Security-news April 2010

security-news@drupal.org

1 participants
5 discussions

SA-CONTRIB-2010-038 - Privatemsg - Access bypass
by security-news＠drupal.org 28 Apr '10

28 Apr '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-038 * Project: Privatemsg (third-party module) * Version: 6.x * Date: 2010-April-28 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The Privatemsg module allows to send private messages between users. Additionally, the sub module Privatemsg Email Notification sends e-mail notification when such a message is sent. The page to configure the template for these e-mails does not use the correct access permission which allows all users with the read privatemsg permission to access and alter the settings on that page. -------- VERSIONS AFFECTED --------------------------------------------------- * Privatemsg for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Privatemsg [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use Privatemsg for Drupal 6.x upgrade to Privatemsg 6.x-1.2 [2] -------- REPORTED BY --------------------------------------------------------- * Lee Rowlands [3], module maintainer -------- FIXED BY ------------------------------------------------------------ * Lee Rowlands [4], module maintainer. * Sascha Grossebacher [5], module maintainer. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/privatemsg [2] http://drupal.org/node/784598 [3] http://drupal.org/user/395439 [4] http://drupal.org/user/395439 [5] http://drupal.org/user/214652

1 0

SA-CONTRIB-2010-037 - Decisions - Access bypass
by security-news＠drupal.org 28 Apr '10

28 Apr '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-037 * Project: Decisions (third-party module) * Version: 5.x, 6.x * Date: 2010-April-28 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- Decisions is a replacement for poll.module and provides advanced voting systems and decision-making tools. It aims to enable groups to take decisions online in a manner that replicates and augments what is possible in face-to-face meeting. In some listings, the Decisions module does not construct its SQL query to respect node access restrictions, thus users can see listings of nodes which should not be accessible to them. -------- VERSIONS AFFECTED --------------------------------------------------- * Decisions for Drupal 5.x versions prior to 5.x-1.2 * Decisions for Drupal 6.x versions prior to 6.x-1.7 Drupal core is not affected. If you do not use the contributed Decisions [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use Decisions for Drupal 5.x upgrade to Decisions 5.x-1.2 [2] * If you use Decisions for Drupal 6.x upgrade to Decisions 6.x-1.7 [3] -------- REPORTED BY --------------------------------------------------------- * Kirill Stealth [4] -------- FIXED BY ------------------------------------------------------------ * Antoine Beaupré [5], module maintainer. * Ezra Barnett Gildesgame [6], module maintainer. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/decisions [2] http://drupal.org/node/784444 [3] http://drupal.org/node/783766 [4] http://drupal.org/user/205226 [5] http://drupal.org/user/1274 [6] http://drupal.org/user/69959

1 0

SA-CONTRIB-2010-036 - Views - multiple vulnerabilities
by security-news＠drupal.org 08 Apr '10

08 Apr '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-036 * Project: Views (third-party module) * Version: 5.x, 6.x * Date: 2010-April-7 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting (XSS), arbitrary code execution -------- DESCRIPTION --------------------------------------------------------- The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. Views accepts parameters in the URL and uses them in an AJAX callback. The values were not filtered, thus allowing injection of JavaScript code via the AJAX response. A user tricked into visiting a crafted URL could be exposed to arbitrary script or HTML injected into the page. In addition, the Views module does not properly sanitize file descriptions when displaying them in a view, thus the the file desciptions may be used to inject arbitrary script or HTML. Such cross site scripting [1] (XSS) attacks may lead to a malicious user gaining full administrative access. These vulnerabilities affect only the Drupal 6 version. The file description vulnerability is mitigated by the fact that the attacker must have permission to upload files. In both the Drupal 5 and Drupal 6 versions, users with permission to 'administer views' can execute arbitrary PHP code using the views import feature. An additional check for the permission 'use PHP for block visibility' has been added to insure that the site administrator has already granted users of the import functionality the permission to execute PHP. -------- VERSIONS AFFECTED --------------------------------------------------- * Versions of Views for Drupal 6.x prior to 6.x-2.9 * Versions of Views for Drupal 5.x prior to 5.x-1.7 Note - the 6.x-3.x branch alpha releases are affected also. If you do not use the contributed Views module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Views for Drupal 6.x upgrade to Views 6.x-2.9 [2] or any later version. * If you use Views for Drupal 6.x upgrade to Views 5.x-1.7 [3] or any later version. Also see the Views [4] project page. -------- REPORTED BY --------------------------------------------------------- * XSS via AJAX parameters reported by Angel Lozano Alcazar of S21Sec * XSS via file descriptions reported by Martin Barbella [5] * PHP execution reported by Derek Wright (dww [6]) of the Drupal Security Team [7] -------- FIXED BY ------------------------------------------------------------ * Earl Miles (merlinofchaos [8]) Views project maintainer. -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/765088 [3] http://drupal.org/node/765090 [4] http://drupal.org/project/views [5] http://drupal.org/user/633600 [6] http://drupal.org/user/46549 [7] http://drupal.org/security-team [8] http://drupal.org/user/26979

1 0

SA-CONTRIB-2010-035: Smileys - Cross Site Request Forgery
by security-news＠drupal.org 07 Apr '10

07 Apr '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-035 * Project: Smileys (third-party module) * Versions: 5.x * Date: 2010-April-07 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Cross-site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Smileys module provides a text filter that substitutes emoticons with images. The module is vulnerable to cross-site request forgeries (CSRF [1]) via the URL used to delete smileys. A user with "administer smileys" permission could be tricked into visiting the smiley delete URL and unwittingly remove smileys from the site. -------- VERSIONS AFFECTED --------------------------------------------------- * Smileys module for Drupal 5.x version prior to 5.x-1.2 [2]. *Note that Smileys version 6.x-1.0-alpha5 and earlier versions for Drupal 6.x are also affected. However, the security team does not provide support for alpha releases.* Drupal core is not affected. If you do not use the contributed Smileys module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use the Smileys module for Drupal 5.x-1.x upgrade to Smileys 5.x-1.2 [3] See also the Smileys project page [4]. -------- REPORTED BY --------------------------------------------------------- * Andrey Tretyakov [5] -------- FIXED BY ------------------------------------------------------------ * Gurpartap Singh [6], the module maintainer * mr.baileys [7] of the Drupal security team. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [8]. [1] http://en.wikipedia.org/wiki/Csrf [2] http://drupal.org/node/764826 [3] http://drupal.org/node/764826 [4] http://drupal.org/project/smileys [5] http://drupal.org/user/169459 [6] http://drupal.org/user/41470 [7] http://drupal.org/user/383424 [8] http://drupal.org/contact

1 0

SA-CONTRIB-2010-034 - Internationalization - Cross Site Scripting
by security-news＠drupal.org 07 Apr '10

07 Apr '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-034 * Project: Internationalization (third-party module) * Version: 6.x * Date: 2010-April-7 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Internationalization module enables translation of user defined strings using Drupal's locale interface. Some of these user defined strings have Input formats associated with them and some of the strings used for translating blocks were not properly filtered before display. Additionally all strings translated using this module were not checked for potential malicious HTML and script code as regular Drupal string translations are. Both issues would allow a user with the 'translate interface' or the 'administer blocks' permissions to attempt a cross site scripting (XSS) attack which may lead to the user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Internationalization 6.x prior to 6.x-1.4 Drupal core is not affected. If you do not use the contributed Internationalization module, there is nothing you need to do. Also if you are not using Internationalization's 'String translation' (i18nstrings) module you don't need to update. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Internationalization module for Drupal 6.x, update to Internationalization 6.x-1.4 [1] and run the Drupal database update. See also the Internationalization project page [2] -------- REPORTED BY --------------------------------------------------------- * Antonio Ospite [3] -------- FIXED BY ------------------------------------------------------------ * Jose Reyero [4], the module maintainer. -------- CONTACT ------------------------------------------------------------- The Security Team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [5]. [1] http://drupal.org/node/764906 [2] http://drupal.org/project/i18n [3] http://drupal.org/user/234884 [4] http://drupal.org/user/4299 [5] http://drupal.org/contact

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news April 2010