June 2010 - Security-news - lists.drupal.org

SA-CONTRIB-2010-070 - Multiple vulnerabilities in multiple contributed modules
by security-news＠drupal.org 23 Jun '10

23 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-070 * Projects: Multiple third party modules - Easy Translator, Block Queue, Multiple Image Upload (Imagex) * Version: 5.x, 6.x * Date: 2010-06-23 * Security risks: Critical * Exploitable from: Remote * Vulnerability: Multiple (SQL Injection, CSRF, Access bypass) -------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ---------------------------- Easy Translator [1] for Drupal 6.x The module is vulnerable to SQL injections. *Solution:* Disable the module. There is no safe version of the module to use. Block Queue [2] for Drupal 6.x The Block Queue module allows users to create "queues" of blocks much like NodeQueue allows to create queues for nodes. The module is vulnerable to Cross-Site Request Forgeries as it allows a non-admin user to trick an admin into removing blocks from queues by directing him/her to a url via a link or image. *Solution:* Disable the module. There is no safe version of the module to use. Multiple Image Upload (Imagex) [3] for Drupal 5.x and 6.x The Multiple Image Upload module enables images to be "drag 'n' dropped" uploaded into Drupal. The module is vulnerable to access bypass. *Solution:* Disable the module. There is no safe version of the module to use. All releases of the module were marked unsupported earlier. Drupal core is not affected. If you do not use any of the module releases above there is nothing you need to do. -------- ONGOING MAINTENANCE OF THESE MODULES -------------------------------- If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process [4]. -------- REPORTED BY --------------------------------------------------------- * Easy Translator issue reported by Jakub Suchy [5] of the Drupal Security Team * Blockqueue issue reported by mr.baileys [6] of the Drupal Security Team * Multiple Image Upload (Imagex) issue reported by Greg Knaddison [7] of the Drupal Security Team -------- CONTACT ------------------------------------------------------------- The security team for Drupal [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact. Read more about the Security Team and Security Advisories at http://drupal.org/security. [1] http://drupal.org/project/vitzo_easy_translator [2] http://drupal.org/project/blockqueue [3] http://drupal.org/project/imagex [4] http://drupal.org/node/251466 [5] http://drupal.org/user/31977 [6] http://drupal.org/user/383424 [7] http://drupal.org/user/36762 [8] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-069 - Case Tracker - Multiple Vulnerabilities
by security-news＠drupal.org 23 Jun '10

23 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-069 * Project: Case Tracker (third-party module) * Version: 5.x * Date: 2010-June-23 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Multiple Vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The Case Tracker module enables teams to track outstanding cases which need resolution by attaching a status, priority and type. -------- CROSS SITE SCRIPTING (XSS) ------------------------------------------ The module does not sanitize some of the user-supplied data before displaying it, leading to a cross site scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that an attacker must have the "administer casetracker" permission, which should generally only be granted to trusted roles. -------- ACCESS BYPASS ------------------------------------------------------- The module provides the "access case tracker" permission which is used to restrict access to reports and other functionality provided. However it was also used to restrict access to individual project and case nodes but only in some instances. This access check has been removed and instead users are encouraged to install a content access module to restrict access to these nodes. -------- VERSIONS AFFECTED --------------------------------------------------- * Case Tracker module for Drupal 5.x versions prior to 5.x-1.4 Drupal core is not affected. If you do not use the contributed Case Tracker [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Case Tracker module for Drupal 5.x upgrade to Case Tracker 5.x-1.4 [3] As the "access case tracker" permission no longer controls access to project and case nodes, users are encouraged to install a content access module to restrict access to these nodes as necessary. See also the Case Tracker project page [4]. -------- REPORTED BY --------------------------------------------------------- * Mariano D'Agostino [5] * Clemens Tolboom [6] -------- FIXED BY ------------------------------------------------------------ * Jeff Miccolis [7], module maintainer * David Rothstein [8] of the Drupal security team -------- CONTACT ------------------------------------------------------------- The Drupal security team [9] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/casetracker [3] http://drupal.org/node/835962 [4] http://drupal.org/project/casetracker [5] http://drupal.org/user/154086 [6] http://drupal.org/user/125814 [7] http://drupal.org/user/31731 [8] http://drupal.org/user/124982 [9] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-068 - Masquerade - Cross Site Request Forgery
by security-news＠drupal.org 23 Jun '10

