View online: http://drupal.org/node/1585678
* Advisory ID: DRUPAL-SA-CONTRIB-2012-080
* Project: Hostmaster (Aegir) [1] (third-party module)
* Version: 6.x
* Date: 2012-May-16
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
.... Cross Site Scripting
CVE: Requested.
Hostmaster displays a log from tasks executed in Aegir's backend component,
provision. In certain circumstances these log messages were not escaped
properly before being displayed to the user. This vulnerability is mitigated
by the fact that people wishing to exploit this must have access to the PHP
code of either provision itself or one of the sites hosted by Aegir.
.... Access Bypass
CVE: Requested.
Hostmaster does not allow users to edit or create certain node types that are
used for the internal representation of data. The implementation of this
restriction was incomplete and still allowed privileged users to edit these
nodes. This can corrupt data in the front end, leaving tasks that appear
never to finish running. This vulnerability is mitigated by
the fact that people wishing to exploit this must have the 'edit package' or
'administer nodes' permissions, which are not given to any roles by the
default Aegir install.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Hostmaster 6.x-1.x versions prior to 6.x-1.9.
Drupal core is not affected. If you do not use the contributed Hostmaster
(Aegir) [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Follow the upgrade instructions in the release notes for the Aegir 1.9
release which can be found at: http://community.aegirproject.org/1.9 [4]
Also see the Hostmaster (Aegir) [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* The Cross Site Scripting vulnerability was reported by Steven Jones [6],
one of the module maintainers.
* The Access Bypass vulnerability was reported by Ivo Van Geertruyen [7] of
the Drupal Security Team.
-------- FIXED BY ------------------------------------------------------------
* The Cross Site Scripting vulnerability was fixed by Steven Jones [8], one
of the module maintainers.
* The Access Bypass vulnerability was fixed by Ivo Van Geertruyen [9] of the
Drupal Security Team and mig5 [10], one of the module maintainers.
-------- COORDINATED BY ------------------------------------------------------
* Ivo Van Geertruyen [11] of the Drupal Security Team.
* Greg Knaddison [12] of the Drupal Security Team.
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/hostmaster
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/hostmaster
[4] http://community.aegirproject.org/1.9
[5] http://drupal.org/project/hostmaster
[6] http://drupal.org/user/99644
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/99644
[9] http://drupal.org/user/383424
[10] http://drupal.org/user/153206
[11] http://drupal.org/user/383424
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1585648
* Advisory ID: DRUPAL-SA-CONTRIB-2012-079
* Project: Post Affiliate Pro [1] (third-party module)
* Version: 6.x
* Date: 2012-May-16
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Access bypass
-------- DESCRIPTION ---------------------------------------------------------
CVE: Requested.
Post Affiliate Pro (PAP) is a module providing affiliate functionality for
Ubercart and the Post Affiliate Pro application.
The module does not sufficiently filter text supplied by users registering on
the site, and it also allows unauthorized users to view other users'
commissions.
-------- VERSIONS AFFECTED ---------------------------------------------------
* All versions of the module.
Drupal core is not affected. If you do not use the contributed Post Affiliate
Pro [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
The module is no longer supported. Users should disable it. Users interested
in continuing to use it should see the project page for more information.
Also see the Post Affiliate Pro [4] project page.
-------- REPORTED BY ---------------------------------------------------------
* Lee Rowlands [5]
-------- FIXED BY ------------------------------------------------------------
No fix was provided.
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [6] of the Drupal Security Team
* Greg Knaddison [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/uc_post_affiliate_pro
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/uc_post_affiliate_pro
[4] http://drupal.org/project/uc_post_affiliate_pro
[5] http://drupal.org/user/395439
[6] http://drupal.org/user/102818
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1585564
* Advisory ID: DRUPAL-SA-CONTRIB-2012-078
* Project: Smart Breadcrumb [1] (third-party module)
* Version: 6.x
* Date: 2012-May-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
CVE: Requested.
The function filter_titles() attempts to convert a title to plain text, but
does not properly filter user-supplied text, so the result is not safe to
output as HTML.
This vulnerability is mitigated by the fact that an attacker must have
permission to create or edit a node to exploit the issue.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Smart Breadcrumb 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Smart
Breadcrumb [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Smart Breadcrumb module for Drupal 6.x, upgrade to Smart
Breadcrumb 6.x-1.3 [4]
Also see the Smart Breadcrumb [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* coltrane [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* divThis [7] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
* Mori Sugimoto [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/smart_breadcrumb
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/smart_breadcrumb
[4] http://drupal.org/node/1568216
[5] http://drupal.org/project/smart_breadcrumb
[6] http://drupal.org/user/60
[7] http://drupal.org/user/489334
[8] http://drupal.org/user/102818
[9] http://drupal.org/user/82971
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1585544
* Advisory ID: DRUPAL-SA-CONTRIB-2012-077
* Project: Advertisement [1] (third-party module)
* Version: 6.x
* Date: 2012-May-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Information Disclosure, Multiple
vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
CVE: Requested.
This module enables you to serve advertisements, define pools of ads and show
certain ads on certain pages.
The module could, under certain conditions, expose limited site configuration
information, and a debugging mode did not sufficiently sanitize input,
allowing cross-site scripting (XSS).
The information disclosure is mitigated by the fact that the exposed data
must have been explicitly set in the $conf array in settings.php.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Advertisement 6.x-2.x versions prior to 6.x-2.2.
Drupal core is not affected. If you do not use the contributed Advertisement
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Advertisement module for Drupal 6.x, upgrade to
Advertisement 6.x-2.3 [4]
Also see the Advertisement [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Andrew Berry [6]
-------- FIXED BY ------------------------------------------------------------
* Andrew Berry [7]
* John Franklin [8], module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Matt Kleve [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
* Ivo Van Geertruyen [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/ad
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/ad
[4] https://drupal.org/node/1580376
[5] http://drupal.org/project/ad
[6] http://drupal.org/user/3734
[7] http://drupal.org/user/3734
[8] http://drupal.org/user/20938
[9] http://drupal.org/user/8264
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/67
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1585532
* Advisory ID: DRUPAL-SA-CONTRIB-2012-076
* Project: Ubercart Product Keys [1] (third-party module)
* Version: 6.x
* Date: 2012-May-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
CVE: Requested.
This module enables you to sell product keys from an Ubercart store.
Under certain circumstances, a user can view all unassigned product keys,
which would grant them access to the software and circumvent the process of
selling the key.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Ubercart Product Keys 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Ubercart
Product Keys [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Ubercart Product Keys (uc_product_keys) module for Drupal
6.x, upgrade to Ubercart Product Keys 6.x-1.1 [4].
Also see the Ubercart Product Keys [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Daniel Glucksman
-------- FIXED BY ------------------------------------------------------------
* Daniel Glucksman
* Tony Freixas [6] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [7] of the Drupal Security Team
* Michael Hess [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/uc_product_keys
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/uc_product_keys
[4] http://drupal.org/node/1580752
[5] http://drupal.org/project/uc_product_keys
[6] http://drupal.org/user/131274
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/102818
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1569512
* Advisory ID: DRUPAL-SA-CONTRIB-2012-075
* Project: Take Control [1] (third-party module)
* Version: 6.x
* Date: 2012-May-09
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to manage your Drupal file-system from within Drupal
itself.
The module does not sufficiently validate Ajax calls, making a Cross Site
Request Forgery (CSRF) attack possible.
This vulnerability is mitigated by the fact that the attacker must be able to
guess your Drupal file-system root path exactly. Further, if your site
follows the secure file-system permission recommendations [3] and the
web-server account does not have write access to the Drupal root, only files
and folders in Drupal's "files" directory are exposed to manipulation.
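The defence against this class of bug is a request token that is bound to the caller's session and to the specific action, checked before the endpoint touches the filesystem. The following is an added example written for this page, not Take Control's code, and it does not depend on a Drupal bootstrap; the function names, the $private_key value, the session id and the 'delete' action are all assumptions chosen for the demonstration.

```php
<?php
// Added example for this page (not Take Control's code). Shows a CSRF token
// bound to the session and the action, validated before a state-changing
// Ajax handler does any work. Names, key and sample traffic are constructed.

/**
 * Derive a request token from a site secret, the session id and the action.
 * Binding the token to the action means a token obtained for "rename"
 * cannot be replayed against "delete".
 */
function ajax_token($private_key, $session_id, $action) {
  return hash_hmac('sha256', $session_id . "\0" . $action, $private_key);
}

/**
 * Validate the token a request presents. hash_equals() compares in constant
 * time, so response timing does not reveal how many bytes matched.
 */
function ajax_token_valid($private_key, $session_id, $action, $presented) {
  if (!is_string($presented)) {
    return FALSE;
  }
  return hash_equals(ajax_token($private_key, $session_id, $action), $presented);
}

/**
 * A file-manager style endpoint. It returns a status string instead of
 * touching the filesystem so the example is safe to run anywhere.
 */
function handle_delete_request(array $request, $private_key, $session_id) {
  // 1. Only accept state changes via POST; a cross-site <img> or link is a GET.
  if ($request['method'] !== 'POST') {
    return 'rejected: method';
  }
  // 2. Require a token valid for this session and this action.
  if (!ajax_token_valid($private_key, $session_id, 'delete', isset($request['token']) ? $request['token'] : NULL)) {
    return 'rejected: token';
  }
  // 3. Only then act on the (still untrusted) path parameter.
  return 'would delete ' . $request['path'];
}

// Constructed sample traffic against a victim session "SESSa1b2c3".
$key     = 'site-private-key-set-in-settings';   // assumption: the site secret
$session = 'SESSa1b2c3';
$good    = ajax_token($key, $session, 'delete');

$legit  = array('method' => 'POST', 'token' => $good, 'path' => 'sites/default/files/old.txt');
// Attacker can mint a token for their own session, but not for the victim's.
$forged = array('method' => 'POST', 'token' => ajax_token($key, 'SESSattacker', 'delete'), 'path' => 'index.php');
// A token the victim obtained for another action does not transfer.
$replay = array('method' => 'POST', 'token' => ajax_token($key, $session, 'rename'), 'path' => 'index.php');
// A GET with a valid token is still refused: cross-site requests are GETs.
$get    = array('method' => 'GET',  'token' => $good, 'path' => 'index.php');

foreach (array('legit' => $legit, 'forged' => $forged, 'replay' => $replay, 'get' => $get) as $name => $req) {
  printf("%-6s %s\n", $name, handle_delete_request($req, $key, $session));
}
```

Only the first request is accepted. In a Drupal 7 module the same pattern is available from core as drupal_get_token($value) and drupal_valid_token($token, $value), with the action or file path passed as $value; the point of the example is what those calls must be bound to, and that the check has to run before any filesystem operation.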
-------- VERSIONS AFFECTED ---------------------------------------------------
* Take Control 6.x-2.x versions prior to 6.x-2.2.
Drupal core is not affected. If you do not use the contributed Take Control
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Take Control module for Drupal 6.x, upgrade to Take Control
6.x-2.2 [5]
Also see the Take Control [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Carl Wiedemann [7]
-------- FIXED BY ------------------------------------------------------------
* Rahul Singla [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/take_control
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/244924
[4] http://drupal.org/project/take_control
[5] http://drupal.org/node/1243604
[6] http://drupal.org/project/take_control
[7] http://drupal.org/user/235047
[8] http://drupal.org/user/473356
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/102818
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1569508
* Advisory ID: DRUPAL-SA-CONTRIB-2012-074
* Project: Contact Forms [1] (third-party module)
* Version: 7.x
* Date: 2012-May-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module expands the features of the site-wide contact form. It eliminates
the drop-down category menu by generating a clean-looking contact form
(without a drop-down menu) with a unique path for each contact form
category.
The module allowed users to edit the Contact Forms settings if they had the
'access the site-wide contact form' permission, instead of requiring the more
appropriate 'Administer contact forms and contact form settings' permission.
This vulnerability is mitigated only by the fact that an attacker must know
the URL of the Contact Forms settings page (which is the same on all Drupal
sites).
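In a Drupal 7 module the permission that guards a page is the 'access arguments' entry of its hook_menu() item, so this bug is a one-line difference in that array. The following is an added example for this page, not the Contact Forms module's code: the path 'admin/config/system/contact-forms-example' and the form callback name are assumptions, while the two permission strings are the machine names Drupal 7 core's contact module defines for the permissions the advisory quotes.

```php
<?php
// Added example (not the Contact Forms module's code). Path and callback
// names are assumptions; the permission names are Drupal 7 core's.

/**
 * Implements hook_menu().
 */
function contact_forms_example_menu() {
  $items = array();

  // Weak: anyone allowed to submit the contact form may also reconfigure it.
  // 'access site-wide contact form' is the machine name of the
  // "access the site-wide contact form" permission, typically granted to
  // authenticated or even anonymous users.
  $items['admin/config/system/contact-forms-example/weak'] = array(
    'title' => 'Contact forms settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('contact_forms_example_settings_form'),
    'access arguments' => array('access site-wide contact form'),
  );

  // Corrected: a settings page requires the administrative permission,
  // 'administer contact forms' ("Administer contact forms and contact form
  // settings"), which only administrators normally hold.
  $items['admin/config/system/contact-forms-example'] = array(
    'title' => 'Contact forms settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('contact_forms_example_settings_form'),
    'access arguments' => array('administer contact forms'),
  );

  return $items;
}
```

When only 'access arguments' is given, Drupal 7 uses user_access() as the access callback, so the single string in that array is the entire authorization decision for the page. A quick audit of a contrib module is to list every admin/ path in its hook_menu() and confirm that none of them names a permission that ordinary site visitors hold.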
-------- VERSIONS AFFECTED ---------------------------------------------------
* Contact Forms 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Contact Forms
[3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Contact Forms module for Drupal 7.x, upgrade to Contact
Forms 7.x-1.3 [4]
Also see the Contact Forms [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Vlad D. [6]
-------- FIXED BY ------------------------------------------------------------
* Geoff Davies [7] the module maintainer
* Greg Knaddison [8] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/contact_forms
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/contact_forms
[4] http://drupal.org/node/1569352
[5] http://drupal.org/project/contact_forms
[6] http://drupal.org/user/1105838
[7] http://drupal.org/user/29262
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1569482
* Advisory ID: DRUPAL-SA-CONTRIB-2012-073
* Project: Glossary [1] (third-party module)
* Version: 6.x
* Date: 2012-May-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The glossary module scans posts for glossary terms, adding an indicator. By
hovering over the indicator, users may learn the definition of that term.
The module does not sufficiently sanitize the taxonomy information. This
leaves sites vulnerable to Cross-Site Scripting attacks.
This vulnerability is mitigated by the fact that an attacker must have a role
with permissions to create or edit taxonomy terms.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Glossary 6.x-1.x versions prior to 6.x-1.8.
Drupal core is not affected. If you do not use the contributed Glossary [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Glossary module for Drupal 6.x, upgrade to Glossary 6.x-1.8
[4].
Also see the Glossary [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dylan Wilder-Tack [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Nancy Wichmann [7] the module maintainer
* Chris Hales [8]
-------- COORDINATED BY ------------------------------------------------------
* Forest Monsen [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/glossary
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/glossary
[4] http://drupal.org/node/1568156
[5] http://drupal.org/project/glossary
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/101412
[8] http://drupal.org/user/347249
[9] http://drupal.org/user/181798
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1557938
* Advisory ID: DRUPAL-SA-CORE-2012-002
* Project: Drupal core [1]
* Version: 7.x
* Date: 2012-May-02
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Denial of Service, Access bypass
-------- DESCRIPTION ---------------------------------------------------------
.... Denial of Service
CVE: CVE-2012-1588
Drupal core's text filtering system provides several features including
removing inappropriate HTML tags and automatically linking content that
appears to be a link. A pattern in Drupal's text matching was found to be
inefficient with certain specially crafted strings. This vulnerability is
mitigated by the fact that users must have the ability to post content sent
to the filter system such as a role with the "post comments" or "Forum topic:
Create new content" permission.
.... Unvalidated form redirect
CVE: CVE-2012-1589
Drupal core's Form API allows users to set a destination, but failed to
validate that the URL was internal to the site. This weakness could be abused
to redirect the login form to a remote site with a malicious script that
harvests the login credentials and then redirects back to the live site. This
vulnerability is mitigated only by the end user's ability to recognize a URL
with malicious query parameters and so avoid the social engineering required
to exploit the problem.
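The check that was missing is "is this destination a path on my own site?", and the usual mistakes are to test only for a leading "http", which misses protocol-relative "//host" URLs and javascript: URLs, or to look for a colon anywhere, which wrongly rejects internal paths whose query string contains one. The following is an added example written for this page, not Drupal core's drupal_goto() or url_is_external(); it runs without Drupal, and the function names and the sample inputs are constructed.

```php
<?php
// Added example for this page (not Drupal core's code). A stand-alone check
// that a "destination" query value is a site-relative path before a redirect
// honours it. Function names and the $cases table are constructed.

/**
 * Return TRUE only if $destination is a site-relative path.
 *
 * Rejects absolute URLs (scheme://host), protocol-relative URLs (//host)
 * and anything carrying a scheme such as javascript: or data:.
 */
function is_internal_destination($destination) {
  if (!is_string($destination) || $destination === '') {
    return FALSE;
  }
  // Browsers resolve "//evil.example" as an absolute URL on the current
  // scheme, so more than one leading slash is not an internal path.
  if (preg_match('#^/{2,}#', $destination)) {
    return FALSE;
  }
  // Drop control characters and spaces that browsers ignore inside a scheme
  // ("java\tscript:"), then treat a colon that appears before the first
  // "/", "?" or "#" as a scheme separator. A colon after one of those
  // delimiters is ordinary path or query data.
  $cleaned = preg_replace('/[\x00-\x20]/', '', $destination);
  $colon = strpos($cleaned, ':');
  if ($colon !== FALSE && $colon < strcspn($cleaned, '/?#')) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Redirect helper: honour the destination only when it is internal and
 * otherwise fall back to $default. Returns the path it would redirect to.
 */
function safe_redirect_target(array $query, $default = '<front>') {
  if (isset($query['destination']) && is_internal_destination($query['destination'])) {
    return $query['destination'];
  }
  return $default;
}

// Constructed inputs with the verdict each one should receive.
$cases = array(
  'user/1/edit'                      => TRUE,
  'node/5?page=2#comments'           => TRUE,
  'search/node/foo:bar'              => TRUE,   // colon after the first "/"
  'user/login?destination=http://x'  => TRUE,   // colon after the "?"
  'http://evil.example/login'        => FALSE,
  '//evil.example/login'             => FALSE,
  'javascript:alert(1)'              => FALSE,
  "java\tscript:alert(1)"            => FALSE,  // tab hidden inside the scheme
);
foreach ($cases as $input => $expected) {
  $verdict = is_internal_destination($input) === $expected ? 'ok  ' : 'FAIL';
  printf("%s %s\n", $verdict, str_replace("\t", '\t', $input));
}
printf("redirect target: %s\n", safe_redirect_target(array('destination' => 'http://evil.example/login')));
```

The last line falls back to the default because the supplied destination is external. Drupal 7.13's own fix is of the same shape: drupal_goto() now ignores a $_GET['destination'] for which url_is_external() returns TRUE.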
.... Access bypass - forum listing
CVE: CVE-2012-1590
Drupal core's forum lists fail to check user access to nodes when displaying
them in the forum overview page. If an unpublished node was the most recently
updated in a forum, then users who should not have access to unpublished forum
posts were still able to see metadata about the forum post, such as the post
title.
.... Access bypass - private images
CVE: CVE-2012-1591
Drupal core provides the ability to have private files, including images, and
Image Styles, which create derivative images from an original image that may
differ, for example, in size or saturation. Drupal core failed to properly
terminate the page request for cached image styles, allowing users to access
image derivatives of images they should not be able to view. Furthermore,
Drupal did not set the right headers to prevent image styles from being
cached in the browser.
.... Access bypass - content administration
CVE: Requested.
Drupal core provides the ability to list nodes on a site at admin/content.
Drupal core failed to confirm a user viewing that page had access to each
node in the list. This vulnerability only concerns sites running a
contributed node access module and is mitigated by the fact that users must
have a role with the "view content overview" permission. Unpublished nodes
were not displayed to users who only had the "view content overview"
permission.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal core 7.x versions prior to 7.13.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Drupal 7.x, upgrade to Drupal core 7.13 [3]
Also see the Drupal core [4] project page.
-------- REPORTED BY ---------------------------------------------------------
* The Denial of Service vulnerability was reported by Jay Wineinger [5] and
Lin Clark [6].
* The unvalidated form redirect vulnerability was reported by Károly
Négyesi [7] of the Drupal Security Team.
* The access bypass in forum listing vulnerability was reported by Glen W
[8].
* The access bypass for private images vulnerability was reported by frega
[9], Andreas Gonell [10], Jeremy Meier [11] and Xenza [12].
* The access bypass for the content administration vulnerability was
reported by Jennifer Hodgdon [13].
-------- FIXED BY ------------------------------------------------------------
* The Denial of Service was fixed by Károly Négyesi [14] of the Drupal
Security Team.
* The unvalidated form redirect was fixed by Wolfgang Ziegler [15] and
Stéphane Corlosquet [16] of the Drupal Security Team.
* The access bypass in forum listing was fixed by Michael Hess [17] of the
Drupal Security Team, Ben Jeavons [18] of the Drupal Security Team and xjm
[19].
* The Access bypass for private images was fixed by Károly Négyesi [20] of
the Drupal Security Team, Damien Tournoud [21] of the Drupal Security
Team, Greg Knaddison [22] of the Drupal Security Team, Stéphane
Corlosquet [23] of the Drupal Security Team, Xenza [24] and frega [25].
* The Access bypass for content administration was fixed by Jennifer Hodgdon
[26].
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [27].
Learn more about the Drupal Security team and their policies [28], writing
secure code for Drupal [29], and securing your site [30].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1558412
[4] http://drupal.org/project/drupal
[5] http://drupal.org/user/923254
[6] http://drupal.org/user/396253
[7] http://drupal.org/user/9446
[8] http://drupal.org/user/170314
[9] http://drupal.org/user/243377
[10] http://drupal.org/user/414525
[11] http://drupal.org/user/1271628
[12] http://drupal.org/user/1792496
[13] http://drupal.org/user/155601
[14] http://drupal.org/user/9446
[15] http://drupal.org/user/16747
[16] http://drupal.org/user/52142
[17] http://drupal.org/user/102818
[18] http://drupal.org/user/91990
[19] http://drupal.org/user/65776
[20] http://drupal.org/user/9446
[21] http://drupal.org/user/22211
[22] http://drupal.org/user/36762
[23] http://drupal.org/user/52142
[24] http://drupal.org/user/1792496
[25] http://drupal.org/user/243377
[26] http://drupal.org/user/155601
[27] http://drupal.org/contact
[28] http://drupal.org/security-team
[29] http://drupal.org/writing-secure-code
[30] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1558248
* Advisory ID: DRUPAL-SA-CONTRIB-2012-072
* Project: cctags [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-May-02
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to create "tag clouds" with taxonomy terms displayed
in different sizes depending on how frequently they are used on a site.
The module doesn't sufficiently filter user supplied text leading to a Cross
Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the ability to create or edit vocabularies or terms.
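The cctags, Glossary and Smart Breadcrumb advisories above share one root cause: a term or node title is dropped into markup after being "made plain text" without escaping for the HTML context it lands in. The following is an added example written for this page, and not code from any of those modules; it contrasts a renderer that relies on strip_tags() with one that escapes at the point of output, and uses the DOM parser to show which of the two actually emits an attacker-controlled attribute. Function names and the three sample term names are constructed.

```php
<?php
// Added example for this page (not cctags, Glossary or Smart Breadcrumb
// code). Demonstrates why strip_tags() is not output escaping and that the
// escaping must match the HTML context. Names and samples are constructed.

/**
 * Vulnerable: strips tags, then drops the result into a title attribute
 * and the link text. strip_tags() leaves quotes untouched, so a term name
 * containing `"` closes the attribute and can append an event handler.
 */
function render_term_link_vulnerable($term_name, $href) {
  $plain = strip_tags($term_name);
  return '<a href="' . $href . '" title="' . $plain . '">' . $plain . '</a>';
}

/**
 * Escape for HTML text and double-quoted attribute context. This is what
 * Drupal's check_plain() does: htmlspecialchars() with ENT_QUOTES so both
 * quote characters are encoded, and an explicit UTF-8 charset.
 */
function escape_html($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Hardened: every untrusted value is escaped where it enters the markup,
 * including the href, which is treated as an attribute value.
 */
function render_term_link($term_name, $href) {
  return '<a href="' . escape_html($href) . '" title="' . escape_html($term_name) . '">'
       . escape_html($term_name) . '</a>';
}

/**
 * Parse the fragment the way a browser would and report whether any element
 * carries an on* attribute. Searching the raw string for "onmouseover="
 * would be wrong: the hardened output still contains that text, harmlessly,
 * inside an escaped attribute value.
 */
function has_event_handler_attribute($html) {
  $doc = new DOMDocument();
  // Suppress parser warnings for the bare fragment.
  @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
  foreach ($doc->getElementsByTagName('*') as $el) {
    foreach ($el->attributes as $attr) {
      if (stripos($attr->name, 'on') === 0) {
        return TRUE;
      }
    }
  }
  return FALSE;
}

// Constructed term names, as a user with permission to edit terms could save them.
$terms = array(
  'Security',
  '<script>alert(1)</script>',                 // strip_tags() defuses this one ...
  'Tag" onmouseover="alert(document.cookie)',  // ... but not this one
);

foreach ($terms as $name) {
  $vuln = render_term_link_vulnerable($name, 'taxonomy/term/1');
  $safe = render_term_link($name, 'taxonomy/term/1');
  printf("term: %s\n  vulnerable: %s\n    handler attribute: %s\n  hardened:   %s\n    handler attribute: %s\n",
    $name,
    $vuln, has_event_handler_attribute($vuln) ? 'yes' : 'no',
    $safe, has_event_handler_attribute($safe) ? 'yes' : 'no');
}
```

The second sample is the one that makes strip_tags() look adequate in testing: the script element disappears. The third shows the actual failure, an attribute breakout that no tag-stripping can catch because there is no tag. Only the hardened renderer reports no handler attribute for all three, and it does so without needing to know what the attacker tried, which is the property output escaping is supposed to give you.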
-------- VERSIONS AFFECTED ---------------------------------------------------
* cctags 6.x-1.x versions prior to 6.x-1.10.
* cctags 7.x-1.x versions prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed cctags [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the cctags module for Drupal 6.x, upgrade to cctags 6.x-1.10
[4]
* If you use the cctags module for Drupal 7.x, upgrade to cctags 7.x-1.10
[5]
Also see the cctags [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Michael Hess [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Oleg Kovalchuk [9] the module maintainer
* Greg Knaddison [10] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Michael Hess [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/cctags
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/cctags
[4] http://drupal.org/node/1508098
[5] http://drupal.org/node/1508100
[6] http://drupal.org/project/cctags
[7] http://drupal.org/user/102818
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/338442
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/102818
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration