior to 5.x-1.12. * Media: Video Flotsam module for Drupal 6.x versions prior to 6.x-1.2. * Media: Audio Flotsam module for Drupal 6.x versions prior to 6.x-1.1. Drupal core is not affected. If you do not use the contributed Embedded Media Field [3] module, together with the Embedded Thumbnail Field module or the custom audio and video provider files included in emfield as well as in Media: Audio Flotsam [4] and/or Media: Video Flotsam [5], there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Embedded Media Field module for Drupal 6.x upgrade to either Embedded Media Field 6.x-2.4 [6] or Embedded Media Field 6.x-1.26 [7]. * If you use the Embedded Media Field module for Drupal 5.x upgrade to Embedded Media Field 5.x-1.12 [8]. * If you use the Media: Video Flotsam module upgrade to Media: Video Flotsam 6.x-1.2 [9] * If you use the Media: Audio Flotsam module upgrade to Media: Audio Flotsam 6.x-1.1 [10] -------- REPORTED BY --------------------------------------------------------- * Stella Power (stella) [11], of the Drupal security team -------- FIXED BY ------------------------------------------------------------ * Stella Power (stella) [12] * Matthew Klein (kleinmp) [13], module co-maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [14] can be reached at security at drupal.org or via the form at http://drupal.org/contact [15]. [1] http://drupal.org/project/media_video_flotsam [2] http://drupal.org/project/media_audio_flotsam [3] http://drupal.org/project/emfield [4] http://drupal.org/project/media_audio_flotsam [5] http://drupal.org/project/media_video_flotsam [6] http://drupal.org/node/992912 [7] http://drupal.org/node/992910 [8] http://drupal.org/node/992906 [9] http://drupal.org/node/992918 [10] http://drupal.org/node/992916 [11] http://drupal.org/user/66894 [12] http://drupal.org/user/66894 [13] http://drupal.org/user/390447 [14] http://drupal.org/security-team [15] http://drupal.org/contact

1 0

SA-CONTRIB-2010-108 - Who Bought What|Ubercart - Multiple Vulnerabilities
by security-news＠drupal.org 08 Dec '10

08 Dec '10

* DRUPAL-SA-CONTRIB-2010-108 * Who Bought What|Ubercart (third-party module) * Version: 6.x * Date: 2010-Dec-08 * Security risk: Highly Critical * Exploitable from: Remote * Vulnerability: Multiple Vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The Who Bought What-module collects and displays relevant information about purchases, including purchaser name, quantity, payment status, and all attributes. The module does not properly sanitize arguments passed via the URL when used in SQL queries, leading to a SQL Injection [1] vulnerability. Additionally, the module neglects to sanitize some of the user-generated content before displaying it, leading to a Cross-Site Scripting (XSS [2]) vulnerability. Finally, the module allows users with the "view uc_who_bought_what" permission to view the title of any node in the system, including unpublished nodes and nodes that user might otherwise not have access to, which constitutes an Information Disclosure vulnerability. -------- VERSIONS AFFECTED --------------------------------------------------- * Who Bought What|Ubercart module for Drupal 6.x versions prior to 6.x-2.11. Drupal core is not affected. If you do not use the contributed Who Bought What|Ubercart module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Who Bought What|Ubercart module for Drupal 6.x upgrade to Who Bought What|Ubercart 6.x-2.11 [3] See also the Who Bought What|Ubercart project page [4]. -------- REPORTED BY --------------------------------------------------------- * The SQL Injection vulnerability was reported by Mark Styles (lambic [5]) * The XSS and Information Disclosure vulnerabilities were reported by mr.baileys [6] of the Drupal.org Security Team -------- FIXED BY ------------------------------------------------------------ * Michael Moradzadeh (Cayenne [7]), module maintainer -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [8]. [1] http://en.wikipedia.org/wiki/SQL_Injection [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://drupal.org/node/991762 [4] http://drupal.org/project/uc_who_bought_what [5] http://drupal.org/user/58843 [6] http://drupal.org/user/383424 [7] http://drupal.org/user/92993 [8] http://drupal.org/contact

