Security-news

security-news@drupal.org

1 participants
1782 discussions

SA-CONTRIB-2011-008 - Chatroom - Cross Site Scripting (XSS) and Cross Site Request Forgery
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-008 * Project: Chatroom (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting and Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Chatroom module provides real-time chat capabilities to Drupal. .... Vulnerability: Cross Site Scripting The module does not properly escape the contents of chat messages in pages listing the chats contained in a chatroom, leading to a Cross Site Scripting (XSS [1]) vulnerability. Any user with permission to view chatroom summary pages is vulnerable to attack. .... Vulnerability: Cross Site Request Forgery The module does not properly check for valid form tokens, leading to a Cross Site Request Forgery(XSS [2]) vulnerability. Users with administrative privileges are vulnerable to replay attacks. -------- VERSIONS AFFECTED --------------------------------------------------- * Chatroom module for Drupal 6.x versions prior to 6.x-2.13. Drupal core is not affected. If you do not use the contributed Chatroom [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Upgrade to Chatroom 6.x-2.13 [4] See also the Chatroom project page [5]. -------- REPORTED BY --------------------------------------------------------- * XSS reported by Steffen Schüssler [6] * CSRF reported by Greg Knaddison [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Justin Randell [8], module maintainer -------- CONTACT ------------------------------------------------------------- The Drupal security team [9] can be reached at security at drupal.org [10] or via the form at http://drupal.org/contact [11]. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://en.wikipedia.org/wiki/Cross-site_request_forgery [3] http://drupal.org/project/chatroom [4] http://drupal.org/node/1045716 [5] http://drupal.org/project/chatroom [6] http://drupal.org/user/107190 [7] http://drupal.org/user/36762 [8] http://drupal.org/user/38580 [9] http://drupal.org/security-team [10] http://drupal.org [11] http://drupal.org/contact

1 0

SA-CONTRIB-2011-007 - Userpoints Cross Site Scripting
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-007 * Project: Userpoints (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Userpoints module allows users to gain points through specific actions like contributing content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must have a role with the "administer userpoints" permission. -------- VERSIONS AFFECTED --------------------------------------------------- * Userpoints module for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Userpoints [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Userpoints module for Drupal 6.x upgrade to Userpoints 6.x-1.2 [3] See also the Userpoints project page [4]. -------- REPORTED BY --------------------------------------------------------- * Sascha Grossenbacher (Berdir) [5], Userpoints module maintainer -------- FIXED BY ------------------------------------------------------------ * Sascha Grossenbacher (Berdir) [6], Userpoints module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org [7] or via the form at http://drupal.org/contact [8]. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/userpoints [3] http://drupal.org/node/1048946 [4] http://drupal.org/project/userpoints [5] http://drupal.org/user/214652 [6] http://drupal.org/user/214652 [7] http://drupal.org [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-006 - Flag Page - Cross Site Scripting (XSS)
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-006 * Project: Flag page (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The contributed flag page module provides an additional flag type to allow you to flag pages so you can bookmark any URL on your site including views, panels, administration pages or site contact page. The module does not sanitize the flag titles when displayed in blocks, leading to a Cross-Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the user must have the "administer flags" permission in order to create and edit flags and enter the XSS. -------- VERSIONS AFFECTED --------------------------------------------------- * Flag page module 6.x-2.x versions prior to 6.x-2.2 * Flag page module 6.x-1.x versions prior to 6.x-1.3 Note: If you do not use the contributed flag_page [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Flag page module for Drupal 6.x-2.x upgrade to Flag Page 6.x-2.2 [3] * If you use the Flag page module for Drupal 6.x-1.x upgrade to Flag Page 6.x-1.3 [4] See also the Flag page project page [5]. -------- REPORTED BY --------------------------------------------------------- * Balazs Dianiska (snufkin) [6] -------- FIXED BY ------------------------------------------------------------ * Balazs Dianiska (snufkin) [7] * Alex Pott [8], module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/flag_page [3] http://drupal.org/node/1046704 [4] http://drupal.org/node/1046706 [5] http://drupal.org/project/flag_page [6] http://drupal.org/user/58645 [7] http://drupal.org/user/58645 [8] http://drupal.org/user/157725 [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-005 - AES encryption - Information disclosure
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: SA-CONTRIB-2011-005 * Project: AES (third-party module) * Version: 7.x * Date: 2011-February-02 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- Due to a piece of code used for debugging mistakenly left in the release, the plain text password of the user who last logged in is written to a text file in the Drupal root directory. This file is remotely accessible, thus an attacker with the knowledge of which user last logged in may access that user's account. -------- VERSIONS AFFECTED --------------------------------------------------- * AES module for Drupal 7.x-1.4 Drupal core is not affected. If you do not use the contributed AES [1] module there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the AES module for Drupal 7.x upgrade to AES 7.x-1.5 [2] See also the AES project page. [3] -------- REPORTED BY --------------------------------------------------------- * Shawn Smiley [4] -------- FIXED BY ------------------------------------------------------------ * Johan Lindskog [5], module maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [6]. Learn more about the team and their policies [7], writing secure code for Drupal [8], and secure configuration [9] of your site. [1] http://drupal.org/project/aes [2] http://drupal.org/node/1040728 [3] http://drupal.org/project/aes [4] http://drupal.org/user/317704 [5] http://drupal.org/user/123038 [6] http://drupal.org/contact [7] http://drupal.org/security-team [8] http://drupal.org/writing-secure-code [9] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-004 - Multiple Vulnerabilities In Multiple Contributed Modules
by security-news＠drupal.org 02 Feb '11

