* Advisory ID: DRUPAL-SA-CONTRIB-2010-098
* Project: memcache (third-party module)
* Version: 5.x, 6.x
* Date: 2010-September-29
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross-Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Memcache project [1] provides an alternative cache backend which works
with the memcached daemon to speed up high-traffic sites.
The memcache backend caches the current $user object a little too
aggressively, which can lead to a role change not being recognized until the
user logs in again.
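The stale-$user problem described above, as an added example of how a per-user cache can be kept in step with role changes in Drupal 6. This is illustrative code, not the Memcache module's own: the bin name 'cache_example_users', the TTL and the function names are assumptions.

```php
<?php
// Added example (not the Memcache project's code): caching a loaded user
// object so that a role change takes effect on the next request instead of
// the next login. Bin name, TTL and function names are hypothetical.

define('EXAMPLE_USER_CACHE_TTL', 300);

// Returns the cached account for $uid, or loads and caches it.
function example_user_cache_load($uid) {
  $cid = 'user:' . $uid;
  $cached = cache_get($cid, 'cache_example_users');
  if ($cached && isset($cached->data)) {
    return $cached->data;
  }
  $account = user_load(array('uid' => $uid));
  if ($account) {
    // The expiry is only a backstop; the explicit invalidation in
    // example_user() below is what keeps permission checks correct.
    cache_set($cid, $account, 'cache_example_users', time() + EXAMPLE_USER_CACHE_TTL);
  }
  return $account;
}

// Implementation of hook_user(). user_save() fires the 'update' op for every
// saved change, including role edits on the user edit form, so the stale copy
// is dropped before the next request loads $user. Without this, the cached
// $account->roles keeps granting (or withholding) access until it expires.
function example_user($op, &$edit, &$account, $category = NULL) {
  switch ($op) {
    case 'update':
    case 'delete':
    case 'logout':
      cache_clear_all('user:' . $account->uid, 'cache_example_users');
      break;
  }
}
```

Anything that edits the {users_roles} table without going through user_save() would still leave a stale entry behind, which is why the short TTL is kept as a second line of defence rather than relying on invalidation alone.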
The memcache_admin module does not sanitize some of the user supplied data
before displaying it, leading to a Cross Site Scripting (XSS [2])
vulnerability which can be used by a malicious user to gain full
administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Memcache for Drupal 6.x versions prior to 6.x-1.6
* Memcache for Drupal 5.x versions prior to 5.x-1.10
Drupal core is not affected. If you do not use the contributed Memcache [3]
backend there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Memcache for Drupal 6.x, upgrade to Memcache 6.x-1.6 [4]
* If you use the Memcache for Drupal 5.x, upgrade to Memcache 5.x-2.10 [5]
See also the Memcache project page [6].
-------- REPORTED BY
---------------------------------------------------------
* Justin James Grevich (jgrevich) [7]
* Moshe Weitzman [8], of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Robert Douglass (robertDouglass) [9], module maintainer
* Moshe Weitzman [10], of the Drupal Security Team
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [11] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [12].
[1] http://drupal.org/project/memcache
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/memcache
[4] http://drupal.org/node/926474
[5] http://drupal.org/node/926478
[6] http://drupal.org/project/memcache
[7] http://drupal.org/user/355156
[8] http://drupal.org/user/31977
[9] http://drupal.org/user/5449
[10] http://drupal.org/user/23
[11] http://drupal.org/security-team
[12] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-097
* Project: Imagemenu (third-party module)
* Version: 5.x, 6.x
* Date: 2010-September-29
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-Site Scripting, Cross-site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Imagemenu module allows users to create and maintain image based menus.
The Drupal 5 branch of this module contains a Cross Site Request Forgery
(CSRF [1]) vulnerability which could allow a malicious user to trick an
administrator into unintentionally enabling or disabling menu items provided
by this module.
The Drupal 6 branch of this module does not properly sanitize some
user-supplied menu and menu item properties, leading to Cross-Site Scripting
(XSS [2]) vulnerabilities. The risk is mitigated by the fact that the
"administer imagemenu" permission is required in order to exploit this
vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Imagemenu for Drupal 6 prior to 6.x-1.3
* Imagemenu for Drupal 5 prior to 5.x-1.2
Drupal core is not affected. If you do not use the contributed Imagemenu [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Imagemenu module for Drupal 6.x upgrade to Imagemenu
6.x-1.3 [4]
* If you use the Imagemenu module for Drupal 5.x upgrade to Imagemenu
5.x-1.2 [5]
See also the Imagemenu [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* The XSS vulnerability on menu titles was reported by Joachim Noreiko
(joachim [7])
* The XSS vulnerability on menu item description and the CSRF vulnerability
were reported by Ivo Van Geertruyen (mr.baileys [8]) of the Drupal
security team [9]
-------- FIXED BY
------------------------------------------------------------
* Paul Maddern (pobster [10]), module maintainer
* Ivo Van Geertruyen (mr.baileys [11]) of the Drupal security team [12]
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [13] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [14].
[1] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/imagemenu
[4] http://drupal.org/node/925726
[5] http://drupal.org/node/925730
[6] http://drupal.org/project/imagemenu
[7] http://drupal.org/user/107701
[8] http://drupal.org/user/383424
[9] http://drupal.org/security-team
[10] http://drupal.org/user/25159
[11] http://drupal.org/user/383424
[12] http://drupal.org/security-team
[13] http://drupal.org/security-team
[14] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-096
* Project: Domain access (third-party module)
* Version: 5.x, 6.x, 7.x
* Date: 2010-September-22
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-Site Scripting, Privilege Escalation
-------- DESCRIPTION
---------------------------------------------------------
The Domain Access module suite allows users to maintain content shared across
multiple domains running from a single Drupal installation. In several
instances, the module does not sanitize the user-supplied domain name before
displaying it, leading to a Cross-Site Scripting (XSS [1]) vulnerability that
may lead to a malicious user gaining full administrative access. This
vulnerability is mitigated by the fact that a user must have the "administer
domains" permission in order to create and edit domain names.
The Domain Configuration sub-module allows certain site information settings
to be configured per domain. Users with the "administer domains" permission
could change these settings, even if they lacked the permission to edit the
settings on the primary domain.
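The unsanitized-output pattern behind this advisory, as an added example in Drupal 6 code. This is not the Domain Access project's code; the record layout, form field and function names are assumptions, and the sample domain record is constructed. The same output-time escaping fix applies to the XSS issues in the Memcache, Imagemenu, Lightbox2, Advanced Taxonomy Blocks and Advanced Book Blocks advisories on this page.

```php
<?php
// Added example (not the Domain Access project's code): rendering an
// administrator-supplied domain name on a Drupal 6 admin page.

// Constructed sample record, as it might come back from the module's table.
// The stored value carries markup because the form that saved it did not
// validate it and the listing page did not escape it.
$domain = array(
  'domain_id' => 1,
  'subdomain' => 'example.com<script>alert(1)</script>',
  'sitename'  => 'Example <b>site</b>',
);

// VULNERABLE: the stored value is concatenated straight into HTML, so any
// markup the submitter stored runs in the browser of whoever views the list.
function example_domain_row_unsafe($domain) {
  return '<td>' . $domain['subdomain'] . '</td><td>' . $domain['sitename'] . '</td>';
}

// FIXED: escape at output time. check_plain() converts <, >, &, " and ' to
// entities, so the value is displayed as text and never parsed as HTML.
function example_domain_row_safe($domain) {
  return '<td>' . check_plain($domain['subdomain']) . '</td>'
       . '<td>' . check_plain($domain['sitename']) . '</td>';
}

// Where a value legitimately carries limited markup (not the case for a
// hostname), filter_xss() with an explicit tag whitelist is the alternative.
function example_sitename_limited_markup($domain) {
  return filter_xss($domain['sitename'], array('b', 'em'));
}

// Rendering through theme('table') does not help on its own: the theme
// function treats cell contents as already-safe HTML, so escaping belongs in
// the code that builds the rows.
function example_domain_table($domain) {
  $header = array(t('Domain'), t('Site name'));
  $rows = array(array(check_plain($domain['subdomain']), check_plain($domain['sitename'])));
  return theme('table', $header, $rows);
}

// Defence in depth: reject values that are not hostnames when they are saved,
// via a Form API validate handler, so bad data never reaches the table.
function example_domain_form_validate($form, &$form_state) {
  if (!preg_match('/^[a-z0-9.-]+$/i', $form_state['values']['subdomain'])) {
    form_set_error('subdomain', t('The domain name may contain only letters, digits, dots and hyphens.'));
  }
}
```

Input validation narrows what gets stored, but output escaping is the control that closes the XSS: data already in the database, or written by another module, is still rendered safely.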
-------- VERSIONS AFFECTED
---------------------------------------------------
* Domain access module for Drupal 5.x versions prior to 5.x-1.15
* Domain access module for Drupal 6.x versions prior to 6.x-2.6
* Domain access module for Drupal 7.x versions prior to 7.x-2.4
Drupal core is not affected. If you do not use the contributed Domain access
[2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Domain access module for Drupal 5.x upgrade to Domain
access 5.x-1.15 [3]
* If you use the Domain access module for Drupal 6.x upgrade to Domain
access 6.x-2.6 [4]
* If you use the Domain access module for Drupal 7.x upgrade to Domain
access 7.x-2.4 [5]
See also the Domain access project page [6].
-------- REPORTED BY
---------------------------------------------------------
* Sam Oldak [7] (Cross-Site Scripting)
* brt [8] (Privilege escalation)
* Nirbhasa Magee [9] (Privilege escalation)
-------- FIXED BY
------------------------------------------------------------
* Sam Oldak [10]
* Ken Rickard [11], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [12] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/domain
[3] http://drupal.org/node/919890
[4] http://drupal.org/node/919896
[5] http://drupal.org/node/919900
[6] http://drupal.org/project/domain
[7] http://drupal.org/user/366337
[8] http://drupal.org/user/26752
[9] http://drupal.org/user/151770
[10] http://drupal.org/user/366337
[11] http://drupal.org/user/20975
[12] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-095
* Project: Lightbox2 (third-party module)
* Version: 5.x, 6.x
* Date: 2010-September-22
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass, Cross-Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Lightbox2 module enables images to be overlaid on the current page using
JavaScript. The module displays images above the page instead of within it,
freeing the page design from layout constraints and keeping users on the same
page.
The module does not sanitize some of the user supplied data before displaying
it, leading to a Cross Site Scripting (XSS [1]) vulnerability which can be
used by a malicious user to gain full administrative access.
The Lightbox2 module also enables Embedded Media Field [2] and Acidfree [3]
videos to be displayed in a modal popup. In some cases checks on the user's
field level access to the source video were not carried out correctly,
allowing direct queries to the backend URL resulting in the display of videos
which the user would otherwise be unable to access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Lightbox2 module for Drupal 6.x versions prior to 6.x-1.10
* Lightbox2 module for Drupal 5.x versions prior to 5.x-2.10
Drupal core is not affected. If you do not use the contributed Lightbox2 [4]
module there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Lightbox2 module for Drupal 6.x upgrade to Lightbox2
6.x-1.10 [5]
* If you use the Lightbox2 module for Drupal 5.x upgrade to Lightbox2
5.x-2.10 [6]
See also the Lightbox2 project page [7].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [8], of the Drupal Security Team
* Jakub Suchy (meba) [9], of the Drupal Security Team
* Stella Power (stella) [10], module maintainer
* hefox [11]
-------- FIXED BY
------------------------------------------------------------
* Stella Power (stella) [12], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [13] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [14].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/emfield
[3] http://drupal.org/project/acidfree
[4] http://drupal.org/project/lightbox2
[5] http://drupal.org/node/919648
[6] http://drupal.org/node/919636
[7] http://drupal.org/project/lightbox2
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/31977
[10] http://drupal.org/user/66894
[11] http://drupal.org/user/426416
[12] http://drupal.org/user/66894
[13] http://drupal.org/security-team
[14] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-094
* Project: Embedded Media Field (third-party module)
* Version: 5.x, 6.x
* Date: 2010-September-22
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
The Embedded Media Field project is a set of modules that enable editors to
post URLs and embed codes for third-party media providers such as YouTube,
Vimeo, or Flickr, which are automatically parsed and displayed using preset
formatters.
The Embedded Video Field module (packaged with the project) enables videos to
be displayed in a modal popup using the Lightbox2 [1], Shadowbox [2],
Colorbox [3], and Thickbox [4] modules. In some cases checks on the user's
field level access to the source video were not carried out correctly,
allowing direct queries to the backend URL resulting in the display of videos
which the user would otherwise be unable to access.
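The field-level access check that this advisory and the Lightbox2 advisory above say was missing on the popup's backend URL, as an added Drupal 6 example. This is not the Embedded Media Field or Lightbox2 projects' code; the menu path and function names are assumptions, and it relies on CCK's content_fields(), content_access() and content_format() as they exist in CCK 6.x.

```php
<?php
// Added example (not the Embedded Media Field or Lightbox2 projects' code):
// a Drupal 6 menu callback that returns the markup for a modal video popup.
// Path and function names are hypothetical.

function example_video_popup_menu() {
  $items['example/video/%node/%'] = array(
    'page callback'    => 'example_video_popup_page',
    'page arguments'   => array(2, 3),
    // The bypass pattern is an access callback of 'node_access' with
    // 'access arguments' => array('view', 2): node access passes, but the
    // field's own permissions are never consulted.
    'access callback'  => 'example_video_popup_access',
    'access arguments' => array(2, 3),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

// A user who may view the node can still request the popup URL directly for
// a field that CCK field-level permissions hide from them, so both levels
// must be checked.
function example_video_popup_access($node, $field_name) {
  if (!node_access('view', $node)) {
    return FALSE;
  }
  $field = content_fields($field_name, $node->type);
  if (empty($field)) {
    return FALSE;
  }
  // content_access() runs hook_field_access() implementations, such as the
  // Content Permissions module's per-field "view" permissions, for the
  // current user.
  return content_access('view', $field, NULL, $node);
}

function example_video_popup_page($node, $field_name) {
  // Both checks passed in the access callback. Render through the field's
  // formatter instead of echoing the raw stored embed code.
  $field = content_fields($field_name, $node->type);
  if (empty($node->{$field_name}[0])) {
    return MENU_NOT_FOUND;
  }
  $output = content_format($field, $node->{$field_name}[0], 'default', $node);
  // Modal popups typically return a bare fragment rather than a themed page.
  print $output;
  exit;
}
```

The key point is that the menu system only enforces what the access callback checks: node-level access alone is the gap, and the field-level check must be made on every path that serves the field, including helper URLs that exist only for JavaScript.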
-------- VERSIONS AFFECTED
---------------------------------------------------
* Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.24 and
6.x-2.0
* Embedded Media Field module for Drupal 5.x versions prior to 5.x-1.10
Drupal core is not affected. If you do not use the contributed Embedded Media
Field [5] module, together with the Embedded Video Field module there is
nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Embedded Media Field module for Drupal 6.x upgrade to
Embedded Media Field 6.x-2.1 [6] or Embedded Media Field 6.x-1.25 [7]
* If you use the Embedded Media Field module for Drupal 5.x upgrade to
Embedded Media Field 5.x-1.11 [8]
See also the Embedded Media Field project page [9].
.... Important note
Users wishing to update from version DRUPAL 6.x-1.x to version DRUPAL 6.x-2.x
(or greater) of Embedded Media Field should be aware that as of version
DRUPAL 6.x-2.x the module no longer provides direct support for third party
media providers, instead it acts as an API for other modules to use. All
providers previously supported directly in earlier versions are now supported
externally; see the partial list at the project page for a list of modules
offering this support (such as Media: YouTube [10], Media: Vimeo [11], and
Media: Flickr [12]). Please note that at this time there are not yet specific
modules for all the individual providers; if you don't see your desired
provider in that list, it most likely will be in one of the 'Flotsam' modules
listed at the end of that list, which serve as a temporary placeholder.
Developers interested in creating or maintaining one of these individual
provider modules are encouraged to contact the module maintainers.
-------- REPORTED BY
---------------------------------------------------------
* Stella Power (stella) [13], of the Drupal security team
-------- FIXED BY
------------------------------------------------------------
* Stella Power (stella) [14], of the Drupal security team
* Aaron Winborn (aaron) [15], module co-maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [16] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [17].
[1] http://drupal.org/project/lightbox2
[2] http://drupal.org/project/shadowbox
[3] http://drupal.org/project/colorbox
[4] http://drupal.org/project/thickbox
[5] http://drupal.org/project/emfield
[6] http://drupal.org/node/919368
[7] http://drupal.org/node/919366
[8] http://drupal.org/node/919364
[9] http://drupal.org/project/emfield
[10] http://drupal.org/project/media_youtube
[11] http://drupal.org/project/media_vimeo
[12] http://drupal.org/project/media_flickr
[13] http://drupal.org/user/66894
[14] http://drupal.org/user/66894
[15] http://drupal.org/user/33420
[16] http://drupal.org/security-team
[17] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-093
* Project: Advanced Taxonomy Blocks (third-party module)
* Version: 6.x
* Date: 2010-September-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Advanced Taxonomy Blocks makes use of the jQuery Menu module to create
extremely customizable blocks for browsing through single-hierarchy
taxonomies. The module contained Cross Site Scripting vulnerabilities which
could allow a malicious user with one of several non-default permissions to
inject arbitrary JavaScript into the administrative pages provided by this
module. The module also contained Cross Site Request Forgery vulnerabilities
which could allow an attacker to trick an administrator into unintentionally
deleting or resetting blocks provided by this module.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Advanced Taxonomy Blocks module for Drupal 6.x versions prior to 6.x-3.4
Drupal core is not affected. If you do not use the contributed Advanced
Taxonomy Blocks [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Advanced Taxonomy Blocks module for Drupal 6.x upgrade to
Advanced Taxonomy Blocks 6.x-3.4 [2]
See also the Advanced Taxonomy Blocks project page [3].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys, of the Drupal Security Team.
-------- FIXED BY
------------------------------------------------------------
* Aaron Hawkins, the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [4] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/taxonomyblocks
[2] http://drupal.org/node/912584
[3] http://drupal.org/project/taxonomyblocks
[4] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-092
* Project: Advanced Book Blocks (third-party module)
* Version: 6.x
* Date: 2010-September-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Advanced Book Blocks module enables you to integrate with the API
provided by the jQuery Menu module (version 1.8 and higher) to provide click
and expand book menus with the ability to customize each block individually.
The module contained Cross Site Scripting vulnerabilities which could allow a
malicious user with one of several non-default permissions to inject
arbitrary JavaScript into the administrative pages provided by this module.
The module also contained Cross Site Request Forgery vulnerabilities which
could allow an attacker to trick an administrator into unintentionally
deleting or resetting blocks provided by this module.
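The CSRF weakness described here, in the Advanced Taxonomy Blocks advisory, and in the Drupal 5 Imagemenu advisory (an administrator tricked into enabling, disabling, deleting or resetting items through a plain link), as an added Drupal 6 example of a state-changing admin link with and without protection. This is not code from any of those projects; the paths, permission name, function names and storage calls are assumptions.

```php
<?php
// Added example (not the Imagemenu, Advanced Taxonomy Blocks or Advanced Book
// Blocks projects' code): protecting a state-changing admin link in Drupal 6.

function example_csrf_menu() {
  // VULNERABLE pattern: a GET link that performs the action as soon as it is
  // requested. Any page that makes the administrator's browser fetch this
  // URL (an image tag on another site, for instance) triggers the reset.
  $items['admin/example/block/%/reset'] = array(
    'page callback'    => 'example_block_reset_unsafe',
    'page arguments'   => array(3),
    'access arguments' => array('administer example blocks'),
    'type'             => MENU_CALLBACK,
  );
  // FIXED pattern: the link carries a token bound to the user's session and
  // to this specific block, and the callback refuses to act without it.
  $items['admin/example/block/%/reset/%'] = array(
    'page callback'    => 'example_block_reset_safe',
    'page arguments'   => array(3, 5),
    'access arguments' => array('administer example blocks'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

function example_block_reset_unsafe($delta) {
  example_block_do_reset($delta);
  drupal_goto('admin/example');
}

function example_block_reset_safe($delta, $token) {
  // drupal_valid_token() recomputes the hash of the session id, the value
  // and the site's private key; a request forged from another origin cannot
  // supply a matching token.
  if (!drupal_valid_token($token, 'reset-block-' . $delta)) {
    return MENU_ACCESS_DENIED;
  }
  example_block_do_reset($delta);
  drupal_set_message(t('Block %delta has been reset.', array('%delta' => $delta)));
  drupal_goto('admin/example');
}

// Building the link on the listing page, with the matching token.
function example_block_reset_link($delta) {
  $token = drupal_get_token('reset-block-' . $delta);
  return l(t('reset'), 'admin/example/block/' . $delta . '/reset/' . $token);
}

// For destructive actions a confirmation form is the more idiomatic fix:
// confirm_form() submits by POST and the Form API adds and validates its own
// form token on every submission.
function example_block_delete_confirm(&$form_state, $delta) {
  $form['delta'] = array('#type' => 'value', '#value' => $delta);
  return confirm_form($form, t('Delete block %delta?', array('%delta' => $delta)),
    'admin/example', NULL, t('Delete'), t('Cancel'));
}

function example_block_delete_confirm_submit($form, &$form_state) {
  example_block_do_delete($form_state['values']['delta']);
  $form_state['redirect'] = 'admin/example';
}

// Hypothetical storage operations standing in for the module's own code.
function example_block_do_reset($delta) {
  variable_del('example_block_' . $delta);
}

function example_block_do_delete($delta) {
  db_query("DELETE FROM {example_blocks} WHERE delta = '%s'", $delta);
}
```

The permission check on the menu item is not a CSRF defence: the forged request is made by the administrator's own browser, with the administrator's own session, so it passes. Only something the attacker cannot obtain (the token, or a POST through a form the Form API protects) distinguishes the real click from the forged one.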
-------- VERSIONS AFFECTED
---------------------------------------------------
* Advanced Book Blocks module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed Advanced Book
Blocks [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Advanced Book Blocks module for Drupal 6.x upgrade to
Advanced Book Blocks 6.x-2.2 [2]
See also the Advanced Book Blocks project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Matt Chapman, of the Drupal Security Team.
-------- FIXED BY
------------------------------------------------------------
* Aaron Hawkins, the module maintainer.
* Matt Chapman, of the Drupal Security Team.
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [4] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/advancedbookblocks
[2] http://drupal.org/node/912586
[3] http://drupal.org/project/advancedbookblocks
[4] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-091
* Project: Mollom (third-party module)
* Version: 6.x
* Date: 2010-September-15
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Mollom module provides a combination of CAPTCHA challenges with text
analysis to intelligently block spam. In some configurations, sensitive user
data (e.g., a user's plain-text password) might be logged through calls to
Drupal's watchdog API. This vulnerability is mitigated by the fact that this
information would only be disclosed to users with access to view log
messages, usually a role with the 'access site reports' permission or access
to system syslog files, which should generally only be granted to trusted
users.
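The logging mistake described above (submitted form values, password included, ending up in watchdog), as an added Drupal 6 example of logging with redaction. This is not the Mollom module's code; the function names, the variable 'example_debug_logging' and the sample submission are assumptions, and the form keys follow Drupal core's login and registration forms.

```php
<?php
// Added example (not the Mollom project's code): logging form submissions
// for debugging without writing credentials to the log.

// Keys whose values must never reach watchdog(), syslog or the dblog table.
function example_sensitive_keys() {
  return array('pass', 'password', 'pass1', 'pass2', 'current_pass', 'form_token', 'form_build_id');
}

// Replace sensitive values recursively, so nested $form_state['values']
// arrays (the 'pass' => array('pass1' => ..., 'pass2' => ...) pair that a
// password_confirm element produces) are covered too.
function example_redact($values) {
  $redacted = array();
  foreach ($values as $key => $value) {
    if (in_array($key, example_sensitive_keys(), TRUE)) {
      $redacted[$key] = '[redacted]';
    }
    elseif (is_array($value)) {
      $redacted[$key] = example_redact($value);
    }
    else {
      $redacted[$key] = $value;
    }
  }
  return $redacted;
}

// VULNERABLE: dumping the whole submission. A user who just logged in now
// has their plain-text password stored wherever log messages go, readable
// by anyone with 'access site reports' or with a shell on the syslog host.
function example_log_submission_unsafe($form_state) {
  watchdog('example', 'Form values: @values',
    array('@values' => print_r($form_state['values'], TRUE)), WATCHDOG_DEBUG);
}

// FIXED: redact before logging, and only log at all when debugging has been
// switched on explicitly, since log readers are the audience.
function example_log_submission_safe($form_state) {
  if (!variable_get('example_debug_logging', FALSE)) {
    return;
  }
  $values = example_redact($form_state['values']);
  watchdog('example', 'Form values: @values',
    array('@values' => print_r($values, TRUE)), WATCHDOG_DEBUG);
}

// Constructed sample: what a core login submission looks like in $form_state.
$form_state = array('values' => array('name' => 'alice', 'pass' => 'hunter2', 'op' => 'Log in'));
example_log_submission_safe($form_state);
```

Redacting by key is deliberately conservative: a value that looks harmless may still be a credential, so the list is applied to every level of the array and the message is built from the redacted copy only.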
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mollom module for Drupal 6.x versions prior to 6.x-1.14
Mollom for Drupal 5.x is not affected, but the alpha Mollom release for
Drupal 7.x is affected. Drupal core is not affected. If you do not use the
contributed Mollom module there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Mollom module for Drupal 6.x upgrade to the 6.x-1.14
version [1]
See also the Mollom project page [2].
-------- REPORTED BY
---------------------------------------------------------
* Katherine Senzee (ksenzee) [3]
-------- FIXED BY
------------------------------------------------------------
* Daniel Kudwien (sun) [4], module co-maintainer
* Dries [5], module co-maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/912420
[2] http://drupal.org/project/mollom
[3] http://drupal.org/user/139855
[4] http://drupal.org/user/54136
[5] http://drupal.org/user/1
[6] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-090
* Project: Yr Weatherdata (third-party module)
* Version: 6.x
* Date: 2010-September-08
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
The Yr Weatherdata module displays weather forecasts, and enables users with
the proper permission to set the sort method. When the sort method is set,
the module does not properly validate the value supplied by the user. This
vulnerability can be exploited to perform an SQL Injection attack [1].
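The unvalidated sort value described above, as an added Drupal 6 example of why a sort setting needs a whitelist rather than escaping. This is not the Yr Weatherdata module's code; the table, columns, variable name and function names are assumptions.

```php
<?php
// Added example (not the Yr Weatherdata project's code): handling a
// user-selected sort method in Drupal 6 database code.

// VULNERABLE: an ORDER BY column cannot be bound as a value. In Drupal 6 the
// %s placeholder only escapes quotes and backslashes, so any other SQL
// expression in $sort is spliced into the statement unchanged.
function example_forecasts_unsafe($sort) {
  return db_query("SELECT name, temperature FROM {example_forecast} ORDER BY %s", $sort);
}

// FIXED: map the submitted value onto a fixed set of known-safe column names
// and directions; user input never reaches the SQL text.
function example_forecast_sort_sql($sort, $direction) {
  $columns = array(
    'name' => 'name',
    'temp' => 'temperature',
    'time' => 'forecast_time',
  );
  $column = isset($columns[$sort]) ? $columns[$sort] : 'name';
  $direction = (strtoupper($direction) == 'DESC') ? 'DESC' : 'ASC';
  return "ORDER BY $column $direction";
}

function example_forecasts_safe($sort, $direction) {
  return db_query("SELECT name, temperature FROM {example_forecast} "
    . example_forecast_sort_sql($sort, $direction));
}

// The settings form offers only the whitelisted keys. The Form API rejects a
// submitted select value that is not in #options, but the whitelist in
// example_forecast_sort_sql() is still needed: the stored variable can be
// changed by other means, and the query code must be safe on its own.
function example_sort_form(&$form_state) {
  $form['example_forecast_sort'] = array(
    '#type'          => 'select',
    '#title'         => t('Sort forecasts by'),
    '#options'       => array('name' => t('Name'), 'temp' => t('Temperature'), 'time' => t('Time')),
    '#default_value' => variable_get('example_forecast_sort', 'name'),
  );
  $form['example_forecast_dir'] = array(
    '#type'          => 'select',
    '#title'         => t('Direction'),
    '#options'       => array('ASC' => t('Ascending'), 'DESC' => t('Descending')),
    '#default_value' => variable_get('example_forecast_dir', 'ASC'),
  );
  return system_settings_form($form);
}

// Reading the setting back for the query goes through the same whitelist.
function example_forecasts_current() {
  return example_forecasts_safe(variable_get('example_forecast_sort', 'name'),
    variable_get('example_forecast_dir', 'ASC'));
}
```

The general rule this shows is that identifiers (column names, table names, sort directions) are not parameters: the only safe approach is to look the user's choice up in a table of allowed values and fall back to a default when it is absent.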
-------- VERSIONS AFFECTED
---------------------------------------------------
* Yr Weatherdata module for Drupal 6.x before version 6.x-1.6
Drupal core is not affected. If you do not use the contributed Yr Weatherdata
[2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Yr Weatherdata module for Drupal 6.x before version 6.x-1.6
upgrade to Yr Weatherdata 6.x-1.6 [3] or later, preferably the current Yr
Weatherdata 6.x-1.10 [4]
See also the Yr Weatherdata project page [5].
-------- REPORTED BY
---------------------------------------------------------
* Fredrik Kilander (tjodolv [6]), module maintainer
-------- FIXED BY
------------------------------------------------------------
* Fredrik Kilander (tjodolv [7]), module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Sql_injection
[2] http://drupal.org/project/yr_verdata
[3] http://drupal.org/node/606290
[4] http://drupal.org/node/824368
[5] http://drupal.org/project/yr_verdata
[6] http://drupal.org/user/196733
[7] http://drupal.org/user/196733
[8] http://drupal.org/security-team