* Advisory ID: DRUPAL-SA-CONTRIB-2010-020
* Project: Facebook-style Statuses (Microblog) (third-party module)
* Version: 6.x-2.x
* Date: 2010-February-24
* Security risk: Not Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Facebook-style Statuses (Microblog) module enables each user to have a
stream of messages ("statuses") like on Facebook. Users can update their own
status as well as write messages to other users by visiting the other user's
profile. When a user updates his own status and then updates it again within
the next 10 seconds, the module assumes that the first was a mistake, and
overwrites the older status with the newer one. However, a bug allowed one
user's message to overwrite a second user's status if posted within 10
seconds of the second user having updated her status.
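The overwrite decision described above, written out as an added example rather than the module's own code: the record fields (sender, recipient, created) and the function names are constructed stand-ins for whatever facebook_status stores, and the 10-second window is the one the advisory names. The hardened version ties the window to the same sender on the same stream, which is the condition the original check was missing.

```php
<?php
// Added example, not facebook_status module code. Record fields
// (sender, recipient, created) are a constructed stand-in for the
// module's storage; the window is the 10 seconds named in the advisory.

define('STATUS_EDIT_WINDOW', 10);

/**
 * Decision as the advisory describes the bug: any message arriving within
 * the window replaces the newest status on that stream, whoever wrote it.
 */
function status_should_overwrite_vulnerable(array $last, array $new) {
  return ($new['created'] - $last['created']) < STATUS_EDIT_WINDOW;
}

/**
 * Hardened decision: the window only applies when the same sender is
 * correcting their own message on the same stream. A message from anyone
 * else is a new status, never a replacement.
 */
function status_should_overwrite_fixed(array $last, array $new) {
  $same_sender    = (int) $last['sender'] === (int) $new['sender'];
  $same_recipient = (int) $last['recipient'] === (int) $new['recipient'];
  $in_window      = ($new['created'] - $last['created']) < STATUS_EDIT_WINDOW;
  return $same_sender && $same_recipient && $in_window;
}

// Constructed sample: user 7 posts on her own stream; user 9 writes to her
// stream 4 seconds later; user 7 corrects herself 6 seconds after her post.
$alice_status = array('sender' => 7, 'recipient' => 7, 'status' => 'Out for lunch', 'created' => 1000);
$bob_message  = array('sender' => 9, 'recipient' => 7, 'status' => 'Meeting moved to 2pm', 'created' => 1004);
$alice_fix    = array('sender' => 7, 'recipient' => 7, 'status' => 'Out for lunch, back at 1', 'created' => 1006);

// Bob's message must not replace Alice's status, but her own correction may.
var_dump(status_should_overwrite_vulnerable($alice_status, $bob_message));
var_dump(status_should_overwrite_fixed($alice_status, $bob_message));
var_dump(status_should_overwrite_fixed($alice_status, $alice_fix));
```

The uid casts matter in Drupal because values read from the database arrive as strings; a strict comparison without them would silently refuse every overwrite, including legitimate self-corrections.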
-------- VERSIONS AFFECTED ---------------------------------------------------
* Facebook-style Statuses (Microblog) 6.x-2.x prior to 6.x-2.1
Drupal core is not affected. If you do not use the contributed Facebook-style
Statuses (Microblog) module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Facebook-style Statuses (Microblog) for Drupal 6.x upgrade to
Facebook-style Statuses (Microblog) 6.x-2.1 [1]
See also the Facebook-style Statuses (Microblog) project page [2].
-------- REPORTED BY ---------------------------------------------------------
* Hiroaki [3]
-------- FIXED BY ------------------------------------------------------------
* Isaac Sukin (IceCreamYou [4]), the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/724806
[2] http://drupal.org/project/facebook_status
[3] http://drupal.org/user/709086
[4] http://drupal.org/user/201425
* Advisory ID: DRUPAL-SA-CONTRIB-2010-019
* Project: Weekly Archive by Node Type (third-party module)
* Version: 6.x-2.x
* Date: 2010-February-24
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Weekly Archive by Node Type module generates weekly archive pages and a
block with links to the pages. You can specify the node types that will be
included in the archive pages. In the weekly summary listings, the Weekly
Archive by Node Type module does not construct its SQL query to respect node
access restrictions, so users can see listings of nodes that are restricted
by a node access module and should not be accessible to them.
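The query-level fix for this class of access bypass, as an added example for a Drupal 6 site and not the Weekly Archive by Node Type module's own code: the listing query is shown without and with db_rewrite_sql(), which is the core hook point that adds the node_access grants check for the current user. Only the core {node} table is used; $types, $start and $end are assumed inputs.

```php
<?php
// Added example for a Drupal 6 site; not code from the Weekly Archive by
// Node Type module. Only the core {node} table is used. $types is assumed
// to be the configured list of node type names, $start and $end the unix
// timestamps bounding the week being listed.

/**
 * Listing query in the shape the advisory describes: it filters on
 * status and type but never consults node access grants, so protected
 * nodes appear for every visitor.
 */
function week_archive_items_vulnerable(array $types, $start, $end) {
  $placeholders = db_placeholders($types, 'varchar');
  $sql = "SELECT n.nid, n.title, n.created FROM {node} n
          WHERE n.status = 1 AND n.type IN ($placeholders)
            AND n.created >= %d AND n.created < %d
          ORDER BY n.created DESC";
  return db_query($sql, array_merge($types, array($start, $end)));
}

/**
 * Same listing with node access respected. db_rewrite_sql() adds the
 * {node_access} join and grant conditions for the current user, so the
 * result only holds nodes the viewer is allowed to see. The primary table
 * must carry the alias 'n' for the default rewrite to apply.
 */
function week_archive_items_fixed(array $types, $start, $end) {
  $placeholders = db_placeholders($types, 'varchar');
  $sql = "SELECT n.nid, n.title, n.created FROM {node} n
          WHERE n.status = 1 AND n.type IN ($placeholders)
            AND n.created >= %d AND n.created < %d
          ORDER BY n.created DESC";
  return db_query(db_rewrite_sql($sql), array_merge($types, array($start, $end)));
}

/**
 * Renders the listing. l() escapes the title, so this part is the same
 * for both queries; the access decision belongs in the query itself.
 */
function week_archive_render($result) {
  $items = array();
  while ($node = db_fetch_object($result)) {
    $items[] = l($node->title, 'node/' . $node->nid);
  }
  return theme('item_list', $items);
}
```

Filtering rows with node_access('view', $node) after the query is not an equivalent fix: restricted rows still count toward pagers and block limits, which leaks their existence. A quick check on a site using a node access module is to view the archive as a user without grants on a restricted node and confirm it no longer appears.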
-------- VERSIONS AFFECTED ---------------------------------------------------
* Weekly Archive by Node Type module for Drupal 6.x versions prior to
6.x-2.7
Drupal core is not affected. If you do not use the contributed Weekly Archive
by Node Type [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use the Weekly Archive by Node Type module for Drupal 6.x upgrade
to Weekly Archive by Node Type 6.x-2.7 [2]
-------- REPORTED BY ---------------------------------------------------------
* Aron Hsiao.
-------- FIXED BY ------------------------------------------------------------
* Prometheus6 [3], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/week
[2] http://drupal.org/node/723776
[3] http://drupal.org/user/10137
* Advisory ID: DRUPAL-SA-CONTRIB-2010-018
* Project: Content Distribution (third-party module)
* Version: 6.x
* Date: 2010 February 17
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple Vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Content Distribution module exposes a method that deletes particular
nodes through an XML-RPC call. When the user permissions allow anonymous
users to call this method, an attacker might delete a random node. In
addition, certain actions require Content Distribution to temporarily switch
users. This is done without properly disabling session saving.
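The two hardening points named above, as an added example for Drupal 6 rather than Content Distribution's own code: the XML-RPC method name, callback and hook implementation are constructed. The delete callback re-checks node_access() so that permission to call the method is not by itself permission to delete, and the user switch is wrapped in session_save_session(FALSE) so the substituted account is never written into the caller's session.

```php
<?php
// Added example for Drupal 6; not Content Distribution module code. The
// method name, callback names and hook implementation are constructed to
// show the two hardening points the advisory describes.

/**
 * Implementation of hook_xmlrpc(): registers the delete method.
 * Signature: returns boolean, takes one int (the nid).
 */
function example_xmlrpc() {
  return array(
    array('example.deleteNode', 'example_xmlrpc_delete_node', array('boolean', 'int'), t('Delete a node.')),
  );
}

/**
 * XML-RPC callback. The request runs as whoever the current session
 * belongs to, which for an unauthenticated call is the anonymous user.
 * node_access() applies the same delete rules the web UI enforces, so a
 * permission that merely allows calling the method no longer implies the
 * right to delete arbitrary content.
 */
function example_xmlrpc_delete_node($nid) {
  $node = node_load((int) $nid);
  if (!$node) {
    return xmlrpc_error(404, t('Node not found.'));
  }
  if (!node_access('delete', $node)) {
    watchdog('example', 'Denied XML-RPC delete of node %nid.', array('%nid' => $node->nid), WATCHDOG_WARNING);
    return xmlrpc_error(403, t('Access denied.'));
  }
  node_delete($node->nid);
  return TRUE;
}

/**
 * Runs $callback as another account for the duration of one operation.
 * session_save_session(FALSE) stops Drupal from writing the substituted
 * $user into the current visitor's session row; without it the visitor
 * would remain logged in as that account after the request.
 */
function example_run_as_user($uid, $callback) {
  global $user;
  $original_user = $user;
  $saving = session_save_session();
  session_save_session(FALSE);
  $user = user_load((int) $uid);
  $result = call_user_func($callback);
  $user = $original_user;
  session_save_session($saving);
  return $result;
}
```

The watchdog entry on the denied path is what gives an operator something to alert on: a burst of 403 results from one client against sequential nids is visible in the log rather than silent.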
-------- VERSIONS AFFECTED ---------------------------------------------------
* Content Distribution prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Content
Distribution module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Content Distribution for Drupal 6.x upgrade to Content
Distribution 6.x-1.3 [1].
See also the Content Distribution project page [2].
-------- REPORTED BY ---------------------------------------------------------
* Joachim Noreiko (joachim [3]), the module co-maintainer.
-------- FIXED BY ------------------------------------------------------------
* Joachim Noreiko (joachim [4]), the module co-maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/716400
[2] http://drupal.org/project/content_distribution
[3] http://drupal.org/user/107701
[4] http://drupal.org/user/107701
* Advisory ID: DRUPAL-SA-CONTRIB-2010-017
* Project: iTweak Upload (third-party module)
* Version: 6.x
* Date: 2010 February 17
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
iTweak Upload does not escape file names when displaying uploaded files. This
allows a malicious user with the permission to create content and upload
files to perform a Cross Site Scripting [1] (XSS) attack.
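The escaping the advisory says was missing, as an added example and not iTweak Upload's own code: a row-rendering function in the vulnerable shape beside the hardened one. The function names and the $file array are constructed; check_plain() is Drupal's standard escaping call and is defined inline only so the snippet runs outside a Drupal bootstrap. The same rule covers any user-controlled string rendered into a block, which is the Menu Breadcrumb issue further down this page.

```php
<?php
// Added example; not iTweak Upload's code. Drupal's check_plain() is a
// wrapper around htmlspecialchars() with ENT_QUOTES and UTF-8; the
// fallback below exists only so the snippet runs outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Row rendering in the shape the advisory describes: the stored filename
 * and description are concatenated straight into the markup, so any tag
 * or quote in the name is delivered to every viewer's browser.
 */
function theme_upload_row_vulnerable(array $file) {
  return '<tr><td><a href="' . $file['url'] . '">' . $file['filename'] . '</a></td>'
       . '<td>' . $file['description'] . '</td></tr>';
}

/**
 * Hardened row: every user-controlled string is escaped at the point it
 * enters HTML. The URL is escaped as well, so a quote in a path cannot
 * terminate the href attribute.
 */
function theme_upload_row_fixed(array $file) {
  return '<tr><td><a href="' . check_plain($file['url']) . '">'
       . check_plain($file['filename']) . '</a></td>'
       . '<td>' . check_plain($file['description']) . '</td></tr>';
}

// Constructed sample: an uploaded file whose name and description carry
// markup characters, as a user who may upload files can arrange.
$file = array(
  'filename'    => 'report<b>2009</b>.pdf',
  'description' => 'Q1 "final" & signed',
  'url'         => '/files/report2009.pdf',
);

echo theme_upload_row_vulnerable($file), "\n";
echo theme_upload_row_fixed($file), "\n";
```

Filenames deserve the same treatment as any other user input: the upload form validates extension and size, not characters, and the browser's submitted name is stored verbatim.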
-------- VERSIONS AFFECTED ---------------------------------------------------
* iTweak Upload 6.x-2.x prior to 6.x-2.3
* iTweak Upload 6.x-1.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed iTweak Upload
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use iTweak Upload 6.x-1.x, upgrade to iTweak Upload 6.x-1.2 [2]
* If you use iTweak Upload 6.x-2.x, upgrade to iTweak Upload 6.x-2.3 [3]
See also the iTweak Upload project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Mark Piper
-------- FIXED BY ------------------------------------------------------------
* Ilya Ivanchenko [5], the iTweak Upload module maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/711072
[3] http://drupal.org/node/711074
[4] http://drupal.org/project/itweak_upload
[5] http://drupal.org/user/87708
* Advisory ID: DRUPAL-SA-CONTRIB-2010-016
* Project: Graphviz Filter (third-party module)
* Version: 6.x, 5.x
* Date: 2010 February 10
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION ---------------------------------------------------------
Graphviz Filter does not properly filter user input passed via the @command
option in the node body, leading to a possible arbitrary shell code execution
[1] vulnerability. This allows a remote attacker with the ability to create
content using a Graphviz input filter to execute arbitrary shell commands on
the affected system.
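The defensive shape for a filter that lets content choose which Graphviz program renders a graph, as an added example and not the Graphviz Filter module's code: the requested program is matched strictly against a fixed allow-list, the output format is constrained to a safe character set, and the only path argument is passed through escapeshellarg(). The function name, the allow-list and the sample requests are constructed.

```php
<?php
// Added example; not the Graphviz Filter module's code. It shows the
// defensive shape for a filter that lets content pick a Graphviz layout
// program: the request is matched against a fixed allow-list and the
// only thing that reaches the shell as a program name is the matching
// literal from that list.

// Layout engines a site might reasonably expose. Constructed list.
$graphviz_allowed_commands = array('dot', 'neato', 'fdp', 'sfdp', 'twopi', 'circo');

/**
 * Returns the command line to run, or FALSE when the request cannot be
 * honoured. $requested and $format originate in node body markup and
 * are therefore under the content author's control.
 */
function graphviz_build_command($requested, $format, $dot_source_path, array $allowed) {
  // Strict comparison against the allow-list: anything that is not
  // exactly one of the known names, including a path or extra words, is
  // refused rather than interpreted.
  if (!in_array($requested, $allowed, TRUE)) {
    return FALSE;
  }
  // The output format is also author-influenced; constrain it to the
  // characters a Graphviz format name can contain.
  if (!preg_match('/^[a-z0-9_]+$/', $format)) {
    return FALSE;
  }
  // The source path is quoted as a single argument.
  return $requested . ' -T' . $format . ' ' . escapeshellarg($dot_source_path);
}

// Constructed requests: a legitimate layout, a full path to the same
// program, and an engine the site did not enable. Only the first yields
// a command; the caller should render the DOT source as escaped text for
// the others instead of running anything.
var_dump(graphviz_build_command('dot', 'png', '/tmp/graph-42.dot', $graphviz_allowed_commands));
var_dump(graphviz_build_command('/usr/bin/dot', 'png', '/tmp/graph-42.dot', $graphviz_allowed_commands));
var_dump(graphviz_build_command('osage', 'png', '/tmp/graph-42.dot', $graphviz_allowed_commands));
```

Escaping alone is the weaker fix here: escapeshellcmd() on a program name still lets the author pick any binary on the PATH. An allow-list decides what may run; escaping only decides how arguments are quoted.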
-------- VERSIONS AFFECTED ---------------------------------------------------
* Graphviz 6.x-1.x prior to 6.x-1.6
* Graphviz 5.x-1.x prior to 5.x-1.3
Drupal core is not affected. If you do not use the contributed Graphviz
Filter module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Graphviz Filter 6.x-1.x, upgrade to Graphviz Filter 6.x-1.6
[2].
* If you use Graphviz Filter 5.x-1.x, upgrade to Graphviz Filter 5.x-1.3
[3].
See also the Graphviz Filter project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Clemens Tolboom [5].
-------- FIXED BY ------------------------------------------------------------
* Karim Ratib [6], the Graphviz Filter module maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Arbitrary_code_execution
[2] http://drupal.org/node/710798
[3] http://drupal.org/node/710804
[4] http://drupal.org/project/graphviz_filter
[5] http://drupal.org/user/125814
[6] http://drupal.org/user/48424
* Advisory ID: DRUPAL-SA-CONTRIB-2010-015
* Project: Signwriter (third-party module)
* Version: 5.x, 6.x
* Date: 2010-February-3
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION ---------------------------------------------------------
The Signwriter module allows the use of TrueType fonts to replace text in
headings, blocks, menus and filtered text. This vulnerability allows a remote
attacker with the ability to create content using an input filter created
with a Signwriter profile to execute arbitrary PHP code on an affected
system. The vulnerability exists due to unsafe use of PHP's preg_replace
function with the e modifier, which causes the replacement string to be
executed as PHP code.
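The preg_replace e-modifier pattern beside its standard replacement, preg_replace_callback(), as an added example that is not Signwriter's code: the [sign]...[/sign] tag syntax, the rendering stand-in and the function names are constructed. The point is that with the e modifier the matched text is spliced into a string that PHP then eval()s, whereas a callback receives the match as an ordinary argument.

```php
<?php
// Added example; not Signwriter's code. The [sign]...[/sign] tag syntax
// and the function names are constructed; the point is the e modifier
// versus a callback.

/**
 * Stand-in for the font rendering step: returns an image tag for the
 * label. The label is escaped for the attribute and URL-encoded for the
 * path, so it is treated as data in both places.
 */
function signwriter_render($label) {
  return '<img class="signwriter" alt="' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
       . '" src="/signwriter/' . rawurlencode($label) . '.png" />';
}

/**
 * Filter in the shape the advisory describes. With the e modifier PHP
 * substitutes the backreference into the replacement string and then
 * eval()s the result, so text an author places between the tags becomes
 * part of a PHP expression. (PHP 7 removed the modifier entirely.)
 */
function signwriter_filter_vulnerable($text) {
  return preg_replace('#\[sign\](.*?)\[/sign\]#se', 'signwriter_render("$1")', $text);
}

/**
 * Hardened filter: preg_replace_callback() hands the match to a PHP
 * function as an ordinary string argument. Nothing from the content is
 * ever parsed as code.
 */
function signwriter_filter_fixed($text) {
  return preg_replace_callback('#\[sign\](.*?)\[/sign\]#s', 'signwriter_render_match', $text);
}

function signwriter_render_match(array $matches) {
  return signwriter_render($matches[1]);
}

// Constructed sample body text containing two sign tags.
$body = '<h2>[sign]Welcome[/sign]</h2><p>Opening hours: [sign]9 to 5[/sign]</p>';
echo signwriter_filter_fixed($body), "\n";
```

Auditing for this class of bug is mechanical: grep a code base for preg_replace calls whose pattern delimiter is followed by a modifier string containing e. Any hit that takes its subject from user content is the Signwriter situation.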
-------- VERSIONS AFFECTED ---------------------------------------------------
* Signwriter for Drupal 5.x prior to 5.x-1.6
* Signwriter for Drupal 6.x prior to 6.x-2.0-beta2
Drupal core is not affected. If you do not use the contributed Signwriter
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Signwriter for Drupal 5.x upgrade to Signwriter 5.x-1.6 [1]
* If you use Signwriter for Drupal 6.x upgrade to Signwriter 6.x-2.0-beta2
[2]
See also the Signwriter page [3].
-------- REPORTED BY ---------------------------------------------------------
* Martin Barbella [4]
-------- FIXED BY ------------------------------------------------------------
* Agileware [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact [6].
[1] http://drupal.org/node/702978
[2] http://drupal.org/node/702976
[3] http://drupal.org/project/signwriter
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/89106
[6] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-014
* Project: Node Export (third-party module)
* Version: 5.x, 6.x
* Date: 2010-February-3
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION ---------------------------------------------------------
The Node Export module allows users to export and import nodes. Node Export
does not warn administrators that users with the "access administration
pages" permission together with the "import nodes" permission can execute
arbitrary PHP statements during the import operation.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Node Export for Drupal 5.x prior to 5.x-2.3
* Node Export for Drupal 6.x prior to 6.x-2.19
Drupal core is not affected. If you do not use the Node Export module, there
is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Node Export for Drupal 5.x upgrade to Node Export 5.x-2.3 [1]
* If you use Node Export for Drupal 6.x upgrade to Node Export 6.x-2.19 [2]
Since the "import nodes" permission has been renamed, you will need to grant
the permission to import nodes to authorized users again. See also the Node
Export page [3].
-------- REPORTED BY ---------------------------------------------------------
* mr.baileys [4] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* danielb [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/703246
[2] http://drupal.org/node/703244
[3] http://drupal.org/project/node_export
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/134005
* Advisory ID: DRUPAL-SA-CONTRIB-2010-013
* Project: Menu Breadcrumb (third-party module)
* Version: 6.x
* Date: 2010-February-03
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Menu Breadcrumb module uses the menu the current page belongs to as the
breadcrumb. The module does not properly sanitize parts of the block it
provides, leading to a cross-site scripting (XSS [1]) vulnerability. Such an
attack may lead to a malicious user gaining full administrative access.
Mitigating factors: A user must have a role with the "administer blocks"
permission to exploit this vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Menu Breadcrumb for Drupal 6.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Menu
Breadcrumb module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Menu Breadcrumb for Drupal 6.x upgrade to Menu Breadcrumb
6.x-1.3 [2]
See also the Menu Breadcrumb project page [3].
-------- REPORTED BY ---------------------------------------------------------
* mr.baileys [4]
-------- FIXED BY ------------------------------------------------------------
* Chris Burgess [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/703010
[3] http://drupal.org/project/menu_breadcrumb
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/76026
* Advisory ID: DRUPAL-SA-CONTRIB-2010-012
* Project: ODF Import (third-party module)
* Version: 6.x-1.0
* Date: 2010-February-3
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The ODF Import module enables users of a Drupal site to import content
created in the ODF format (e.g. using OpenOffice.org). When importing
content, it always used an input format that might not be available to the
user importing the content, leading to a cross-site scripting (XSS [1])
vulnerability. Such an attack may lead to a malicious user gaining full
administrative access.
Mitigating factors: this only impacts sites which also use the ODF Import
module, where users have the "import odf" permission.
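How an import routine should decide the input format of the content it creates, as an added example for Drupal 6 and not the ODF Import module's code: the vulnerable shape applies a configured format unconditionally, the hardened shape checks filter_access() for the importing user and falls back to the site default. The variable name odfimport_format, the node type and the function names are constructed; $imported_html is assumed to be the HTML produced from the ODF file.

```php
<?php
// Added example for Drupal 6; not ODF Import module code. The variable
// name odfimport_format and the node type 'page' are constructed;
// $imported_html is assumed to be the HTML produced from the ODF file.

/**
 * Builds the node object shared by both variants.
 */
function odfimport_prepare_node($imported_html, $title) {
  global $user;
  $node = new stdClass();
  $node->type = 'page';
  $node->uid = $user->uid;
  $node->title = $title;
  $node->body = $imported_html;
  $node->status = 1;
  return $node;
}

/**
 * Import in the shape the advisory describes: the input format is fixed
 * by configuration and applied regardless of who is importing. A user
 * whose roles are limited to Filtered HTML gets the configured format,
 * typically Full HTML, and with it the ability to post unfiltered markup.
 */
function odfimport_save_vulnerable($imported_html, $title) {
  $node = odfimport_prepare_node($imported_html, $title);
  $node->format = variable_get('odfimport_format', FILTER_FORMAT_DEFAULT);
  node_save($node);
  return $node;
}

/**
 * Hardened import: filter_access() answers whether the current user may
 * use the configured format. When they may not, the site default format,
 * which every role can use, is applied instead. filter_resolve_format()
 * turns FILTER_FORMAT_DEFAULT into the concrete format id.
 */
function odfimport_save_fixed($imported_html, $title) {
  $node = odfimport_prepare_node($imported_html, $title);
  $format = variable_get('odfimport_format', FILTER_FORMAT_DEFAULT);
  if (!filter_access($format)) {
    watchdog('odfimport', 'Format %format not available to the importing user; using the default.',
      array('%format' => $format), WATCHDOG_NOTICE);
    $format = FILTER_FORMAT_DEFAULT;
  }
  $node->format = filter_resolve_format($format);
  node_save($node);
  return $node;
}
```

The underlying rule is the one Drupal's own node form follows: an input format is a per-role privilege, and any code path that creates or edits a body on a user's behalf must make the same filter_access() decision the form would have made.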
-------- VERSIONS AFFECTED ---------------------------------------------------
* ODF Import for Drupal 6.x prior to 6.x-1.0
Drupal core is not affected. If you do not use the contributed ODF Import
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use ODF Import for Drupal 6.x upgrade to ODF Import 6.x-1.1 [2]
See also the ODF Import project page [3].
-------- REPORTED BY ---------------------------------------------------------
* Frederic G. Marand [4]
-------- FIXED BY ------------------------------------------------------------
* Vivek Khurana [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/702470
[3] http://drupal.org/project/odfimport
[4] http://drupal.org/user/27985
[5] http://drupal.org/user/407445