02 Feb '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-004 * Projects: Multiple third party modules - OG Forum, Open Legislation, PowerSQL * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Multiple (Information disclosure, Cross Site Scripting, Cross Site Request Forgery, SQL injection) -------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ---------------------------- OG Forum [1] for Drupal 6.x OG Forum creates a forum per organic group and restricts viewing forum nodes by group membership. OG Forum does not properly implement access controls on private forums it creates, which can lead to a private group's forums becoming public via Cross Site Request Forgeries (CSRF [2]). Additionally, OG Forum stores private group and forum information in a global vocabulary, which can lead to information such as group and forum names being disclosed to members not part of the private group. *Solution:* Disable the module. There is no safe version of the module to use. Open Legislation [3] for Drupal 6.x This module provides integation for OpenLegislation, the open legislation database and web service of the New York State Senate. The module is vulnerable to a Cross Site Scripting [4] (XSS) attack via content consumed from remote web services. *Solution:* Disable the module. There is no safe version of the module to use. PowerSQL [5] for Drupal 6.x This module provides implements additional database API functions which are not secure. Use of this module may make your site vulnerable to a SQL Injection attack [6] *Solution:* Disable the module. There is no safe version of the module to use. Drupal core is not affected. If you do not use any of the module releases above there is nothing you need to do. -------- ONGOING MAINTENANCE OF THESE MODULES -------------------------------- If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process [7]. -------- REPORTED BY --------------------------------------------------------- * OG Forum issues: * The information disclosure vulnerability was reported by Tim_O [8] * The access bypass vulnerability was reported by Michael Hao (qmhao99 [9]) * Open Legislation issue reported by Stéphane Corlosquet [10] of the Drupal Security Team * PowerSQL issue reported by Jakub Suchy [11] of the Drupal Security Team -------- CONTACT ------------------------------------------------------------- The security team for Drupal [12] can be reached at security at drupal.org or via the form at http://drupal.org/contact. Read more about the Security Team and Security Advisories at http://drupal.org/security. [1] http://drupal.org/project/og_forum [2] http://en.wikipedia.org/wiki/Csrf [3] http://drupal.org/project/openleg [4] http://en.wikipedia.org/wiki/Cross_Site_Scripting [5] http://drupal.org/project/vitzo_powersql [6] http://en.wikipedia.org/wiki/Sql_injection [7] http://drupal.org/node/251466 [8] http://drupal.org/user/111066 [9] http://drupal.org/user/855110 [10] http://drupal.org/user/52142 [11] http://drupal.org/user/31977 [12] http://drupal.org/security-team

