* Advisory ID: DRUPAL-SA-CONTRIB-2010-078
* Project: Kaltura (third-party module)
* Versions: 5.x, 6.x
* Date: 2010-July-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information disclosure
-------- DESCRIPTION ---------------------------------------------------------
The Kaltura module integrates the Kaltura open source video platform with
Drupal. When installing, uninstalling, or configuring the module, it would
surreptitiously inject a hidden iframe into the messages displayed to the
administrator with the source pointing to corp.kaltura.com/stats/drupal.
These requests were made without prior knowledge or authorization of site
administrators. The iframe also included information such as the site's
Kaltura partner ID, registration ID, or registration error code. Because most
browsers also include the referring site when displaying an iframe,
information such as the URL or IP address of the Drupal site could also have
been obtained.
-------- RESPONSIBLE COLLECTION OF USAGE STATISTICS FOR DRUPAL MODULES -------
The popularity of modules hosted on drupal.org is already tracked based on
data in the request when a Drupal installation checks to see if any of its
modules have new releases (see the Kaltura usage page [1] for example). This
information is gathered with privacy in mind: an open discussion [2] occurred
before including private information in the requests; the data is not shared
outside of Drupal.org server administrators (approximately 10 people); site
administrators are alerted to this system during installation of their site
and they can opt in or out at any time.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Kaltura module for Drupal 6.x prior to 6.x-1.5, and all 6.x-2.x versions
* Kaltura module for Drupal 5.x prior to 5.x-1.4
Drupal core is not affected. If you do not use the Kaltura module, there is
nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Kaltura module for Drupal 5.x upgrade to Kaltura 5.x-1.4 [3]
* If you use Kaltura module for Drupal 6.x upgrade to Kaltura 6.x-1.5 [4]
* If you use Kaltura module for Drupal version 6.x-2.0 or 6.x-2.x-dev,
downgrade to Kaltura 6.x-1.5 [5]
Also see the Kaltura project page [6].
-------- REPORTED BY ---------------------------------------------------------
* Denis Slepichev [7]
* Chris Burgess [8]
-------- FIXED BY ------------------------------------------------------------
* Chris Burgess [9], the new module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/usage/kaltura
[2] http://lists.drupal.org/pipermail/development/2007-December/027921.html
[3] http://drupal.org/node/867754
[4] http://drupal.org/node/848996
[5] http://drupal.org/node/848996
[6] http://drupal.org/project/kaltura
[7] http://drupal.org/user/399704
[8] http://drupal.org/user/76026
[9] http://drupal.org/user/76026
[10] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-077
* Project: Sage Pay Direct Payment Gateway for Ubercart (third-party module)
* Version: 5.x, 6.x
* Date: 2010-July-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
The Sage Pay Direct Payment Gateway for Ubercart (uc_protx_vsp_direct)
processes credit card transactions in Ubercart stores using the Sage Pay
Direct service. The module may show remote 3-D Secure pages to the user in an
iframe when their bank supports the Verified by Visa or MasterCard SecureCode
verification schemes. These pages can include sensitive information relating
to the user's credit card. In some configurations, the page containing the
iframe may be stored in the Drupal cache and incorrectly shown to a
subsequent anonymous user.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Sage Pay Direct Payment Gateway for Ubercart module for Drupal 5.x
versions prior to 5.x-1.9
* Sage Pay Direct Payment Gateway for Ubercart for Drupal 6.x versions prior
to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Sage Pay
Direct Payment Gateway for Ubercart there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Sage Pay Direct Payment Gateway for Ubercart module for
Drupal 5.x upgrade to the 5.x-1.9 version [1]
* If you use the Sage Pay Direct Payment Gateway for Ubercart module for
Drupal 6.x upgrade to the 6.x-1.4 version [2]
See also the Sage Pay Direct Payment Gateway for Ubercart project page [3].
-------- REPORTED BY ---------------------------------------------------------
* David Long (longwave) [4], module co-maintainer
-------- FIXED BY ------------------------------------------------------------
* David Long (longwave) [5], module co-maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/867454
[2] http://drupal.org/node/867456
[3] http://drupal.org/project/uc_protx_vsp_direct
[4] http://drupal.org/user/246492
[5] http://drupal.org/user/246492
[6] http://drupal.org/security-team
* Advisory ID: SA-CONTRIB-2010-076
* Project: Dashboard (third-party module)
* Version: 6.x
* Date: 2010-July-28
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION: --------------------------------------------------------
The dashboard module allows users to create a personalized set of pages of
widgets created from existing blocks and nodes (like iGoogle). The module
does not escape user generated names for tags & titles associated with
default widgets that are added to a user dashboard page, leading to a Cross
Site Scripting (XSS [1]) vulnerability. Users with the permission to access
or create default dashboard widgets are vulnerable to attack. A malicious user
needs the permission "administer dashboard defaults" to exploit the
vulnerability.
-------- VERSIONS AFFECTED: --------------------------------------------------
* Dashboard module for Drupal 6.x versions prior to 6.x-2.1 [2]
Drupal core is not affected. If you do not use the contributed Dashboard [3]
module, there is nothing you need to do.
-------- SOLUTION: -----------------------------------------------------------
Install the latest version:
* Upgrade to Dashboard 6.x-2.1 [4]
See also the Dashboard project page [5].
-------- REPORTED BY: --------------------------------------------------------
* Greg Knaddison (greggles) [6] a member of the Drupal Security Team
-------- FIXED BY: -----------------------------------------------------------
* Chris Miller [7], module maintainer
* Greg Knaddison (greggles) [8] a member of the Drupal Security Team
The Drupal security team [9] can be reached at security at drupal.org [10] or
via the form at http://drupal.org/contact [11].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/866628
[3] http://drupal.org/project/dashboard
[4] http://drupal.org/node/866628
[5] http://drupal.org/project/dashboard
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/274027
[8] http://drupal.org/user/36762
[9] http://drupal.org/security-team
[10] http://drupal.org
[11] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-075
* Project: Tagging (third-party module)
* Version: 6.x
* Date: 2010-July-21
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Tagging module provides an alternative input widget and other features
for taxonomy terms. The module does not properly escape user-provided content
submitted to free-tagging vocabularies displayed on node previews, leading to
a Cross Site Scripting (XSS [1]) vulnerability. Any user with permission to
create or edit a node containing a free-tagging vocabulary is vulnerable to
attack.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Tagging module for Drupal 6.x versions prior to 6.x-2.4.
Drupal core is not affected. If you do not use the contributed Tagging [2]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* Upgrade to Tagging 6.x-2.4 [3]
See also the Tagging project page [4].
-------- REPORTED BY ---------------------------------------------------------
* Mike Stefanello [5]
* Barry Jaspan [6] of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Eugen Mayer [7], module maintainer
* Mike Stefanello [8]
-------- CONTACT -------------------------------------------------------------
The Drupal security team [9] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/tagging
[3] http://drupal.org/node/857494
[4] http://drupal.org/project/tagging
[5] http://drupal.org/user/107190
[6] http://drupal.org/user/46413
[7] http://drupal.org/user/108406
[8] http://drupal.org/user/107190
[9] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-074
* Projects: Drupad (third-party module)
* Version: 6.x
* Date: 2010-07-14
* Security risks: Critical
* Exploitable from: Remote
* Vulnerability: CSRF
-------- DESCRIPTION ---------------------------------------------------------
The Drupad module is the companion module of the iPhone / iPod Touch
application also called Drupad. The module doesn't check if the incoming
request is made from the application, leading to a CSRF vulnerability. This
vulnerability can be used to delete users and content, or set the site in
offline mode when a privileged user visits a malicious site.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupad for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Drupad [1]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* Upgrade to Drupad 6.x-1.1 [2]
See also the Drupad project page [3].
-------- REPORTED BY ---------------------------------------------------------
* Heine Deelstra [4] of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Jérémy Chatard [5], module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/drupad
[2] http://drupal.org/node/854034
[3] http://drupal.org/project/drupad
[4] http://drupal.org/user/17943
[5] http://drupal.org/user/130002
* Advisory ID: DRUPAL-SA-CONTRIB-2010-073
* Projects: Multiple third party modules - Simple Gallery, OG Menu, Tell A
Friend Node, JsMath For Displaying Mathematics With TeX
* Version: 5.x, 6.x
* Date: 2010-July-14
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple (Cross Site Scripting, Email Header Injection)
-------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ----------------------------
Simple Gallery [1] for Drupal 6.x
This module creates a simple gallery using taxonomy and CCK imagefields.
The module is vulnerable to a Cross Site Scripting [2] (XSS) attack. This
can be exploited by users with the ability to add taxonomy terms or tag
content. *Solution:* Disable the module. There is no safe version of the
module to use.
OG Menu [3] for Drupal 6.x
Enables users to manage menus by Organic Groups. The module is vulnerable
to a Cross Site Scripting [4] (XSS) attack which can be exploited by
users with the "administer og menu" permission. *Solution:* Disable the
module. There is no safe version of the module to use.
Tell A Friend Node [5] for Drupal 6.x
This module provides a Tell A Friend node type for creating multiple tell
a friend pages on a site. The module is vulnerable to email header
injection attacks by spam bots and can be abused by any user with the
"access tellafriend nodes" permission. *Solution:* Disable the module.
There is no safe version of the module to use.
JsMath For Displaying Mathematics With TeX [6] for Drupal 5.x and 6.x
This module enables the jsMath script for displaying mathematical
expressions. The module is vulnerable to a Cross Site Scripting [7] (XSS)
attack. This vulnerability can only be exploited by users with the
"access administration pages" permission. *Solution:* Disable the module.
There is no safe version of the module to use.
Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.
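The Tell A Friend Node entry above describes e-mail header injection: a form field that ends up in a mail header and contains a line break lets the submitter append headers of their own. The following is an added example, not the module's code, showing the validation a Drupal 6 tell-a-friend form needs before handing values to drupal_mail(); the tafdemo module name, its form fields and its mail key are hypothetical.

```php
<?php
// Added example, not code from the Tell A Friend Node module. The module
// name "tafdemo", its form fields and its mail key are hypothetical.

/**
 * Returns TRUE when $value can safely occupy a single mail header line.
 *
 * A CR, LF or NUL inside a header value ends that header early and lets the
 * submitter append extra headers (Bcc:, To:, another Subject:), which is how
 * an unvalidated tell-a-friend form becomes an open spam relay.
 */
function tafdemo_header_is_clean($value) {
  return !preg_match('/[\r\n\x00]/', $value);
}

/**
 * Validation handler: reject any header-bound value before mail is built.
 */
function tafdemo_form_validate($form, &$form_state) {
  $v = $form_state['values'];
  // Every field that reaches a header gets the line-break check, including
  // the addresses: valid_email_address() is an address check, not a header
  // check, so both are applied.
  foreach (array('sender_name', 'sender_mail', 'recipient_mail', 'subject') as $field) {
    if (!tafdemo_header_is_clean($v[$field])) {
      form_set_error($field, t('The %field field may not contain line breaks.', array('%field' => $field)));
    }
  }
  foreach (array('sender_mail', 'recipient_mail') as $field) {
    if (!valid_email_address($v[$field])) {
      form_set_error($field, t('The %field address is not valid.', array('%field' => $field)));
    }
  }
}

/**
 * Submit handler: only validated values reach drupal_mail(). drupal_mail()
 * assembles the header lines itself but does not strip line breaks from the
 * values it is given, so the validation above is what prevents injection.
 */
function tafdemo_form_submit($form, &$form_state) {
  $v = $form_state['values'];
  $params = array('subject' => $v['subject'], 'body' => $v['message'], 'sender_name' => $v['sender_name']);
  drupal_mail('tafdemo', 'tell_a_friend', $v['recipient_mail'], language_default(), $params, $v['sender_mail']);
}

/**
 * Implementation of hook_mail(): fills the message from the validated params.
 */
function tafdemo_mail($key, &$message, $params) {
  if ($key == 'tell_a_friend') {
    $message['subject'] = $params['subject'];
    $message['body'][] = t('!name thought you might like this page.', array('!name' => $params['sender_name']));
    $message['body'][] = $params['body'];
  }
}
```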
-------- ONGOING MAINTENANCE OF THESE MODULES --------------------------------
If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [8].
-------- REPORTED BY ---------------------------------------------------------
* Simple Gallery issue reported by Owen Barton [9] of the Drupal Security Team
* OG Menu issue reported by Justin C. Klein Keane [10]
* Tell A Friend Node issue reported by James McDonald [11]
* JsMath For Displaying Mathematics With TeX issue reported by Kyle Small [12]
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [13] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/simplegallery
[2] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[3] http://drupal.org/project/og_menu
[4] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[5] http://drupal.org/project/tellafriend_node
[6] http://drupal.org/project/jsmath
[7] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[8] http://drupal.org/node/251466
[9] http://drupal.org/user/19668
[10] http://drupal.org/user/302225
[11] http://drupal.org/user/418221
[12] http://drupal.org/user/832278
[13] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-0XX
* Project: Hierarchical Select (third-party module)
* Version: 5.x, 6.x
* Date: 2010-July-07
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Hierarchical Select module provides a "hierarchical_select" form element,
which is a greatly enhanced way for letting the user select items in a
taxonomy. The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that
may lead to a malicious user gaining full administrative access. This
vulnerability is mitigated by the fact that the attacker must have a role
with the 'administer taxonomy' permission.
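The Dashboard, Tagging, Simple Gallery, OG Menu, JsMath and Hierarchical Select advisories above all come down to the same defect: text a user typed (a term name, a widget title) reaches HTML output unescaped. As an added example, not code from any of those modules, here is the vulnerable pattern beside the Drupal 6 fix; the xssdemo function names and the $widget object are hypothetical.

```php
<?php
// Added example, not code from any of the advised modules. Function names
// and the "widget" object are hypothetical.
// Taxonomy term names are entered by users with 'administer taxonomy', or by
// any node author when the vocabulary allows free tagging, so at output time
// they are untrusted text like any other user input.

/**
 * Vulnerable pattern: the raw term name is concatenated into markup. A name
 * containing <script>...</script>, or a double quote that closes the href
 * attribute, is rendered as markup in every visitor's browser.
 */
function xssdemo_term_list_vulnerable($terms) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = '<a href="' . url('taxonomy/term/' . $term->tid) . '">' . $term->name . '</a>';
  }
  return theme('item_list', $items);
}

/**
 * Hardened pattern: l() runs its text argument through check_plain() unless
 * the caller passes 'html' => TRUE, so the term name is inert in the output.
 */
function xssdemo_term_list($terms) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = l($term->name, 'taxonomy/term/' . $term->tid);
  }
  return theme('item_list', $items);
}

/**
 * Form API titles and descriptions are emitted as HTML without escaping, so
 * stored user text placed there needs check_plain() as well. This is the
 * shape of the Dashboard defect: a widget title entered by one user with
 * "administer dashboard defaults" is rendered on other users' dashboards.
 */
function xssdemo_widget_form($form_state, $widget) {
  $form['tags'] = array(
    '#type' => 'textfield',
    '#title' => check_plain($widget->title),
    '#description' => check_plain($widget->description),
    '#default_value' => $widget->tags,
  );
  return $form;
}
```

The rule the fixes share: escape with check_plain() (or a function that calls it, such as l() or t() with %/@ placeholders) at the point a string enters HTML, not when it is stored.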
-------- VERSIONS AFFECTED ---------------------------------------------------
* Hierarchical Select module for Drupal 5.x versions prior to 5.x-3.2
* Hierarchical Select module for Drupal 6.x versions prior to 6.x-3.2
Drupal core is not affected. If you do not use the contributed Hierarchical
Select [2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Hierarchical Select module for Drupal 5.x upgrade to
Hierarchical Select 5.x-3.2 [3]
* If you use the Hierarchical Select module for Drupal 6.x upgrade to
Hierarchical Select 6.x-3.2 [4]
See also the Hierarchical Select project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Jingxiang Rao [6]
* Sam Oldak
-------- FIXED BY ------------------------------------------------------------
* Wim Leers [7], the module maintainer
* Sam Oldak
-------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/hierarchical_select
[3] http://drupal.org/node/847286
[4] http://drupal.org/node/847284
[5] http://drupal.org/project/hierarchical_select
[6] http://drupal.org/user/623328
[7] http://drupal.org/user/99777
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-071
* Project: MultiSafepay Integration (third-party module)
* Version: 6.x
* Date: 2010-July-07
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The MultiSafepay Integration module provides integration between the Ubercart
e-commerce solution and the MultiSafepay payment system. The module is
vulnerable to Cross Site Request Forgeries (CSRF [1]) which would allow a
malicious user to alter the status of orders or to trick other users into
altering the status of orders.
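Drupad (above) and MultiSafepay Integration share a class of defect: a state-changing URL that acts on any authenticated request, with nothing proving the user meant to send it. Drupal's Form API attaches a session-bound token to every form automatically, so the gap usually appears in plain menu callbacks reached by GET. The following is an added example, not either module's actual fix, using Drupal 6's drupal_get_token() and drupal_valid_token(); the csrfdemo module, its menu path, permission and table are hypothetical. (For a non-browser client such as Drupad's application the same principle holds: the request must carry a secret that a page in the victim's browser cannot supply.)

```php
<?php
// Added example, not code from Drupad or MultiSafepay Integration. The
// module name "csrfdemo", its path, permission and table are hypothetical.

function csrfdemo_perm() {
  return array('administer csrfdemo orders');
}

function csrfdemo_menu() {
  $items['csrfdemo/order/%/cancel'] = array(
    'page callback' => 'csrfdemo_order_cancel',
    'page arguments' => array(2),
    'access arguments' => array('administer csrfdemo orders'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function csrfdemo_set_status($order_id, $status) {
  db_query("UPDATE {csrfdemo_orders} SET status = '%s' WHERE order_id = %d", $status, $order_id);
}

/**
 * Vulnerable: any GET to this path from an administrator's browser performs
 * the cancellation, including one triggered by an <img> tag on an unrelated
 * site. Being logged in proves identity, not intent.
 */
function csrfdemo_order_cancel_vulnerable($order_id) {
  csrfdemo_set_status($order_id, 'canceled');
  drupal_set_message(t('Order %id canceled.', array('%id' => $order_id)));
  drupal_goto('csrfdemo/orders');
}

/**
 * Hardened: the link that leads here carries a token bound to the user's
 * session and to this order (see csrfdemo_cancel_link()), and the callback
 * refuses to act unless that token validates.
 */
function csrfdemo_order_cancel($order_id) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'cancel-' . $order_id)) {
    drupal_access_denied();
    return;
  }
  csrfdemo_set_status($order_id, 'canceled');
  drupal_set_message(t('Order %id canceled.', array('%id' => $order_id)));
  drupal_goto('csrfdemo/orders');
}

/**
 * Builds the cancel link. The token depends on the session, so a copy of the
 * URL placed in another user's page or e-mail will not validate for them.
 */
function csrfdemo_cancel_link($order_id) {
  return l(t('Cancel'), 'csrfdemo/order/' . $order_id . '/cancel',
    array('query' => 'token=' . drupal_get_token('cancel-' . $order_id)));
}
```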
-------- VERSIONS AFFECTED ---------------------------------------------------
* MultiSafepay Integration module for Drupal 6.x versions prior to 6.x-1.1 [2]
Drupal core is not affected. If you do not use the contributed MultiSafepay
Integration [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the MultiSafepay Integration module for Drupal 6.x upgrade to
MultiSafepay Integration 6.x-1.1 [4]
See also the MultiSafepay Integration project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Peter Wolanin (pwolanin [6]) of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Dieter De Waele (coworks_dieter [7]), the module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/846200
[3] http://drupal.org/project/uc_multisafepay
[4] http://drupal.org/node/846200
[5] http://drupal.org/project/uc_multisafepay
[6] http://drupal.org/user/49851
[7] http://drupal.org/user/253145
[8] http://drupal.org/security-team