* Advisory ID: DRUPAL-SA-CONTRIB-2010-061
* Project: AddonChat (third-party module)
* Version: 6.x-1.x
* Date: 2010-May-26
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Multiple (Privilege Escalation, Cross-site scripting)
-------- DESCRIPTION
---------------------------------------------------------
The AddonChat module provides Drupal integration with the AddonChat Java chat
room.
Due to unsafe handling of the global $user object, failed authentication at
the custom addonchat_auth.php script will log in an attacker as the chosen
user.
Additionally, several configuration variables are not escaped correctly,
leading to a cross-site scripting vulnerability. Users with "access
administration pages" permission could add arbitrary HTML and JavaScript to
pages.
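The bug class the description refers to, as an added illustration written against the Drupal 6 API; this is not the module's addonchat_auth.php, and the example_ function names are hypothetical. It assumes the script bootstraps Drupal fully, so the session handler persists whatever the global $user holds when the request ends.

```php
<?php
// Added illustration, not the AddonChat module's own addonchat_auth.php.
// Drupal 6 API. A stand-alone auth script assigns the global $user before
// the password check. Drupal 6's session handler writes $user->uid into
// the sessions table at shutdown, so the browser that sent the failed
// request can end up holding that user's session.
// Names with the prefix example_ are hypothetical.

/**
 * Vulnerable shape: the account is loaded straight into the global $user,
 * and a failed password check only changes the printed result; the global
 * stays switched for the rest of the request.
 */
function example_chat_auth_unsafe($name, $pass) {
  global $user;
  $user = user_load(array('name' => $name, 'status' => 1));
  if ($user && $user->pass == md5($pass)) {   // Drupal 6 stores MD5 hashes
    return 'OK';
  }
  // Too late: the session is bound to $user->uid when the request ends.
  return 'FAIL';
}

/**
 * Hardened shape: verify the credentials into a local variable and never
 * touch the global. user_load() hashes the 'pass' key itself, so a wrong
 * password simply returns FALSE and the caller's session is left as it was.
 */
function example_chat_auth_safe($name, $pass) {
  $account = user_load(array('name' => $name, 'pass' => trim($pass), 'status' => 1));
  if (!$account) {
    // Log the failure so repeated attempts are visible in the watchdog table.
    watchdog('example_chat', 'Chat login failed for %name.', array('%name' => $name), WATCHDOG_WARNING);
    return 'FAIL';
  }
  return 'OK';
}
```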
-------- VERSIONS AFFECTED
---------------------------------------------------
* AddonChat module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed AddonChat [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the AddonChat module for Drupal 6.x upgrade to AddonChat
6.x-1.2 [2]
-------- REPORTED BY
---------------------------------------------------------
* Jonathan Hedstrom [3]
* Dylan Tack [4] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jonathan Hedstrom [5] and Chris Duerr [6], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [7].
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/addonchat
[2] http://drupal.org/node/810260
[3] http://drupal.org/user/208732
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/208732
[6] http://drupal.org/user/602324
[7] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-060
* Project: Scheduler (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-26
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Scheduler allows nodes to be published and unpublished on specified dates.
Scheduler does not sanitize titles for unpublished nodes on the scheduled
nodes overview list, leading to a Cross Site Scripting (XSS [1])
vulnerability that may lead to a malicious user gaining full administrative
access. The risk is mitigated by the fact that an attacker must succeed in a)
creating a node that is b) scheduled (requires "schedule (un)publishing of
nodes" permission) and c) unpublished.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Scheduler module for Drupal 5.x versions prior to 5.x-1-19
* Scheduler module for Drupal 6.x versions prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Scheduler [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Scheduler module for Drupal 5.x upgrade to Scheduler
5.x-1-19 [3]
* If you use the Scheduler module for Drupal 6.x upgrade to Scheduler
6.x-1.7 [4]
See also the Scheduler project page [5].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [6] of the Drupal security team
-------- FIXED BY
------------------------------------------------------------
* Eric Schaefer [7], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/scheduler
[3] http://drupal.org/node/809136
[4] http://drupal.org/node/809134
[5] http://drupal.org/project/scheduler
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/20786
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-059
* Project: Panels (third-party module)
* Versions: 6.x
* Date: 2010 May 19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution
The Panels module allows a site administrator to create customized layouts
for multiple uses. The "Mini panels" module, included with panels, was found
to have an arbitrary PHP code execution vulnerability. Users with the 'create
mini panels' permission could execute arbitrary PHP code on the server via
the import functionality. An additional check for the permission 'use PHP for
block visibility' has been added to ensure that the site administrator has
already granted users of the import functionality the permission to execute
PHP.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Versions of Panels for Drupal 6.x prior to 6.x-3.4
Drupal core is not affected. If you do not use the contributed Panels module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Panels for Drupal 6.x upgrade to Panels 6.x-3.4 [1]
-------- REPORTED BY
---------------------------------------------------------
Sam Boyer [2], co-maintainer of the Panels module.
-------- FIXED BY
------------------------------------------------------------
Sam Boyer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/803916
[2] http://drupal.org/user/146719
* Advisory ID: DRUPAL-SA-CONTRIB-2010-058
* Project: Chaos tool suite (third-party module)
* Versions: 6.x
* Date: 2010 May 19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
The Chaos tool suite (ctools) is primarily a set of APIs and tools to improve
the developer experience. This module was found to have multiple
vulnerabilities.
-------- CROSS SITE SCRIPTING (XSS)
------------------------------------------
The module did not properly sanitize node titles under certain circumstances,
resulting in multiple cross-site scripting [1] vulnerabilities which could
lead to a malicious user gaining full administrative access.
-------- CROSS-SITE REQUEST FORGERY
------------------------------------------
The module did not use the form API or tokens to protect certain
administrative actions, allowing an attacker to trick an administrator into
unintentionally enabling or disabling pages (cross-site request forgery [2]).
-------- ARBITRARY PHP CODE EXECUTION
----------------------------------------
Users with the 'administer page manager' permission could execute arbitrary
PHP code on the server via the import functionality. An additional check for
the permission 'use PHP for block visibility' has been added to ensure that
the site administrator has already granted users of the import functionality
the permission to execute PHP.
-------- ACCESS BYPASS
-------------------------------------------------------
Users with 'access content' permission were able to view the titles of
unpublished nodes under certain circumstances.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Versions of "Chaos tool suite" for Drupal 6.x prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed "Chaos tool
suite" module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use "Chaos tool suite" for Drupal 6.x upgrade to Chaos tool suite
6.x-1.4 [3]
-------- REPORTED BY
---------------------------------------------------------
The cross-site scripting issue was reported by Martin Barbella [4]. The
cross-site request forgery, arbitrary PHP code execution, and access bypass
issues were reported by Justin Klein Keane [5].
-------- FIXED BY
------------------------------------------------------------
The cross-site scripting issue was fixed by Earl Miles [6]. The cross-site
request forgery, arbitrary PHP code execution, and access bypass issues were
fixed by Sam Boyer [7].
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/node/803912
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/26979
[7] http://drupal.org/user/146719
* Advisory ID: DRUPAL-SA-CONTRIB-2010-057
* Project: Rotor Banner (third-party module)
* Versions: 6.x-2.x, 5.x-1.x
* Date: 2010-March-27
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Rotor Banner module allows users to upload images which can then be
displayed in a block and rotated through using jQuery. However, when these
images are displayed, the values for the various image attributes (src,
title, alt) are not properly sanitized, leading to a cross site scripting [1]
(XSS) vulnerability. XSS vulnerabilities may expose site administrative
accounts which could lead to a variety of additional compromises. This
vulnerability is mitigated by the fact that an attacker must have the "create
rotor item" or "edit any rotor item" permissions, which should generally only
be granted to trusted roles.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Rotor Banner module for Drupal 5.x versions prior to 5.x-1.8, and for
Drupal 6.x versions prior to 6.x-2.5.
Drupal core is not affected. If you do not use the contributed Rotor Banner
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the Rotor Banner module for Drupal 6.x-2.x upgrade to Rotor
Banner 6.x-2.5
* If you use the Rotor Banner module for Drupal 5.x-1.x upgrade to Rotor
Banner 5.x-1.8
-------- REPORTED BY
---------------------------------------------------------
* Martin Barbella (http://drupal.org/user/633600)
-------- FIXED BY
------------------------------------------------------------
* mrfelton, the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
* Advisory ID: DRUPAL-SA-CONTRIB-2010-056
* Project: User Queue (third-party module)
* Versions: 6.x
* Date: 2010-May-19
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The User Queue module allows you to create multiple queues, add users to
them, and order the users within the queue. The module is vulnerable to
cross-site request forgeries (CSRF [1]) via the URL used to delete users from
the queue. A user with "administer user queues" permission could be
manipulated into requesting this URL and removing any user from the queue.
-------- VERSIONS AFFECTED
---------------------------------------------------
* User Queue module for Drupal 6.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed User Queue
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the User Queue module for Drupal 6.x upgrade to User Queue
6.x-1.1 [2]
See also the User Queue project page [3].
-------- REPORTED BY
---------------------------------------------------------
* George Gongadze [4]
-------- FIXED BY
------------------------------------------------------------
* Matt Johnson [5], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [6].
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/803842
[3] http://drupal.org/project/userqueue
[4] http://drupal.org/user/322910
[5] http://drupal.org/user/169600
[6] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-055
* Project: Simplenews (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Simplenews publishes and sends email newsletters to lists of subscribers,
with both anonymous and authenticated users being able to opt-in to mailing
lists. The user subscription form does not use the correct access permission
resulting in any user with the permission 'subscribe to newsletters' being
able to edit other user subscriptions.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Simplenews module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Simplenews [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Simplenews module for Drupal 6.x upgrade to Simplenews
6.x-1.2 [2]
-------- REPORTED BY
---------------------------------------------------------
* rpk [3]
* Opengl [4]
* Miro Dietiker [5]
-------- FIXED BY
------------------------------------------------------------
* Erik Stielstra [6], module maintainer
* Miro Dietiker [7]
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal [8] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/project/simplenews
[2] http://drupal.org/node/803254
[3] http://drupal.org/user/254717
[4] http://drupal.org/user/474706
[5] http://drupal.org/user/227761
[6] http://drupal.org/user/73854
[7] http://drupal.org/user/227761
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-054
* Project: Storm (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS)
-------- DESCRIPTION
---------------------------------------------------------
The Storm project provides a group of modules for project management and
billing. The module displays data entered by users without sanitising it,
allowing for a cross site scripting [1] (XSS) attack that may lead to a
malicious user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Storm project for Drupal 5.x (all versions). This branch is unsupported
and has not been fixed. It is recommended not to use Storm for Drupal 5.x.
* Storm project for Drupal 6.x versions prior to 6.x-1.33
Drupal core is not affected. If you do not use the contributed Storm module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* If you use the Storm module for Drupal 5.x, uninstall this module
* If you use the Storm module for Drupal 6.x, upgrade to Storm 6.x-1.33 [2]
-------- REPORTED BY
---------------------------------------------------------
Disclosed outside the Drupal Security Team process. [3]
-------- FIXED BY
------------------------------------------------------------
* juliangb [4], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal [5] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://ftp.drupal.org/files/projects/storm-6.x-1.33.tar.gz
[3] http://drupal.org/security-team#report-issue
[4] http://drupal.org/user/719472
[5] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-053
* Project: External Link Page (third-party module)
* Version: 5.x, 6.x
* Date: 2010-March-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The External Link Page provides a content filter that redirects external
links to a customizable page. This page informs the user that they are about
to leave the site and then redirects them. The module does not sanitise data
input in its administration page before displaying it on redirect pages,
allowing for a cross site scripting [1] (XSS) attack that may lead to a
malicious user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* External Link Page prior to 5.x-1.0
* External Link Page prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed External Link
Page module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use External Link Page for Drupal 5.x upgrade to External Link Page
5.x-1.0 [2]
* If you use External Link Page for Drupal 6.x upgrade to External Link Page
6.x-1.2 [3]
-------- REPORTED BY
---------------------------------------------------------
* zzolo [4], the module maintainer
-------- FIXED BY
------------------------------------------------------------
* zzolo [5], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/xxxx
[3] http://drupal.org/node/xxxx
[4] http://drupal.org/user/147331
[5] http://drupal.org/user/147331
* Advisory ID: DRUPAL-SA-CONTRIB-2010-052
* Projects: Multiple third party modules - Privatemsg, Weather Underground,
Tellafriend, Menu Block Split, osCommerce, Download Count, Comment Page,
False Account Detector, User Queue
* Version: 5.x, 6.x
* Date: 2010-05-19
* Security risks: Critical
* Exploitable from: Remote
* Vulnerability: Multiple (Cross-site Request Forgery, Cross-site scripting,
Email header injection, SQL Injection)
-------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS
----------------------------
Private Message [1] versions for the 5.x versions of Drupal
The Privatemsg (also known as Private Message) module enables messages to
be sent internally on a site. The module is vulnerable to cross-site
request forgeries [2] (CSRF) via its message delete form. This would
allow a malicious user to trick an admin into deleting arbitrary message
content by directing them to the URL via a link or image src, etc. or
trick a user into deleting their own messages. *Solution:* Disable the
module or upgrade to the latest 6.x versions of Drupal core and the
Private message module.
Weather Underground [3] 6.x-2.0
The Weather Underground module retrieves and displays weather information
from Weather Underground (http://www.wunderground.com). The block subject
can be configured on the wunderground settings page but is not sanitized
before display, allowing for a cross site scripting [4] (XSS) attack that
may lead to a malicious user gaining full administrative access. This
vulnerability is mitigated by the fact that an attacker must have the
"access administration pages" permission which should generally only be
granted to trusted roles. *Solution:* Disable the module. There is no
safe version of the module to use.
Tellafriend [5] version 6.x-2.10 and 5.x-2.7
The Tellafriend module enables site visitors to send e-mails about the
site to their contacts via a form. The module is vulnerable to email
header injection and could be exploited to send spam. *Solution:* Disable
the module. There is no safe version of the module to use.
Menu Block Split [6] version 6.x-2.1 and 5.x-2.1
The Menu Block Split module enables any menu block to be split into two
different blocks: a first block with the first level menu entries only,
and a second block with any second level and sub level menu entries. The
block subject can be configured on the Menu Block Split settings page,
but is not sanitized before display, allowing for a cross site scripting
[7] (XSS) attack that may lead to a malicious user gaining full
administrative access. *Solution:* Disable the module. There is no safe
version of the module to use.
osCommerce [8] version 6.x-1.0
The osCommerce module provides a front end to the osCommerce application.
The module's 'Title for manufacturers block' configuration field is not
sanitized before display, allowing for a cross site scripting [9] (XSS)
attack that may lead to a malicious user gaining full administrative
access. *Solution:* Disable the module. There is no safe version of the
module to use.
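The output-escaping pattern whose absence is described for the configured block subjects of Weather Underground, Menu Block Split and osCommerce (and AddonChat's configuration variables), the unsanitized node titles in Scheduler and ctools, and the image attributes in Rotor Banner, as one added illustration against the Drupal 6 API. It is not code from any of those modules; the example_ names and the $item fields are hypothetical.

```php
<?php
// Added illustration, not code from any module named in these advisories.
// Drupal 6 API. A block whose subject comes from a settings page and whose
// content lists node titles and a configured image, shown unescaped and
// then escaped at the point of output. Names with example_ are hypothetical.

/**
 * Vulnerable shape: configuration values and titles are concatenated into
 * HTML as-is. variable_get() returns whatever an "access administration
 * pages" user typed into the settings form; $node->title is stored as plain
 * text, so any markup in it is interpreted when printed raw.
 *
 * @param array $nodes   Node objects (e.g. from node_load()) to list.
 * @param object $item   Configured banner item with src, alt and title.
 */
function example_block_view_unsafe(array $nodes, $item) {
  $subject = variable_get('example_block_subject', 'Latest');
  $rows = array();
  foreach ($nodes as $node) {
    $rows[] = '<li>' . $node->title . '</li>';
  }
  $content = '<ul>' . implode('', $rows) . '</ul>';
  // src, alt and title leave their attribute on the first " or > they contain.
  $content .= '<img src="' . $item->src . '" alt="' . $item->alt . '" title="' . $item->title . '" />';
  return array('subject' => $subject, 'content' => $content);
}

/**
 * Hardened shape: escape at output. check_plain() encodes &, <, >, " and '
 * so the value renders as literal text; theme('image') applies check_url()
 * to the path (rejecting script schemes) and check_plain() to alt/title.
 */
function example_block_view_safe(array $nodes, $item) {
  $subject = check_plain(variable_get('example_block_subject', 'Latest'));
  $titles = array();
  foreach ($nodes as $node) {
    // l() runs check_plain() on the link text unless 'html' => TRUE is passed.
    $titles[] = l($node->title, 'node/' . $node->nid);
  }
  $content = theme('item_list', $titles);
  // $getsize = FALSE skips the on-disk size lookup so a remote or missing
  // file still renders; the escaping is the same either way.
  $content .= theme('image', $item->src, $item->alt, $item->title, array(), FALSE);
  return array('subject' => $subject, 'content' => $content);
}

/**
 * Self-check for a simpletest or drush script: constructed input containing
 * markup must come back encoded, never as tags. Returns TRUE when safe.
 */
function example_block_escaping_check() {
  $node = (object) array('nid' => 1, 'title' => 'Report <b>Q2</b>');   // constructed
  $item = (object) array('src' => 'files/banner.png', 'alt' => 'a"b', 'title' => '<i>t</i>');
  $block = example_block_view_safe(array($node), $item);
  return strpos($block['content'], '<b>') === FALSE
      && strpos($block['content'], '&lt;b&gt;') !== FALSE
      && strpos($block['content'], 'a&quot;b') !== FALSE;
}
```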
download_count [10] version 6.x-1.3 and 5.x-1.0
The download_count module increments a download counter each time an
attached file is successfully downloaded. This module is vulnerable to
cross site scripting [11] (XSS) attack that may lead to a malicious user
gaining full administrative access. *Solution:* Disable the module. There
is no safe version of the module to use.
Comment Page [12] version 6.x-1.1 and 5.x-1.1
The Comment Page module displays each comment on its own page, with an
optional thread review that links to other comments in a comment thread.
The module does not properly sanitize some content before outputting it,
exposing multiple cross site scripting [13] (XSS) vulnerabilities and
allowing malicious users with the permission "post comments" to inject
scripts. Additionally, Comment Page incorrectly uses drupal_access_denied
(not stopping the flow after calling this function) and uses a
non-existing permission ("admin comments") as access argument to its
administration page. *Solution:* Disable the module. There is no safe
version of the module to use.
False Account Detector [14] versions for the 5.x and 6.x versions of Drupal
The False Account Detector module helps administrators to find out which
users have more than one account on a Drupal system and can block them
from creating new accounts. The module does not properly sanitize
received cookies, exposing multiple cross site scripting [15] (XSS) and
SQL Injection vulnerabilities and allowing malicious authenticated users
to block other user accounts. *Solution:* Disable the module. There is no
safe version of the module to use.
User Queue [16] version 6.x-1.0
The Userqueue module enables site builders to create a queue (or list) of
users on a site. The module is vulnerable to a CSRF vulnerability which
would allow a malicious user to trick a site builder into deleting a user
from a queue. *Solution:* Disable the module. There is no safe version of
the module to use.
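The protection missing from the delete URLs described for User Queue and Privatemsg, together with the drupal_access_denied() misuse noted for Comment Page, as one added illustration against the Drupal 6 API. It is not code from any of those modules; the example_ names, the router path and the table name are hypothetical.

```php
<?php
// Added illustration, not code from User Queue, Privatemsg or Comment Page.
// Drupal 6 API. A "remove from queue" link carries a per-session token, the
// callback refuses requests without it, and execution stops after
// drupal_access_denied(). Names with example_ are hypothetical.

/**
 * Implementation of hook_menu(). 'administer user queues' is the
 * permission named in the User Queue advisory; %user loads the account.
 */
function example_queue_menu() {
  $items['admin/example-queue/%/remove/%user'] = array(
    'title' => 'Remove user from queue',
    'page callback' => 'example_queue_remove_page',
    'page arguments' => array(2, 4),
    'access arguments' => array('administer user queues'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the removal link. drupal_get_token() binds the value to the
 * current session and to this queue/user pair, so a link forged on another
 * site, or copied from another administrator, does not validate.
 */
function example_queue_remove_link($qid, $uid) {
  $token = drupal_get_token("example-queue-remove-$qid-$uid");
  return l(t('Remove'), "admin/example-queue/$qid/remove/$uid", array('query' => array('token' => $token)));
}

/**
 * Page callback. The vulnerable shape had no token check, and where it did
 * deny access it called drupal_access_denied() without returning, so the
 * DELETE below still ran for the refused request.
 */
function example_queue_remove_page($qid, $account) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, "example-queue-remove-$qid-$account->uid")) {
    // Render the 403 page and stop: without the return, the code below runs.
    drupal_access_denied();
    return;
  }
  db_query("DELETE FROM {example_queue_user} WHERE qid = %d AND uid = %d", $qid, $account->uid);
  watchdog('example_queue', 'Removed %name from queue @qid.', array('%name' => $account->name, '@qid' => $qid));
  drupal_set_message(t('%name was removed from the queue.', array('%name' => $account->name)));
  drupal_goto("admin/example-queue/$qid");
}
```

Drupal's confirm_form() gives the same protection for destructive actions by submitting a form whose token the form API validates automatically, which is the usual fix for a GET-triggered delete.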
Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.
-------- ONGOING MAINTENANCE OF THESE MODULES
--------------------------------
If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [17].
-------- REPORTED BY
---------------------------------------------------------
* Peter Wolanin [18] of the Drupal Security Team
* John Morahan [19] of the Drupal Security Team
* Dylan Tack [20] of the Drupal Security Team
* Kieran Lal [21] of the Drupal Security Team
* Ivo Van Geertruyen [22] of the Drupal Security Team
* Martin Barbella [23]
* Brandon Bergren [24]
* George Gongadze [25]
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal [26] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/privatemsg
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/project/wunderground
[4] http://en.wikipedia.org/wiki/Cross-site_scripting
[5] http://drupal.org/project/tellafriend
[6] http://drupal.org/project/menu_block_split
[7] http://en.wikipedia.org/wiki/Cross-site_scripting
[8] http://drupal.org/project/oscommerce
[9] http://en.wikipedia.org/wiki/Cross-site_scripting
[10] http://drupal.org/project/download_count
[11] http://en.wikipedia.org/wiki/Cross-site_scripting
[12] http://drupal.org/project/comment_page
[13] http://en.wikipedia.org/wiki/Cross-site_scripting
[14] http://drupal.org/project/false_account
[15] http://en.wikipedia.org/wiki/Cross-site_scripting
[16] http://drupal.org/project/userqueue
[17] http://drupal.org/node/251466
[18] http://drupal.org/user/49851
[19] http://drupal.org/user/58170
[20] http://drupal.org/user/96647
[21] http://drupal.org/user/18703
[22] http://drupal.org/user/383424
[23] http://drupal.org/user/633600
[24] http://drupal.org/user/53081
[25] http://drupal.org/user/322910
[26] http://drupal.org/security-team