Security-news August 2010

security-news@drupal.org

1 participants
12 discussions

SA-CONTRIB-2010-089 - Simplenews Content Selection - Cross Site Scripting
by security-news＠drupal.org 18 Aug '10

18 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-089 * Project: Simplenews content selection (third-party module) * Version: 6.x * Date: 2010-August-18 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross site scripting -------- DESCRIPTION --------------------------------------------------------- This module allows you to select content from your website and send a newsletter with the selected content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Simplenews Content Selection module 6.x-1.5 Drupal core is not affected. If you do not use the contributed Simplenews Content Selection [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Simplenews Content Selection module for Drupal 6.x upgrade to Simplenews Content Selection 6.x-1.6 [3] See also the Simplenews Content Selection project page [4]. -------- REPORTED BY --------------------------------------------------------- * Henry Sudhof [5]. -------- FIXED BY ------------------------------------------------------------ * De Waele Dieter [6], module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [7] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/simplenews_content_selection [3] http://drupal.org/node/887110 [4] http://drupal.org/project/simplenews_content_selection [5] http://drupal.org/user/730666 [6] http://drupal.org/user/253145 [7] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-088 - Content Construction Kit (CCK) - Access Bypass
by security-news＠drupal.org 12 Aug '10

12 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-088 * Project: Content Construction Kit (CCK) (third-party module) * Version: 6.x * Date: 2010-August-11 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module provides a backend URL that is used for asynchronous requests by the "autocomplete" widget to locate nodes the user can reference. In some cases, this was not correctly checking that the user had field level access to the source field, allowing direct queries to the backend URL to return node titles and IDs which the user would otherwise be unable to access. Note that as Drupal 5 CCK does not have any field access control functionality, this issue only applies to the Drupal 6 version. This advisory is a follow-up related to advisory SA-CONTRIB-2010-065 [1]. -------- VERSIONS AFFECTED --------------------------------------------------- * Content Construction Kit (CCK) module for Drupal 6.x versions prior to 6.x-2.8 Drupal core is not affected. If you do not use the contributed Content Construction Kit (CCK) [2] module, together with any node or field access module there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Content Construction Kit (CCK) module for Drupal 6.x upgrade to Content Construction Kit (CCK) 6.x-2.8 [3] See also the Content Construction Kit (CCK) project page [4]. -------- REPORTED BY --------------------------------------------------------- * Alexis Wilke [5] -------- FIXED BY ------------------------------------------------------------ * Marc Ferran (markus_petrux) [6], module co-maintainer * Peter Wolanin (pwolanin) [7], of the Drupal security team -------- CONTACT ------------------------------------------------------------- The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/node/829566 [2] http://drupal.org/project/cck [3] http://drupal.org/node/880732 [4] http://drupal.org/project/cck [5] http://drupal.org/user/356197 [6] http://drupal.org/user/39593 [7] http://drupal.org/user/49851 [8] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-087 - GovDelivery - Cross site scripting
by security-news＠drupal.org 11 Aug '10

11 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-087 * Project: GovDelivery Integration (third-party module) * Version: 6.x * Date: 2010-Aug-11 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross site scripting -------- DESCRIPTION --------------------------------------------------------- The GovDelivery module provides integration with the GovDelivery On-Demand Mailer service, a web service for GovDelivery customers that sends messages directly based on configured account information. The module replaces the backend of SMTP library in your Drupal site with calls to the GovDelivery service, so all mail sent from your site uses the ODM service. The module does not sanitize some of the user-supplied data before displaying it (for Drupal 6.x-1.0 only), leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * GovDelivery module for Drupal 6.x versions prior to 6.x-1.1 Drupal core is not affected. If you do not use the contributed GovDelivery Integration [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the GovDelivery module for Drupal 6.x upgrade to GovDelivery 6.x-1.1 [2] See also the GovDelivery Integration project page [3]. -------- REPORTED BY --------------------------------------------------------- * ben.bunk [4], module co-maintainer -------- FIXED BY ------------------------------------------------------------ * ben.bunk [5], module co-maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [6] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/govdelivery [2] http://drupal.org/node/880684 [3] http://drupal.org/project/govdelivery [4] http://drupal.org/user/764808 [5] http://drupal.org/user/764808 [6] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-086 - Prepopulate - Access Bypass
by security-news＠drupal.org 11 Aug '10

