February 2011 - Security-news

PSA-2011-001 - "Drupal security update" social engineering
by security-news＠drupal.org 17 Feb '11

17 Feb '11

* Advisory ID: PSA-2011-001 * Project: Drupal core and contrib * Versions: All versions * Date: 2011-February-17 * Security risk: Not critical -------- DESCRIPTION --------------------------------------------------------- This is a public service announcement regarding a recent social engineering attack via the following mail purporting to come from the Drupal security team. >Hello, I am a member of the Drupal security team. Our installation records >show that your site runs Drupal on PHP [version] and [server]. We have >recently found a security problem with that configuration which could allow >a hacker to get into the site and delete any posts they want. We have not >posted anything about this yet publicly as we want to get this patch out to >as many people as possible first. We have developed a patch for this bug - >all you need to do is upload this file to your site in the >sites/default/files/ folder (do not change the name of the file) and Drupal >will see it and install it for you. We recommend you do this as soon as >possible. Sincerely, James Drupal security team The mail was sent with Drupal Security <drupal_s(a)yahoo.com> as the (easily-forged) "From" address. It also contained an attachment that was said to be a patch that had to be uploaded and installed. Needless to say that this file contained code to make the system accessible from the outside. If you received a message like the above, do not upload the attached file. How the Drupal Security Team communicates: 1) The Security Team does not supply patches to sites. 2) The Security Team will never ask site administrators to upload random files to their site. We only recommend to update to latest core or contrib releases downloaded from drupal.org. 3) The Security Team officially uses three forms of communication for Drupal Security Advisories; the update report in your Drupal installation, the posts and RSS feed on http://drupal.org/security, and the newsletter available from your Drupal.org user page. The Drupal Security Team does not publish to a Twitter feed or provide any other official communication channel. 4) The Security Team will never ask for passwords for your host or your Drupal install. If you receive communications from someone saying they are a member of the Security Team and their request is questionable, please forward the email to the team at security(a)drupal.org. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

1 0

SA-CONTRIB-2011-010 - Messaging - Cross Site Scripting
by security-news＠drupal.org 17 Feb '11

17 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-010 * Project: Messaging (third-party module) * Version: 6.x * Date: 2011-February-16 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting The Messaging module is a Framework to allow message sending in a channel independent way. It provides a common API for message composition and sending while allowing plug-ins for multiple messaging methods. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer messaging' permission which should generally only be granted to trusted roles. -------- VERSIONS AFFECTED --------------------------------------------------- * Messaging module for Drupal 6.x versions prior to 6.x-2.4 and 6.x-4.0-beta8 Drupal core is not affected. If you do not use the contributed Messaging [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Messaging module version 6.x-2.x upgrade to Messaging 6.x-2.4 [3] * If you use the Messaging module version 6.x-4.x upgrade to Messaging 6.x-4.0-beta8 [4] See also the Messaging project page [5]. -------- REPORTED BY --------------------------------------------------------- * Justin Klein Keane [6] -------- FIXED BY ------------------------------------------------------------ * Jose Reyero [7], module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [8] can be reached at security at drupal.org [9] or via the form at http://drupal.org/contact [10]. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/messaging [3] http://drupal.org/node/1064014 [4] http://drupal.org/node/1064026 [5] http://drupal.org/project/messaging [6] http://drupal.org/user/302225 [7] http://drupal.org/user/4299 [8] http://drupal.org/security-team [9] http://drupal.org [10] http://drupal.org/contact

1 0

SA-CONTRIB-2011-009 - Droptor - SQL Injection
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-009 * Project: Droptor (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Critical * Exploitable from: Remote * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring and management solution. When capturing memory logging information the module does not filter the value input from the current page request variable. This vulnerability can be exploited to perform an SQL Injection attack [1]. This vulnerability is mitigated by the fact that memory monitoring must be enabled, which is not the default configuration. -------- VERSIONS AFFECTED --------------------------------------------------- * Droptor module for Drupal 6.x before version 6.x-2.8 Only sites that have "memory monitoring" enabled in their Droptor settings page are affected. The Drupal 7 version of this module is not affected. Drupal core is not affected. If you do not use the contributed Droptor [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Droptor module for Drupal 6.x before version 6.x-2.8 upgrade to Droptor 6.x-2.8 [3]. See also the Droptor project page [4]. -------- REPORTED BY --------------------------------------------------------- * Heine Deelstra [5] and Peter Wolanin [6], of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Justin Emond (jemond [7]), module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [8] can be reached at security at drupal.org [9] or via the form at http://drupal.org/contact [10]. [1] http://en.wikipedia.org/wiki/Sql_injection [2] http://drupal.org/project/droptor [3] http://drupal.org/node/1049098 [4] http://drupal.org/project/droptor [5] http://drupal.org/user/17943 [6] http://drupal.org/user/ [7] http://drupal.org/user/186334 [8] http://drupal.org/security-team [9] http://drupal.org [10] http://drupal.org/contact