1 0

SA-CONTRIB-2010-107 - Services - Access bypass
by security-news＠drupal.org 02 Dec '10

02 Dec '10

* DRUPAL-SA-CONTRIB-2010-107 * Services (third-party module) * Version: 6.x * Date: 2010-Dec-01 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The Services module allows users to expose Drupal functionality to remote users. Services provides the ability for users to update nodes contained in a drupal install via the services api. When using using the node.save service it is possible for a user to supply a specifically crafted node or format type and circumvent access control checks. This only affects sites that are using the node.save service. -------- VERSIONS AFFECTED --------------------------------------------------- * Services module for Drupal 6.x versions prior to 6.x-2.3. * Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Services module for Drupal 6.x upgrade to Services 6.x-2.3 [1] -------- REPORTED BY --------------------------------------------------------- * Yonathan Offek [2] -------- FIXED BY ------------------------------------------------------------ * Marc Ingram [3], module co-maintainer -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [4]. [1] http://drupal.org/node/986550 [2] http://drupal.org/user/194009 [3] http://drupal.org/user/77320 [4] http://drupal.org/contact

1 0

SA-CONTRIB-2010-106 - Comment Edited - Cross Site Scripting
by security-news＠drupal.org 01 Dec '10

01 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-106 * Project: Comment Edited (third-party module) * Version: 6.x * Date: 2010-Dec-01 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Comment Edited module displays a customizable message at the bottom of a comment when it has been edited. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer comments' permission which should generally only be granted to trusted roles. -------- VERSIONS AFFECTED --------------------------------------------------- * Comment Edited module for Drupal 6.x versions prior to 6.x-1.4 Drupal core is not affected. If you do not use the contributed Comment Edited [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Comment Edited module for Drupal 6.x upgrade to Comment Edited 6.x-1.4 [3] See also the Comment Edited project page [4]. -------- REPORTED BY --------------------------------------------------------- * Balazs Dianiska (snufkin) [5], module maintainer -------- FIXED BY ------------------------------------------------------------ * Balazs Dianiska (snufkin) [6], module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [7], writing secure code for Drupal [8], and Secure Configuration [9] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/comment_edited [3] http://drupal.org/node/986524 [4] http://drupal.org/project/comment_edited [5] http://drupal.org/user/58645 [6] http://drupal.org/user/58645 [7] http://drupal.org/security-team [8] http://drupal.org/writing-secure-code [9] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2010-105 - Outline Designer - Cross Site Request Forgery
by security-news＠drupal.org 01 Dec '10

01 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-105 * Project: Outline Designer (third-party module) * Version: 6.x * Date: 2010-December-01 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross-site Request Forgery -------- DESCRIPTION --------------------------------------------------------- Outline Designer allows for easier creation and management of items in a Book. The Outline Designer modules does not properly protect some of its paths against Cross Site Request Forgeries (CSRF), allowing an attacker to get a user with the permission to administer site configuration to change any book nodes. -------- VERSIONS AFFECTED --------------------------------------------------- * Outline Designer for Drupal 6.x prior to Outline Designer 6.x-1.2 Drupal core is not affected. If you do not use the contributed module Outline Designer there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Outline Designer for Drupal 6.x upgrade to Outline Designer 6.x-1.2 [1] See also the Outline Designer [2] project page. -------- REPORTED BY --------------------------------------------------------- * Bryan Ollendyke (btopro [3]), module maintainer -------- FIXED BY ------------------------------------------------------------ * Bryan Ollendyke (btopro [4]), module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [5], writing secure code for Drupal [6], and secure configuration [7] of your site. [1] http://drupal.org/node/954666 [2] http://drupal.org/project/outline_designer [3] http://drupal.org/user/24286 [4] http://drupal.org/user/24286 [5] http://drupal.org/security-team [6] http://drupal.org/writing-secure-code [7] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news December 2010