23 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-068 * Project: Masquerade (third-party module) * Version: 5.x, 6.x * Date: 2010-June-23 * Security risk: Not critical * Exploitable from: Remote * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The masquerade module is designed as a tool for site designers and administrators, allowing a user with the right permissions to temporarily masquerade as another user. The module is vulnerable to Cross Site Request Forgeries (CSRF [1]) via the masquerade/switch and masquerade/unswitch paths. -------- VERSIONS AFFECTED --------------------------------------------------- * The unsupported Masquerade module for Drupal 5.x versions * Masquerade module for Drupal 6.x versions prior to 6.x-1.4 Drupal core is not affected. If you do not use the contributed Masquerade [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the unsupported Masquerade module for Drupal 5.x, either disable the module or upgrade to the latest 6.x versions of Drupal core and the Masquerade module. * If you use the Masquerade module for Drupal 6.x upgrade to Masquerade 6.x-1.4 [3] See also the Masquerade project page [4]. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen (mr.baileys [5]) of the Drupal security team * Peter Wolanin (pwolanin [6]) of the Drupal security team -------- FIXED BY ------------------------------------------------------------ * Andrew Berry (deviantintegral [7]), module co-maintainer * Allen Freeman (afreeman [8]) * Ivo Van Geertruyen (mr.baileys [9]) of the Drupal security team -------- CONTACT ------------------------------------------------------------- The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Csrf [2] http://drupal.org/project/masquerade [3] http://drupal.org/node/835692 [4] http://drupal.org/project/Masquerade [5] http://drupal.org/user/383424 [6] http://drupal.org/user/49851 [7] http://drupal.org/user/71291 [8] http://drupal.org/user/450370 [9] http://drupal.org/user/383424 [10] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-067 - Views - Multiple vulnerabilities
by security-news＠drupal.org 17 Jun '10

17 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-067 * Project: Views (third-party module) * Version: 5.x, 6.x * Date: 2010-June-16 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. -------- CROSS SITE REQUEST FORGERY (CSRF) ----------------------------------- The Views UI module, which is included with Views, can be used to enable/disable Views by following a link to a particular page (e.g. admin/build/views/disable/frontpage). As no protections, such as form tokens, are in place to prevent forged requests to these pages, the feature is vulnerable to a Cross Site Request Forgery (CSRF [1]) that would allow an attacker to enable/disable all Views on a site. Mitigating factors: If Views UI module is disabled Views will no longer be affected by this vulnerability. This issue affects Views for Drupal 5 and Drupal 6. -------- CROSS SITE SCRIPTING (XSS) ------------------------------------------ Under certain circumstances, Views could display URLs or aggregator feed titles without escaping, resulting in a Cross Site Scripting (XSS [2]) vulnerability. An attacker could exploit this to gain full administrative access. This issue affects Views for Drupal 6 only. -------- VERSIONS AFFECTED --------------------------------------------------- * Views module for Drupal 5.x versions prior to 5.x-1.8 * Views module for Drupal 6.x versions prior to 6.x-2.11 Drupal core is not affected. If you do not use the contributed Views [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Views module for Drupal 5.x upgrade to Views 5.x-1.8 [4] * If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.11 [5] See also the Views project page [6]. -------- REPORTED BY --------------------------------------------------------- * The Cross Site Request Forgery (CSRF) vulnerability was reported by Martin Barbella (mbarbella [7]). * The Cross Site Scripting (XSS) vulnerabilities were reported by Earl Miles (merlinofchaos [8]), module maintainer and Daniel Wehner (dereine [9]), module co-maintainer -------- FIXED BY ------------------------------------------------------------ * Earl Miles (merlinofchaos [10]), module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [11] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Csrf [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://drupal.org/project/views [4] http://drupal.org/node/829848 [5] http://drupal.org/node/829846 [6] http://drupal.org/project/views [7] http://drupal.org/user/633600 [8] http://drupal.org/user/26979 [9] http://drupal.org/user/99340 [10] http://drupal.org/user/26979 [11] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-066 - FileField - Cross Site Scripting
by security-news＠drupal.org 17 Jun '10

