* Advisory ID: DRUPAL-SA-CONTRIB-2012-006
* Projects: SuperCron [1], Taxotouch [2], Taxonomy Navigator [3],
Admin:hover [4] (third-party modules)
* Version: 6.x, 7.x
* Date: 2012-January-11
* Security risk: Critical [5]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
SuperCron [6] is a complete replacement for Drupal's built-in Cron
functionality. The module is vulnerable to Cross Site Scripting. The
vulnerability is mitigated by an attacker needing to gain an account with
"access administration pages" permission.
Taxotouch [7] helps you navigate taxonomy. The module is vulnerable to Cross
Site Scripting. The vulnerability is mitigated by an attacker needing to gain
an account with the ability to create a vocabulary or taxonomy terms.
Taxonomy Navigator [8] shows terms from a vocabulary. The module is vulnerable
to Cross Site Scripting. The vulnerability is mitigated by an attacker
needing to gain an account with the ability to create a vocabulary or
taxonomy terms.
Admin:hover [9] allows admins to easily publish/unpublish nodes. The module
is vulnerable to Cross Site Request Forgeries which would allow an attacker
to trick an admin into executing enabled actions such as unpublishing all
nodes.
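The Admin:hover issue is the classic CSRF shape: a link that changes state (publish/unpublish) with nothing that proves the request came from the site's own page. The following added example is not the module's code; it shows the pattern the fix needs, a token bound to the user's session and to the exact action, verified before anything changes. Drupal provides drupal_get_token()/drupal_valid_token() for this; the HMAC helpers here are a stand-alone equivalent so the file runs without Drupal, and the site key, session id and node data are constructed.

```php
<?php
// Added example, not the Admin:hover module's own code. A state-changing
// action link (publish/unpublish) must carry a token bound to the user's
// session and to the specific action, and the handler must verify it before
// acting. Drupal ships drupal_get_token()/drupal_valid_token() for this; the
// HMAC helpers below are a stand-alone equivalent so the file runs on its own.
// The site key, session id and node data are constructed.

const SITE_PRIVATE_KEY = 'constructed-site-private-key';

function csrf_token(string $session_id, string $action): string {
  // Bind the token to both the session and the exact action it authorises.
  return hash_hmac('sha256', $session_id . ':' . $action, SITE_PRIVATE_KEY);
}

function csrf_valid(string $token, string $session_id, string $action): bool {
  // Constant-time comparison, so the check itself does not leak the token.
  return hash_equals(csrf_token($session_id, $action), $token);
}

// Vulnerable handler: any request naming a node and an operation is executed,
// so a link or image tag on a third-party page can make an admin's browser
// unpublish content.
function handle_vulnerable(array $query, array &$nodes): string {
  $nid = (int) ($query['nid'] ?? 0);
  $nodes[$nid]['status'] = (($query['op'] ?? '') === 'publish') ? 1 : 0;
  return "node $nid status=" . $nodes[$nid]['status'];
}

// Hardened handler: no token, or a token for another session or action, and
// nothing changes.
function handle_hardened(array $query, array &$nodes, string $session_id): string {
  $nid = (int) ($query['nid'] ?? 0);
  $op = (($query['op'] ?? '') === 'publish') ? 'publish' : 'unpublish';
  $token = (string) ($query['token'] ?? '');
  if ($token === '' || !csrf_valid($token, $session_id, "$op/$nid")) {
    return 'access denied: missing or invalid token';
  }
  $nodes[$nid]['status'] = ($op === 'publish') ? 1 : 0;
  return "node $nid status=" . $nodes[$nid]['status'];
}

// The site builds its own links with a token for the admin's session.
function action_link(int $nid, string $op, string $session_id): string {
  return "/admin/hover/$op/$nid?token=" . csrf_token($session_id, "$op/$nid");
}

$nodes = [42 => ['title' => 'Front page', 'status' => 1]];
$admin_session = 'constructed-admin-session-id';
$forged = ['nid' => '42', 'op' => 'unpublish'];   // what a forged request carries

echo handle_vulnerable($forged, $nodes), PHP_EOL;
$nodes[42]['status'] = 1;
echo handle_hardened($forged, $nodes, $admin_session), PHP_EOL;

// Following the site's own link supplies the matching token.
parse_str((string) parse_url(action_link(42, 'unpublish', $admin_session), PHP_URL_QUERY), $q);
echo handle_hardened($forged + $q, $nodes, $admin_session), PHP_EOL;
```

In a Drupal 6 or 7 module the same shape is `'query' => array('token' => drupal_get_token($action))` on the link and `drupal_valid_token($_GET['token'], $action)` at the top of the menu callback; moving the action into a Form API submit handler is the other option, since the form system adds and checks its own token for logged-in users.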
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of all four modules are affected by vulnerabilities.
Drupal core is not affected. If you do not use one of the contributed modules
listed above, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Users of these modules are encouraged to disable the modules and search for
similar alternatives. Users of these modules who wish to take over
maintainership should post patches to the issue queue to fix the security
issues and request maintenance following the Abandoned project process [10].
-------- REPORTED BY ---------------------------------------------------------
* The Supercron issue was prematurely disclosed publicly outside of the
security issue reporting process [11]
* Admin:hover issue reported by Ivo Van Geertruyen [12] of the Drupal
Security Team
* Taxotouch issue reported by Dylan Tack [13] of the Drupal Security Team
* Taxonomy Navigator issue reported by Dylan Tack [14] of the Drupal
Security Team
-------- FIXED BY ------------------------------------------------------------
No fixes created.
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].
Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].
[1] http://drupal.org/project/supercron
[2] http://drupal.org/project/taxotouch
[3] http://drupal.org/project/taxonomy_navigator
[4] http://drupal.org/project/admin_hover
[5] http://drupal.org/security-team/risk-levels
[6] http://drupal.org/project/supercron
[7] http://drupal.org/project/taxotouch
[8] http://drupal.org/project/taxonomy_navigator
[9] http://drupal.org/project/admin_hover
[10] http://drupal.org/node/251466
[11] http://drupal.org/node/101494
[12] http://drupal.org/user/383424
[13] http://drupal.org/user/96647
[14] http://drupal.org/user/96647
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-005
* Project: Vote Up/Down [1] (third-party module)
* Version: 6.x
* Date: 2012-January-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to add voting widgets to nodes, terms and comments.
The vud_term sub-module doesn't sufficiently sanitize taxonomy terms before
display.
In order to execute arbitrary script injection, malicious users must have the
ability to create or edit taxonomy terms.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Vote up/down 6.x-2.x versions prior to 6.x-2.8 [3].
* Vote up/down 6.x-3.x versions prior to 6.x-3.1 [4].
Drupal core is not affected. If you do not use the contributed Vote Up/Down
[5] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use a 6.x-2.x version of Vote up/down module for Drupal 6.x,
upgrade to Vote up/down 6.x-2.8 [6].
* If you use a 6.x-3.x version of Vote up/down module for Drupal 6.x,
upgrade to Vote up/down 6.x-3.1 [7].
See also the Vote Up/Down [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Justin C. Klein Keane [9]
-------- FIXED BY ------------------------------------------------------------
* Marco Villegas [10], the module maintainer
* Greg Knaddison [11] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [12], Drupal security team member
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/vote_up_down
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1400528
[4] http://drupal.org/node/1400530
[5] http://drupal.org/project/vote_up_down
[6] http://drupal.org/node/1400528
[7] http://drupal.org/node/1400530
[8] http://drupal.org/project/vote_up_down
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/132175
[11] http://drupal.org/user/36762
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-004
* Project: Date [1] (third-party module)
* Version: 6.x
* Date: 2012-January-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to add and administer date fields to nodes. It
includes Date Tools, that allows users to convert nodes created with the
Event module into Date fields. The conversion form for Events is vulnerable
to SQL injection.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer Date Tools", and the option is only available
on sites which have used the Event module in the past and have the Event
table in the database.
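The Date Tools conversion form takes an administrator-supplied value and uses it to select rows from the legacy Event table; the advisory's SQL injection is what happens when such a value is concatenated into the query text. The following added example is not the Date module's code. It runs stand-alone against an in-memory SQLite database through PDO, with a constructed "event" table, and puts the concatenated query beside the parameterised one so the difference in behaviour on a crafted value is visible.

```php
<?php
// Added example, not the Date module's code. Shows the query pattern behind a
// SQL injection in a form handler and the parameterised form. Runs stand-alone
// on an in-memory SQLite database; in Drupal 6 the same fix is db_query()
// placeholders (%d, '%s') instead of concatenation, in Drupal 7 named
// placeholders such as :type. The table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the legacy Event module table.
$db->exec("CREATE TABLE event (nid INTEGER, type TEXT, event_start TEXT)");
$db->exec("INSERT INTO event VALUES (1, 'meeting', '2012-01-11'), (2, 'party', '2012-02-01')");

// Vulnerable: the submitted content type is pasted into the SQL text, so a
// quote in the value ends the literal and the rest becomes SQL.
function events_vulnerable(PDO $db, string $type): array {
  $sql = "SELECT nid, type, event_start FROM event WHERE type = '" . $type . "'";
  return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter and cannot change the
// statement's structure, whatever characters it contains.
function events_hardened(PDO $db, string $type): array {
  $stmt = $db->prepare("SELECT nid, type, event_start FROM event WHERE type = :type");
  $stmt->execute([':type' => $type]);
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary input: both return the single matching row.
print_r(events_vulnerable($db, 'meeting'));
print_r(events_hardened($db, 'meeting'));

// A crafted form value: the vulnerable query's WHERE clause becomes
// "type = 'meeting' OR '1'='1'" and returns every row; the hardened query
// looks for an event whose type is literally that string and returns none.
$crafted = "meeting' OR '1'='1";
print_r(events_vulnerable($db, $crafted));
print_r(events_hardened($db, $crafted));
```

The permission requirement the advisory mentions ("administer Date Tools") limits who can reach the form; it does not change the fix, which is that values from any form never become part of the SQL text.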
-------- VERSIONS AFFECTED ---------------------------------------------------
* Date 6.x-2.x versions prior to 6.x-2.8.
Drupal core is not affected. If you do not use the contributed Date [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Date module for Drupal 6.x, upgrade to Date 6.x-2.8 [4]
See also the Date [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Greg Knaddison [6], Drupal security team member
-------- FIXED BY ------------------------------------------------------------
* Karen Stevenson [7], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [8], Drupal security team member
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/date
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/date
[4] http://drupal.org/node/1401026
[5] http://drupal.org/project/date
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/45874
[8] http://drupal.org/user/102818
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-003
* Project: Fill PDF [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-January-04
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Arbitrary code execution
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to populate fillable PDF templates with data from
nodes and webforms.
.... Access bypass (7.x only)
Incorrectly-ordered arguments in a call to the function that handles the main
functionality of the module make it possible for an attacker to trigger
/any/ PDF to be filled, regardless of whether they have access to the
node/webform or not, by passing an appropriately-formed query string
argument.
This vulnerability is mitigated by the fact that an attacker can only access
configured PDF templates, that the attacker must know (or brute-force) the
node or webform IDs, and that only information that is configured to be
filled into the PDFs (and the filled PDF templates themselves) can be
obtained through this exploit.
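The access-bypass paragraph describes a bug class rather than a missing check: the check exists, but arguments reach the worker function in the wrong order, so a value the requester controls lands in a slot that decides whether the check runs. The following added example is not Fill PDF's code and its function signature is constructed; it reproduces the class in miniature with two positional booleans swapped by the caller, then shows a worker that takes named options, has no way to skip the check, and fails closed.

```php
<?php
// Added example, not Fill PDF's actual code. Illustrates the bug class in the
// advisory (arguments passed in the wrong order to the function that does the
// work) with a constructed signature: the caller swaps two positional
// booleans, and the one that disables the access check ends up carrying a
// query-string value. The hardened form uses named options, keeps the check
// unconditional and denies anything it cannot positively allow.
// Nodes, templates and user names are constructed.

const NODES = [
  10 => ['title' => 'Public brochure', 'viewers' => ['anonymous', 'alice']],
  11 => ['title' => 'Payroll summary', 'viewers' => ['alice']],
];
const TEMPLATES = [1 => 'brochure.pdf', 2 => 'payroll.pdf'];

function node_viewable(int $nid, string $user): bool {
  return isset(NODES[$nid]) && in_array($user, NODES[$nid]['viewers'], TRUE);
}

// Vulnerable worker: (fid, nid, flatten, skip_access_check, user). A boolean
// that turns the access check off is already a design smell; positional
// booleans make it a trap.
function merge_vulnerable(int $fid, int $nid, bool $flatten, bool $skip_access_check, string $user): string {
  if (!$skip_access_check && !node_viewable($nid, $user)) {
    return 'access denied';
  }
  return sprintf('filled %s with node %d%s', TEMPLATES[$fid] ?? '?', $nid, $flatten ? ' (flattened)' : '');
}

// Vulnerable caller: handles ?fid=2&nid=11&flatten=1 and means to pass
// flatten=TRUE, skip_access_check=FALSE, but passes them the other way round,
// so "flatten=1" in the query string switches the access check off.
function request_vulnerable(array $query, string $user): string {
  $fid = (int) ($query['fid'] ?? 0);
  $nid = (int) ($query['nid'] ?? 0);
  $flatten = !empty($query['flatten']);
  return merge_vulnerable($fid, $nid, FALSE, $flatten, $user);
}

// Hardened worker: named keys cannot be confused by order, there is no
// "skip" option at all, and an unknown template or node is a denial.
function merge_hardened(array $opts, string $user): string {
  $fid = (int) ($opts['fid'] ?? 0);
  $nid = (int) ($opts['nid'] ?? 0);
  if (!isset(TEMPLATES[$fid]) || !node_viewable($nid, $user)) {
    return 'access denied';
  }
  $suffix = !empty($opts['flatten']) ? ' (flattened)' : '';
  return sprintf('filled %s with node %d%s', TEMPLATES[$fid], $nid, $suffix);
}

function request_hardened(array $query, string $user): string {
  return merge_hardened([
    'fid' => $query['fid'] ?? 0,
    'nid' => $query['nid'] ?? 0,
    'flatten' => !empty($query['flatten']),
  ], $user);
}

$query = ['fid' => '2', 'nid' => '11', 'flatten' => '1'];
echo request_vulnerable($query, 'anonymous'), PHP_EOL;
echo request_hardened($query, 'anonymous'), PHP_EOL;
echo request_hardened($query, 'alice'), PHP_EOL;
```

The two properties worth carrying into a review of any similar code are that the access decision is made on the entity actually used to produce the output, and that nothing reachable from the request can turn the decision off.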
.... Arbitrary code execution (6.x and 7.x)
The template importing and exporting used serialized PHP which required the
use of an unsafe PHP function to evaluate and import templates, which could
lead to execution of unwanted and untrusted code. This vulnerability is
mitigated by the fact that the attacker must have the 'administer PDFs'
permission.
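The code-execution paragraph says the import/export format was serialized PHP read back with an unsafe function. The following added example is not Fill PDF's code; it shows why unserialize() on administrator-supplied text is a code-execution primitive (any class named in the payload is instantiated and its magic methods run) and an import path that uses JSON and validates the structure instead. Field names and the sample template are constructed.

```php
<?php
// Added example, not Fill PDF's code. Puts an unserialize()-based import next
// to a JSON-based one that validates the decoded structure, so no PHP object
// is ever built from user input. The template fields are constructed.

// Expected shape of a template export in this example: key => type.
const TEMPLATE_FIELDS = ['title' => 'string', 'filename' => 'string', 'fields' => 'array'];

// Vulnerable import: unserialize() instantiates whatever class the payload
// names and runs its __wakeup()/__destruct(); on PHP 7+ passing
// ['allowed_classes' => FALSE] removes that, but changing the format is the
// cleaner fix.
function import_vulnerable(string $payload): array {
  $data = unserialize($payload);
  return is_array($data) ? $data : [];
}

// Export: JSON rather than serialize().
function export_hardened(array $template): string {
  return json_encode($template, JSON_UNESCAPED_SLASHES);
}

// Hardened import: JSON cannot name classes, and every field is checked for
// presence and type before the result is handed to the rest of the module.
function import_hardened(string $payload): array {
  $data = json_decode($payload, TRUE, 8);
  if (!is_array($data)) {
    throw new InvalidArgumentException('template is not valid JSON');
  }
  foreach (TEMPLATE_FIELDS as $key => $type) {
    if (!array_key_exists($key, $data)) {
      throw new InvalidArgumentException("missing field: $key");
    }
    $ok = ($type === 'string') ? is_string($data[$key]) : is_array($data[$key]);
    if (!$ok) {
      throw new InvalidArgumentException("wrong type for field: $key");
    }
  }
  foreach ($data['fields'] as $pdf_field => $source) {
    if (!is_string($pdf_field) || !is_string($source)) {
      throw new InvalidArgumentException('field map must be string => string');
    }
  }
  // Keep only the known keys; anything else in the payload is dropped.
  return array_intersect_key($data, TEMPLATE_FIELDS);
}

// Round trip of a constructed template through the hardened path.
$template = ['title' => 'Invoice', 'filename' => 'invoice.pdf', 'fields' => ['Name' => '[node:title]']];
print_r(import_hardened(export_hardened($template)));

// A serialized payload that names a class: the vulnerable path instantiates
// it (the __wakeup() below prints a line to prove it), the hardened path
// rejects it as non-JSON.
class LoggingTemplate {
  public function __wakeup() { echo "object instantiated from input\n"; }
}
$serialized = 'O:15:"LoggingTemplate":0:{}';
var_dump(import_vulnerable($serialized));
try {
  import_hardened($serialized);
} catch (InvalidArgumentException $e) {
  echo $e->getMessage(), PHP_EOL;
}
```

The 'administer PDFs' permission the advisory names as a mitigation is an access control on who can reach the import form; the format change is what removes the code-execution path for whoever reaches it.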
-------- VERSIONS AFFECTED ---------------------------------------------------
* Fill PDF 6.x-1.x versions prior to 6.x-1.16.
* Fill PDF 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Fill PDF [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Fill PDF module for Drupal 6.x, upgrade to Fill PDF
6.x-1.16 [4].
* If you use the Fill PDF module for Drupal 7.x, upgrade to Fill PDF 7.x-1.2
[5].
See also the Fill PDF [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Access bypass reported by Christian Johansson [7]
* Arbitrary code execution reported by Liam Morland [8]
-------- FIXED BY ------------------------------------------------------------
* Kevin Kaland (wizonesolutions) [9], module maintainer
* Arbitrary code execution fixed by Liam Morland [10]
-------- COORDINATED BY ------------------------------------------------------
* Dave Reid [11], Drupal Security team member
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/fillpdf
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fillpdf
[4] http://drupal.org/node/1394070
[5] http://drupal.org/node/1394066
[6] http://drupal.org/project/fillpdf
[7] http://drupal.org/user/204187
[8] http://drupal.org/user/493050
[9] http://drupal.org/user/739994
[10] http://drupal.org/user/493050
[11] http://drupal.org/user/53892
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-002
* Project: Lingotek Collaborative Translation [1] (third-party module)
* Version: 6.x
* Date: 2012-January-04
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to translate a website's content using tools provided
by the Lingotek Collaborative Translation Network.
The module doesn't sufficiently sanitize user input when creating or editing
page content. This allows a malicious content editor to potentially input
malicious code (e.g. JavaScript) to create a persistent Cross Site Scripting
(XSS) attack.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit or create node content types.
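The Lingotek issue above, the Vote Up/Down term display issue (DRUPAL-SA-CONTRIB-2012-005) and the Taxotouch / Taxonomy Navigator / SuperCron issues (DRUPAL-SA-CONTRIB-2012-006) are one defect in different places: a string an editor saved (a term name, a node title) is echoed into HTML unescaped. The following added example is not code from any of those modules. It renders a constructed term name and node title into a widget the vulnerable way and the hardened way; the escaping helper does what Drupal's check_plain() does (htmlspecialchars with ENT_QUOTES and UTF-8) so the file runs without Drupal.

```php
<?php
// Added example, not code from Vote Up/Down, Taxotouch, Taxonomy Navigator,
// SuperCron or Lingotek. A term name and a node title saved by an editor are
// rendered into HTML; the vulnerable widget concatenates them raw, the
// hardened one escapes each for the context it lands in. check_plain_equiv()
// mirrors Drupal's check_plain(). Term, node and score are constructed.

function check_plain_equiv(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// What a user with permission to create terms or nodes could save.
$term = ['tid' => 7, 'name' => 'Drupal <img src=x onerror="alert(1)">'];
$node = ['nid' => 42, 'title' => 'Release "notes" <script>alert(2)</script>'];

// Vulnerable widget: values dropped into markup as-is, so the saved payload
// runs in every visitor's browser (persistent XSS). Note the title also lands
// inside an attribute, where the embedded quote breaks out of the value.
function widget_vulnerable(array $term, array $node, int $score): string {
  return '<div class="vud-term" data-tid="' . $term['tid'] . '">'
       . '<span class="term">' . $term['name'] . '</span> on '
       . '<a href="/node/' . $node['nid'] . '" title="' . $node['title'] . '">'
       . $node['title'] . '</a>'
       . '<span class="score">' . $score . '</span></div>';
}

// Hardened widget: every untrusted string is escaped (ENT_QUOTES covers the
// attribute case as well as the text-node case) and numbers are cast.
function widget_hardened(array $term, array $node, int $score): string {
  $title = check_plain_equiv($node['title']);
  return '<div class="vud-term" data-tid="' . (int) $term['tid'] . '">'
       . '<span class="term">' . check_plain_equiv($term['name']) . '</span> on '
       . '<a href="/node/' . (int) $node['nid'] . '" title="' . $title . '">'
       . $title . '</a>'
       . '<span class="score">' . (int) $score . '</span></div>';
}

// Review aid: does any raw tag from the inputs survive into the output?
function leaks_markup(string $html, array $inputs): bool {
  foreach ($inputs as $value) {
    if (preg_match('/<\w+/', $value) && strpos($html, $value) !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}

$inputs = [$term['name'], $node['title']];
echo widget_vulnerable($term, $node, 3), PHP_EOL;
var_dump(leaks_markup(widget_vulnerable($term, $node, 3), $inputs));
echo widget_hardened($term, $node, 3), PHP_EOL;
var_dump(leaks_markup(widget_hardened($term, $node, 3), $inputs));
```

In Drupal 6 and 7 the equivalents are check_plain() for text that must stay plain, t() or format_string() with @-prefixed placeholders (which escape their arguments), and filter_xss() only where a limited set of HTML is intended; the escaping belongs at output time in the theme or render layer, not at save time.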
-------- VERSIONS AFFECTED ---------------------------------------------------
* Lingotek [3] 6.x-1.x versions prior to 6.x-1.4.
Drupal core is not affected. If you do not use the contributed Lingotek
Collaborative Translation [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Lingotek module for Drupal 6.x, upgrade to Lingotek 6.x-1.4
[5].
See also the Lingotek Collaborative Translation [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ezra Barnett Gildesgame [7]
-------- FIXED BY ------------------------------------------------------------
* Steven Blatnick [8], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Forest Monsen [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/lingotek
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/lingotek
[4] http://drupal.org/project/lingotek
[5] http://drupal.org/node/1394186
[6] http://drupal.org/project/lingotek
[7] http://drupal.org/user/69959
[8] http://drupal.org/user/1525084
[9] http://drupal.org/user/181798
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-001
* Project: Registration Codes (third-party module)
* Version: 6.x
* Date: 2012-January-04
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Registration Codes module enables site administrators to restrict
registration for new accounts to only users who provide a valid registration
code.
The default module installation provides no access check for the registration
code list, leading to a vulnerability that allows unauthenticated members to
easily view the registration code list.
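The root cause here is a page that lists the codes with no access check on the path that serves it. In Drupal 6 and 7 a module declares its paths in hook_menu() and each entry names an 'access callback' and 'access arguments' that the router enforces before the page callback runs. The following added example is not the Registration Codes module's code; it is a stand-alone router in the same shape, with a routing table that exposes the list publicly beside one that requires a permission, plus a small audit function that flags entries with no restrictive check. Paths, permission names and codes are constructed.

```php
<?php
// Added example, not the Registration Codes module's code. A miniature of the
// hook_menu() pattern: a routing table maps a path to a page callback and an
// access callback, and the router (not each page) decides access before the
// page runs. Paths, permissions, accounts and codes are constructed.

// Constructed registration codes an anonymous visitor must not see.
const REG_CODES = ['ALPHA-2012', 'BRAVO-2012'];

// Stand-in for user_access(); here the account is passed explicitly.
function user_access_equiv(string $permission, array $account): bool {
  return in_array($permission, $account['permissions'], TRUE);
}

function regcode_list_page(): string {
  return implode(', ', REG_CODES);
}

// Vulnerable routing table: the list page is declared as public (an access
// callback of TRUE always allows), which is what "no access check" amounts
// to for the visitor.
function menu_vulnerable(): array {
  return [
    'admin/user/regcodes' => [
      'page callback' => 'regcode_list_page',
      'access callback' => TRUE,
    ],
  ];
}

// Hardened routing table: the list page names the permission it requires.
function menu_hardened(): array {
  return [
    'admin/user/regcodes' => [
      'page callback' => 'regcode_list_page',
      'access callback' => 'user_access_equiv',
      'access arguments' => ['administer registration codes'],
    ],
  ];
}

// Router: TRUE allows, a callable decides, anything else is denied. An entry
// with no access callback at all therefore fails closed.
function dispatch(array $menu, string $path, array $account): string {
  if (!isset($menu[$path])) {
    return '404 not found';
  }
  $item = $menu[$path];
  $cb = $item['access callback'] ?? NULL;
  if ($cb === TRUE) {
    $allowed = TRUE;
  } elseif (is_string($cb) && is_callable($cb)) {
    $args = array_merge($item['access arguments'] ?? [], [$account]);
    $allowed = (bool) call_user_func_array($cb, $args);
  } else {
    $allowed = FALSE;
  }
  return $allowed ? $item['page callback']() : '403 access denied';
}

// Audit aid: which paths are public or have no permission-based check?
function audit_menu(array $menu): array {
  $flagged = [];
  foreach ($menu as $path => $item) {
    $cb = $item['access callback'] ?? NULL;
    if ($cb === TRUE || ($cb === 'user_access_equiv' && empty($item['access arguments']))) {
      $flagged[] = $path;
    }
  }
  return $flagged;
}

$anonymous = ['name' => 'anonymous', 'permissions' => ['access content']];
$admin = ['name' => 'admin', 'permissions' => ['access content', 'administer registration codes']];

echo dispatch(menu_vulnerable(), 'admin/user/regcodes', $anonymous), PHP_EOL;
echo dispatch(menu_hardened(), 'admin/user/regcodes', $anonymous), PHP_EOL;
echo dispatch(menu_hardened(), 'admin/user/regcodes', $admin), PHP_EOL;
print_r(audit_menu(menu_vulnerable()));
print_r(audit_menu(menu_hardened()));
```

When reviewing a real module, the audit_menu() idea translates to reading every hook_menu() entry and asking, for each path that reveals or changes something, which permission it names; any entry on such a path with 'access callback' => TRUE, or inheriting a permissive parent, is the same bug as this advisory.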
-------- VERSIONS AFFECTED ---------------------------------------------------
* Registration Codes module for Drupal 6.x versions prior to 6.x-2.4
Drupal core is not affected. If you do not use the contributed Registration
Codes [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Registration Codes module for Drupal 6.x, upgrade to
Registration Codes 6.x-2.4 [2] or later.
-------- REPORTED BY ---------------------------------------------------------
* Thomas Bonte (toemaz) [3]
-------- FIXED BY ------------------------------------------------------------
* Aidan Lister (aidanlis) [4], module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [5], writing secure code for Drupal [6], and secure configuration
[7] of your site.
[1] http://drupal.org/project/regcode
[2] http://drupal.org/node/877992
[3] http://drupal.org/user/19502
[4] http://drupal.org/user/502018
[5] http://drupal.org/security-team
[6] http://drupal.org/writing-secure-code
[7] http://drupal.org/security/secure-configuration