* Advisory ID: DRUPAL-SA-CONTRIB-2010-070
* Projects: Multiple third party modules - Easy Translator, Block Queue,
Multiple Image Upload (Imagex)
* Version: 5.x, 6.x
* Date: 2010-06-23
* Security risks: Critical
* Exploitable from: Remote
* Vulnerability: Multiple (SQL Injection, CSRF, Access bypass)
-------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ----------------------------
Easy Translator [1] for Drupal 6.x
The module is vulnerable to SQL injection. *Solution:* Disable the
module. There is no safe version of the module to use.
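The advisory does not say where Easy Translator's injection is, so the following is an added, generic Drupal 6 illustration rather than the module's own code: the pattern that produces SQL injection in a Drupal 6 module, beside the placeholder form that the Drupal 6 database layer provides. The table, module and function names are hypothetical, and the code assumes it runs inside a bootstrapped Drupal 6 site.

```php
<?php
// Added example, not Easy Translator code. Runs inside a Drupal 6 module;
// the {example_translation} table and the function names are hypothetical.

/**
 * VULNERABLE: request values are interpolated straight into the statement.
 * With $langcode = "fr' OR '1'='1" the WHERE clause matches every row, and
 * with a UNION or a comment sequence it can read or alter other tables.
 */
function example_translation_load_unsafe($nid, $langcode) {
  $sql = "SELECT * FROM {example_translation} WHERE nid = $nid AND language = '$langcode'";
  return db_fetch_object(db_query($sql));
}

/**
 * FIXED: Drupal 6 placeholders. %d is cast to an integer and '%s' is run
 * through db_escape_string() before substitution, so the input can change
 * which rows match but never the structure of the statement.
 */
function example_translation_load($nid, $langcode) {
  $sql = "SELECT * FROM {example_translation} WHERE nid = %d AND language = '%s'";
  return db_fetch_object(db_query($sql, $nid, $langcode));
}

/**
 * Variable-length IN() lists: db_placeholders() emits one %d per value,
 * which is the only safe way to build that clause in Drupal 6.
 */
function example_translation_load_multiple(array $nids) {
  $sql = "SELECT * FROM {example_translation} WHERE nid IN (" . db_placeholders($nids, 'int') . ")";
  $result = db_query($sql, $nids);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[$row->nid][$row->language] = $row;
  }
  return $rows;
}

/**
 * Column and sort names cannot be placeholders, so a value used there is
 * mapped through a whitelist before it reaches the query.
 */
function example_translation_list($sort) {
  $allowed = array('nid' => 'nid', 'language' => 'language', 'changed' => 'changed');
  $column = isset($allowed[$sort]) ? $allowed[$sort] : 'changed';
  return db_query("SELECT nid, language, changed FROM {example_translation} ORDER BY $column DESC");
}
```

The same placeholder rule applies to db_query_range(), pager_query() and queries passed through db_rewrite_sql(); grepping a module for db_query calls whose first argument contains an interpolated `$` is the quickest audit for this class of bug.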
Block Queue [2] for Drupal 6.x
The Block Queue module allows users to create "queues" of blocks, much
as NodeQueue creates queues of nodes. The module is vulnerable to
cross-site request forgery: the request that removes a block from a
queue is a plain GET link with no token, so a non-administrative user can
remove blocks by getting an administrator to follow a link or load an
image that points at that URL. *Solution:* Disable the module. There is no
safe version of the module to use.
Multiple Image Upload (Imagex) [3] for Drupal 5.x and 6.x
The Multiple Image Upload module lets images be uploaded into Drupal by
drag and drop. The module is vulnerable to access bypass.
*Solution:* Disable the module. There is no safe version of the module to
use. All releases of the module were marked unsupported earlier.
Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.
-------- ONGOING MAINTENANCE OF THESE MODULES --------------------------------
If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [4].
-------- REPORTED BY ---------------------------------------------------------
* Easy Translator issue reported by Jakub Suchy [5] of the Drupal Security
Team
* Block Queue issue reported by mr.baileys [6] of the Drupal Security Team
* Multiple Image Upload (Imagex) issue reported by Greg Knaddison [7] of the
Drupal Security Team
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [8] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/vitzo_easy_translator
[2] http://drupal.org/project/blockqueue
[3] http://drupal.org/project/imagex
[4] http://drupal.org/node/251466
[5] http://drupal.org/user/31977
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/36762
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-069
* Project: Case Tracker (third-party module)
* Version: 5.x
* Date: 2010-June-23
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple Vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Case Tracker module enables teams to track outstanding cases which need
resolution by attaching a status, priority and type.
-------- CROSS SITE SCRIPTING (XSS) ------------------------------------------
The module does not sanitize some of the user-supplied data before displaying
it, leading to a cross site scripting (XSS [1]) vulnerability that may lead
to a malicious user gaining full administrative access. This vulnerability is
mitigated by the fact that an attacker must have the "administer casetracker"
permission, which should generally only be granted to trusted roles.
-------- ACCESS BYPASS -------------------------------------------------------
The module provides the "access case tracker" permission, which is used to
restrict access to reports and other functionality the module provides.
It was also used to restrict access to individual project and case nodes,
but only on some code paths, so that restriction was inconsistent and could
not be relied upon. This access check has been removed; users are instead
encouraged to install a content access module to restrict access to these
nodes.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Case Tracker module for Drupal 5.x versions prior to 5.x-1.4
Drupal core is not affected. If you do not use the contributed Case Tracker
[2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Case Tracker module for Drupal 5.x upgrade to Case Tracker
5.x-1.4 [3]
As the "access case tracker" permission no longer controls access to project
and case nodes, users are encouraged to install a content access module to
restrict access to these nodes as necessary. See also the Case Tracker
project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Mariano D'Agostino [5]
* Clemens Tolboom [6]
-------- FIXED BY ------------------------------------------------------------
* Jeff Miccolis [7], module maintainer
* David Rothstein [8] of the Drupal security team
-------- CONTACT -------------------------------------------------------------
The Drupal security team [9] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/casetracker
[3] http://drupal.org/node/835962
[4] http://drupal.org/project/casetracker
[5] http://drupal.org/user/154086
[6] http://drupal.org/user/125814
[7] http://drupal.org/user/31731
[8] http://drupal.org/user/124982
[9] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-068
* Project: Masquerade (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-23
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Masquerade module is designed as a tool for site designers and
administrators, allowing a user with the right permissions to temporarily
masquerade as another user. The module is vulnerable to cross-site request
forgery (CSRF [1]) via the masquerade/switch and masquerade/unswitch paths:
a user with the masquerade permission who follows a crafted link can be
switched to, or back from, another account without having requested it.
-------- VERSIONS AFFECTED ---------------------------------------------------
* The unsupported Masquerade module for Drupal 5.x versions
* Masquerade module for Drupal 6.x versions prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Masquerade [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the unsupported Masquerade module for Drupal 5.x, either
disable the module or upgrade to the latest 6.x versions of Drupal core
and the Masquerade module.
* If you use the Masquerade module for Drupal 6.x upgrade to Masquerade
6.x-1.4 [3]
See also the Masquerade project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Ivo Van Geertruyen (mr.baileys [5]) of the Drupal security team
* Peter Wolanin (pwolanin [6]) of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Andrew Berry (deviantintegral [7]), module co-maintainer
* Allen Freeman (afreeman [8])
* Ivo Van Geertruyen (mr.baileys [9]) of the Drupal security team
-------- CONTACT -------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/project/masquerade
[3] http://drupal.org/node/835692
[4] http://drupal.org/project/Masquerade
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/49851
[7] http://drupal.org/user/71291
[8] http://drupal.org/user/450370
[9] http://drupal.org/user/383424
[10] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-067
* Project: Views (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Views module provides a flexible method for Drupal site designers to
control how lists and tables of content are presented.
-------- CROSS SITE REQUEST FORGERY (CSRF) -----------------------------------
The Views UI module, which is included with Views, enables and disables
Views when a particular page is requested (e.g.
admin/build/views/disable/frontpage). No protection such as a form token
is in place to prevent forged requests to these pages, so the feature is
vulnerable to cross-site request forgery (CSRF [1]): an attacker who gets
an administrator to follow a link or load an image can enable or disable
any View on the site. Mitigating factor: if the Views UI module is
disabled, the site is not affected by this vulnerability. This issue
affects Views for Drupal 5 and Drupal 6.
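The Block Queue, Masquerade and Views UI issues above share one cause: a state-changing action is reachable through a plain GET link, so any page the victim loads can trigger it. The following is an added illustration, not code from any of those modules, of the two Drupal 6 remedies: binding the link to a token from drupal_get_token() and checking it in the callback, or routing the action through a confirm_form() whose POST is protected by the Form API's own token. It assumes a bootstrapped Drupal 6 site; the example paths, permission and table are hypothetical.

```php
<?php
// Added example, not Block Queue, Masquerade or Views UI code. Runs inside
// a Drupal 6 module; paths, the 'administer example' permission and the
// {example_item} table are hypothetical.

/**
 * VULNERABLE: a GET request to example/disable/123 disables item 123.
 * Any page an administrator visits can trigger it with
 *   <img src="http://site/example/disable/123">
 * because the browser sends the admin's session cookie along with it.
 */
function example_disable_unsafe($id) {
  example_set_status($id, 0);
  drupal_set_message(t('Item %id disabled.', array('%id' => $id)));
  drupal_goto('admin/example');
}

/**
 * FIXED (1): the link carries a token bound to the session and to this
 * exact action; the callback refuses the request unless it validates.
 * An attacker cannot know the token, so a forged link is rejected.
 */
function example_disable_link($id) {
  return l(t('Disable'), "example/disable/$id", array(
    'query' => 'token=' . drupal_get_token("example-disable-$id"),
  ));
}

function example_disable($id) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], "example-disable-$id")) {
    return drupal_access_denied();
  }
  example_set_status($id, 0);
  drupal_set_message(t('Item %id disabled.', array('%id' => $id)));
  drupal_goto('admin/example');
}

/**
 * FIXED (2): route the action through a confirmation form. The Form API
 * adds a form_token for authenticated users and rejects any submission
 * without a matching one, so the change only happens on a POST of a form
 * the site itself rendered.
 */
function example_disable_confirm(&$form_state, $id) {
  $form['id'] = array('#type' => 'value', '#value' => $id);
  return confirm_form($form, t('Disable item %id?', array('%id' => $id)),
    'admin/example', NULL, t('Disable'));
}

function example_disable_confirm_submit($form, &$form_state) {
  example_set_status($form_state['values']['id'], 0);
  $form_state['redirect'] = 'admin/example';
}

function example_menu() {
  $items['example/disable/%'] = array(
    'page callback' => 'example_disable',
    'page arguments' => array(2),
    'access arguments' => array('administer example'),
    'type' => MENU_CALLBACK,
  );
  $items['example/disable-confirm/%'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_disable_confirm', 2),
    'access arguments' => array('administer example'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_set_status($id, $status) {
  db_query("UPDATE {example_item} SET status = %d WHERE id = %d", $status, $id);
}
```

The permission check in hook_menu() does not help here: the forged request is made by a browser that already holds a valid administrator session, so only the token, which the attacker's page cannot read, distinguishes a request the administrator meant from one they were tricked into.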
-------- CROSS SITE SCRIPTING (XSS) ------------------------------------------
Under certain circumstances, Views could display URLs or aggregator feed
titles without escaping, resulting in a Cross Site Scripting (XSS [2])
vulnerability. An attacker could exploit this to gain full administrative
access. This issue affects Views for Drupal 6 only.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Views module for Drupal 5.x versions prior to 5.x-1.8
* Views module for Drupal 6.x versions prior to 6.x-2.11
Drupal core is not affected. If you do not use the contributed Views [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Views module for Drupal 5.x upgrade to Views 5.x-1.8 [4]
* If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.11 [5]
See also the Views project page [6].
-------- REPORTED BY ---------------------------------------------------------
* The Cross Site Request Forgery (CSRF) vulnerability was reported by Martin
Barbella (mbarbella [7]).
* The Cross Site Scripting (XSS) vulnerabilities were reported by Earl Miles
(merlinofchaos [8]), module maintainer and Daniel Wehner (dereine [9]),
module co-maintainer
-------- FIXED BY ------------------------------------------------------------
* Earl Miles (merlinofchaos [10]), module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [11] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/views
[4] http://drupal.org/node/829848
[5] http://drupal.org/node/829846
[6] http://drupal.org/project/views
[7] http://drupal.org/user/633600
[8] http://drupal.org/user/26979
[9] http://drupal.org/user/99340
[10] http://drupal.org/user/26979
[11] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-066
* Project: FileField (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
FileField module integrates with the Content Construction Kit to provide a
file upload field. It also integrates with the Views and Token modules. The
module does not sanitize some of the user-supplied data before displaying it
(Drupal 6.x-3.x only) or before adding it to tokens (both 5.x-2.x and
6.x-3.x), leading to a cross-site scripting (XSS [1]) vulnerability that may
allow a malicious user to gain full administrative access. This
vulnerability is mitigated by the fact that the attacker must be able to
create or edit content with a FileField, and the site administrator must have
configured a vulnerable display format ('Path to File' or 'URL to File') or
be using a token containing the filename, filepath or description.
-------- VERSIONS AFFECTED ---------------------------------------------------
* FileField module for Drupal 5.x versions prior to 5.x-2.5
* FileField module for Drupal 6.x versions prior to 6.x-3.4
Drupal core is not affected. If you do not use the contributed FileField [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the FileField module for Drupal 5.x upgrade to FileField
5.x-2.5 [3]
* If you use the FileField module for Drupal 6.x upgrade to FileField
6.x-3.4 [4]
See also the FileField project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Justin Klein Keane [6]
* Peter Wolanin [7] of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Peter Wolanin [8] of the Drupal security team
* Justin Klein Keane [9]
* Nathan Haug [10], the module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [11] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/filefield
[3] http://drupal.org/node/829790
[4] http://drupal.org/node/829754
[5] http://drupal.org/project/filefield
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/49851
[8] http://drupal.org/user/49851
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/35821
[11] http://drupal.org/security-team
* Advisory ID: PSA-2010-002
* Project: Views (third-party module)
* Versions: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Not critical
-------- DESCRIPTION ---------------------------------------------------------
This is a public service announcement regarding the "administer views"
permission provided by the Views module. The Views module provides a flexible
method for Drupal site designers to control how lists and tables of content
are presented. The module grants considerable power to users with "administer
views" permission, with much of a site's behaviour being configurable via the
views administration pages. The permission "administer views" is therefore
comparable in scope to the "administer site configuration" permission. Only
grant this permission to trusted site administrators.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Views module for Drupal 5.x
* Views module for Drupal 6.x
Drupal core is not affected. If you do not use the contributed Views module,
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Only grant trusted site administrators the "administer views" permission.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
* Advisory ID: DRUPAL-SA-CONTRIB-2010-065
* Project: Content Construction Kit (CCK) (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
The Content Construction Kit (CCK) project is a set of modules that allows
you to add custom fields to nodes using a web browser. The CCK "Node
Reference" module can be configured to display referenced nodes as hidden,
title, teaser or full view. Node access was not checked when displaying
these, so a user who could view the referring node could also see the
title, teaser or body of a referenced node that node access rules would
otherwise hide from them. In addition, Node Reference provides a backend
URL that the "autocomplete" widget queries asynchronously to find nodes the
user can reference. This backend did not check that the user had
field-level access to the source field, so direct requests to the backend
URL returned node titles and IDs the user could not otherwise see. Note
that as Drupal 5 CCK has no field access control functionality, this second
issue applies only to the Drupal 6 version.
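Both defects described above are missing authorisation checks at the point where data leaves the module. The following is an added illustration of where those checks belong in a Drupal 6 CCK-style module; it is not CCK's or Node Reference's own code. It assumes a bootstrapped Drupal 6 site with CCK 6.x-2.x installed (for content_fields() and content_access()); the field, path and function names are hypothetical.

```php
<?php
// Added example, not CCK or Node Reference code. Runs inside a Drupal 6
// module alongside CCK 6.x-2.x; field, path and function names are
// hypothetical.

/**
 * VULNERABLE formatter: renders the referenced node without asking whether
 * the current user may view it, so a reference to a node hidden by node
 * access grants leaks its title or teaser to anyone who can see the
 * referring node.
 */
function theme_example_noderef_unsafe($element) {
  $node = node_load($element['#item']['nid']);
  return $node ? node_view($node, TRUE) : '';
}

/**
 * FIXED: node_access() evaluates hook_access() and the node_access grants
 * table for the current user before anything is rendered. Hidden nodes
 * simply produce no output.
 */
function theme_example_noderef($element) {
  $node = node_load($element['#item']['nid']);
  if (!$node || !node_access('view', $node)) {
    return '';
  }
  return node_view($node, TRUE);
}

/**
 * Autocomplete backend, with the two checks the advisory says were missing:
 *  1. the menu access callback requires field-level edit access to the
 *     field the widget belongs to, so the path is not an open node finder;
 *  2. the SELECT is passed through db_rewrite_sql(), which lets node access
 *     modules add their grant conditions, so only nodes the user may view
 *     are ever returned.
 */
function example_noderef_autocomplete($field_name, $string = '') {
  $matches = array();
  if ($string !== '') {
    $sql = db_rewrite_sql("SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 AND LOWER(n.title) LIKE LOWER('%%%s%%')");
    $result = db_query_range($sql, $string, 0, 10);
    while ($row = db_fetch_object($result)) {
      // The key is what the widget writes back; the value is displayed, so
      // it is escaped.
      $matches[$row->title . ' [nid:' . $row->nid . ']'] = check_plain($row->title);
    }
  }
  drupal_json($matches);
}

function example_noderef_autocomplete_access($field_name) {
  $field = content_fields($field_name);
  return user_access('access content') && $field && content_access('edit', $field);
}

function example_menu() {
  $items['example/noderef/autocomplete/%'] = array(
    'page callback' => 'example_noderef_autocomplete',
    'page arguments' => array(3),
    'access callback' => 'example_noderef_autocomplete_access',
    'access arguments' => array(3),
    'type' => MENU_CALLBACK,
  );
  return $items;
}
```

Drupal 6 appends any path components beyond the registered pattern as extra arguments, which is how the typed prefix reaches $string. A quick check on a site with a node access module enabled is to request the autocomplete path as a user who should not see a private node and confirm its title is absent from the JSON.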
-------- VERSIONS AFFECTED ---------------------------------------------------
* Content Construction Kit (CCK) module for Drupal 5.x versions prior to
5.x-1.11
* Content Construction Kit (CCK) module for Drupal 6.x versions prior to
6.x-2.7
Drupal core is not affected. If you do not use the contributed Content
Construction Kit (CCK) [1] module together with a node or field access
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Content Construction Kit (CCK) module for Drupal 5.x
upgrade to Content Construction Kit (CCK) 5.x-1.11 [2]
* If you use the Content Construction Kit (CCK) module for Drupal 6.x
upgrade to Content Construction Kit (CCK) 6.x-2.7 [3]
See also the Content Construction Kit (CCK) project page [4].
-------- REPORTED BY ---------------------------------------------------------
* recrit [5]
* Marc Ferran (markus_petrux) [6], module co-maintainer
-------- FIXED BY ------------------------------------------------------------
* Yves Chedemois (yched) [7], module co-maintainer
* Marc Ferran (markus_petrux) [8], module co-maintainer
* Karen Stevenson (KarenS) [9], module co-maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/cck
[2] http://drupal.org/node/828986
[3] http://drupal.org/node/828988
[4] http://drupal.org/project/cck
[5] http://drupal.org/user/452914
[6] http://drupal.org/user/39593
[7] http://drupal.org/user/39567
[8] http://drupal.org/user/39593
[9] http://drupal.org/user/45874
[10] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-064
* Project: Ubercart MIGS Payment Gateway (third-party module)
* Versions: 6.x
* Date: 2010-Jun-16
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Web Parameter Tampering
The Ubercart MIGS Payment Gateway module provides support for the MIGS
third-party payment gateway used by ANZ, Commonwealth Bank, Bendigo Bank and
various other banks worldwide for payment processing. The module was
susceptible to web parameter tampering [1]: a customer could alter the
amount sent to the gateway and pay less than the full amount due at
checkout. The amount actually paid was recorded correctly against the
order, but certain site configurations might allow purchases to be
delivered despite incomplete payment. This has been resolved in the latest
release, which also incorporates other features to match bank requirements.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Ubercart MIGS Payment Gateway for Drupal 6.x prior to uc_migs-6.x-1.2.
Drupal core is not affected. If you do not use the contributed Ubercart MIGS
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use uc_migs for Drupal 6.x upgrade to uc_migs-6.x-1.2 [2].
See also the Ubercart MIGS Gateway project page [3].
-------- REPORTED BY ---------------------------------------------------------
Chris Burgess [4], the uc_migs maintainer.
-------- FIXED BY ------------------------------------------------------------
Chris Burgess
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://www.owasp.org/index.php/Web_Parameter_Tampering
[2] http://drupal.org/node/828614
[3] http://drupal.org/project/uc_migs
[4] http://drupal.org/user/76026
* Advisory ID: DRUPAL-SA-CONTRIB-2010-063
* Project: Studio theme pack (third-party theme)
* Version: 6.x
* Date: 2010-June-16
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Studio theme pack is a set of themes intended as a base for creating new
themes. The Canvas theme, which is part of the Studio theme pack and is the
base theme for the Workspace and Paint themes in the same pack, does not
sanitize some of the user-supplied data before displaying it, leading to a
cross-site scripting (XSS [1]) vulnerability that may allow a malicious user
to gain full administrative access.
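The XSS issues in Case Tracker, Views, FileField and the Studio themes all come down to printing a user-supplied value without escaping it for the context it lands in. The following is an added illustration of the Drupal 6 rule, not code from any of those projects: a theme function that prints a file item raw, beside the version that escapes every user-originated value with the function for its context, and a token hook that exposes escaped and raw variants the way core does. It assumes a bootstrapped Drupal 6 site; the item array, function and token names are hypothetical.

```php
<?php
// Added example, not Case Tracker, Views, FileField or Studio code. Runs
// inside a Drupal 6 module or theme; the $item array and the names are
// hypothetical.

/**
 * VULNERABLE theme function: filename, description and path are stored
 * exactly as the uploading user typed them and are printed raw. A
 * description of  <script>...</script>  runs in every visitor's browser,
 * including an administrator's, which is how XSS becomes account takeover.
 */
function theme_example_file_unsafe($item) {
  $url = file_create_url($item['filepath']);
  return '<a href="' . $url . '">' . $item['filename'] . '</a> ' . $item['description'];
}

/**
 * FIXED: each user-originated value goes through the escaping function for
 * the context in which it is printed.
 *  - check_plain()  text content and attribute values (HTML entity escaping)
 *  - check_url()    href/src attributes (also strips javascript: and other
 *                   dangerous schemes)
 *  - l()            builds the anchor itself, applying check_url() to the
 *                   href and check_plain() to the link text
 *  - filter_xss()   only for a field that is meant to carry limited HTML
 */
function theme_example_file($item) {
  $url = file_create_url($item['filepath']);
  $output = l($item['filename'], $url);
  if (!empty($item['description'])) {
    $output .= ' ' . check_plain($item['description']);
  }
  return $output;
}

/**
 * Token replacement: a token's value may end up in HTML, a mail subject or
 * a path, so expose an escaped variant by default and a clearly named raw
 * variant, as core does for [title] and [title-raw]. Token consumers that
 * build HTML then stay safe unless they deliberately pick the -raw form.
 */
function example_token_values($type, $object = NULL) {
  $values = array();
  if ($type == 'example_file' && is_array($object)) {
    $values['filename']        = check_plain($object['filename']);
    $values['filename-raw']    = $object['filename'];
    $values['description']     = check_plain($object['description']);
    $values['description-raw'] = $object['description'];
    $values['filepath']        = check_url(file_create_url($object['filepath']));
  }
  return $values;
}

/**
 * The same rule in a theme's .tpl.php: print the preprocessed variables
 * that the theme layer has already sanitized (for example $title in
 * node.tpl.php), and escape at print time anything taken directly from an
 * object:
 *
 *   <h2><?php print check_plain($node->title); ?></h2>
 *   <p><?php print check_plain($node->example_subtitle); ?></p>
 */
```

A useful test fixture is a node whose file description and title are `"><img src=x onerror=alert(1)>`; view it as an administrator with every display format and token in use and confirm the payload is rendered as text everywhere.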
-------- VERSIONS AFFECTED ---------------------------------------------------
* Studio theme pack Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Studio theme
pack [2] theme, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Studio theme pack theme for Drupal 6.x upgrade to Studio
theme pack 6.x-1.2 [3]
See also the Studio theme pack project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Pelle Wessman
-------- FIXED BY ------------------------------------------------------------
* Al Steffen (Zarabadoo [5]), theme maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/studio
[3] http://drupal.org/node/829292
[4] http://drupal.org/project/studio
[5] http://drupal.org/user/103935
[6] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-062
* Project: Ogone | Ubercart payment (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
Ogone | Ubercart payment is a payment module for Ubercart that integrates
the Ogone PSP gateway as a checkout method for Ubercart. The module does not
always correctly verify the order status returned by the Ogone gateway,
so an order the gateway reported as declined or unpaid could still be
processed as paid.
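The MIGS and Ogone advisories above describe the two halves of the same mistake in a hosted-gateway integration: the response that comes back through the customer's browser was trusted for the amount (MIGS) or for the payment status (Ogone). The following is an added illustration, not uc_migs or uc_ogone code, of the checks a gateway return handler needs before an order is marked paid. It is plain PHP (5.6 or later, for hash_equals()) and runs without Drupal; the field names, the HMAC signing scheme and the sample order and responses are constructed for the example and differ from what any real gateway uses.

```php
<?php
// Added example, not uc_migs or uc_ogone code. Plain PHP, no Drupal needed.
// Field names, signature scheme and sample data are constructed for
// illustration; a real integration follows the gateway's own signing rules.

/**
 * VULNERABLE: trusts the amount and status the browser posted back. The
 * customer's browser carries the response from the gateway to the shop, so
 * every field is attacker-controlled unless it is covered by the gateway's
 * signature and compared with the shop's own record of the order.
 */
function example_settle_unsafe(array $response, array $order) {
  if ($response['status'] === 'SUCCESS') {
    $order['amount_paid'] = (float) $response['amount'];
    $order['state'] = 'payment_received';
  }
  return $order;
}

/**
 * FIXED: the order becomes 'payment_received' only when
 *  1. the signature over the response fields verifies with the merchant
 *     secret (constant-time comparison),
 *  2. the response refers to this order,
 *  3. the gateway itself reports success,
 *  4. amount and currency equal what the shop computed for the order.
 * A genuine but short payment is recorded against the order yet leaves it
 * pending, which is the behaviour the MIGS advisory says sites relied on.
 */
function example_settle(array $response, array $order, $secret) {
  $signed_fields = array('order_id', 'status', 'amount', 'currency', 'txn_id');
  $parts = array();
  foreach ($signed_fields as $f) {
    $parts[] = $f . '=' . (isset($response[$f]) ? $response[$f] : '');
  }
  $expected = hash_hmac('sha256', implode('&', $parts), $secret);
  $given = isset($response['signature']) ? $response['signature'] : '';
  if (!hash_equals($expected, $given)) {
    $order['log'][] = 'signature mismatch; response ignored';
    return $order;
  }
  if ((string) $response['order_id'] !== (string) $order['id']) {
    $order['log'][] = 'order id mismatch; response ignored';
    return $order;
  }
  if ($response['status'] !== 'SUCCESS') {
    $order['log'][] = 'gateway reported ' . $response['status'] . '; order left pending';
    return $order;
  }
  // Compare in minor units to avoid floating-point rounding surprises.
  $paid = (int) round($response['amount'] * 100);
  $due  = (int) round($order['total'] * 100);
  $order['amount_paid'] = $paid / 100;
  if ($response['currency'] !== $order['currency'] || $paid !== $due) {
    $order['log'][] = sprintf('paid %s %.2f of %s %.2f; order left pending',
      $response['currency'], $paid / 100, $order['currency'], $due / 100);
    return $order;
  }
  $order['state'] = 'payment_received';
  $order['log'][] = 'payment verified, transaction ' . $response['txn_id'];
  return $order;
}

// Constructed sample data. Order for 149.95 AUD, then three responses:
// (a) tampered: the customer edited the amount to 1.00 after the gateway
//     signed it, so the signature no longer matches;
// (b) genuine but short: correctly signed payment of 1.00;
// (c) genuine and complete.
$secret = 'merchant-secret-for-illustration';
$order = array('id' => '1001', 'total' => 149.95, 'currency' => 'AUD',
               'state' => 'pending', 'log' => array());
$base = array('order_id' => '1001', 'status' => 'SUCCESS', 'currency' => 'AUD', 'txn_id' => 'T42');

$tampered = $base + array('amount' => '1.00');
$tampered['signature'] = hash_hmac('sha256', 'order_id=1001&status=SUCCESS&amount=149.95&currency=AUD&txn_id=T42', $secret);

$short = $base + array('amount' => '1.00');
$short['signature'] = hash_hmac('sha256', 'order_id=1001&status=SUCCESS&amount=1.00&currency=AUD&txn_id=T42', $secret);

$full = $base + array('amount' => '149.95');
$full['signature'] = hash_hmac('sha256', 'order_id=1001&status=SUCCESS&amount=149.95&currency=AUD&txn_id=T42', $secret);

foreach (array('tampered' => $tampered, 'short' => $short, 'full' => $full) as $label => $response) {
  $settled = example_settle($response, $order, $secret);
  printf("%-8s state=%s log=%s\n", $label, $settled['state'], end($settled['log']));
}
```

Only the third response moves the order to payment_received; the tampered one is discarded on the signature check, and the short one records 1.00 against the order but leaves it pending. Where a gateway offers a server-to-server notification or a query API in addition to the browser redirect, the same checks should run on that channel and the browser response should be treated as a hint only.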
-------- VERSIONS AFFECTED ---------------------------------------------------
* Ogone | Ubercart payment module for Drupal 5.x versions prior to 5.x-1.6
* Ogone | Ubercart payment module for Drupal 6.x versions prior to 6.x-1.5
Drupal core is not affected. If you do not use the contributed Ogone |
Ubercart payment [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Ogone | Ubercart payment module for Drupal 5.x upgrade to
Ogone | Ubercart payment 5.x-1.6 [2]
* If you use the Ogone | Ubercart payment module for Drupal 6.x upgrade to
Ogone | Ubercart payment 6.x-1.5 [3]
See also the Ogone | Ubercart payment project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Arjean [5]
-------- FIXED BY ------------------------------------------------------------
* Kees Kodde (kees@qrios [6]), module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [7] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/uc_ogone
[2] http://drupal.org/node/828320
[3] http://drupal.org/node/828318
[4] http://drupal.org/project/uc_ogone
[5] http://drupal.org/user/331955
[6] http://drupal.org/user/48715
[7] http://drupal.org/security-team