17 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-066 * Project: FileField (third-party module) * Version: 5.x, 6.x * Date: 2010-June-16 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- FileField module integrates with the Content Construction Kit to provide a file upload field. It also integrates with the Views and Token modules. The module does not sanitize some of the user-supplied data before displaying it (for Drupal 6.x-3.x only), or before adding it to tokens (both 5.x-2.x and 6.x-3.x), leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must be able to create or edit content with a FileField, and the site administrator must have configured a vulnerable display format ('Path to File' or 'URL to File') or be using token containing the filename, filepath, or description. -------- VERSIONS AFFECTED --------------------------------------------------- * FileField module for Drupal 5.x versions prior to 5.x-2.5 * FileField module for Drupal 6.x versions prior to 6.x-3.4 Drupal core is not affected. If you do not use the contributed FileField [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the FileField module for Drupal 5.x upgrade to FileField 5.x-2.5 [3] * If you use the FileField module for Drupal 6.x upgrade to FileField 6.x-3.4 [4] See also the FileField project page [5]. -------- REPORTED BY --------------------------------------------------------- * Justin Klein Keane [6] * Peter Wolanin [7] of the Drupal security team -------- FIXED BY ------------------------------------------------------------ * Peter Wolanin [8] of the Drupal security team * Justin Klein Keane [9] * Nathan Haug [10], the module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [11] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/filefield [3] http://drupal.org/node/829790 [4] http://drupal.org/node/829754 [5] http://drupal.org/project/filefield [6] http://drupal.org/user/302225 [7] http://drupal.org/user/49851 [8] http://drupal.org/user/49851 [9] http://drupal.org/user/302225 [10] http://drupal.org/user/35821 [11] http://drupal.org/security-team

1 0

PSA-2010-002 - Views - Administer views permission
by security-news＠drupal.org 17 Jun '10

17 Jun '10

* Advisory ID: PSA-2010-002 * Project: Views (third-party module) * Versions: 5.x, 6.x * Date: 2010-June-16 * Security risk: Not critical -------- DESCRIPTION --------------------------------------------------------- This is a public service announcement regarding the "administer views" permission provided by the Views module. The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. The module grants considerable power to users with "administer views" permission, with much of a site's behaviour being configurable via the views administration pages. The permission "administer views" is therefore comparable in scope to the "administer site configuration" permission. Only grant this permission to trusted site administrators. -------- VERSIONS AFFECTED --------------------------------------------------- * Views module for Drupal 5.x * Views module for Drupal 6.x Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Only grant trusted site administrators the "administer views" permission. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

1 0

SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass
by security-news＠drupal.org 16 Jun '10

16 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-065 * Project: Content Construction Kit (CCK) (third-party module) * Version: 5.x, 6.x * Date: 2010-June-16 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module can be configured to display referenced nodes as hidden, title, teaser or full view. Node access was not checked when displaying these which could expose view access on controlled nodes to unprivileged users. In addition, Node Reference provides a backend URL that is used for asynchronous requests by the "autocomplete" widget to locate nodes the user can reference. This was not checking that the user had field level access to the source field, allowing direct queries to the backend URL to return node titles and IDs which the user would otherwise be unable to access. Note that as Drupal 5 CCK does not have any field access control functionality, this issue only applies to the Drupal 6 version. -------- VERSIONS AFFECTED --------------------------------------------------- * Content Construction Kit (CCK) module for Drupal 5.x versions prior to 5.x-1.11 * Content Construction Kit (CCK) module for Drupal 6.x versions prior to 6.x-2.7 Drupal core is not affected. If you do not use the contributed Content Construction Kit (CCK) [1] module, together with any node or field access module there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Content Construction Kit (CCK) module for Drupal 5.x upgrade to Content Construction Kit (CCK) 5.x-1.11 [2] * If you use the Content Construction Kit (CCK) module for Drupal 6.x upgrade to Content Construction Kit (CCK) 6.x-2.7 [3] See also the Content Construction Kit (CCK) project page [4]. -------- REPORTED BY --------------------------------------------------------- * recrit [5] * Marc Ferran (markus_petrux) [6], module co-maintainer -------- FIXED BY ------------------------------------------------------------ * Yves Chedemois (yched) [7], module co-maintainer * Marc Ferran (markus_petrux) [8], module co-maintainer * Karen Stevenson (KarenS) [9], module co-maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/cck [2] http://drupal.org/node/828986 [3] http://drupal.org/node/828988 [4] http://drupal.org/project/cck [5] http://drupal.org/user/452914 [6] http://drupal.org/user/39593 [7] http://drupal.org/user/39567 [8] http://drupal.org/user/39593 [9] http://drupal.org/user/45874 [10] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-064 - Ubercart MIGS Payment Gateway - Web Parameter Tampering
by security-news＠drupal.org 16 Jun '10