11 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-086 * Project: Prepopulate (third-party module) * Version: 5.x and 6.x * Date: 2010-Aug-11 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form. The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter. -------- VERSIONS AFFECTED --------------------------------------------------- * Prepopulate module for Drupal 6.x versions prior to 6.x-2.0 [1] * Prepopulate module for Drupal 5.x versons prior to 5.x-1.5 [2] Drupal core is not affected. If you do not use the contributed Prepopulate [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate 6.x-2.0 [4] * If you use the Prepopulate module for Drupal 5.x upgrade to Prepopulate 5.x-1.5 [5] See also the Prepopulate project page [6]. -------- REPORTED BY --------------------------------------------------------- * Aren Cambre [7] -------- FIXED BY ------------------------------------------------------------ * Joshua Brauer (jbrauer [8]) the module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [9] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/node/880652 [2] http://drupal.org/node/880656 [3] http://drupal.org/project/prepopulate [4] http://drupal.org/node/880652 [5] http://drupal.org/node/880656 [6] http://drupal.org/project/prepopulate [7] http://drupal.org/user/97356 [8] http://drupal.org/user/253145 [9] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-085 - Pathauto - Cross Site Scripting
by security-news＠drupal.org 11 Aug '10

11 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-085 * Project: Pathauto (third-party module) * Version: 5.x, 6.x * Date: 2010-August-11 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Pathauto module automatically generates path aliases for various kinds of content (nodes, categories, users) without requiring the user to manually specify the path alias. It also provides additional tokens that can be used in URL alias patterns and anywhere else that the Token API [1] is used. The module does not sanitize the text in the [bookpathalias], [catalias], and [termalias] tokens. Under rare circumstances those tokens could cause a Cross Site Scripting (XSS [2]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that a malicious user must have "create url aliases" permission and then one of those tokens must be used to display output on an HTML page (for instance, displaying a message to the user using an action from the token_actions.module). The normal circumstance of using these tokens as part of a Pathauto URL alias pattern is not vulnerable. -------- VERSIONS AFFECTED --------------------------------------------------- * Pathauto module for Drupal 5.x versions prior to 5.x-2.4 * Pathauto module for Drupal 6.x versions prior to 6.x-1.4 Drupal core is not affected. If you do not use the contributed Pathauto [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Pathauto module for Drupal 5.x upgrade to Pathauto 5.x-2.4 [4] * If you use the Pathauto module for Drupal 6.x upgrade to Pathauto 6.x-1.4 [5] See also the Pathauto project page [6]. -------- SAFE USE OF TOKENS -------------------------------------------------- The existing [bookpathalias], [termalias], and [catalias] tokens are now sanitized. New [bookpathalias-raw], [termalias-raw], and [catalias-raw] companion tokens have been added for the un-sanitized versions of each token respectfully. This is also a reminder to modules that use the Token API [7] to display output on an HTML page (such as displaying a message to the user), that no tokens with the -raw suffix should be used. -------- REPORTED BY --------------------------------------------------------- * Dave Reid [8] of the Drupal security team and module co-maintainer -------- FIXED BY ------------------------------------------------------------ * Dave Reid [9] of the Drupal security team and module co-maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/token [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://drupal.org/project/pathauto [4] http://drupal.org/node/880462 [5] http://drupal.org/node/880464 [6] http://drupal.org/project/pathauto [7] http://drupal.org/project/token [8] http://drupal.org/user/53892 [9] http://drupal.org/user/53892 [10] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-084 - OpenID - Authentication bypass
by security-news＠drupal.org 11 Aug '10

