* Advisory ID: DRUPAL-SA-CORE-2010-001
* Project: Drupal core
* Version: 5.x, 6.x
* Date: 2010-March-03
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Installation cross site scripting
A user-supplied value is directly output during installation allowing a
malicious user to craft a URL and perform a cross-site scripting attack. The
exploit can only be conducted on sites not yet installed. This issue affects
Drupal 6.x only.
.... Open redirection
The API function drupal_goto() is susceptible to a phishing attack. An
attacker could formulate a redirect in a way that gets the Drupal site to
send the user to an arbitrarily provided URL. No user submitted data will be
sent to that URL. This issue affects Drupal 5.x and 6.x.
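One way to keep a user-supplied redirect target on the local site, as an added example that is not Drupal's own drupal_goto() code: SITE_HOST is a constructed hostname, and the function returns only a site-local path (or a default) no matter how the destination parameter is written.

```python
"""Keep a user-supplied redirect target on the local site.

Added example, not Drupal's own drupal_goto() code. SITE_HOST is a constructed
value standing in for the site's own hostname.
"""
from urllib.parse import unquote, urlsplit, urlunsplit

SITE_HOST = "example.org"   # constructed: the hostname this site is served from


def local_destination(dest, default=""):
    """Return a site-local path built from `dest`, or `default` if `dest`
    could take the browser anywhere other than this site.

    Only the path, query and fragment are ever used to build the result, so
    the returned value is always relative to the site's own base URL.
    """
    if not dest:
        return default
    dest = unquote(dest)                      # decode once, as the server would
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in dest):
        return default                        # CR/LF have no place in a Location
    dest = dest.replace("\\", "/")            # browsers treat "\" like "/" here
    try:
        parts = urlsplit(dest)
    except ValueError:                        # e.g. a malformed IPv6 host
        return default
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                        # javascript:, data:, ...
    if parts.netloc and parts.hostname != SITE_HOST:
        return default                        # absolute or //host form, off-site
    path = "/" + parts.path.lstrip("/")       # one leading slash, never "//host"
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```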
.... Locale module cross site scripting
Locale module and dependent contributed modules do not properly sanitize
language codes and native and English language names when displaying them.
While these usually come from a preselected list, arbitrary administrator
input is allowed. This vulnerability is mitigated by the fact that the
attacker must have a role with the 'administer languages' permission. This
issue affects Drupal 5.x and 6.x.
.... Blocked user session regeneration
Under certain circumstances, a user with an open session that is blocked can
maintain his/her session on the Drupal site, despite being blocked. This
issue affects Drupal 5.x and 6.x.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 6.x before version 6.16.
* Drupal 5.x before version 5.22.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 6.x then upgrade to Drupal 6.16 [1].
* If you are running Drupal 5.x then upgrade to Drupal 5.22 [2].
Drupal 5 will no longer be maintained when Drupal 7 is released [3].
Upgrading to Drupal 6 [4] is recommended. If you are unable to upgrade
immediately, you can apply a patch to secure your installation until you are
able to do a proper upgrade. These patches fix the security vulnerabilities,
but do not contain other fixes which were released in Drupal 6.16 or Drupal
5.22.
* To patch Drupal 6.15 use SA-CORE-2010-001-6.15.patch [5].
* To patch Drupal 5.21 use SA-CORE-2010-001-5.21.patch [6].
-------- REPORTED BY
---------------------------------------------------------
The installation cross site scripting issue was reported by David Rothstein
[7] (*). The open redirection was reported by Martin Barbella [8]. The locale
module cross site scripting was reported by Justin Klein Keane [9]. The
blocked user session regeneration issue was reported by Craig A. Hancock
[10]. (*) Member of the Drupal security team.
-------- FIXED BY
------------------------------------------------------------
The installation cross site scripting issue was fixed by Heine Deelstra [11].
The open redirection was fixed by Gerhard Killesreiter [12] and Heine
Deelstra [13]. The locale module cross site scripting was fixed by Stéphane
Corlosquet [14], Peter Wolanin [15], Heine Deelstra [16] and Neil Drumm [17].
The blocked user session regeneration issue was fixed by Gerhard Killesreiter
[18]. All the fixes were done by members of the Drupal security team.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://ftp.drupal.org/files/projects/drupal-6.16.tar.gz
[2] http://ftp.drupal.org/files/projects/drupal-5.22.tar.gz
[3] http://drupal.org/node/725382
[4] http://drupal.org/upgrade
[5] http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-6.15.patch
[6] http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-5.21.patch
[7] http://drupal.org/user/124982
[8] http://drupal.org/user/633600
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/62850
[11] http://drupal.org/user/17943
[12] http://drupal.org/user/227
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/52142
[15] http://drupal.org/user/49851
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/3064
[18] http://drupal.org/user/227
* Advisory ID: DRUPAL-SA-CONTRIB-2010-024
* Project: eTracker (third-party module)
* Version: 6.x-1.1
* Date: 2010-March-03
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The eTracker module provides integration of a Drupal site with the eTracker
web traffic analysis service and takes the current URL as a parameter to
track what pages have been visited. The URL from the browser is forwarded to
JavaScript in the current page, and because the URL wasn't sanitised, it
could have allowed cross-site scripting attacks by appending malicious code
to the URL.
-------- VERSIONS AFFECTED
---------------------------------------------------
* eTracker prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed eTracker
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use eTracker for Drupal 6.x upgrade to eTracker 6.x-1.2 [1]
See also the eTracker project page [2].
-------- REPORTED BY
---------------------------------------------------------
* Andreas Harder
-------- FIXED BY
------------------------------------------------------------
* Jürgen Haas (jurgenhaas [3]), the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/731018
[2] http://drupal.org/project/eTracker
[3] http://drupal.org/user/168924
* Advisory ID: DRUPAL-SA-CONTRIB-2010-023
* Project: Workflow (third-party module)
* Version: 6.x, 5.x
* Date: 2010-March-03
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
When used in combination with the Token module, the Workflow module does not
escape the text entered into the Comment field of the workflow fieldset on
the node form. This allows a user with the permission to change the workflow
state of a node to perform a Cross Site Scripting (XSS [1]) attack if a
workflow has been assigned to that content type and the option to "Show a
comment field in the workflow section of the editing form" or "Show a comment
field in the workflow section of the workflow tab form" is checked in the
workflow settings. Both are checked by default.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Workflow 6.x-1.x prior to 6.x-1.4 [2]
* Workflow 5.x-2.x prior to 5.x-2.6 [3]
Drupal core is not affected. If you do not use the contributed Workflow
module and the contributed Token module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Workflow 6.x-1.x, upgrade to Workflow 6.x-1.4 [4]
* If you use Workflow 5.x-2.x, upgrade to Workflow 5.x-2.6 [5]
See also the Workflow project page [6].
-------- REPORTED BY
---------------------------------------------------------
* George Cassie (gcassie [7])
-------- FIXED BY
------------------------------------------------------------
* John VanDyk (jvandyk [8]), module maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/731648
[3] http://drupal.org/node/731644
[4] http://drupal.org/node/731648
[5] http://drupal.org/node/731644
[6] http://drupal.org/project/workflow
[7] http://drupal.org/user/80260
[8] http://drupal.org/user/2375
* Advisory ID: DRUPAL-SA-CONTRIB-2010-022
* Project: Internationalization (third-party module)
* Version: 6.x-1.x, 5.x-2.x
* Date: 2010-March-03
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION
---------------------------------------------------------
The Internationalization module enables translation of user defined strings
using Drupal's locale interface. Some of these user defined strings have
Input formats associated with them. As translators can translate texts before
they go through the Input filters, using some filters like the PHP filter for
such strings allows translators to add arbitrary PHP code as part of the
translated string, which will be executed by the filters. Other filters
besides PHP filter may be dangerous too and as a general rule translators
shouldn't be allowed to translate text with Input filters they're not allowed
to use.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Internationalization 6.x-1.x prior to 6.x-1.3 [1]
* Internationalization 5.x-2.x prior to 5.x-2.6 [2]
Drupal core is not affected. If you do not use the contributed
Internationalization module, there is nothing you need to do. Also if you are
not using Internationalization's 'String translation' (i18nstrings) module
together with 'Views translation' (i18nviews) or 'Block translation'
(i18nblocks) you don't need to update, though it is advisable to run the
latest version.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Internationalization for Drupal 6.x upgrade to
  Internationalization 6.x-1.3 [3] and follow these steps:
  * Visit the /Administer > Site configuration > Languages > Configure >
    String translation/ page.
  * Check the Input formats that are safe for translators and the Safe text
    groups if you are using other contributed modules that rely on
    Internationalization's String translation features.
    Note: Checking all of them will cause the module to work as previous
    versions did, overriding all security checks, which may be useful if you
    are not using dangerous Input filters or translators are trusted users.
  * Go to /Administer > Site building > Translate interface > Refresh/ and
    refresh strings for all the text groups. This will remove dangerous
    texts from the translation system. They cannot be translated anymore.
* If you use Internationalization for Drupal 5.x upgrade to
  Internationalization 5.x-2.6 [4]. The new version will just drop the
  'Views translation' feature. There are no plans to update this feature to
  work safely with Internationalization 5.x.
See also the Internationalization project page [5].
-------- REPORTED BY
---------------------------------------------------------
* sinasquax [6]
* Antonio Ospite [7]
-------- FIXED BY
------------------------------------------------------------
* Jose Reyero [8], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/731590
[2] http://drupal.org/node/731586
[3] http://drupal.org/node/731590
[4] http://drupal.org/node/731586
[5] http://drupal.org/project/i18n
[6] http://drupal.org/user/460020
[7] http://drupal.org/user/234884
[8] http://drupal.org/user/4299
* Advisory ID: DRUPAL-SA-CONTRIB-2010-021
* Project: AddThis Button (third-party module)
* Version: 6.x, 5.x
* Date: 2010-March-03
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The AddThis module provides an easy way to share content to over 230
supported services such as Facebook, Email and Twitter. The module did not
sanitize some user-supplied data before displaying it, leading to a Cross
Site Scripting (XSS [1]) vulnerability. Only users with the 'administer
addthis' permission were able to exploit this vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* AddThis Button module prior to 6.x-2.9 [2]
* AddThis Button module prior to 5.x-2.2 [3]
Drupal core is not affected. If you do not use the contributed AddThis Button
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use AddThis Button for Drupal 6.x upgrade to AddThis Button 6.x-2.9
[4].
* If you use AddThis Button for Drupal 5.x upgrade to AddThis Button 5.x-2.2
[5].
See also the AddThis Button project page [6].
-------- REPORTED BY
---------------------------------------------------------
* Vesa Palmu (wesku [7]), the module maintainer
* Dave Hansen-Lange (dalin [8])
-------- FIXED BY
------------------------------------------------------------
* Vesa Palmu (wesku [9]), the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/731576
[3] http://drupal.org/node/731578
[4] http://drupal.org/node/731576
[5] http://drupal.org/node/731578
[6] http://drupal.org/project/addthis
[7] http://drupal.org/user/75070
[8] http://drupal.org/user/18981
[9] http://drupal.org/user/75070
* Advisory ID: DRUPAL-SA-CONTRIB-2010-020
* Project: Facebook-style Statuses (Microblog) (third-party module)
* Version: 6.x-2.x
* Date: 2010-February-24
* Security risk: Not Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Facebook-style Statuses (Microblog) module enables each user to have a
stream of messages ("statuses") like on Facebook. Users can update their own
status as well as write messages to other users by visiting the other user's
profile. When a user updates his own status and then updates it again within
the next 10 seconds, the module assumes that the first was a mistake, and
overwrites the older status with the newer one. However, a bug allowed one
user's message to overwrite a second user's status if posted within 10
seconds of the second user having updated her status.
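The overwrite rule described above, modelled as an added example that is not the module's own code: the Status and StatusStore types and the user ids are constructed, and the store can run with either the buggy time-only check or the corrected ownership check so the two behaviours can be compared.

```python
"""Model of the 'overwrite a status posted within 10 seconds' rule.

Added example, not the module's own code; Status, StatusStore and the user
ids are constructed to show the buggy check beside the corrected one.
"""
from dataclasses import dataclass, field

OVERWRITE_WINDOW = 10  # seconds; a second update this soon replaces the first


@dataclass
class Status:
    sender: int      # uid of the user who wrote the message
    recipient: int   # uid of the user whose stream it appears in
    message: str
    created: float   # unix timestamp


@dataclass
class StatusStore:
    fixed: bool
    statuses: list = field(default_factory=list)

    def latest_in_stream(self, recipient):
        stream = [s for s in self.statuses if s.recipient == recipient]
        return max(stream, key=lambda s: s.created, default=None)

    def _may_overwrite(self, last, sender, recipient, now):
        if last is None or now - last.created > OVERWRITE_WINDOW:
            return False
        if not self.fixed:
            # Bug: only the time is checked, so anyone writing to this stream
            # within the window replaces whatever was there.
            return True
        # Fix: only a user correcting their *own* status may replace the
        # previous one, and only if that previous one was also their own.
        return sender == recipient and last.sender == sender

    def post(self, sender, recipient, message, now):
        last = self.latest_in_stream(recipient)
        if self._may_overwrite(last, sender, recipient, now):
            last.message, last.created = message, now
            return last
        status = Status(sender, recipient, message, now)
        self.statuses.append(status)
        return status


def scenario(fixed):
    """Alice (uid 1) updates her status; Bob (uid 2) writes on her profile
    five seconds later. Return the messages then in Alice's stream."""
    store = StatusStore(fixed=fixed)
    store.post(1, 1, "Alice: having lunch", now=100.0)
    store.post(2, 1, "Bob: hi Alice!", now=105.0)
    return [s.message for s in store.statuses if s.recipient == 1]
```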
-------- VERSIONS AFFECTED
---------------------------------------------------
* Facebook-style Statuses (Microblog) 6.x-2.x prior to 6.x-2.1
Drupal core is not affected. If you do not use the contributed Facebook-style
Statuses (Microblog) module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Facebook-style Statuses (Microblog) for Drupal 6.x upgrade to
Facebook-style Statuses (Microblog) 6.x-2.1 [1]
See also the Facebook-style Statuses (Microblog) project page [2].
-------- REPORTED BY
---------------------------------------------------------
* Hiroaki [3]
-------- FIXED BY
------------------------------------------------------------
* Isaac Sukin (IceCreamYou [4]), the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/724806
[2] http://drupal.org/project/facebook_status
[3] http://drupal.org/user/709086
[4] http://drupal.org/user/201425
* Advisory ID: DRUPAL-SA-CONTRIB-2010-019
* Project: Weekly Archive by Node Type (third-party module)
* Version: 6.x-2.x
* Date: 2010-February-24
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
The Weekly Archive by Node Type module generates weekly archive pages and a
block with links to the pages. You can specify the node types that will be
included in the archive pages. In weekly summary listings, the Weekly
Archive by Node Type module does not construct its SQL query to respect node
access restrictions, so users can see listings of nodes which are restricted
by a node access module and which should not be accessible to them.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Weekly Archive by Node Type module for Drupal 6.x versions prior to
6.x-2.7
Drupal core is not affected. If you do not use the contributed Weekly Archive
by Node Type [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Weekly Archive by Node Type module for Drupal 6.x upgrade
to Weekly Archive by Node Type 6.x-2.7 [2]
-------- REPORTED BY
---------------------------------------------------------
* Aron Hsiao.
-------- FIXED BY
------------------------------------------------------------
* Prometheus6 [3], the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/week
[2] http://drupal.org/node/723776
[3] http://drupal.org/user/10137
* Advisory ID: DRUPAL-SA-CONTRIB-2010-018
* Project: Content Distribution (third-party module)
* Version: 6.x
* Date: 2010-February-17
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple Vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The Content Distribution module allows calling a method that deletes
particular nodes via an XML-RPC call. When anonymous users are granted
permission to call this method, an attacker might delete a random node. In
addition, certain actions require Content Distribution to temporarily switch
users. This is done without properly disabling session saving.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Content Distribution prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Content
Distribution module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Content Distribution for Drupal 6.x upgrade to Content
Distribution 6.x-1.3 [1].
See also the Content Distribution project page [2].
-------- REPORTED BY
---------------------------------------------------------
* Joachim Noreiko (joachim [3]), the module co-maintainer.
-------- FIXED BY
------------------------------------------------------------
* Joachim Noreiko (joachim [4]), the module co-maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/716400
[2] http://drupal.org/project/content_distribution
[3] http://drupal.org/user/107701
[4] http://drupal.org/user/107701
* Advisory ID: DRUPAL-SA-CONTRIB-2010-017
* Project: iTweak Upload (third-party module)
* Version: 6.x
* Date: 2010-February-17
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
iTweak Upload does not escape file names when displaying uploaded files. This
allows a malicious user with the permission to create content and upload
files to perform a Cross Site Scripting [1] (XSS) attack.
-------- VERSIONS AFFECTED
---------------------------------------------------
* iTweak Upload 6.x-2.x prior to 6.x-2.3
* iTweak Upload 6.x-1.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed iTweak Upload
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use iTweak Upload 6.x-1.x, upgrade to iTweak Upload 6.x-1.2 [2]
* If you use iTweak Upload 6.x-2.x, upgrade to iTweak Upload 6.x-2.3 [3]
See also the iTweak Upload project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Mark Piper
-------- FIXED BY
------------------------------------------------------------
* Ilya Ivanchenko [5], the iTweak Upload module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/711072
[3] http://drupal.org/node/711074
[4] http://drupal.org/project/itweak_upload
[5] http://drupal.org/user/87708
* Advisory ID: DRUPAL-SA-CONTRIB-2010-016
* Project: Graphviz Filter (third-party module)
* Version: 6.x, 5.x
* Date: 2010-February-10
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION
---------------------------------------------------------
Graphviz Filter does not properly filter user input passed via the @command
option in the node body, leading to a possible arbitrary shell command
execution [1] vulnerability. This vulnerability allows a remote attacker with
the ability to create content using a Graphviz input filter to execute
arbitrary shell commands on the affected system.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Graphviz 6.x-1.x prior to 6.x-1.6
* Graphviz 5.x-1.x prior to 5.x-1.3
Drupal core is not affected. If you do not use the contributed Graphviz
Filter module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Graphviz Filter 6.x-1.x, upgrade to Graphviz Filter 6.x-1.6
[2].
* If you use Graphviz Filter 5.x-1.x, upgrade to Graphviz Filter 5.x-1.3
[3].
See also the Graphviz Filter project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Clemens Tolboom [5].
-------- FIXED BY
------------------------------------------------------------
* Karim Ratib [6], the Graphviz Filter module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Arbitrary_code_execution
[2] http://drupal.org/node/710798
[3] http://drupal.org/node/710804
[4] http://drupal.org/project/graphviz_filter
[5] http://drupal.org/user/125814
[6] http://drupal.org/user/48424