* Advisory ID: DRUPAL-SA-CONTRIB-2011-018
* Project: Node Reference URL Widget [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-April-27
* Security risk: Moderately critical (definition of risk levels) [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Node Reference URL Widget module adds a new widget to the Node Reference
field type, allowing node reference fields to be auto-populated based on a
value from the URL.
The module does not sanitize some of the user-supplied data before displaying
it, leading to a Cross Site Scripting (XSS [3]) vulnerability that may lead
to a malicious user gaining full administrative access.
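The class of bug described above, as an added illustration that is not the Node Reference URL Widget module's code: a hypothetical Drupal 7 widget element pre-filled from a URL path argument, shown in its unsafe form and in a hardened form. The `mymodule_` function names and the use of `arg(3)` are assumptions; `arg()`, `node_load()`, `node_access()` and `check_plain()` are Drupal 7 core API.

```php
<?php
// Added illustration (not the module's code). Assumed: the widget takes the
// nid of the node to reference from path argument 3 (arg(3) is hypothetical).

/**
 * Vulnerable pattern: a raw, user-controlled URL value is concatenated into
 * '#markup', which Drupal renders without escaping. Whatever the URL carries
 * ends up as HTML in the page, which is exactly the XSS the advisory describes.
 */
function mymodule_widget_unsafe($element) {
  $from_url = arg(3);                                // untrusted URL value
  $element['preview'] = array(
    '#markup' => '<div class="nodereference-url">' . $from_url . '</div>',
  );
  return $element;
}

/**
 * Hardened pattern: treat the URL value as the node ID it is supposed to be,
 * load the node through the normal access checks, and escape the only thing
 * that is actually printed (the title) with check_plain(). An integer nid can
 * never carry markup, and the title never reaches the page unescaped.
 */
function mymodule_widget_safe($element) {
  $nid = arg(3);
  if (!ctype_digit((string) $nid)) {
    return $element;                                 // not a nid: ignore it
  }
  $node = node_load((int) $nid);
  if (!$node || !node_access('view', $node)) {
    return $element;                                 // respect node access too
  }
  $element['preview'] = array(
    '#markup' => '<div class="nodereference-url">' . check_plain($node->title) . '</div>',
  );
  // Store the validated nid as a hidden value for the field's submit handling.
  $element['nid'] = array('#type' => 'value', '#value' => (int) $nid);
  return $element;
}
```

The same rule applies to any other place the URL value is echoed (descriptions, messages, JavaScript settings): escape at output, and prefer passing untrusted text through Form API properties such as `#default_value` that the theme layer escapes for you.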
-------- VERSIONS AFFECTED ---------------------------------------------------
* Node Reference URL Widget module for Drupal 6 prior to 6.x-1.10.
* Node Reference URL Widget module for Drupal 7 prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Node Reference
URL Widget [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Node Reference URL Widget module for Drupal 6.x, upgrade to
Node Reference URL Widget 6.x-1.10 [5].
* If you use the Node Reference URL Widget module for Drupal 7.x, upgrade to
Node Reference URL Widget 7.x-1.10 [6].
See also the Node Reference URL Widget [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ralf Stamm [8]
-------- FIXED BY ------------------------------------------------------------
* Nathan Haug (quicksketch [9]), the module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the team and their policies [11], writing secure code for
Drupal [12], and secure configuration [13] of your site.
[1] http://www.drupal.org/project/nodereference_url
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/project/nodereference_url
[5] http://drupal.org/node/1140310
[6] http://drupal.org/node/1140312
[7] http://drupal.org/project/nodereference_url
[8] http://drupal.org/user/43568
[9] http://drupal.org/user/35821
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-017
* Project: Save Draft [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-April-27
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Validation bypass
-------- DESCRIPTION ---------------------------------------------------------
The Save Draft module adds a "Save as draft" button to the node form, letting
content creators easily save a post in unpublished draft form.
The module adds validation to individual form actions, thereby bypassing any
form-wide validation that is normally performed before saving content. This
is a security vulnerability for sites where other modules are using node
validation for security purposes.
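The mechanism behind this advisory, as an added illustration that is not the Save Draft module's code: in the Drupal 6 and 7 Form API, when the clicked button carries its own `#validate` array, `form_builder()` uses that array as the validation handler list for the submission, so the form-wide `#validate` handlers (including `node_form_validate` and anything other modules attached for security checks) are skipped. The `mymodule_` names are hypothetical; `#node_edit_form`, `$form['actions']` and `$form_state['triggering_element']` are Drupal 7 core.

```php
<?php
// Added illustration (not the module's code), targeting Drupal 7.

/**
 * Implements hook_form_alter(). Hypothetical module "mymodule".
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  if (empty($form['#node_edit_form'])) {
    return;                                   // only node add/edit forms
  }

  // Vulnerable pattern: giving the button its own '#validate' REPLACES the
  // form-wide validator list for this submission. node_form_validate() and
  // any validators other modules added to $form['#validate'] never run.
  // (Kept here only to show the shape of the bug.)
  $form['actions']['draft_unsafe'] = array(
    '#type' => 'submit',
    '#value' => t('Save as draft (unsafe)'),
    '#validate' => array('mymodule_draft_only_validate'),
    '#submit' => array('mymodule_draft_submit'),
  );

  // Hardened pattern: leave '#validate' off the button so the form-wide
  // handlers still run, and add the draft-specific check as one more
  // form-wide validator that acts only when the draft button was clicked.
  $form['actions']['draft'] = array(
    '#type' => 'submit',
    '#value' => t('Save as draft'),
    '#submit' => array('mymodule_draft_submit'),
  );
  $form['#validate'][] = 'mymodule_draft_validate';
}

/**
 * Form-wide validator: no-op unless the draft button triggered the submit.
 */
function mymodule_draft_validate($form, &$form_state) {
  if ($form_state['triggering_element']['#value'] != t('Save as draft')) {
    return;
  }
  // Draft-specific checks go here; everything else has already been validated.
  $form_state['values']['status'] = 0;        // drafts are unpublished
}

function mymodule_draft_only_validate($form, &$form_state) { /* unsafe variant */ }
function mymodule_draft_submit($form, &$form_state) { node_form_submit($form, $form_state); }
```

When auditing a contributed module for this class of bug, grep its `hook_form_alter()` implementations for `'#validate'` set on `'#type' => 'submit'` elements of the node form.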
-------- VERSIONS AFFECTED ---------------------------------------------------
* Save Draft module for Drupal 6.x versions prior to 6.x-1.8
* Save Draft module for Drupal 7.x versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed Save Draft [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Save Draft module for Drupal 6.x, upgrade to Save Draft
6.x-1.8 [4]. (Note that the 6.x-2.x branch of the module is not affected.
If you use that, you do not need to upgrade.)
* If you use the Save Draft module for Drupal 7.x, upgrade to Save Draft
7.x-1.4 [5].
See also the Save Draft project page [6].
-------- REPORTED BY ---------------------------------------------------------
* David Rothstein [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* David Rothstein [8] of the Drupal Security Team
* Katherine Senzee (ksenzee [9]), module co-maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the team and their policies [11], writing secure code for
Drupal [12], and secure configuration [13] of your site.
[1] http://drupal.org/project/save_draft
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/save_draft
[4] http://drupal.org/node/1139378
[5] http://drupal.org/node/1139380
[6] http://drupal.org/project/save_draft
[7] http://drupal.org/user/124982
[8] http://drupal.org/user/124982
[9] http://drupal.org/user/139855
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2011-016
* Project: Node Quick Find [1] (third-party module)
* Version: 6.x
* Date: 2011-April-06
* Security risk: Not critical (definition of risk levels) [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Node Quick Find module provides a block to quickly access nodes by title
via an auto-completing text field.
The module does not use db_rewrite_sql when generating the list of node
titles, allowing users to see the titles of nodes to which they may not have
access. Access to the node itself is not compromised.
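The bug and its fix, as an added illustration that is not the Node Quick Find module's code: a hypothetical Drupal 6 autocomplete callback that lists node titles, once without and once with `db_rewrite_sql()`. The `mymodule_` names are assumptions; `db_query_range()`, `db_rewrite_sql()`, `db_fetch_object()`, `check_plain()` and `drupal_json()` are Drupal 6 core API.

```php
<?php
// Added illustration (not the module's code), targeting Drupal 6.

/**
 * Vulnerable pattern: the query goes straight to the database, so the
 * node_access table is never joined in and hook_db_rewrite_sql()
 * implementations never get to add their restrictions. Titles of nodes the
 * current user may not view are returned (the node itself stays protected
 * by node_access() on its own page, as the advisory notes).
 */
function mymodule_autocomplete_unsafe($string = '') {
  $matches = array();
  if ($string !== '') {
    $result = db_query_range(
      "SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 AND LOWER(n.title) LIKE LOWER('%%%s%%')",
      $string, 0, 10);
    while ($node = db_fetch_object($result)) {
      $matches[$node->title] = check_plain($node->title);
    }
  }
  drupal_json($matches);
}

/**
 * Hardened pattern: passing the SQL through db_rewrite_sql() lets node access
 * (and every other hook_db_rewrite_sql() implementation) rewrite the query so
 * only rows the current user is allowed to see are returned. The default
 * primary table alias 'n' and key 'nid' match the query, so no extra
 * arguments are needed.
 */
function mymodule_autocomplete_safe($string = '') {
  $matches = array();
  if ($string !== '') {
    $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 AND LOWER(n.title) LIKE LOWER('%%%s%%')";
    $result = db_query_range(db_rewrite_sql($sql), $string, 0, 10);
    while ($node = db_fetch_object($result)) {
      // check_plain() on the displayed value also keeps a hostile title from
      // becoming markup in the autocomplete dropdown.
      $matches[$node->title] = check_plain($node->title);
    }
  }
  drupal_json($matches);
}
```

Note that `db_rewrite_sql()` is a no-op for users with the "administer nodes" permission and on sites with no node access module enabled, so test the fix as an ordinary authenticated user on a site where some nodes are restricted.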
-------- VERSIONS AFFECTED ---------------------------------------------------
* 6.x-1.1
Drupal core is not affected. If you do not use the contributed Node Quick
Find [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Node Quick Find module for Drupal 6.x, upgrade to Node Quick
Find 6.x-1.2 [4].
See also the Node Quick Find [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Jochen Meyer (derjochenmeyer [6])
-------- FIXED BY ------------------------------------------------------------
* Nicholas Thompson (nicholasThompson [7])
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the team and their policies [9], writing secure code for
Drupal [10], and secure configuration [11] of your site.
[1] http://www.drupal.org/project/node_quick_find
[2] http://drupal.org/security-team/risk-levels
[3] http://www.drupal.org/project/node_quick_find
[4] http://drupal.org/node/1080114
[5] http://www.drupal.org/project/node_quick_find
[6] http://drupal.org/user/106134
[7] http://drupal.org/user/59351
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration