* Advisory ID: DRUPAL-SA-CONTRIB-2010-082
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Local file read access
-------- DESCRIPTION
---------------------------------------------------------
The Printer, e-mail and PDF versions ("print") module provides
printer-friendly versions of content, including a PDF version that is
generated by one of three supported generation tools (dompdf, TCPDF and
wkhtmltopdf). When using the wkhtmltopdf PDF generation tool, that tool is
able to access local files in the Drupal server environment. Users with the
ability to create unfiltered HTML in the node content could trick the tool to
access any file accessible by the Web server user and to display its contents
inside the generated PDF. Sites should not grant the ability to post
unfiltered HTML to untrusted roles.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.11
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.10
Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
Printer, e-mail and PDF versions 6.x-1.11 [1]
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.10 [2]
If you use the wkhtmltopdf PDF generation tool, and its version is older
than 0.9.6, please upgrade [3] to a more recent version, as the module now
supports only versions 0.9.6 or higher. See also the Printer, e-mail and PDF
versions project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Douglas Bagnall [5]
-------- FIXED BY
------------------------------------------------------------
* João Ventura [6], module maintainer
* James Gilliland [7], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/880280
[2] http://drupal.org/node/880276
[3] http://code.google.com/p/wkhtmltopdf
[4] http://drupal.org/project/print
[5] http://drupal.org/user/758786
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/48673
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-081
* Project: FileField Sources (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary Code Execution
-------- DESCRIPTION
---------------------------------------------------------
The FileField Sources module expands on the abilities of FileField, allowing
users to select new or existing files through additional means, including:
reuse of existing files through an autocomplete textfield or IMCE, or
transferring files directly from remote servers. The module does not sanitize
the file extensions of files that have been transferred from remote servers,
allowing for the transfer of files that match allowed extensions but
actually contain malicious code. This could potentially allow an attacker to
transfer scripts to the server and execute them. This vulnerability is usually
mitigated by Drupal core's built-in security mechanisms, which prevent code
execution of uploads that are within the Drupal files directory. This exploit
should not affect the majority of Drupal sites. Users would also need the
ability to use the FileField Sources module, which requires permission to
create or edit a node that has a FileField with FileField Sources configured
for it.
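As an added illustration (not FileField Sources code) of the check the advisory says was missing for remote transfers: this Python derives a local file name from a remote URL, refuses names whose final extension is not on the field's whitelist, and neutralises inner extensions the way Drupal's upload handling does. The munging rule is an assumption modelled on Drupal core's file_munge_filename; the whitelist and URLs are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlparse

# Whitelist a site administrator might configure on the FileField (constructed).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "pdf"}

# A dotted part is treated as an extension only if it looks like one
# (2-5 letters plus an optional digit), so "report.2010.txt" is left alone.
_EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def munge_filename(filename, allowed):
    """Neutralise inner extensions (assumption: mirrors Drupal's upload munging).

    Every dotted part between the base name and the final extension that
    looks like an extension and is not whitelisted gets an underscore
    appended, so "shell.php.txt" becomes "shell.php_.txt" and a web server
    configured to run .php anywhere in the name no longer executes it.
    """
    parts = filename.split(".")
    if len(parts) < 3:
        return filename  # nothing between base name and final extension
    base, inner, final = parts[0], parts[1:-1], parts[-1]
    out = [base]
    for part in inner:
        if _EXT_LIKE.match(part) and part.lower() not in allowed:
            part += "_"
        out.append(part)
    out.append(final)
    return ".".join(out)


def safe_remote_filename(url, allowed=ALLOWED_EXTENSIONS):
    """Derive the local file name for a file fetched from a remote URL.

    Returns the sanitised name, or None when the transfer must be refused:
    empty name, no extension at all, or a final extension outside the
    whitelist. Query string and fragment are ignored, and only the last
    path segment is used, so encoded directory components cannot escape.
    """
    path = unquote(urlparse(url).path)
    name = posixpath.basename(path).replace("\\", "_").strip()
    if not name or "." not in name:
        return None
    final = name.rsplit(".", 1)[1].lower()
    if final not in allowed:
        return None
    return munge_filename(name, allowed)
```

The same function should be applied to every transfer path (remote fetch, IMCE reuse, direct upload), since the advisory's point is that one path skipped the check the others performed.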
-------- VERSIONS AFFECTED
---------------------------------------------------
* FileField Sources module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed FileField
Sources [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FileField Sources module for Drupal 6.x upgrade to
FileField Sources 6.x-1.2 [2]
See also the FileField Sources project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Apa Sajja
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [4], module maintainer
* Greg Knaddison [5] of the Drupal security team
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/node/880248
[3] http://drupal.org/project/filefield_sources
[4] http://drupal.org/user/35821
[5] http://drupal.org/user/36762
[6] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-080
* Project: Privatemsg (third-party module)
* Version: 6.x
* Date: 2010-August-11
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Privatemsg module allows users to send private messages to each other.
The module does not properly escape user-supplied data before displaying it,
leading to a Cross Site Scripting (XSS [1]) vulnerability. Any user with
permission to write private messages is able to carry out the attack.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Privatemsg module for Drupal 6.x versions prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Privatemsg [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Privatemsg module for Drupal 6.x upgrade to Privatemsg
6.x-1.3 [3]
See also the Privatemsg project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Ben Durbin (bdurbin) [5]
-------- FIXED BY
------------------------------------------------------------
* Ben Durbin (bdurbin) [6]
* Sascha Grossenbacher (Berdir) [7], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/privatemsg
[3] http://drupal.org/node/880036
[4] http://drupal.org/project/privatemsg
[5] http://drupal.org/user/165644
[6] http://drupal.org/user/165644
[7] http://drupal.org/user/214652
[8] http://drupal.org/security-team
* Advisory ID: SA-CONTRIB-2010-079
* Project: Devel (third-party module)
* Version: 5.x, 6.x
* Date: 2010-Aug-04
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION:
--------------------------------------------------------
The devel project is a suite of modules for developers and themers. Within
the devel project, there is the performance logging module. The module does
not escape URLs composed of node paths, leading to a Cross Site Scripting
(XSS) vulnerability. Users with the permission to access the reports that the
performance module produces are vulnerable to attack. A malicious user needs
the ability to add URL aliases to create and exploit the vulnerability.
-------- VERSIONS AFFECTED:
--------------------------------------------------
* Devel module for Drupal 5.x versions prior to 5.x-1.3
* Devel module for Drupal 6.x versions prior to 6.x-1.21
Drupal core is not affected. If you do not use the contributed performance
logging module, there is nothing you need to do.
-------- SOLUTION:
-----------------------------------------------------------
Install the latest version:
* For Drupal 5.x, upgrade to Devel 5.x-1.3 [1]
* For Drupal 6.x, upgrade to Devel 6.x-1.21 [2]
See also the Devel [3] project page.
-------- REPORTED BY:
--------------------------------------------------------
* Justin James Grevich
-------- FIXED BY:
-----------------------------------------------------------
* Khalid Baheyeldin (kbahey [4]), the performance logging module maintainer
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact.
[1] http://drupal.org/node/874130
[2] http://drupal.org/node/874116
[3] http://drupal.org/project/devel
[4] http://drupal.org/user/4063
* Advisory ID: DRUPAL-SA-CONTRIB-2010-078
* Project: Kaltura (third-party module)
* Versions: 5.x, 6.x
* Date: 2010-July-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Kaltura module integrates the Kaltura open source video platform with
Drupal. When installing, uninstalling, or configuring the module, it would
surreptitiously inject a hidden iframe into the messages displayed to the
administrator with the source pointing to corp.kaltura.com/stats/drupal.
These requests were made without prior knowledge or authorization of site
administrators. The iframe also included information such as the site's
Kaltura partner ID, registration ID, or registration error code. Because most
browsers also include the referring site when displaying an iframe,
information such as the URL or IP address of the Drupal site could also have
been obtained.
-------- RESPONSIBLE COLLECTION OF USAGE STATISTICS FOR DRUPAL MODULES
-------
The popularity of modules hosted on drupal.org is already tracked based on
data in the request when a Drupal installation checks to see if any of its
modules have new releases (see the Kaltura usage page [1] for example). This
information is gathered with privacy in mind: an open discussion [2] occurred
before including private information in the requests; the data is not shared
outside of Drupal.org server administrators (approximately 10 people); site
administrators are alerted to this system during installation of their site
and they can opt in or out at any time.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Kaltura module for Drupal 6.x prior to 6.x-1.5, and all 6.x-2.x versions
* Kaltura module for Drupal 5.x prior to 5.x-1.4
Drupal core is not affected. If you do not use the Kaltura module, there is
nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Kaltura module for Drupal 5.x upgrade to Kaltura 5.x-1.4 [3]
* If you use Kaltura module for Drupal 6.x upgrade to Kaltura 6.x-1.5 [4]
* If you use Kaltura module for Drupal version 6.x-2.0 or 6.x-2.x-dev,
downgrade to Kaltura 6.x-1.5 [5]
Also see the Kaltura project page [6].
-------- REPORTED BY
---------------------------------------------------------
* Denis Slepichev [7]
* Chris Burgess [8]
-------- FIXED BY
------------------------------------------------------------
* Chris Burgess [9], the new module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/usage/kaltura
[2] http://lists.drupal.org/pipermail/development/2007-December/027921.html
[3] http://drupal.org/node/867754
[4] http://drupal.org/node/848996
[5] http://drupal.org/node/848996
[6] http://drupal.org/project/kaltura
[7] http://drupal.org/user/399704
[8] http://drupal.org/user/76026
[9] http://drupal.org/user/76026
[10] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-077
* Project: Sage Pay Direct Payment Gateway for Ubercart (third-party module)
* Version: 5.x, 6.x
* Date: 2010-July-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Sage Pay Direct Payment Gateway for Ubercart (uc_protx_vsp_direct)
processes credit card transactions in Ubercart stores using the Sage Pay
Direct service. The module may show remote 3-D Secure pages to the user in an
iframe when their bank supports the Verified by Visa or MasterCard SecureCode
verification schemes. These pages can include sensitive information relating
to the user's credit card. In some configurations, the page containing the
iframe may be stored in the Drupal cache and incorrectly shown to a
subsequent anonymous user.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Sage Pay Direct Payment Gateway for Ubercart module for Drupal 5.x
versions prior to 5.x-1.9
* Sage Pay Direct Payment Gateway for Ubercart for Drupal 6.x versions prior
to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Sage Pay
Direct Payment Gateway for Ubercart there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Sage Pay Direct Payment Gateway for Ubercart module for
Drupal 5.x upgrade to the 5.x-1.9 version [1]
* If you use the Sage Pay Direct Payment Gateway for Ubercart module for
Drupal 6.x upgrade to the 6.x-1.4 version [2]
See also the Sage Pay Direct Payment Gateway for Ubercart project page [3].
-------- REPORTED BY
---------------------------------------------------------
* David Long (longwave) [4], module co-maintainer
-------- FIXED BY
------------------------------------------------------------
* David Long (longwave) [5], module co-maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/867454
[2] http://drupal.org/node/867456
[3] http://drupal.org/project/uc_protx_vsp_direct
[4] http://drupal.org/user/246492
[5] http://drupal.org/user/246492
[6] http://drupal.org/security-team
* Advisory ID: SA-CONTRIB-2010-076
* Project: Dashboard (third-party module)
* Version: 6.x
* Date: 2010-July-28
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION:
--------------------------------------------------------
The dashboard module allows users to create a personalized set of pages of
widgets created from existing blocks and nodes (like iGoogle). The module
does not escape user generated names for tags and titles associated with
default widgets that are added to a user dashboard page, leading to a Cross
Site Scripting (XSS [1]) vulnerability. Users with the permission to access
or create default dashboard widgets are vulnerable to attack. A malicious user
needs the permission "administer dashboard defaults" to exploit the
vulnerability.
-------- VERSIONS AFFECTED:
--------------------------------------------------
* Dashboard module for Drupal 6.x versions prior to 6.x-2.1 [2]
Drupal core is not affected. If you do not use the contributed Dashboard [3]
module, there is nothing you need to do.
-------- SOLUTION:
-----------------------------------------------------------
Install the latest version:
* Upgrade to Dashboard 6.x-2.1 [4]
See also the Dashboard project page [5].
-------- REPORTED BY:
--------------------------------------------------------
* Greg Knaddison (greggles) [6] a member of the Drupal Security Team
-------- FIXED BY:
-----------------------------------------------------------
* Chris Miller [7], module maintainer
* Greg Knaddison (greggles) [8] a member of the Drupal Security Team
The Drupal security team [9] can be reached at security at drupal.org [10] or
via the form at http://drupal.org/contact [11].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/866628
[3] http://drupal.org/project/dashboard
[4] http://drupal.org/node/866628
[5] http://drupal.org/project/dashboard
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/274027
[8] http://drupal.org/user/36762
[9] http://drupal.org/security-team
[10] http://drupal.org
[11] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-075
* Project: Tagging (third-party module)
* Version: 6.x
* Date: 2010-July-21
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Tagging module provides an alternative input widget and other features
for taxonomy terms. The module does not properly escape user-provided content
submitted to free-tagging vocabularies displayed on node previews, leading to
a Cross Site Scripting (XSS [1]) vulnerability. Any user with permission to
create or edit a node containing a free-tagging vocabulary is vulnerable to
attack.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Tagging module for Drupal 6.x versions prior to 6.x-2.4.
Drupal core is not affected. If you do not use the contributed Tagging [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* Upgrade to Tagging 6.x-2.4 [3]
See also the Tagging project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Mike Stefanello [5]
* Barry Jaspan [6] of the Drupal security team
-------- FIXED BY
------------------------------------------------------------
* Eugen Mayer [7], module maintainer
* Mike Stefanello [8]
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [9] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/tagging
[3] http://drupal.org/node/857494
[4] http://drupal.org/project/tagging
[5] http://drupal.org/user/107190
[6] http://drupal.org/user/46413
[7] http://drupal.org/user/108406
[8] http://drupal.org/user/107190
[9] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-074
* Projects: Drupad (third-party module)
* Version: 6.x
* Date: 2010-07-14
* Security risks: Critical
* Exploitable from: Remote
* Vulnerability: CSRF
-------- DESCRIPTION
---------------------------------------------------------
The Drupad module is the companion module of the iPhone / iPod Touch
application also called Drupad. The module doesn't check whether the incoming
request was made from the application, leading to a CSRF vulnerability. This
vulnerability can be used to delete users and content, or set the site in
offline mode, when a privileged user visits a malicious site.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupad for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Drupad [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* Upgrade to Drupad 6.x-1.1 [2]
See also the Drupad project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Heine Deelstra [4] of the Drupal security team
-------- FIXED BY
------------------------------------------------------------
* Jérémy Chatard [5], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/drupad
[2] http://drupal.org/node/854034
[3] http://drupal.org/project/drupad
[4] http://drupal.org/user/17943
[5] http://drupal.org/user/130002
* Advisory ID: DRUPAL-SA-CONTRIB-2010-073
* Projects: Multiple third party modules - Simple Gallery, OG Menu, Tell A
Friend Node, JsMath For Displaying Mathematics With TeX
* Version: 5.x, 6.x
* Date: 2010-July-14
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple (Cross Site Scripting, Email Header Injection)
-------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS
----------------------------
Simple Gallery [1] for Drupal 6.x
This module creates a simple gallery using taxonomy and CCK imagefields.
The module is vulnerable to a Cross Site Scripting [2] (XSS) attack. This
can be exploited by users with the ability to add taxonomy terms or tag
content. *Solution:* Disable the module. There is no safe version of the
module to use.
OG Menu [3] for Drupal 6.x
Enables users to manage menus by Organic Groups. The module is vulnerable
to a Cross Site Scripting [4] (XSS) attack which can be exploited by
users with the "administer og menu" permission. *Solution:* Disable the
module. There is no safe version of the module to use.
Tell A Friend Node [5] for Drupal 6.x
This module provides a Tell A Friend node type for creating multiple tell
a friend pages on a site. The module is vulnerable to email header
injection attacks by spam bots and can be abused by any user with the
"access tellafriend nodes" permission. *Solution:* Disable the module.
There is no safe version of the module to use.
JsMath For Displaying Mathematics With TeX [6] for Drupal 5.x and 6.x
This module enables the jsMath script for displaying mathematical
expressions. The module is vulnerable to a Cross Site Scripting [7] (XSS)
attack. This vulnerability can only be exploited by users with the
"access administration pages" permission. *Solution:* Disable the module.
There is no safe version of the module to use.
Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.
-------- ONGOING MAINTENANCE OF THESE MODULES
--------------------------------
If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [8].
-------- REPORTED BY
---------------------------------------------------------
* Simple Gallery issue reported by Owen Barton [9] of the Drupal Security
Team
* OG Menu issue reported by Justin C. Klein Keane [10]
* Tell A Friend Node issue reported by James McDonald [11]
* JsMath For Displaying Mathematics With TeX issue reported by Kyle Small
[12]
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal [13] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/simplegallery
[2] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[3] http://drupal.org/project/og_menu
[4] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[5] http://drupal.org/project/tellafriend_node
[6] http://drupal.org/project/jsmath
[7] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[8] http://drupal.org/node/251466
[9] http://drupal.org/user/19668
[10] http://drupal.org/user/302225
[11] http://drupal.org/user/418221
[12] http://drupal.org/user/832278
[13] http://drupal.org/security-team