1 0

SA-CONTRIB-2011-003 - Janrain Engage (RPX) - Multiple Vulnerabilities
by security-news＠drupal.org 19 Jan '11

19 Jan '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-003 * Project: Janrain Engage (formerly RPX) (third-party module) * Version: 6.x * Date: 2011-January-19 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting or Arbitrary Code Execution -------- DESCRIPTION --------------------------------------------------------- RPX (recently renamed Janrain Engage) is a service that acts as a middleman between a site and external login providers like Facebook, Yahoo, WindowsLive, etc. As part of this functionality it offers the ability to take a user's avatar on these services and download it for use as the user's profile photo. The module did not properly validate this file prior to saving it in the site. This could result in XSS or perhaps arbitrary code execution if a malicious user is able to insert an arbitrary file instead of the profile image. -------- VERSIONS AFFECTED --------------------------------------------------- * Janrain Engage / RPX module 6.x-1.3 only Drupal core is not affected. If you do not use the contributed Janrain Engage / RPX module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the 6.x-1.3 version of the Janrain Engage / RPX module upgrade to the 1.4 version [1] -------- REPORTED BY --------------------------------------------------------- * Greg Dunlap (heyrocker) [2] -------- FIXED BY ------------------------------------------------------------ * Greg Dunlap (heyrocker) [3] * George Katsitadze (geokat) [4] * Nathan Rambeck (nrambeck) [5] * Greg Knaddison (greggles) [6] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [7]. Learn more about the team and their policies [8], writing secure code for Drupal [9], and secure configuration [10] of your site. [1] http://drupal.org/node/1032622 [2] http://drupal.org/user/128537 [3] http://drupal.org/user/128537 [4] http://drupal.org/user/933066 [5] http://drupal.org/user/92967 [6] http://drupal.org/user/36762 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-002 - Panels - Cross Site Scripting (XSS)
by security-news＠drupal.org 13 Jan '11

13 Jan '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-002 * Project: Panels (third-party module) * Version: 6.x * Date: 2011-January-12 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Panels module allows a site administrator to create customized layouts for multiple uses. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer advanced pane settings' permission in addition to at least one permission allowing them to create or edit panels, such as 'use page manager', 'administer mini panels', 'create panel nodes' etc. -------- VERSIONS AFFECTED --------------------------------------------------- * Panels module for Drupal 6.x versions prior to 6.x-3.9 Drupal core is not affected. If you do not use the contributed Panels [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Panels module for Drupal 6.x upgrade to Panels 6.x-3.9 [3] See also the Panels project page [4]. -------- REPORTED BY --------------------------------------------------------- * Justin Klein Keane [5] -------- FIXED BY ------------------------------------------------------------ * Earl Miles (merlinofchaos) [6], Panels module maintainer * Justin Klein Keane [7] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [8], writing secure code for Drupal [9], and secure configuration [10] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/panels [3] http://drupal.org/node/1024918 [4] http://drupal.org/project/panels [5] http://drupal.org/user/302225 [6] http://drupal.org/user/26979 [7] http://drupal.org/user/302225 [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2011-001 - Webform - SQL Injection
by security-news＠drupal.org 10 Jan '11

10 Jan '11

* Advisory ID: DRUPAL-SA-CONTRIB-2011-001 * Project: Webform (third-party module) * Version: 6.x * Date: 2011-January-10 * Security risk: Highly critical * Exploitable from: Remote * Vulnerability: SQL Injection -------- DESCRIPTION --------------------------------------------------------- The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems. The module does not properly use the database API, leading to an SQL Injection [1] vulnerability that can easily lead to a malicious user gaining full administrative access. No permissions are required to exploit this issue. The vulnerability is exploited in the wild. -------- VERSIONS AFFECTED --------------------------------------------------- * Webform module 6.x-3.x versions prior to 6.x-3.5 Note: Webform 6.x-2.4 is not affected. Drupal core is not affected. If you do not use the contributed webform [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Webform module for Drupal 6.x upgrade to Webform 6.x-3.5 [3] See also the Webform project page [4]. -------- REPORTED BY --------------------------------------------------------- The vulnerability was reported publicly. -------- FIXED BY ------------------------------------------------------------ * Nathan Haug (quicksketch) [5] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [6], writing secure code for Drupal [7], and secure configuration [8] of your site. [1] http://en.wikipedia.org/wiki/SQL_injection [2] http://drupal.org/project/webform [3] http://drupal.org/node/1021180 [4] http://drupal.org/project/webform [5] http://drupal.org/user/35821 [6] http://drupal.org/security-team [7] http://drupal.org/writing-secure-code [8] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2010-113 - Image - Cross Site Scripting
by security-news＠drupal.org 22 Dec '10

22 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-113 * Project: Image (third-party module) * Version: 5.x, 6.x * Date: 2010-December-22 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Image module project contains supplemental modules, one of which, Image gallery, allows users to create and maintain galleries of image nodes using taxonomy terms. The Image gallery module does not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability which can be used by a malicious user to gain full administrative access. *Mitigating factors*: In order to exploit this vulnerability the Image gallery module must be enabled and the attacker must have the ability to edit or create image galleries. -------- VERSIONS AFFECTED --------------------------------------------------- * Image module for Drupal 6.x prior to 6.x-1.1 * Image module for Drupal 5.x prior to 5.x-2.0 * Image module for Drupal 5.x prior to 5.x-1.10 Drupal core is not affected. If you do not use the contributed Image module there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Image for Drupal 6.x upgrade to Image 6.x-1.1 [2]. * If you use Image 5.x-2.0-alpha5 or lower for Drupal 5.x upgrade to Image 5.x-2.0 [3]. * If you use Image 5.x-1.9 or lower for Drupal 5.x upgrade to Image 5.x-1.10 [4]. See also the Image project page [5]. -------- REPORTED BY --------------------------------------------------------- Justin Klein Keane [6] -------- FIXED BY ------------------------------------------------------------ * sun [7], module maintainer * joachim [8], module maintainer * Justin Klein Keane [9] -------- CONTACT ------------------------------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [10]. Learn more about the team and their policies [11], writing secure code for Drupal [12], and secure configuration [13] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/1004800 [3] http://drupal.org/node/1004802 [4] http://drupal.org/node/1004804 [5] http://drupal.org/project/image [6] http://drupal.org/user/302225 [7] http://drupal.org/user/54136 [8] http://drupal.org/user/107701 [9] http://drupal.org/user/302225 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2010-112 - oEmbed - Access Bypass
by security-news＠drupal.org 22 Dec '10

22 Dec '10

* Advisory ID: DRUPAL-SA-CONTRIB-2010-112 * Project: oEmbed (third-party module) * Version: 6.x * Date: 2010-December-22 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Access Bypass -------- DESCRIPTION --------------------------------------------------------- The oEmbed module allows a Drupal site to embed content from oEmbed-providers as well as for a site to become an oEmbed-provider itself so that other oEmbed-enabled websites can embed its content. If an external site requested to embed a node, the oEmbed provider did not check node access, resulting in content not otherwise accessable by a user to be embeddable. This only affects sites that are using the oEmbed Provider sub-module. -------- VERSIONS AFFECTED --------------------------------------------------- * oEmbed module for Drupal 6.x versions prior to 6.x-0.8 Drupal core is not affected. If you do not use the contributed oEmbed [1] module, together with its oEmbed provider module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the oEmbed module for Drupal 6.x upgrade to oEmbed 6.x-0.8 [2]. See also the oEmbed project page [3]. -------- REPORTED BY --------------------------------------------------------- * Benjamin Doherty [4] -------- FIXED BY ------------------------------------------------------------ * Pelle Wessman [5], module co-maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [6], writing secure code for Drupal [7], and secure configuration [8] of your site. [1] http://drupal.org/project/oembed [2] http://drupal.org/node/998376 [3] http://drupal.org/project/oembed [4] http://drupal.org/user/100456 [5] http://drupal.org/user/341713 [6] http://drupal.org/security-team [7] http://drupal.org/writing-secure-code [8] http://drupal.org/security/secure-configuration

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news