* Advisory ID: DRUPAL-SA-CONTRIB-2010-051
* Project: Heartbeat (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Heartbeat project contains a suite of modules to display user activity on
a website. These modules do not properly sanitize some of their output,
allowing certain users the ability to insert arbitrary HTML and script code.
Such a cross site scripting (XSS [1]) attack may lead to a malicious user
gaining full administrative access. Depending on how the modules are
configured, this vulnerability may extend to relatively unprivileged users,
such as those with the ability to post comments, user "shouts" or other
content.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Heartbeat for Drupal 6.x versions prior to 6.x-4.9
Drupal core is not affected. If you do not use the contributed Heartbeat [2]
modules, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Heartbeat module for Drupal 6.x, update to Heartbeat
6.x-4.9 [3].
See also the Heartbeat project page [4].
-------- REPORTED BY ---------------------------------------------------------
Some aspects of the vulnerability were reported by Sebastian Szałachowski,
and others were reported by Jochen Stals [5] (Stalski), the module
maintainer.
-------- FIXED BY ------------------------------------------------------------
Jochen Stals [6] (Stalski), the module maintainer, and David Rothstein [7] of
the Drupal Security Team
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/heartbeat
[3] http://drupal.org/node/802508
[4] http://drupal.org/project/heartbeat
[5] http://drupal.org/user/322618
[6] http://drupal.org/user/322618
[7] http://drupal.org/user/124982
* Advisory ID: DRUPAL-SA-CONTRIB-2010-050
* Project: CAPTCHA (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-19
* Security risk: Not Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The CAPTCHA module enables a site administrator to put a CAPTCHA form element
(a simple challenge that is easy for humans, but hard for automated spam
bots) on any form. The CAPTCHA module does not sanitize the CAPTCHA
description that is added as help text to the CAPTCHA form element, allowing
users with permissions to configure the CAPTCHA settings to insert arbitrary
HTML and script code. Such a cross site scripting (XSS [1]) attack may lead
to a malicious user gaining full administrative access. This vulnerability is
mitigated by the attacker needing the "administer CAPTCHA settings"
permission in order to exploit it.
-------- VERSIONS AFFECTED ---------------------------------------------------
* CAPTCHA module for Drupal 5.x versions prior to 5.x-3.3
* CAPTCHA module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed CAPTCHA [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use CAPTCHA module for Drupal 5.x, update to CAPTCHA 5.x-3.3 [3].
* If you use CAPTCHA module for Drupal 6.x, update to CAPTCHA 6.x-2.2 [4].
See also the CAPTCHA project page [5].
-------- REPORTED BY ---------------------------------------------------------
mr.baileys [6]
-------- FIXED BY ------------------------------------------------------------
Stefaan Lippens [7] (soxofaan), the CAPTCHA module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/captcha
[3] http://drupal.org/node/802904
[4] http://drupal.org/node/802896
[5] http://drupal.org/project/captcha
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/41478
* Advisory ID: DRUPAL-SA-CONTRIB-2010-049
* Project: Wordpress Import (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Wordpress Import module provides the ability to import nodes from a
Wordpress WXR export file. The form to import a WXR file does not use the
correct access permission and allows any user to upload arbitrary files and
import data from a remote WXR file.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Wordpress Import for Drupal 6.x versions prior to 6.x-2.1, including all
versions of 6.x-1.x.
Drupal core is not affected. If you do not use the contributed Wordpress
Import [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version and revoke the "import wordpress blog" permission
from untrusted roles.
* If you use Wordpress Import 6.x-2.x or 6.x-1.x, upgrade to Wordpress Import
6.x-2.1 [2]. The Wordpress Import 6.x-1.x branch is no longer maintained.
*Important note*: Only give fully trusted users the "import wordpress blog"
permission. Wordpress Import 6.x-2.1 still allows a user with that permission
to upload arbitrary files.
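The access check the description and solution above refer to is the menu-level permission on the import form. The following is an added Drupal 6 illustration, not code from the Wordpress Import module: it declares the "import wordpress blog" permission the advisory names, gates the form on it, and, as the important note suggests, constrains what the upload may contain. Function names prefixed `example_` and the menu path are hypothetical.

```php
<?php
// Added example (not the Wordpress Import module's code). Hypothetical names:
// example_import_* and the path admin/content/example-import. The permission
// string "import wordpress blog" is the one the advisory cites.

/**
 * Implementation of hook_perm(): declare the permission so it appears on
 * admin/user/permissions and can be granted to fully trusted roles only.
 */
function example_import_perm() {
  return array('import wordpress blog');
}

/**
 * Implementation of hook_menu().
 *
 * The vulnerable pattern is a menu item whose 'access arguments' names a
 * permission most users hold (or 'access callback' => TRUE), so the import
 * form, and the file upload it performs, is reachable by any user.
 */
function example_import_menu() {
  $items['admin/content/example-import'] = array(
    'title' => 'Import WXR file',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_import_form'),
    // The fix: gate the form on the module's own permission. The menu system
    // runs user_access() with this argument before the page callback.
    'access arguments' => array('import wordpress blog'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Form builder: a single file upload element.
 */
function example_import_form() {
  $form['#attributes'] = array('enctype' => 'multipart/form-data');
  $form['wxr'] = array(
    '#type' => 'file',
    '#title' => t('WXR export file'),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Import'));
  return $form;
}

/**
 * Submit handler. Even with the permission in place, the upload itself is
 * constrained: the file_validate_extensions validator rejects anything that
 * is not an XML export, so a user holding the permission cannot place a
 * script file in the files directory through this form.
 */
function example_import_form_submit($form, &$form_state) {
  $validators = array(
    'file_validate_extensions' => array('xml wxr'),
  );
  // FALSE as destination keeps the file in Drupal's temporary directory.
  if ($file = file_save_upload('wxr', $validators, FALSE)) {
    // Parse $file->filepath here; the WXR parser itself is out of scope.
    drupal_set_message(t('Imported @name.', array('@name' => $file->filename)));
    file_delete($file->filepath);
  }
  else {
    drupal_set_message(t('No file was uploaded, or it was not a WXR export.'), 'error');
  }
}
```

The permission check belongs in hook_menu() rather than inside the form builder: a check placed only in the page callback is easy to forget when the form is reused from another path, whereas the menu system enforces 'access arguments' for every request to the registered path.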
-------- REPORTED BY ---------------------------------------------------------
* Jennifer Hodgdon [3].
-------- FIXED BY ------------------------------------------------------------
* Yann Rocq [4], module maintainer.
* lavamind [5], module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [6] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/project/wordpress_import
[2] http://drupal.org/node/802810
[3] http://drupal.org/user/155601
[4] http://drupal.org/user/57294
[5] http://drupal.org/user/564674
[6] http://drupal.org/security-team
* Advisory ID: PSA-2010-001
* Project: Drupal core and contrib
* Versions: 5.x and 6.x and above
* Date: 2010-May-13
* Security risk: None
-------- DESCRIPTION ---------------------------------------------------------
This is a public service announcement regarding Drupal Security Team
policies. In a previous PSA [1] we stated that vulnerabilities in modules
which require the "administer content types" permission to be exploited would
not receive an official security release with a security advisory (SA) and
would be handled publicly much like the way the "administer site
configuration" permission was treated. We now maintain a list of permissions
that are treated similarly at Security advisories process and permissions
policy [2]. That page also clarifies which projects (modules, themes, and
distributions) on drupal.org receive SAs and includes only projects that have
an official release that is identified as "Y.x-Z.0" and not for projects in
beta, alpha, or even release candidate (RC) stage. This means that a security
vulnerability in a 6.x-1.0 or 6.x-2.2 release will receive a SA while a
6.x-1.0-beta10 or 6.x-2.0-RC3 will not receive a SA. A project maintainer may
use the "Security update" term to indicate a release that includes security
improvements even if there is no SA, but they are not required to do so.
Using the "Security update" term will trigger the Update module in Drupal
6.x+ core to alert site maintainers to update their site. The goal with this
policy is to ensure that official security releases with SAs are relevant and
receive appropriate attention, to allow maintainers to readily fix problems
when their project is still in active development, and to permit effective
channels of communication between the maintainers and users of a project.
-------- SOLUTION ------------------------------------------------------------
Only grant the most trusted site administrators the permissions listed on the
Security advisories process and permissions policy [3] page. Be aware that
projects on drupal.org will not receive an SA and security vulnerabilities
will not be kept private until a project reaches an official release
"Y.x-Z.0" status. You are encouraged to use only "Y.x-Z.0" projects for your
sites, and to contribute to or sponsor work on projects you use so that they
can reach an official release.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [4] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/372836
[2] http://drupal.org/security-advisory-policy
[3] http://drupal.org/security-advisory-policy
[4] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-048
* Project: CiviRegister (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-12
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The CiviRegister module replaces the standard Drupal user registration form
with a CiviCRM Profile form configured to create users. Notifications on the
Profile's administrative page include unsanitized data obtained from the URL.
A malicious user could create a special link which would inject arbitrary
HTML into the resulting page if clicked by a Drupal user with the 'administer
CiviCRM' permission. Exploiting this vulnerability could allow a malicious
user to gain the permissions of the targeted user.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of CiviRegister for Drupal 6.x prior to 6.x-1.1
* Versions of CiviRegister for Drupal 5.x.
Drupal core is not affected. If you do not use the contributed CiviRegister
[1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use CiviRegister for Drupal 6.x, upgrade to CiviRegister 6.x-1.1 [2]
or any later version.
* If you use the CiviRegister module for Drupal 5.x, you should uninstall
CiviRegister. CiviRegister and CiviCRM are no longer supported for Drupal
5.x.
-------- REPORTED BY ---------------------------------------------------------
* Matt Chapman, the module maintainer [3]
-------- FIXED BY ------------------------------------------------------------
* Matt Chapman, the module maintainer [4]
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [5].
Read more about the Security Team and Security Advisories at
http://drupal.org/security [6].
[1] http://drupal.org/project/civiregister
[2] http://drupal.org/node/797342
[3] http://drupal.org/user/143172
[4] http://drupal.org/user/143172
[5] http://drupal.org/contact
[6] http://drupal.org/security
* Advisory ID: DRUPAL-SA-CONTRIB-2010-047
* Project: Services (third-party module)
* Version: 6.x
* Date: 2010-May-12
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Services module allows users to expose Drupal functionality to remote
users. Services provides the ability for developers to define access
callbacks in code for exposed services.
When session ID authentication is used without API key authentication, the
module does not properly check access when a service is using the default
access callback. This allows users to access functionality which should have
been controlled by user permissions. The vulnerability does not exist when
session ID authentication is used in combination with API key authentication.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Services module for Drupal 6.x versions prior to 6.x-2.1
Drupal core is not affected. If you do not use the contributed Services [1]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use the Services module for Drupal 6.x, upgrade to Services 6.x-2.1 [2].
-------- REPORTED BY ---------------------------------------------------------
* Edsko de Vries [3]
* Greg Dunlap [4], the module maintainer
-------- FIXED BY ------------------------------------------------------------
* Greg Dunlap [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [6].
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/services
[2] http://drupal.org/node/797264
[3] http://drupal.org/user/527220
[4] http://drupal.org/user/128537
[5] http://drupal.org/user/128537
[6] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-046
* Project: Award (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-12
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Award module allows administrators to identify one or more content types
as "awards" that can be granted to users.
When the title of an award is displayed on a user's profile page it is not
properly sanitized, resulting in a cross site scripting vulnerability.
Attackers must have permission to create Award content to exploit it.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Award module for Drupal 5.x versions prior to 5.x-1.2
* Award module for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Award [1]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use the Award module for Drupal 5.x upgrade to Award 5.x-1.2 [2]
* If you use the Award module for Drupal 6.x upgrade to Award 6.x-1.1 [3]
-------- REPORTED BY ---------------------------------------------------------
* Martin Barbella [4]
-------- FIXED BY ------------------------------------------------------------
* Josh Benner [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [6].
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/award
[2] http://drupal.org/node/795836
[3] http://drupal.org/node/795828
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/150069
[6] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-045
* Project: Auto Assign Role (third-party module)
* Version: 6.x
* Date: 2010-May-12
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Auto Assign Role module serves three primary purposes. The first is to
provide an automatic assignment of roles when a new account is created. The
second is to allow the end user the option of choosing their own role or roles
when they create their account. The third is to provide paths that will
trigger a specific role when an account is created. Auto Assign Role recently
added a node autocomplete that did not properly utilize the Drupal node access
API. This may allow users with the 'administer autoassignrole' permission to
view the content of nodes that they should not have permission to access.
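An autocomplete callback that consults the node access API, as an added Drupal 6 illustration rather than the Auto Assign Role module's own code. The vulnerable pattern queries the {node} table directly; wrapping the query in db_rewrite_sql() lets node access modules restrict the result set to what the current user may view. The function names and the menu path are hypothetical; the permission string is the one the advisory cites.

```php
<?php
// Added example (not the Auto Assign Role module's code). Hypothetical names:
// example_aar_* and the path example-aar/autocomplete. The permission
// 'administer autoassignrole' is the one the advisory cites.

/**
 * Implementation of hook_menu(): register the JSON callback behind the same
 * permission that protects the settings form that uses it.
 */
function example_aar_menu() {
  $items['example-aar/autocomplete'] = array(
    'page callback' => 'example_aar_node_autocomplete',
    'access arguments' => array('administer autoassignrole'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Menu callback: JSON suggestions for a node title fragment.
 *
 * A query such as "SELECT nid, title FROM {node} WHERE title LIKE ..." run
 * as-is returns titles of unpublished and access-restricted nodes to anyone
 * who can reach the path. db_rewrite_sql() gives node access modules
 * (hook_db_rewrite_sql and the node_access grants table) the chance to add
 * their JOIN and WHERE clauses, so only nodes the current user may view are
 * returned; the query must alias {node} as "n" for the default rewrite.
 */
function example_aar_node_autocomplete($string = '') {
  $matches = array();
  if ($string !== '') {
    $sql = db_rewrite_sql("SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 AND LOWER(n.title) LIKE LOWER('%%%s%%') ORDER BY n.title");
    // %% is a literal percent for LIKE; %s is the escaped user string.
    $result = db_query_range($sql, $string, 0, 10);
    while ($node = db_fetch_object($result)) {
      // The key is what the widget places in the text field; the value is
      // rendered as HTML in the dropdown, so it is escaped with check_plain().
      $matches[$node->title . ' [nid:' . $node->nid . ']'] = check_plain($node->title);
    }
  }
  drupal_json($matches);
}
```

Restricting the path with 'access arguments' is necessary but not sufficient: the advisory's point is that an administrator of this module is not necessarily allowed to see every node, so the data returned must also pass through node access, which is what the db_rewrite_sql() wrapper provides.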
-------- VERSIONS AFFECTED ---------------------------------------------------
* Auto Assign Role [1] module for Drupal 6.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Auto Assign
Role module for Drupal 6.x, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version or disable the module. If you use Auto Assign Role
prior to 6.x-1.2, upgrade to Auto Assign Role 6.x-1.2 [2].
-------- REPORTED BY ---------------------------------------------------------
* mr.baileys [3].
-------- FIXED BY ------------------------------------------------------------
* Kevin Bridges [4], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [5].
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/autoassignrole
[2] http://drupal.org/node/795926
[3] http://drupal.org/user/383424
[4]
[5] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-044
* Project: Bibliography (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-12
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Bibliography module enables users to manage and display lists of
scholarly publications. The module does not sanitize some of the
user-supplied data before displaying it, leading to a Cross Site Scripting
(XSS [1]) vulnerability. This is mitigated by the fact that only users with
the 'administer biblio' permission are able to exploit this vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Bibliography module 5.x-1.17 and prior versions
* Bibliography module 6.x-1.9 and prior versions
Drupal core is not affected. If you do not use the contributed Bibliography
[2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Bibliography for Drupal 5.x, upgrade to Bibliography 5.x-1.20 [3]
* If you use Bibliography for Drupal 6.x, upgrade to Bibliography 6.x-1.11 [4]
See also the Bibliography project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Martin Barbella [6]
-------- FIXED BY ------------------------------------------------------------
Ron Jerome [7], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [8].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/biblio
[3] http://drupal.org/node/796498
[4] http://drupal.org/node/796502
[5] http://drupal.org/project/biblio
[6] http://drupal.org/user/633600
[7] http://drupal.org/user/54997
[8] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-043
* Project: Wordfilter (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-12
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Wordfilter module implements an input filter that rewrites content to
remove improper or foul language. Wordfilter does not sanitize the list of
words that are filtered along with their replacements, allowing users with
permissions to manage the list of banned words to insert arbitrary HTML and
script code. Such a cross site scripting [1] (XSS) attack may lead to a
malicious user gaining full administrative access. This vulnerability is
mitigated by the attacker needing the "administer words filtered" permission
in order to exploit it.
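The cross site scripting advisories on this page (Heartbeat, CAPTCHA, CiviRegister, Award, Bibliography and Wordfilter) share one root cause: a string the module did not generate itself (a node title, an administrator-entered description, a filter word list, a value from the URL) is placed into HTML output unchanged. The following added Drupal 6 illustration is not code from any of those modules; it shows the vulnerable pattern beside the three sanitization choices a module has, depending on whether the text is plain, may legitimately carry limited markup, or comes from the request. Function names prefixed `example_` and the `msg` query parameter are hypothetical.

```php
<?php
// Added illustration (not code from any module named in these advisories).
// Hypothetical names: example_* functions and the "msg" query parameter.

/**
 * VULNERABLE pattern: user-controlled strings are concatenated into HTML
 * unchanged, so any markup they contain is rendered by the browser.
 */
function example_award_list_vulnerable($awards) {
  $output = '<ul>';
  foreach ($awards as $award) {
    $output .= '<li>' . $award->title . '</li>';
  }
  return $output . '</ul>';
}

/**
 * HARDENED: values meant as plain text go through check_plain(), which
 * HTML-encodes <, >, &, " and ' so they display as text, not markup.
 * This is the right call for node titles, award names, filter words and
 * their replacements.
 */
function example_award_list($awards) {
  $output = '<ul>';
  foreach ($awards as $award) {
    // Equivalent: t('@title', array('@title' => $award->title)), since t()
    // runs check_plain() on @-placeholders.
    $output .= '<li>' . check_plain($award->title) . '</li>';
  }
  return $output . '</ul>';
}

/**
 * Administrator-supplied text that is allowed to carry some markup (help
 * text such as a CAPTCHA description) goes through filter_xss() with an
 * explicit tag whitelist. The filter keeps the listed tags and removes
 * <script>, on* event attributes and javascript: URLs. Note that the
 * advisories above treat "the attacker needs an admin permission" as a
 * mitigation, not as a reason to skip this step.
 */
function example_captcha_description($description) {
  $allowed = array('a', 'em', 'strong', 'code', 'p', 'br');
  return filter_xss($description, $allowed);
}

/**
 * Values read from the request (the CiviRegister case, where text was taken
 * from the URL) are attacker-controlled by definition: treat them as text.
 * drupal_set_message() does not sanitize its argument, so the caller must.
 */
function example_status_from_url() {
  if (isset($_GET['msg'])) {
    drupal_set_message(check_plain($_GET['msg']));
  }
}
```

The decision a reviewer makes at each output point is only which of the three applies; what never changes is that sanitization happens at output time, where the context (HTML body, attribute, JSON) is known, rather than on the way into the database.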
-------- VERSIONS AFFECTED ---------------------------------------------------
* Wordfilter 5.x prior to 5.x-1.1 [2]
* Wordfilter 6.x prior to 6.x-1.1 [3]
Drupal core is not affected. If you do not use the contributed Wordfilter
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Wordfilter module for Drupal 5.x, update to Wordfilter 5.x-1.1
[4].
* If you use Wordfilter module for Drupal 6.x, update to Wordfilter 6.x-1.1
[5].
See also the Wordfilter project page [6].
-------- REPORTED BY ---------------------------------------------------------
* mr.baileys [7] of the Drupal Security Team [8].
-------- FIXED BY ------------------------------------------------------------
* Jeff Warrington (jaydub) [9], module co-maintainer.
-------- CONTACT -------------------------------------------------------------
The Security Team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [10].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/796620
[3] http://drupal.org/node/796618
[4] http://drupal.org/node/796620
[5] http://drupal.org/node/796618
[6] http://drupal.org/project/wordfilter
[7] http://drupal.org/user/383424
[8] http://drupal.org/security-team
[9] http://drupal.org/user/46257
[10] http://drupal.org/contact