11 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-084 * Project: OpenID (third-party module) * Version: 5.x * Date: 2010-Aug-11 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Authentication bypass -------- DESCRIPTION --------------------------------------------------------- The OpenID module provides users the ability to login to sites using an OpenID account. The OpenID module doesn't implement the all required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks. Specifically: - OpenID should verify that a "openid.response_nonce" has not already been used for an assertion by the OpenID provider - OpenID should verify the value of openid.return_to as obtained from the OpenID provider - OpenID must verify that all fields that are required to be signed are signed These specification violations allow malicious sites to harvest positive assertions from OpenID providers and use them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers can also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs. -------- VERSIONS AFFECTED --------------------------------------------------- * OpenID module for Drupal 5.x versions prior to 5.x-1.4 This issue affects the OpenID module for Drupal 5.x only. A separate security announcement [1] and release is published for the OpenID core module in Drupal 6.x. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the OpenID module for Drupal 5.x upgrade to OpenID 5.x-1.4 [2] See also the OpenID project page [3]. -------- REPORTED BY --------------------------------------------------------- * Johnny Bufu [4] * Christian Schmidt [5] * Heine Deelstra [6] of the Drupal security team -------- FIXED BY ------------------------------------------------------------ * Christian Schmidt [7] * Heine Deelstra [8] of the Drupal security team * Damien Tournoud [9] of the Drupal security team -------- CONTACT ------------------------------------------------------------- The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/node/880476 [2] http://drupal.org/node/880496 [3] http://drupal.org/project/openid [4] http://drupal.org/user/226462 [5] http://drupal.org/user/216078 [6] http://drupal.org/user/17943 [7] http://drupal.org/user/216078 [8] http://drupal.org/user/17943 [9] http://drupal.org/user/22211 [10] http://drupal.org/security-team

1 0

SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities
by security-news＠drupal.org 11 Aug '10

11 Aug '10

* Advisory ID: DRUPAL-SA-CORE-2010-002 * Project: Drupal core * Version: 5.x, 6.x * Date: 2010-August-11 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- Multiple vulnerabilities and weaknesses were discovered in Drupal. .... OpenID authentication bypass The OpenID module provides users the ability to login to sites using an OpenID account. The OpenID module doesn't implement all the required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks. Specifically: - OpenID should verify that a "openid.response_nonce" has not already been used for an assertion by the OpenID provider - OpenID should verify the value of openid.return_to as obtained from the OpenID provider - OpenID must verify that all fields that are required to be signed are signed These specification violations allow malicious sites to harvest positive assertions from OpenID providers and use them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers can also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs. This issue affects Drupal 6.x only. A separate security announcement and release [1] is published for the contributed OpenID module for Drupal 5.x. .... File download access bypass The upload module allows users to upload files and provides access checking for file downloads. The module looks up files for download in the database and serves them for download after access checking. However, it does not account for the fact that certain database configurations will not consider case differences in file names. If a malicious user uploads a file which only differs in letter case, access will be granted for the earlier upload regardless of actual file access to that. This issue affects Drupal 5.x and 6.x. .... Comment unpublishing bypass The comment module allows users to leave comments on content on the site. The module supports unpublishing comments by privileged users. Users with the "post comments without approval" permission however could craft a URL which allows them to republish previously unpublished comments. This issue affects Drupal 5.x and 6.x. .... Actions cross site scripting The actions feature combined with Drupal's trigger module allows users to configure certain actions to happen when users register, content is submitted, and so on; through a web based interface. Users with "administer actions permission" can enter action descriptions and messages which are not properly filtered on output. Users with content and taxonomy tag submission permissions can create nodes and taxonomy terms which are not properly sanitized for inclusion in action messages and inject arbitrary HTML and script code into Drupal pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting [2] (XSS). This issue affects Drupal 6.x only. -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal 6.x before version 6.18 or 6.19. * Drupal 5.x before version 5.23. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you are running Drupal 6.x then upgrade to Drupal 6.18 [3] or Drupal 6.19 [4]. * If you are running Drupal 5.x then upgrade to Drupal 5.23 [5]. Drupal 5 will no longer be maintained when Drupal 7 is released [6]. Upgrading to Drupal 6 [7] is recommended. The security team starts a new practice of releasing both a pure security update without other bugfixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 6.18 and Drupal 6.19. Read the announcement [8] for more information. -------- REPORTED BY --------------------------------------------------------- The OpenID authentication bypass issues were reported by Johnny Bufu [9], Christian Schmidt [10] and Heine Deelstra [11] (*). The file download access bypass was reported by Dylan Tack [12] (*). The comment unpublish bypass issue was reported by Heine Deelstra [13] (*). The actions module cross site scripting was reported by Justin Klein Keane [14] and Heine Deelstra [15] (*). (*) Member of the Drupal security team. -------- FIXED BY ------------------------------------------------------------ The OpenID authentication issues were fixed by Christian Schmidt [16], Heine Deelstra [17] (*) and Damien Tournoud [18] (*). The file download access bypass was fixed by Dave Reid [19] (*) and Neil Drumm [20] (*). The comment unpublish bypass issue was fixed by Heine Deelstra [21] (*). The actions module cross site scripting was fixed by Justin Klein Keane [22] and Heine Deelstra [23] (*). (*) Member of the Drupal security team. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/node/880480 [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://ftp.drupal.org/files/projects/drupal-6.18.tar.gz [4] http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz [5] http://ftp.drupal.org/files/projects/drupal-5.23.tar.gz [6] http://drupal.org/node/725382 [7] http://drupal.org/upgrade [8] http://drupal.org/drupal-6.19 [9] http://drupal.org/user/226462 [10] http://drupal.org/user/216078 [11] http://drupal.org/user/17943 [12] http://drupal.org/user/96647 [13] http://drupal.org/user/17943 [14] http://drupal.org/user/302225 [15] http://drupal.org/user/17943 [16] http://drupal.org/user/216078 [17] http://drupal.org/user/17943 [18] http://drupal.org/user/22211 [19] http://drupal.org/user/53892 [20] http://drupal.org/user/3064 [21] http://drupal.org/user/17943 [22] http://drupal.org/user/302225 [23] http://drupal.org/user/17943