16 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-064 * Project: Ubercart MIGS Payment Gateway (third-party module) * Versions: 6.x * Date: 2010-Jun-16 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Web Parameter Tampering The Ubercart MIGS Payment Gateway module provides support for the MIGS 3rd-party payment gateway used by ANZ, Commonwealth Bank, Bendigo Bank, and various other banks worldwide for payment processing. This module was susceptible to web parameter tampering [1] which allowed users to bypass paying the full amount due on checkout. The amount paid was correctly recorded against the order, but certain site configurations might allow purchases to be delivered despite incomplete payment. This has been resolved in the latest release, which also incorporates other features to match bank requirements. -------- VERSIONS AFFECTED --------------------------------------------------- * Ubercart MIGS Payment Gateway for Drupal 6.x prior to uc_migs-6.x-1.2. Drupal core is not affected. If you do not use the contributed Ubercart MIGS module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use uc_migs for Drupal 6.x upgrade to uc_migs-6.x-1.2 [2]. See also the Ubercart MIGS Gateway project page [3]. -------- REPORTED BY --------------------------------------------------------- Chris Burgess [4], the uc_migs maintainer. -------- FIXED BY ------------------------------------------------------------ Chris Burgess -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://www.owasp.org/index.php/Web_Parameter_Tampering [2] http://drupal.org/node/828614 [3] http://drupal.org/project/uc_migs [4] http://drupal.org/user/76026

1 0

SA-CONTRIB-2010-063 - Studio theme pack - Cross Site Scripting
by security-news＠drupal.org 16 Jun '10

16 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-063 * Project: Studio theme pack (third-party theme) * Version: 6.x * Date: 2010-June-16 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Studio theme pack is a set of themes for use as a base in creating a new theme. The Canvas-theme, part of Studio theme pack and used as base theme for the Workspace and Paint themes, also included in Studio theme pack, does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Studio theme pack Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Studio theme pack [2] theme, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Studio theme pack theme for Drupal 6.x upgrade to Studio theme pack 6.x-1.2 [3] See also the Studio theme pack project page [4]. -------- REPORTED BY --------------------------------------------------------- * Pelle Wessman -------- FIXED BY ------------------------------------------------------------ * Al Steffen (Zarabadoo [5]), theme maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [6] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/studio [3] http://drupal.org/node/829292 [4] http://drupal.org/project/studio [5] http://drupal.org/user/103935 [6] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-062 - Ogone | Ubercart payment - Access Bypass
by security-news＠drupal.org 16 Jun '10

16 Jun '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-062 * Project: Ogone | Ubercart payment (third-party module) * Version: 5.x, 6.x * Date: 2010-June-16 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- Ogone | Ubercart payment is a payment module for Ubercart that integrates Ogone PSP gateway as a checkout method for Ubercart. The module does not always correctly verify the order status returned by the Ogone gateway, potentially allowing unpaid orders to be processed. -------- VERSIONS AFFECTED --------------------------------------------------- * Ogone | Ubercart payment module for Drupal 5.x versions prior to 5.x-1.6 * Ogone | Ubercart payment module for Drupal 6.x versions prior to 6.x-1.5 Drupal core is not affected. If you do not use the contributed Ogone | Ubercart payment [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ogone | Ubercart payment module for Drupal 5.x upgrade to Ogone | Ubercart payment 5.x-1.6 [2] * If you use the Ogone | Ubercart payment module for Drupal 6.x upgrade to Ogone | Ubercart payment 6.x-1.5 [3] See also the Ogone | Ubercart payment project page [4]. -------- REPORTED BY --------------------------------------------------------- * Arjean [5] -------- FIXED BY ------------------------------------------------------------ * Kees Kodde (kees@qrios [6]), module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [7] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/uc_ogone [2] http://drupal.org/node/828320 [3] http://drupal.org/node/828318 [4] http://drupal.org/project/uc_ogone [5] http://drupal.org/user/331955 [6] http://drupal.org/user/48715 [7] http://drupal.org/security-team

1 0