* Advisory ID: DRUPAL-SA-CONTRIB-2010-063
* Project: Studio theme pack (third-party theme)
* Version: 6.x
* Date: 2010-June-16
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Studio theme pack is a set of themes for use as a base in creating a new
theme. The Canvas-theme, part of Studio theme pack and used as base theme for
the Workspace and Paint themes, also included in Studio theme pack, does not
sanitize some of the user-supplied data before displaying it, leading to a
Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious
user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Studio theme pack Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Studio theme
pack [2] theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Studio theme pack theme for Drupal 6.x upgrade to Studio
theme pack 6.x-1.2 [3]
See also the Studio theme pack project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Pelle Wessman
-------- FIXED BY
------------------------------------------------------------
* Al Steffen (Zarabadoo [5]), theme maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/studio
[3] http://drupal.org/node/829292
[4] http://drupal.org/project/studio
[5] http://drupal.org/user/103935
[6] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-062
* Project: Ogone | Ubercart payment (third-party module)
* Version: 5.x, 6.x
* Date: 2010-June-16
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
Ogone | Ubercart payment is a payment module for Ubercart that integrates
Ogone PSP gateway as a checkout method for Ubercart. The module does not
always correctly verify the order status returned by the Ogone gateway,
potentially allowing unpaid orders to be processed.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Ogone | Ubercart payment module for Drupal 5.x versions prior to 5.x-1.6
* Ogone | Ubercart payment module for Drupal 6.x versions prior to 6.x-1.5
Drupal core is not affected. If you do not use the contributed Ogone |
Ubercart payment [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ogone | Ubercart payment module for Drupal 5.x upgrade to
Ogone | Ubercart payment 5.x-1.6 [2]
* If you use the Ogone | Ubercart payment module for Drupal 6.x upgrade to
Ogone | Ubercart payment 6.x-1.5 [3]
See also the Ogone | Ubercart payment project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Arjean [5]
-------- FIXED BY
------------------------------------------------------------
* Kees Kodde (kees@qrios [6]), module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [7] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/uc_ogone
[2] http://drupal.org/node/828320
[3] http://drupal.org/node/828318
[4] http://drupal.org/project/uc_ogone
[5] http://drupal.org/user/331955
[6] http://drupal.org/user/48715
[7] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-061
* Project: AddonChat (third-party module)
* Version: 6.x-1.x
* Date: 2010-May-26
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Multiple (Privilege Escalation, Cross-site scripting)
-------- DESCRIPTION
---------------------------------------------------------
The AddonChat module provides Drupal integration with the AddonChat Java chat
room.
Due to unsafe handling of the global $user object, failed authentication at
the custom addonchat_auth.php script will log in an attacker as the chosen
user.
Additionally, several configuration variables are not escaped correctly,
leading to a cross-site scripting vulnerability. Users with "access
administration pages" permission could add arbitrary HTML and JavaScript to
pages.
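The privilege escalation above is the classic Drupal mistake of overwriting the global $user object during a credential check. As an added illustration (not AddonChat's own code), the unsafe pattern is shown beside a version that keeps the check in a local variable; the script layout and the parameter names are assumptions, while the Drupal 6 API calls are real.

```php
<?php
// Added illustration; not AddonChat's code. Script layout and parameter
// names are assumptions. Assumes a Drupal 6 site root as working directory.
require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

/**
 * UNSAFE: the named account is loaded straight into the global session user
 * before the password is checked. On a wrong password this returns FALSE, but
 * $user still holds the chosen account, and Drupal's session handler writes
 * whatever $user contains at the end of the request into the session table.
 */
function unsafe_check($name, $pass) {
  global $user;
  $user = user_load(array('name' => $name, 'status' => 1));
  if ($user && $user->pass == md5($pass)) {
    return TRUE;
  }
  // The browser that sent this request is now logged in as $name anyway.
  return FALSE;
}

/**
 * SAFE: the credential check only ever touches a local variable, so a failed
 * attempt cannot change who the current session belongs to. In Drupal 6,
 * user_load() with a 'pass' key matches the stored md5 hash itself.
 */
function safe_check($name, $pass) {
  $account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1));
  return (bool) $account;
}

$name = isset($_POST['name']) ? $_POST['name'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
print safe_check($name, $pass) ? 'OK' : 'FAIL';
```

The point of the contrast is that a stand-alone check script should never need `global $user` at all; only Drupal's own login path should change the session owner.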
-------- VERSIONS AFFECTED
---------------------------------------------------
* AddonChat module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed AddonChat [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the AddonChat module for Drupal 6.x upgrade to AddonChat
6.x-1.2 [2]
-------- REPORTED BY
---------------------------------------------------------
* Jonathan Hedstrom [3]
* Dylan Tack [4] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jonathan Hedstrom [5] and Chris Duerr [6], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [7].
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/addonchat
[2] http://drupal.org/node/810260
[3] http://drupal.org/user/208732
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/208732
[6] http://drupal.org/user/602324
[7] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-060
* Project: Scheduler (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-26
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Scheduler allows nodes to be published and unpublished on specified dates.
Scheduler does not sanitize titles for unpublished nodes on the scheduled
nodes overview list, leading to a Cross Site Scripting (XSS [1])
vulnerability that may lead to a malicious user gaining full administrative
access. The risk is mitigated by the fact that an attacker must succeed in a)
creating a node that is b) scheduled (requires "schedule (un)publishing of
nodes" permission) and c) unpublished.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Scheduler module for Drupal 5.x versions prior to 5.x-1-19
* Scheduler module for Drupal 6.x versions prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Scheduler [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Scheduler module for Drupal 5.x upgrade to Scheduler
5.x-1-19 [3]
* If you use the Scheduler module for Drupal 6.x upgrade to Scheduler
6.x-1.7 [4]
See also the Scheduler project page [5].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [6] of the Drupal security team
-------- FIXED BY
------------------------------------------------------------
* Eric Schaefer [7], module maintainer
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/scheduler
[3] http://drupal.org/node/809136
[4] http://drupal.org/node/809134
[5] http://drupal.org/project/scheduler
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/20786
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-059
* Project: Panels (third-party module)
* Versions: 6.x
* Date: 2010 May 19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution
The Panels module allows a site administrator to create customized layouts
for multiple uses. The "Mini panels" module, included with panels, was found
to have an arbitrary PHP code execution vulnerability. Users with the 'create
mini panels' permission could execute arbitrary PHP code on the server via
the import functionality. An additional check for the permission 'use PHP for
block visibility' has been added to ensure that the site administrator has
already granted users of the import functionality the permission to execute
PHP.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Versions of Panels for Drupal 6.x prior to 6.x-3.4
Drupal core is not affected. If you do not use the contributed Panels module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Panels for Drupal 6.x upgrade to Panels 6.x-3.4 [1]
-------- REPORTED BY
---------------------------------------------------------
Sam Boyer [2], co-maintainer of the Panels module.
-------- FIXED BY
------------------------------------------------------------
Sam Boyer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/803916
[2] http://drupal.org/user/146719
* Advisory ID: DRUPAL-SA-CONTRIB-2010-058
* Project: Chaos tool suite (third-party module)
* Versions: 6.x
* Date: 2010 May 19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
The Chaos tool suite (ctools) is primarily a set of APIs and tools to improve
the developer experience. This module was found to have multiple
vulnerabilities.
-------- CROSS SITE SCRIPTING (XSS)
------------------------------------------
The module did not properly sanitize node titles under certain circumstances,
resulting in multiple cross-site scripting [1] vulnerabilities which could
lead to a malicious user gaining full administrative access.
-------- CROSS-SITE REQUEST FORGERY
------------------------------------------
The module did not use the form API or tokens to protect certain
administrative actions, allowing an attacker to trick an administrator into
unintentionally enabling or disabling pages (cross-site request forgery [2]).
-------- ARBITRARY PHP CODE EXECUTION
----------------------------------------
Users with the 'administer page manager' permission could execute arbitrary
PHP code on the server via the import functionality. An additional check for
the permission 'use PHP for block visibility' has been added to ensure that
the site administrator has already granted users of the import functionality
the permission to execute PHP.
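The Panels advisory above and this ctools section describe the same mitigation: the import path, which evaluates PHP, is gated on the permission the site administrator already uses to grant PHP execution. As an added illustration (not Panels' or ctools' own code), this is how a Drupal 6 module requires both permissions on such a page; the module name `example_import` and its function names are assumptions.

```php
<?php
// Added illustration of the mitigation described in the advisories; not code
// from Panels or ctools. Module name "example_import" and the function names
// are assumptions; the permissions and API calls are Drupal 6's.

/**
 * Implementation of hook_menu().
 *
 * The default access callback, user_access(), checks a single permission,
 * so requiring a second one needs a custom access callback.
 */
function example_import_menu() {
  $items['admin/build/example/import'] = array(
    'title' => 'Import',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_import_form'),
    'access callback' => 'example_import_access',
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Access callback: importing evaluates PHP, so the caller must also hold the
 * permission that already means "may execute PHP on this site".
 */
function example_import_access() {
  return user_access('create mini panels')
    && user_access('use PHP for block visibility');
}

/**
 * Import form: a textarea holding an exported object as PHP source.
 */
function example_import_form() {
  $form['code'] = array(
    '#type' => 'textarea',
    '#title' => t('Export code'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Import'));
  return $form;
}

/**
 * Submit handler: repeat the check at the point of evaluation, so the gate
 * does not rely on the menu router alone.
 */
function example_import_form_submit($form, &$form_state) {
  if (!user_access('use PHP for block visibility')) {
    drupal_set_message(t('You are not permitted to import PHP code.'), 'error');
    return;
  }
  $item = NULL;
  ob_start();
  eval($form_state['values']['code']);  // export code is expected to set $item
  ob_end_clean();
  if (!is_object($item)) {
    drupal_set_message(t('Unable to parse the export code.'), 'error');
    return;
  }
  drupal_set_message(t('Imported %name.', array('%name' => $item->name)));
}
```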
-------- ACCESS BYPASS
-------------------------------------------------------
Users with 'access content' permission were able to view the titles of
unpublished nodes under certain circumstances.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Versions of "Chaos tool suite" for Drupal 6.x prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed "Chaos tool
suite" module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use "Chaos tool suite" for Drupal 6.x upgrade to Chaos tool suite
6.x-1.4 [3]
-------- REPORTED BY
---------------------------------------------------------
The cross-site scripting issue was reported by Martin Barbella [4]. The
cross-site request forgery, arbitrary PHP code execution, and access bypass
issues were reported by Justin Klein Keane [5].
-------- FIXED BY
------------------------------------------------------------
The cross-site scripting issue was fixed by Earl Miles [6]. The cross-site
request forgery, arbitrary PHP code execution, and access bypass issues were
fixed by Sam Boyer [7].
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/node/803912
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/26979
[7] http://drupal.org/user/146719
* Advisory ID: DRUPAL-SA-CONTRIB-2010-057
* Project: Rotor Banner (third-party module)
* Versions: 6.x-2.x, 5.x-1.x
* Date: 2010-March-27
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Rotor Banner module allows users to upload images which can then be
displayed in a block and rotated through using jQuery. However, when these
images are displayed, the values for the various image attributes (src,
title, alt) are not properly sanitized, leading to a cross site scripting [1]
(XSS) vulnerability. XSS vulnerabilities may expose site administrative
accounts, which could lead to a variety of additional compromises. This
vulnerability is mitigated by the fact that an attacker must have the "create
rotor item" or "edit any rotor item" permissions, which should generally only
be granted to trusted roles.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Rotor Banner module for Drupal 5.x versions prior to 5.x-1.8, and for
Drupal 6.x versions prior to 6.x-2.5.
Drupal core is not affected. If you do not use the contributed Rotor Banner
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the Rotor Banner module for Drupal 6.x-2.x upgrade to Rotor
Banner 6.x-2.5
* If you use the Rotor Banner module for Drupal 5.x-1.x upgrade to Rotor
Banner 5.x-1.8
-------- REPORTED BY
---------------------------------------------------------
* Martin Barbella (http://drupal.org/user/633600)
-------- FIXED BY
------------------------------------------------------------
* mrfelton, the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
* Advisory ID: DRUPAL-SA-CONTRIB-2010-056
* Project: User Queue (third-party module)
* Versions: 6.x
* Date: 2010-May-19
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The User Queue module allows you to create multiple queues, add users to
them, and order the users within the queue. The module is vulnerable to
cross-site request forgeries (CSRF [1]) via the URL used to delete users from
the queue. A user with "administer user queues" permission could be
manipulated into requesting this URL and removing any user from the queue.
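Both the ctools CSRF issue above and the User Queue issue here come down to a state-changing URL that carries no token. As an added illustration (not User Queue's or ctools' own code), this is how a Drupal 6 module binds such a link to a per-session token and refuses the callback without it; the module name `example_queue`, its table name and its function names are assumptions.

```php
<?php
// Added illustration of token-protecting a state-changing link in Drupal 6;
// not code from User Queue or ctools. Module, table and function names are
// assumptions; the API calls are Drupal 6's.

/**
 * Implementation of hook_menu().
 */
function example_queue_menu() {
  $items['admin/user/example-queue/%/remove/%user'] = array(
    'title' => 'Remove user from queue',
    'page callback' => 'example_queue_remove',
    'page arguments' => array(3, 5),
    'access arguments' => array('administer user queues'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Build the removal link. The token is bound to the exact path, so a token
 * issued for one queue/user pair is not valid for another.
 */
function example_queue_remove_link($qid, $account) {
  $path = "admin/user/example-queue/$qid/remove/$account->uid";
  return l(t('remove'), $path, array(
    'query' => 'token=' . drupal_get_token($path),
  ));
}

/**
 * Menu callback. drupal_valid_token() recomputes the token from the current
 * session id, the path and the site's private key; a request forged from
 * another site cannot know that value, so it is refused before any change.
 */
function example_queue_remove($qid, $account) {
  $path = "admin/user/example-queue/$qid/remove/$account->uid";
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    drupal_access_denied();
    return;
  }
  db_query("DELETE FROM {example_queue_users} WHERE qid = %d AND uid = %d",
    $qid, $account->uid);
  drupal_set_message(t('%name was removed from the queue.',
    array('%name' => $account->name)));
  drupal_goto("admin/user/example-queue/$qid");
}
```

The other route the ctools advisory mentions is to send the action through a confirmation form built with confirm_form(), since every Form API form carries its own token.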
-------- VERSIONS AFFECTED
---------------------------------------------------
* User Queue module for Drupal 6.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed User Queue
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version.
* If you use the User Queue module for Drupal 6.x upgrade to User Queue
6.x-1.1 [2]
See also the User Queue project page [3].
-------- REPORTED BY
---------------------------------------------------------
* George Gongadze [4]
-------- FIXED BY
------------------------------------------------------------
* Matt Johnson [5], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [6].
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/803842
[3] http://drupal.org/project/userqueue
[4] http://drupal.org/user/322910
[5] http://drupal.org/user/169600
[6] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2010-055
* Project: Simplenews (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Simplenews publishes and sends email newsletters to lists of subscribers,
with both anonymous and authenticated users being able to opt in to mailing
lists. The user subscription form does not use the correct access permission,
resulting in any user with the permission 'subscribe to newsletters' being
able to edit other users' subscriptions.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Simplenews module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Simplenews [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Simplenews module for Drupal 6.x upgrade to Simplenews
6.x-1.2 [2]
-------- REPORTED BY
---------------------------------------------------------
* rpk [3]
* Opengl [4]
* Miro Dietiker [5]
-------- FIXED BY
------------------------------------------------------------
* Erik Stielstra [6], module maintainer
* Miro Dietiker [7]
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal [8] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/project/simplenews
[2] http://drupal.org/node/803254
[3] http://drupal.org/user/254717
[4] http://drupal.org/user/474706
[5] http://drupal.org/user/227761
[6] http://drupal.org/user/73854
[7] http://drupal.org/user/227761
[8] http://drupal.org/security-team
* Advisory ID: DRUPAL-SA-CONTRIB-2010-054
* Project: Storm (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting (XSS)
-------- DESCRIPTION
---------------------------------------------------------
The Storm project provides a group of modules for project management and
billing. The module displays data entered by users without sanitising it,
allowing for a cross site scripting [1] (XSS) attack that may lead to a
malicious user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Storm project for Drupal 5.x (all versions). This branch is unsupported
and has not been fixed. It is recommended not to use Storm for Drupal 5.x.
* Storm project for Drupal 6.x versions prior to 6.x-1.33
Drupal core is not affected. If you do not use the contributed Storm module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* If you use the Storm module for Drupal 5.x, uninstall this module
* If you use the Storm module for Drupal 6.x, upgrade to Storm 6.x-1.33 [2]
-------- REPORTED BY
---------------------------------------------------------
Disclosed outside the Drupal Security Team process. [3]
-------- FIXED BY
------------------------------------------------------------
* juliangb [4], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal [5] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://ftp.drupal.org/files/projects/storm-6.x-1.33.tar.gz
[3] http://drupal.org/security-team#report-issue
[4] http://drupal.org/user/719472
[5] http://drupal.org/security-team