1 0

SA-CONTRIB-2011-008 - Chatroom - Cross Site Scripting (XSS) and Cross Site Request Forgery
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-008 * Project: Chatroom (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting and Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Chatroom module provides real-time chat capabilities to Drupal. .... Vulnerability: Cross Site Scripting The module does not properly escape the contents of chat messages in pages listing the chats contained in a chatroom, leading to a Cross Site Scripting (XSS [1]) vulnerability. Any user with permission to view chatroom summary pages is vulnerable to attack. .... Vulnerability: Cross Site Request Forgery The module does not properly check for valid form tokens, leading to a Cross Site Request Forgery(XSS [2]) vulnerability. Users with administrative privileges are vulnerable to replay attacks. -------- VERSIONS AFFECTED --------------------------------------------------- * Chatroom module for Drupal 6.x versions prior to 6.x-2.13. Drupal core is not affected. If you do not use the contributed Chatroom [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Upgrade to Chatroom 6.x-2.13 [4] See also the Chatroom project page [5]. -------- REPORTED BY --------------------------------------------------------- * XSS reported by Steffen Schüssler [6] * CSRF reported by Greg Knaddison [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Justin Randell [8], module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [9] can be reached at security at drupal.org [10] or via the form at http://drupal.org/contact [11]. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://en.wikipedia.org/wiki/Cross-site_request_forgery [3] http://drupal.org/project/chatroom [4] http://drupal.org/node/1045716 [5] http://drupal.org/project/chatroom [6] http://drupal.org/user/107190 [7] http://drupal.org/user/36762 [8] http://drupal.org/user/38580 [9] http://drupal.org/security-team [10] http://drupal.org [11] http://drupal.org/contact

