Security-news January 2011

security-news@drupal.org

1 participants
3 discussions

SA-CONTRIB-2011-003 - Janrain Engage (RPX) - Multiple Vulnerabilities
by security-news＠drupal.org 19 Jan '11

19 Jan '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-003 * Project: Janrain Engage (formerly RPX) (third-party module) * Version: 6.x * Date: 2011-January-19 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting or Arbitrary Code Execution -------- DESCRIPTION --------------------------------------------------------- RPX (recently renamed Janrain Engage) is a service that acts as a middleman between a site and external login providers like Facebook, Yahoo, WindowsLive, etc. As part of this functionality it offers the ability to take a user's avatar on these services and download it for use as the user's profile photo. The module did not properly validate this file prior to saving it in the site. This could result in XSS or perhaps arbitrary code execution if a malicious user is able to insert an arbitrary file instead of the profile image. -------- VERSIONS AFFECTED --------------------------------------------------- * Janrain Engage / RPX module 6.x-1.3 only Drupal core is not affected. If you do not use the contributed Janrain Engage / RPX module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the 6.x-1.3 version of the Janrain Engage / RPX module upgrade to the 1.4 version [1] -------- REPORTED BY --------------------------------------------------------- * Greg Dunlap (heyrocker) [2] -------- FIXED BY ------------------------------------------------------------ * Greg Dunlap (heyrocker) [3] * George Katsitadze (geokat) [4] * Nathan Rambeck (nrambeck) [5] * Greg Knaddison (greggles) [6] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [7]. Learn more about the team and their policies [8], writing secure code for Drupal [9], and secure configuration [10] of your site. [1] http://drupal.org/node/1032622 [2] http://drupal.org/user/128537 [3] http://drupal.org/user/128537 [4] http://drupal.org/user/933066 [5] http://drupal.org/user/92967 [6] http://drupal.org/user/36762 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-002 - Panels - Cross Site Scripting (XSS)
by security-news＠drupal.org 13 Jan '11

13 Jan '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-002 * Project: Panels (third-party module) * Version: 6.x * Date: 2011-January-12 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Panels module allows a site administrator to create customized layouts for multiple uses. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer advanced pane settings' permission in addition to at least one permission allowing them to create or edit panels, such as 'use page manager', 'administer mini panels', 'create panel nodes' etc. -------- VERSIONS AFFECTED --------------------------------------------------- * Panels module for Drupal 6.x versions prior to 6.x-3.9 Drupal core is not affected. If you do not use the contributed Panels [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Panels module for Drupal 6.x upgrade to Panels 6.x-3.9 [3] See also the Panels project page [4]. -------- REPORTED BY --------------------------------------------------------- * Justin Klein Keane [5] -------- FIXED BY ------------------------------------------------------------ * Earl Miles (merlinofchaos) [6], Panels module maintainer * Justin Klein Keane [7] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [8], writing secure code for Drupal [9], and secure configuration [10] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/panels [3] http://drupal.org/node/1024918 [4] http://drupal.org/project/panels [5] http://drupal.org/user/302225 [6] http://drupal.org/user/26979 [7] http://drupal.org/user/302225 [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-001 - Webform - SQL Injection
by security-news＠drupal.org 10 Jan '11

10 Jan '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-001 * Project: Webform (third-party module) * Version: 6.x * Date: 2011-January-10 * Security risk: Highly critical * Exploitable from: Remote * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems. The module does not properly use the database API, leading to an SQL Injection [1] vulnerability that can easily lead to a malicious user gaining full administrative access. No permissions are required to exploit this issue. The vulnerability is exploited in the wild. -------- VERSIONS AFFECTED --------------------------------------------------- * Webform module 6.x-3.x versions prior to 6.x-3.5 Note: Webform 6.x-2.4 is not affected. Drupal core is not affected. If you do not use the contributed webform [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Webform module for Drupal 6.x upgrade to Webform 6.x-3.5 [3] See also the Webform project page [4]. -------- REPORTED BY --------------------------------------------------------- The vulnerability was reported publicly. -------- FIXED BY ------------------------------------------------------------ * Nathan Haug (quicksketch) [5] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [6], writing secure code for Drupal [7], and secure configuration [8] of your site. [1] http://en.wikipedia.org/wiki/SQL_injection [2] http://drupal.org/project/webform [3] http://drupal.org/node/1021180 [4] http://drupal.org/project/webform [5] http://drupal.org/user/35821 [6] http://drupal.org/security-team [7] http://drupal.org/writing-secure-code [8] http://drupal.org/security/secure-configuration

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news January 2011