* Advisory ID: DRUPAL-SA-CONTRIB-2010-038
* Project: Privatemsg (third-party module)
* Version: 6.x
* Date: 2010-April-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
The Privatemsg module allows to send private messages between users.
Additionally, the sub module Privatemsg Email Notification sends e-mail
notification when such a message is sent. The page to configure the template
for these e-mails does not use the correct access permission which allows all
users with the read privatemsg permission to access and alter the settings on
that page.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Privatemsg for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Privatemsg [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use Privatemsg for Drupal 6.x upgrade to Privatemsg 6.x-1.2 [2]
-------- REPORTED BY
---------------------------------------------------------
* Lee Rowlands [3], module maintainer
-------- FIXED BY
------------------------------------------------------------
* Lee Rowlands [4], module maintainer.
* Sascha Grossebacher [5], module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/privatemsg
[2] http://drupal.org/node/784598
[3] http://drupal.org/user/395439
[4] http://drupal.org/user/395439
[5] http://drupal.org/user/214652
* Advisory ID: DRUPAL-SA-CONTRIB-2010-037
* Project: Decisions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-April-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
Decisions is a replacement for poll.module and provides advanced voting
systems and decision-making tools. It aims to enable groups to take decisions
online in a manner that replicates and augments what is possible in
face-to-face meeting. In some listings, the Decisions module does not
construct its SQL query to respect node access restrictions, thus users can
see listings of nodes which should not be accessible to them.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Decisions for Drupal 5.x versions prior to 5.x-1.2
* Decisions for Drupal 6.x versions prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Decisions [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use Decisions for Drupal 5.x upgrade to Decisions 5.x-1.2 [2]
* If you use Decisions for Drupal 6.x upgrade to Decisions 6.x-1.7 [3]
-------- REPORTED BY
---------------------------------------------------------
* Kirill Stealth [4]
-------- FIXED BY
------------------------------------------------------------
* Antoine Beaupré [5], module maintainer.
* Ezra Barnett Gildesgame [6], module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/decisions
[2] http://drupal.org/node/784444
[3] http://drupal.org/node/783766
[4] http://drupal.org/user/205226
[5] http://drupal.org/user/1274
[6] http://drupal.org/user/69959
* Advisory ID: DRUPAL-SA-CONTRIB-2010-036
* Project: Views (third-party module)
* Version: 5.x, 6.x
* Date: 2010-April-7
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS), arbitrary code execution
-------- DESCRIPTION
---------------------------------------------------------
The Views module provides a flexible method for Drupal site designers to
control how lists of content are presented. Views accepts parameters in the
URL and uses them in an AJAX callback. The values were not filtered, thus
allowing injection of JavaScript code via the AJAX response. A user tricked
into visiting a crafted URL could be exposed to arbitrary script or HTML
injected into the page. In addition, the Views module does not properly
sanitize file descriptions when displaying them in a view, thus the the file
desciptions may be used to inject arbitrary script or HTML. Such cross site
scripting [1] (XSS) attacks may lead to a malicious user gaining full
administrative access. These vulnerabilities affect only the Drupal 6
version. The file description vulnerability is mitigated by the fact that the
attacker must have permission to upload files. In both the Drupal 5 and
Drupal 6 versions, users with permission to 'administer views' can execute
arbitrary PHP code using the views import feature. An additional check for
the permission 'use PHP for block visibility' has been added to insure that
the site administrator has already granted users of the import functionality
the permission to execute PHP.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Versions of Views for Drupal 6.x prior to 6.x-2.9
* Versions of Views for Drupal 5.x prior to 5.x-1.7
Note - the 6.x-3.x branch alpha releases are affected also. If you do not use
the contributed Views module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Views for Drupal 6.x upgrade to Views 6.x-2.9 [2] or any later
version.
* If you use Views for Drupal 6.x upgrade to Views 5.x-1.7 [3] or any later
version.
Also see the Views [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* XSS via AJAX parameters reported by Angel Lozano Alcazar of S21Sec
* XSS via file descriptions reported by Martin Barbella [5]
* PHP execution reported by Derek Wright (dww [6]) of the Drupal Security
Team [7]
-------- FIXED BY
------------------------------------------------------------
* Earl Miles (merlinofchaos [8]) Views project maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/765088
[3] http://drupal.org/node/765090
[4] http://drupal.org/project/views
[5] http://drupal.org/user/633600
[6] http://drupal.org/user/46549
[7] http://drupal.org/security-team
[8] http://drupal.org/user/26979
* Advisory ID: DRUPAL-SA-CONTRIB-2010-035
* Project: Smileys (third-party module)
* Versions: 5.x
* Date: 2010-April-07
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Smileys module provides a text filter that substitutes emoticons with
images. The module is vulnerable to cross-site request forgeries (CSRF [1])
via the URL used to delete smileys. A user with "administer smileys"
permission could be tricked into visiting the smiley delete URL and
unwittingly remove smileys from the site.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Smileys module for Drupal 5.x version prior to 5.x-1.2 [2].
*Note that Smileys version 6.x-1.0-alpha5 and earlier versions for Drupal 6.x
are also affected. However, the security team does not provide support for
alpha releases.* Drupal core is not affected. If you do not use the
contributed Smileys module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the Smileys module for Drupal 5.x-1.x upgrade to Smileys
5.x-1.2 [3]
See also the Smileys project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Andrey Tretyakov [5]
-------- FIXED BY
------------------------------------------------------------
* Gurpartap Singh [6], the module maintainer
* mr.baileys [7] of the Drupal security team.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [8].
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/764826
[3] http://drupal.org/node/764826
[4] http://drupal.org/project/smileys
[5] http://drupal.org/user/169459
[6] http://drupal.org/user/41470
[7] http://drupal.org/user/383424
[8] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-034
* Project: Internationalization (third-party module)
* Version: 6.x
* Date: 2010-April-7
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Internationalization module enables translation of user defined strings
using Drupal's locale interface. Some of these user defined strings have
Input formats associated with them and some of the strings used for
translating blocks were not properly filtered before display. Additionally
all strings translated using this module were not checked for potential
malicious HTML and script code as regular Drupal string translations are.
Both issues would allow a user with the 'translate interface' or the
'administer blocks' permissions to attempt a cross site scripting (XSS)
attack which may lead to the user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Internationalization 6.x prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed
Internationalization module, there is nothing you need to do. Also if you are
not using Internationalization's 'String translation' (i18nstrings) module
you don't need to update.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Internationalization module for Drupal 6.x, update to
Internationalization 6.x-1.4 [1] and run the Drupal database update.
See also the Internationalization project page [2]
-------- REPORTED BY
---------------------------------------------------------
* Antonio Ospite [3]
-------- FIXED BY
------------------------------------------------------------
* Jose Reyero [4], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The Security Team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [5].
[1] http://drupal.org/node/764906
[2] http://drupal.org/project/i18n
[3] http://drupal.org/user/234884
[4] http://drupal.org/user/4299
[5] http://drupal.org/contact