1 0

SA-CONTRIB-2010-083 - Ubercart sub-modules - Multiple Vulnerabilities
by security-news＠drupal.org 11 Aug '10

11 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-083 * Project: UC2Checkout, UCPaypal, UC Cart LInks (third-party modules in the Ubercart Project) * Version: 5.x, 6.x * Date: 2010-Aug-11 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Access Bypass, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Ubercart module for Drupal provides e-commerce features. Several modules within Ubercart were vulnerable to various security issues. 1) The 2Checkout gateway module did not properly verify the payment notification information. A malicious user could use a specially crafted HTTP request to simulate payment and order completion on arbitrary orders. If the 2Checkout gateway module is not installed then your site is not at risk to this vulnerability. 2) The Paypal module's WPS payment method did not properly verify the payment notification information. A malicious user could alter HTML form data to send payment to a different Paypal account and still check out on the site. If you do not use the Paypal WPS payment method then your site is not at risk to this vulnerability. 3) The Ubercart Cart Links module is vulnerable to both an Access Bypass and Cross Site Request Forgery where a malicious user could both trick other users into adding or removing items from their cart and add items to a cart which are not published on the site. If you do not use Ubercart Cart Links module your site is not at risk to this vulnerability. -------- VERSIONS AFFECTED --------------------------------------------------- * Ubercart module for Drupal 5.x versions prior to 5.x-1.10 * Ubercart module for Drupal 6.x versions prior to 6.x-2.4 Drupal core is not affected. If you do not use the contributed Ubercart [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Ubercart module for Drupal 5.x upgrade to Ubercart 5.x-1.10 [2] * If you use the Ubercart module for Drupal 6.x upgrade to Ubercart 6.x-2.4 [3] See also the Ubercart project page [4]. -------- REPORTED BY --------------------------------------------------------- * Greg Knaddison [5] of the Drupal Security Team * Guy Paddock [6] * Nathan Phillip Brink [7] -------- FIXED BY ------------------------------------------------------------ * Lyle Mantooth [8], the module maintainer * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT ------------------------------------------------------------- The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/ubercart [2] http://drupal.org/node/880378 [3] http://drupal.org/node/880390 [4] http://drupal.org/project/ubercart [5] http://drupal.org/user/UID [6] http://drupal.org/user/156932 [7] http://drupal.org/user/829476 [8] http://drupal.org/user/86683 [9] http://drupal.org/user/UID [10] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-082 - Print - Local file read access
by security-news＠drupal.org 11 Aug '10

11 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-082 * Project: Printer, e-mail and PDF versions (third-party module) * Version: 5.x, 6.x * Date: 2010-August-11 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Local file read access -------- DESCRIPTION --------------------------------------------------------- The Printer, e-mail and PDF versions ("print") module provides printer-friendly versions of content, including a PDF version that is generated by one of three supported generation tools (dompdf, TCPDF and wkhtmltopdf). When using the wkhtmltopdf PDF generation tool, that tool is able to access local files in the Drupal server environment. Users with the ability to create unfiltered HTML in the node content could trick the tool to access any file accessible by the Web server user and to display its contents inside the generated PDF. Sites should not grant the ability to post unfiltered HTML to untrusted roles. -------- VERSIONS AFFECTED --------------------------------------------------- * Printer, e-mail and PDF versions 6.x prior to 6.x-1.11 * Printer, e-mail and PDF versions 5.x prior to 5.x-4.10 Drupal core is not affected. If you do not use the contributed Printer, e-mail and PDF versions module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to Printer, e-mail and PDF versions 6.x-1.11 [1] * If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to Printer, e-mail and PDF versions 5.x-4.10 [2] If you use the wkhtmltopdf PDF generation tool, and it's version is older than 0.9.6, please upgrade [3] to a more recent version, as the module now supports only versions 0.9.6 or higher. See also the Printer, e-mail and PDF versions project page [4]. -------- REPORTED BY --------------------------------------------------------- * Douglas Bagnall [5] -------- FIXED BY ------------------------------------------------------------ * João Ventura [6], module maintainer * James Gilliland [7], module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/node/880280 [2] http://drupal.org/node/880276 [3] http://code.google.com/p/wkhtmltopdf [4] http://drupal.org/project/print [5] http://drupal.org/user/758786 [6] http://drupal.org/user/122464 [7] http://drupal.org/user/48673 [8] http://drupal.org/security-team

1 0

SA-CONTRIB-2010-081 - FileField Sources - Arbitrary Code Execution
by security-news＠drupal.org 11 Aug '10

11 Aug '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-081 * Project: FileField Sources (third-party module) * Version: 6.x * Date: 2010-May-19 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Arbitrary Code Execution -------- DESCRIPTION --------------------------------------------------------- The FileField Sources module expands on the abilities of FileField, allowing users to select new or existing files through additional means, including: Reuse of existing files through an autocomplete textfield or IMCE, or transfering files directly from remote servers. The module does not sanitize the file extemsions of files that have been transfered from remote servers, allowing for the transfering of files that match allowed extensions but actually contain malicious code. This could potentially allow an attacker to transfer scripts to the server and execute them. This vulerability is usually mitigated by Drupal core's built-in security mechanisms which prevent code execution of uploads that are within the Drupal files directory. This exploit should not affect the majority of Drupal sites. Users would also need the ability to use the FileField Sources module which requires permission to create or edit a node that has a FileField with FileField Sources configured for it. -------- VERSIONS AFFECTED --------------------------------------------------- * FileField Sources module for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed FileField Sources [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the FileField Sources module for Drupal 6.x upgrade to FileField Sources 6.x-1.2 [2] See also the FileField Sources project page [3]. -------- REPORTED BY --------------------------------------------------------- * Apa Sajja -------- FIXED BY ------------------------------------------------------------ * Nathan Haug [4], module maintainer * Greg Knaddison [5] of the Drupal security team -------- CONTACT ------------------------------------------------------------- The Drupal security team [6] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/filefield_sources [2] http://drupal.org/node/880248 [3] http://drupal.org/project/filefield_sources [4] http://drupal.org/user/35821 [5] http://drupal.org/user/36762 [6] http://drupal.org/security-team

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news August 2010