1 0

SA-CONTRIB-2011-007 - Userpoints Cross Site Scripting
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-007 * Project: Userpoints (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Userpoints module allows users to gain points through specific actions like contributing content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must have a role with the "administer userpoints" permission. -------- VERSIONS AFFECTED --------------------------------------------------- * Userpoints module for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Userpoints [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Userpoints module for Drupal 6.x upgrade to Userpoints 6.x-1.2 [3] See also the Userpoints project page [4]. -------- REPORTED BY --------------------------------------------------------- * Sascha Grossenbacher (Berdir) [5], Userpoints module maintainer -------- FIXED BY ------------------------------------------------------------ * Sascha Grossenbacher (Berdir) [6], Userpoints module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org [7] or via the form at http://drupal.org/contact [8]. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/userpoints [3] http://drupal.org/node/1048946 [4] http://drupal.org/project/userpoints [5] http://drupal.org/user/214652 [6] http://drupal.org/user/214652 [7] http://drupal.org [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-006 - Flag Page - Cross Site Scripting (XSS)
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-006 * Project: Flag page (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The contributed flag page module provides an additional flag type to allow you to flag pages so you can bookmark any URL on your site including views, panels, administration pages or site contact page. The module does not sanitize the flag titles when displayed in blocks, leading to a Cross-Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the user must have the "administer flags" permission in order to create and edit flags and enter the XSS. -------- VERSIONS AFFECTED --------------------------------------------------- * Flag page module 6.x-2.x versions prior to 6.x-2.2 * Flag page module 6.x-1.x versions prior to 6.x-1.3 Note: If you do not use the contributed flag_page [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Flag page module for Drupal 6.x-2.x upgrade to Flag Page 6.x-2.2 [3] * If you use the Flag page module for Drupal 6.x-1.x upgrade to Flag Page 6.x-1.3 [4] See also the Flag page project page [5]. -------- REPORTED BY --------------------------------------------------------- * Balazs Dianiska (snufkin) [6] -------- FIXED BY ------------------------------------------------------------ * Balazs Dianiska (snufkin) [7] * Alex Pott [8], module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/flag_page [3] http://drupal.org/node/1046704 [4] http://drupal.org/node/1046706 [5] http://drupal.org/project/flag_page [6] http://drupal.org/user/58645 [7] http://drupal.org/user/58645 [8] http://drupal.org/user/157725 [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-005 - AES encryption - Information disclosure
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: SA-CONTRIB-2011-005 * Project: AES (third-party module) * Version: 7.x * Date: 2011-February-02 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- Due to a piece of code used for debugging mistakenly left in the release, the plain text password of the user who last logged in is written to a text file in the Drupal root directory. This file is remotely accessible, thus an attacker with the knowledge of which user last logged in may access that user's account. -------- VERSIONS AFFECTED --------------------------------------------------- * AES module for Drupal 7.x-1.4 Drupal core is not affected. If you do not use the contributed AES [1] module there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the AES module for Drupal 7.x upgrade to AES 7.x-1.5 [2] See also the AES project page. [3] -------- REPORTED BY --------------------------------------------------------- * Shawn Smiley [4] -------- FIXED BY ------------------------------------------------------------ * Johan Lindskog [5], module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [6]. Learn more about the team and their policies [7], writing secure code for Drupal [8], and secure configuration [9] of your site. [1] http://drupal.org/project/aes [2] http://drupal.org/node/1040728 [3] http://drupal.org/project/aes [4] http://drupal.org/user/317704 [5] http://drupal.org/user/123038 [6] http://drupal.org/contact [7] http://drupal.org/security-team [8] http://drupal.org/writing-secure-code [9] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-004 - Multiple Vulnerabilities In Multiple Contributed Modules
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-004 * Projects: Multiple third party modules - OG Forum, Open Legislation, PowerSQL * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Multiple (Information disclosure, Cross Site Scripting, Cross Site Request Forgery, SQL injection) -------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ---------------------------- OG Forum [1] for Drupal 6.x OG Forum creates a forum per organic group and restricts viewing forum nodes by group membership. OG Forum does not properly implement access controls on private forums it creates, which can lead to a private group's forums becoming public via Cross Site Request Forgeries (CSRF [2]). Additionally, OG Forum stores private group and forum information in a global vocabulary, which can lead to information such as group and forum names being disclosed to members not part of the private group. *Solution:* Disable the module. There is no safe version of the module to use. Open Legislation [3] for Drupal 6.x This module provides integation for OpenLegislation, the open legislation database and web service of the New York State Senate. The module is vulnerable to a Cross Site Scripting [4] (XSS) attack via content consumed from remote web services. *Solution:* Disable the module. There is no safe version of the module to use. PowerSQL [5] for Drupal 6.x This module provides implements additional database API functions which are not secure. Use of this module may make your site vulnerable to a SQL Injection attack [6] *Solution:* Disable the module. There is no safe version of the module to use. Drupal core is not affected. If you do not use any of the module releases above there is nothing you need to do. -------- ONGOING MAINTENANCE OF THESE MODULES -------------------------------- If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process [7]. -------- REPORTED BY --------------------------------------------------------- * OG Forum issues: * The information disclosure vulnerability was reported by Tim_O [8] * The access bypass vulnerability was reported by Michael Hao (qmhao99 [9]) * Open Legislation issue reported by Stéphane Corlosquet [10] of the Drupal Security Team * PowerSQL issue reported by Jakub Suchy [11] of the Drupal Security Team -------- CONTACT ------------------------------------------------------------- The security team for Drupal [12] can be reached at security at drupal.org or via the form at http://drupal.org/contact. Read more about the Security Team and Security Advisories at http://drupal.org/security. [1] http://drupal.org/project/og_forum [2] http://en.wikipedia.org/wiki/Csrf [3] http://drupal.org/project/openleg [4] http://en.wikipedia.org/wiki/Cross_Site_Scripting [5] http://drupal.org/project/vitzo_powersql [6] http://en.wikipedia.org/wiki/Sql_injection [7] http://drupal.org/node/251466 [8] http://drupal.org/user/111066 [9] http://drupal.org/user/855110 [10] http://drupal.org/user/52142 [11] http://drupal.org/user/31977 [12] http://drupal.org/security-team

1 0