* Advisory ID: DRUPAL-SA-CONTRIB-2012-055
* Project: Fusion [1] (third-party theme)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Fusion is a base theme that provides a configurable grid system and modular
styling for common Drupal UI components.
The theme outputs a CSS class for the <body> tag based on the current URL, but
does not filter that value sufficiently to prevent a cross site scripting (XSS)
attack.
This vulnerability affects all sub-themes of Fusion.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Fusion 6.x-1.x versions prior to 6.x-1.13
Drupal core is not affected. If you do not use the contributed Fusion [3]
theme, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you utilize Fusion or a Fusion-based theme, you should upgrade to Fusion
6.x-1.13 [4].
* Most Fusion sub-themes will inherit this fix.
* If you copied code from Fusion core's template.php file into a custom
sub-theme's template.php file, you should compare your code to the changes
made in this release to ensure the vulnerability has not been duplicated.
In YOURTHEME_preprocess_page() look for this code:
$vars['body_id'] = 'pid-' . strtolower(preg_replace('/[_+\/]/', '-',
drupal_get_path_alias($_GET['q'])));
If this code exists within your sub-theme, there are two possible
solutions:
1) *Recommended:* Delete the line of code. It is unnecessary in your
sub-theme, since the sub-theme will inherit this functionality from
Fusion core.
2) Replace the code with the following:
$vars['body_id'] = 'pid-' .
strtolower(fusion_core_clean_css_identifier(drupal_get_path_alias($_GET['q'])));
fusion_core_clean_css_identifier() is a function added in this
security release of Fusion. Making this change to your sub-theme's
code without updating Fusion core will result in a WSOD (white screen of
death), because the function will not exist.
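As an added example that is not part of this advisory or of Fusion's own code, the vulnerable body_id line is shown beside a hardened version built on a whitelist CSS identifier cleaner. The function names (fusion_example_*) are hypothetical; the cleaner follows the approach of Drupal 7 core's drupal_clean_css_identifier() and does not reproduce Fusion's fusion_core_clean_css_identifier().

```php
<?php
// Added example, not Fusion's own code: the vulnerable body_id construction
// from the advisory beside a whitelist-based CSS identifier cleaner.
// fusion_example_clean_css_identifier() is a hypothetical name. It follows
// the approach of Drupal 7 core's drupal_clean_css_identifier() and is not
// the fusion_core_clean_css_identifier() shipped in Fusion 6.x-1.13.

/**
 * Vulnerable form (as quoted in the advisory): only '_', '+' and '/' are
 * rewritten, so a quote or angle bracket in the path alias reaches the
 * id attribute of the <body> tag unchanged and can close the attribute.
 */
function fusion_example_body_id_vulnerable($alias) {
  return 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', $alias));
}

/**
 * Hardened form: rewrite the usual separators to '-', then drop every
 * character that is not valid in a CSS identifier (ASCII letters, digits,
 * '-', '_', or a non-ASCII UTF-8 character). Characters that could
 * terminate the attribute or open a tag are removed rather than escaped.
 * The template should still wrap the value in check_plain() when printing
 * it, as defence in depth.
 */
function fusion_example_clean_css_identifier($identifier) {
  $identifier = strtr($identifier, array(
    ' ' => '-', '_' => '-', '/' => '-', '[' => '-', ']' => '',
  ));
  $clean = preg_replace(
    '/[^\x{002D}\x{0030}-\x{0039}\x{0041}-\x{005A}\x{005F}\x{0061}-\x{007A}\x{00A1}-\x{FFFF}]/u',
    '', $identifier);
  // With the /u modifier preg_replace() returns NULL on malformed UTF-8;
  // treat that as "no usable identifier" instead of emitting NULL.
  return $clean === NULL ? '' : $clean;
}

function fusion_example_body_id_hardened($alias) {
  return 'pid-' . strtolower(fusion_example_clean_css_identifier($alias));
}

// Constructed path alias containing characters that must never reach an
// HTML attribute unescaped.
$alias = 'about/the "team" <2012>';
print fusion_example_body_id_vulnerable($alias) . "\n";
print fusion_example_body_id_hardened($alias) . "\n";
```

For the constructed alias the vulnerable variant passes the quote and angle brackets through into the attribute, while the hardened variant reduces it to pid-about-the-team-2012.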
Also see the Fusion [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Jakub Suchy [6], of the Drupal Security Team
* Justin Emond [7]
* Rick Manelius [8]
* Abhishek Nagar [9]
* Chris Lee [10]
-------- FIXED BY ------------------------------------------------------------
* Jason Yergeau [11], theme co-maintainer
* Sheena Donnelly [12], theme co-maintainer
-------- COORDINATED BY ------------------------------------------------------
* Derek Wright [13] of the Drupal Security Team
* Stéphane Corlosquet [14] of the Drupal Security Team
* Greg Knaddison [15] of the Drupal Security Team
* David Rothstein [16] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [17].
Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].
[1] http://drupal.org/project/fusion
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fusion
[4] http://drupal.org/node/1506600
[5] http://drupal.org/project/fusion
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/186334
[8] http://drupal.org/user/680072
[9] http://drupal.org/user/259737
[10] http://drupal.org/user/1117072
[11] http://drupal.org/user/162308
[12] http://drupal.org/user/380305
[13] http://drupal.org/user/46549
[14] http://drupal.org/user/52142
[15] http://drupal.org/user/36762
[16] http://drupal.org/user/124982
[17] http://drupal.org/contact
[18] http://drupal.org/security-team
[19] http://drupal.org/writing-secure-code
[20] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-054
* Project: Chaos tool suite (ctools) [1] (third-party module)
* Version: 7.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This suite is primarily a set of APIs and tools to improve the developer
experience. It also contains a module called the Page Manager whose job is to
manage pages. In particular, it manages panel pages, but as it grows it will
be able to manage far more than just Panels.
The module doesn't appropriately filter user signatures when rendering
comments.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "post comments" and a site must use Chaos tool suite to
render comments.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Chaos tool suite 7.x-1.x versions prior to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Chaos tool suite module for Drupal 7.x, upgrade to Chaos
tool suite 7.x-1.0 [4]
Also see the Chaos tool suite (ctools) [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Kristof De Jaeger [6]
-------- FIXED BY ------------------------------------------------------------
* Earl Miles [7], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Dylan Tack [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/ctools
[4] http://drupal.org/node/1507412
[5] http://drupal.org/project/ctools
[6] http://drupal.org/user/107403
[7] http://drupal.org/user/26979
[8] http://drupal.org/user/96647
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-053
* Project: Organic groups [1] (third-party module)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Organic groups (OG) enables users to create and manage their own 'groups'.
Each group can have subscribers, and maintains a group home page where
subscribers communicate amongst themselves.
The module's Views integration does not filter out of its display the
information about groups to which the current user does not have access,
exposing private group titles and the fact that content is associated with
those groups.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Organic Groups 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Organic groups
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Organic Groups module for Drupal 6.x, upgrade to Organic
Groups 6.x-2.3 [4]
Also see the Organic groups [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* John f Galvin [6]
-------- FIXED BY ------------------------------------------------------------
* Adam Ross [7], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Ben Jeavons [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og
[4] http://drupal.org/node/1507328
[5] http://drupal.org/project/og
[6] http://drupal.org/user/83305
[7] http://drupal.org/user/346868
[8] http://drupal.org/user/91990
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-052
* Project: Node Limit Number [1] (third-party module)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Node Limit Number module enables an administrator to place limits on how
many nodes may be created by each user.
Node Limit Number does not protect the delete URL against Cross Site Request
Forgery attacks, allowing a malicious user to trick someone with the
"administer node limitnumber" permission into unknowingly removing existing
limits.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Node Limit Number 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Node Limit
Number [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Node Limit Number module for Drupal 6.x, upgrade to Node
Limit Number 6.x-1.2 [4]
Also see the Node Limit Number [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ivo Van Geertruyen [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Joe Wheaton [7], the module maintainer
* Ivo Van Geertruyen [8] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/node_limitnumber
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/node_limitnumber
[4] http://drupal.org/node/1506594
[5] http://drupal.org/project/node_limitnumber
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/298179
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/102818
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-051
* Project: Activity [1] (third-party module)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Activity module keeps track of the things people do on your site and
provides mini-feeds of these activities in blocks, in a specialized table,
and via RSS. The module is extensible so that any other module can integrate
with it. The messages that are produced are customizable via the admin
interface and are context sensitive.
The 6.x-1.x branch of the module does not correctly filter the output of the
module settings, leading to a cross site scripting (XSS) vulnerability. It
also does not confirm user intent when removing a single activity, resulting
in a cross site request forgery vulnerability.
The XSS vulnerability is mitigated by the fact that it requires the malicious
user to have a role with the "access administration pages" and "administer
activity" permissions.
-------- VERSIONS AFFECTED ---------------------------------------------------
* All releases of the 6.x-1.x branch
Drupal core is not affected. If you do not use the contributed Activity [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* The 6.x-1.x branch of this module is no longer supported. Upgrade to
6.x-2.0-alpha1 [4]
Note that there is currently no upgrade path. Users of the module are
encouraged to work in the module queue to help build an upgrade path. Also
see the Activity [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ivo Van Geertruyen [6] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/activity
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/activity
[4] http://drupal.org/node/944146
[5] http://drupal.org/project/activity
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/102818
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-050
* Project: CDN2 Video [1] (third-party module)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
CDN2 is a plug and play module and video management service for Drupal.
The module does not sanitize output correctly, allowing for a cross-site
scripting (XSS) vulnerability. Additionally, the Form API is not correctly
utilized, allowing for cross-site request forgery (CSRF) attempts.
This module relies on a backend service that is no longer active; therefore
the project is unsupported.
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions are affected.
Drupal core is not affected. If you do not use the contributed CDN2 Video [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Uninstall the module. This module is no longer supported.
Also see the CDN2 Video [4] project page.
-------- REPORTED BY ---------------------------------------------------------
* Michael Hess [5] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [6] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/cdn2
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/cdn2
[4] http://drupal.org/project/cdn2
[5] http://drupal.org/user/102818
[6] http://drupal.org/user/102818
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-049
* Project: ShareThis [1] (third-party module)
* Version: 7.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The ShareThis module allows you to display social networking tools to users.
The administration forms of the module do not properly use the Form API,
allowing a malicious user to inject unexpected settings and thereby enabling
cross-site scripting attacks (XSS). Additionally, the module had an
incomplete feature for updating these settings outside of the Form API, which
was vulnerable to a cross site request forgery attack.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer sharethis".
-------- VERSIONS AFFECTED ---------------------------------------------------
* ShareThis 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed ShareThis [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the ShareThis module for Drupal 7.x, upgrade to ShareThis
7.x-2.3 [4]
Also see the ShareThis [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Travis Tomka [6]
-------- FIXED BY ------------------------------------------------------------
* Greg Knaddison [7] of the Drupal Security Team
* Rob Loach [8], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/sharethis
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/sharethis
[4] http://drupal.org/node/1504746
[5] http://drupal.org/project/sharethis
[6] http://drupal.org/user/718562
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/61114
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-048
* Project: Contact Save [1] (third-party module)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module stores in the database all messages submitted through the core
contact forms, and provides a way to respond to these messages through the
website.
The module doesn't sufficiently filter user supplied text, leading to a
cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the "access site-wide contact form" permission.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Contact Save 6.x-1.x versions prior to 6.x-1.5.
Drupal core is not affected. If you do not use the contributed Contact Save
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Contact Save module for Drupal 6.x, upgrade to Contact Save
6.x-1.5 [4].
Also see the Contact Save [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Stella Power [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Joel Stein [7], the module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/contact_save
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/contact_save
[4] http://drupal.org/node/953788
[5] http://drupal.org/project/contact_save
[6] http://drupal.org/user/66894
[7] http://drupal.org/user/36598
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-047
* Project: Ubercart Views [1] (third-party module)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Ubercart Views provides Views integration for the Ubercart shopping cart
module, and includes default views that contain a critical information
disclosure bug. In some versions, these views are disabled by default, but
still disclose information if you enable them.
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of Ubercart Views for Drupal 6.x prior to 6.x-3.2.
Drupal core is not affected. If you do not use the contributed Ubercart Views
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Ubercart Views module for Drupal 6.x, upgrade to Ubercart
Views 6.x-3.2 [4]
After installing, if you have enabled or previously edited the "orders" or
"order_management" views, you must either revert these views to their default
settings, or edit the "access" settings for these views and ensure that all
displays require the "view all orders" permission.
Also see the Ubercart Views [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Derek Wright [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* David Long [7], the module maintainer
* Derek Wright [8] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Gerhard Killesreiter [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/uc_views
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/uc_views
[4] http://drupal.org/node/1505210
[5] http://drupal.org/project/uc_views
[6] http://drupal.org/user/46549
[7] http://drupal.org/user/246492
[8] http://drupal.org/user/46549
[9] http://drupal.org/user/227
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-046
* Project: Bundle copy [1] (third-party module)
* Version: 7.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION ---------------------------------------------------------
Bundle copy is a replacement for the Content copy module which lives in the
CCK project for Drupal 6. Besides the ability to import and export content
types, taxonomy and user entities are also supported. Field groups can be
exported easily as well.
The module doesn't sufficiently check whether the user has the "use PHP for
settings" permission, allowing arbitrary PHP code to be executed while
importing settings.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer taxonomy", "administer content types" or
"administer users".
-------- VERSIONS AFFECTED ---------------------------------------------------
* Bundle copy 7.x-1.x versions prior to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Bundle copy
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Bundle copy module for Drupal 7.x, upgrade to Bundle copy
7.x-1.1 [4]
Also see the Bundle copy [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* David Rothstein [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Kristof De Jaeger [7], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Ivo Van Geertruyen [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/bundle_copy
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/bundle_copy
[4] http://drupal.org/node/1506166
[5] http://drupal.org/project/bundle_copy
[6] http://drupal.org/user/124982
[7] http://drupal.org/user/107403
[8] http://drupal.org/user/383424
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration