* Advisory ID: DRUPAL-SA-CONTRIB-2009-081
* Project: Abuse (third-party module)
* Version: 5.x, 6.x
* Date: 2009 October 21
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Abuse module enables users to flag nodes and comments as offensive,
bringing them to the attention of the site maintainer for review. The module
suffers from a cross-site scripting (XSS [1]) vulnerability. Such an attack
may lead to a malicious user gaining full administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Abuse 6.x prior to 6.x-1.1-alpha1
* Abuse 5.x prior to 5.x-2.1
Drupal core is not affected. If you do not use the contributed Abuse module,
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Abuse for Drupal 6.x upgrade to version 6.x-1.1-alpha1 [2]
* If you use Abuse for Drupal 5.x upgrade to version 5.x-2.1 [3]
-------- REPORTED BY ---------------------------------------------------------
* Reported by Mustafa ULU [4].
-------- FIXED BY ------------------------------------------------------------
* Fixed by Ashok Modi [5].
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/XSS
[2] http://drupal.org/node/610900
[3] http://drupal.org/node/610784
[4] http://drupal.org/user/207559
[5] http://drupal.org/user/60422
* Advisory ID: DRUPAL-SA-CONTRIB-2009-080
* Project: Simplenews Statistics (third-party module)
* Version: 6.x
* Date: 2009 October 21
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities (XSS, CSRF, Open Redirect)
-------- DESCRIPTION ---------------------------------------------------------
The Simplenews Statistics module provides newsletter statistics such as the
open rate and CTR (click-through rate). The module suffers from multiple
vulnerabilities, including cross-site request forgery (CSRF [1]), cross-site
scripting (XSS [2]) and an open redirect. These problems allow an attacker to
hijack the account of a logged-in user by tricking them into visiting a
seemingly innocent page.
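The two defensive patterns behind the CSRF and open-redirect fixes, shown as an added Drupal 6 example written for this digest; it is hypothetical "example" module code, not the Simplenews Statistics module's own code, and it assumes a hypothetical {example_link} table with the columns lid, nid, url and clicks and a hypothetical permission named "administer example statistics".

```php
<?php
// Added example: hypothetical "example" module code, not Simplenews Statistics.
// Assumes Drupal 6 and a hypothetical {example_link} table with the columns
// lid, nid, url and clicks.

/**
 * Implementation of hook_menu().
 */
function example_menu() {
  $items = array();

  // Click-through tracking. The destination is looked up by id from the
  // links stored when the newsletter was sent, so the request cannot carry an
  // arbitrary URL for the site to redirect to.
  $items['example/click/%'] = array(
    'page callback' => 'example_click',
    'page arguments' => array(2),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // A state-changing action reached through a plain link. Forms API forms
  // carry a token automatically; a GET link does not, so one is added here.
  $items['example/stats/reset/%'] = array(
    'page callback' => 'example_stats_reset',
    'page arguments' => array(3),
    'access arguments' => array('administer example statistics'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implementation of hook_perm().
 */
function example_perm() {
  return array('administer example statistics');
}

function example_click($lid) {
  $url = db_result(db_query("SELECT url FROM {example_link} WHERE lid = %d", $lid));
  // Accept only absolute http(s) destinations, even when they come from storage.
  if ($url === FALSE || !preg_match('@^https?://@i', $url)) {
    drupal_not_found();
    exit;
  }
  db_query("UPDATE {example_link} SET clicks = clicks + 1 WHERE lid = %d", $lid);
  drupal_goto($url);
}

/**
 * Builds the reset link. The token is bound to this action, this newsletter
 * and the current session, so a link embedded in a third-party page is
 * rejected when the victim's browser follows it.
 */
function example_stats_reset_link($nid) {
  $token = drupal_get_token('example-reset-' . $nid);
  return l(t('Reset statistics'), 'example/stats/reset/' . $nid, array('query' => array('token' => $token)));
}

function example_stats_reset($nid) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'example-reset-' . $nid)) {
    drupal_access_denied();
    exit;
  }
  db_query("UPDATE {example_link} SET clicks = 0 WHERE nid = %d", $nid);
  drupal_set_message(t('Statistics have been reset.'));
  drupal_goto('node/' . $nid);
}
```

The redirect callback never reads a destination from the query string; it resolves a stored link id, which removes the open-redirect surface entirely. The reset callback is additionally protected by the core permission check on the menu item, so the token guards against a logged-in administrator being tricked into following the link, not against anonymous access.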
-------- VERSIONS AFFECTED ---------------------------------------------------
* Simplenews Statistics 6.x prior to 6.x-2.0
Drupal core is not affected. If you do not use the contributed Simplenews
Statistics module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Simplenews Statistics for Drupal 6.x upgrade to version 6.x-2.0 [3]
-------- REPORTED BY ---------------------------------------------------------
* Open redirect vulnerability reported by John Pettitt
* XSS and CSRF vulnerability reported by Dylan Wilder-Tack [4]
-------- FIXED BY ------------------------------------------------------------
* Fixed by Sjoerd Arendsen [5].
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/XSS
[3] http://drupal.org/node/590098
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/310132
* Advisory ID: DRUPAL-SA-CONTRIB-2009-079
* Project: vCard module (third-party module)
* Version: 6.x, 5.x
* Date: 2009-October-21
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The vCard module adds a vCard download link to every user's profile. This
link makes it easy to add users from a Drupal site to a local address book.
When the theme_vcard() function is added to a theme and default content from
the vCard module is output, the site is vulnerable to a cross-site scripting
(XSS [1]) attack. Such an attack may lead to a malicious user gaining full
administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* vCard module versions 6.x prior to 6.x-1.3
* vCard module versions 5.x prior to 5.x-1.4
Drupal core is not affected. If you do not use the contributed vCard module,
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the vCard module for Drupal 6.x upgrade to vCard module 6.x-1.3 [2]
* If you use the vCard module for Drupal 5.x upgrade to vCard module 5.x-1.4 [3]
See also the vCard module project page [4].
-------- REPORTED BY ---------------------------------------------------------
John Morahan [5]
-------- FIXED BY ------------------------------------------------------------
sanduhrs [6], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/610420
[3] http://drupal.org/node/610416
[4] http://drupal.org/project/vCard
[5] http://drupal.org/user/58170
[6] http://drupal.org/user/28074
* Advisory ID: DRUPAL-SA-CONTRIB-2009-078
* Project: Moodle Course List module (third-party module)
* Version: 6.x
* Date: 2009-October-21
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Moodle Course List module provides a block which displays links to a
user's Moodle courses. In some cases the module does not properly sanitize
user input, leading to an SQL injection [1] vulnerability. Such an attack may
lead to a malicious user gaining full administrative access.
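The difference between input spliced into a query string and input passed through the Drupal 6 database layer's placeholders, as an added example written for this digest. This is hypothetical "example" module code, not the Moodle Course List module's code, and it assumes a hypothetical {example_course} table with the columns cid, uid and title.

```php
<?php
// Added example: hypothetical "example" module, not the Moodle Course List
// code. Assumes Drupal 6 and a hypothetical {example_course} table with the
// columns cid, uid and title.

/**
 * Vulnerable pattern: request data is concatenated into the SQL string.
 *
 * $uid arrives from the URL as a string; anything in it that is not an
 * integer becomes part of the statement and changes what the query does.
 */
function example_user_courses_insecure($uid) {
  $result = db_query("SELECT cid, title FROM {example_course} WHERE uid = " . $uid);
  $courses = array();
  while ($row = db_fetch_object($result)) {
    $courses[$row->cid] = $row->title;
  }
  return $courses;
}

/**
 * Hardened pattern: the database layer substitutes the placeholders.
 *
 * %d forces an integer and '%s' is escaped by the database layer, so the
 * value can only ever be data. The title is also run through check_plain()
 * before it reaches the block output, so a course name containing markup is
 * displayed literally rather than rendered.
 */
function example_user_courses($uid) {
  $result = db_query("SELECT cid, title FROM {example_course} WHERE uid = %d", $uid);
  $courses = array();
  while ($row = db_fetch_object($result)) {
    $courses[$row->cid] = check_plain($row->title);
  }
  return $courses;
}

/**
 * Implementation of hook_block(): shows the current user's courses.
 */
function example_block($op = 'list', $delta = 0, $edit = array()) {
  global $user;
  if ($op == 'list') {
    return array(0 => array('info' => t('Example course list')));
  }
  if ($op == 'view' && $user->uid) {
    $courses = example_user_courses($user->uid);
    return array(
      'subject' => t('My courses'),
      'content' => $courses ? theme('item_list', $courses) : t('No courses.'),
    );
  }
}
```

The block callback passes the authenticated user's own uid rather than a value from the request, which is the second half of the fix: even a correctly parameterised query should be fed identifiers the user is entitled to.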
-------- VERSIONS AFFECTED ---------------------------------------------------
* Moodle Course List module versions 6.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Moodle Course
List module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Moodle Course List module for Drupal 6.x upgrade to Moodle
Course List module 6.x-1.2 [2]
See also the Moodle Course List module project page [3].
-------- REPORTED BY ---------------------------------------------------------
Charlie Gordon [4]
-------- FIXED BY ------------------------------------------------------------
Adam Gerson [5], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/SQL_Injection
[2] http://drupal.org/node/569734
[3] http://drupal.org/project/moodle_courselist
[4] http://drupal.org/user/157412
[5] http://drupal.org/user/293615
* Advisory ID: DRUPAL-SA-CONTRIB-2009-077
* Project: Userpoints (third-party module)
* Version: 6.x
* Date: 2009-October-21
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Information disclosure
-------- DESCRIPTION ---------------------------------------------------------
The Userpoints module enables the users of a site to gain or lose points
based on their activity. There is a vulnerability in the module which allows
any user with the "View own userpoints" permission to view the userpoints
data of any user, not just their own.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Userpoints module versions 6.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Userpoints
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Userpoints module for Drupal 6.x upgrade to Userpoints
module 6.x-1.1 [1]
See also the Userpoints module project page [2].
-------- REPORTED BY ---------------------------------------------------------
mr.baileys [3].
-------- FIXED BY ------------------------------------------------------------
kbahey [4], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/610828
[2] http://drupal.org/project/userpoints
[3] http://drupal.org/user/383424
[4] http://drupal.org/user/4063
* Advisory ID: DRUPAL-SA-CONTRIB-2009-076
* Project: Flag Content (third-party module)
* Version: 5.x
* Date: 2009-October-21
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Flag Content module enables users to flag nodes and users for the
attention of a site maintainer (e.g. for abuse, spam, trolling, etc.). In
some specific cases, the module does not sanitize before outputting the
Reason field, resulting in a cross-site scripting (XSS [1]) vulnerability.
Such an attack may lead to a malicious user gaining full administrative
access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Flag Content 5.x-2.x prior to 5.x-2.10
Drupal core is not affected. If you do not use the contributed Flag Content
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Flag Content module for Drupal 5.x upgrade to Flag Content
5.x-2.10 [2]
-------- REPORTED BY ---------------------------------------------------------
patPrzybilla [3].
-------- FIXED BY ------------------------------------------------------------
kbahey [4], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/610870
[3] http://drupal.org/user/151965
[4] http://drupal.org/user/4063
* Advisory ID: DRUPAL-SA-CONTRIB-2009-075
* Project: Organic Groups Vocabulary (third-party module)
* Version: 5.x
* Date: 2009-October-21
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Organic Groups Vocabulary module enables an organic group to have a
group-specific vocabulary. In some specific cases, the module does not
sanitize before outputting the group title, resulting in a cross-site
scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious
user gaining full administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Organic Groups Vocabulary versions for Drupal 5.x before Organic Groups
Vocabulary 5.x-1.1 [2]
Drupal core is not affected. If you do not use the contributed Organic Groups
Vocabulary module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Organic Groups Vocabulary for Drupal 5.x upgrade to version
5.x-1.1 [3]
See also the Organic Groups Vocabulary module project page [4].
-------- REPORTED BY ---------------------------------------------------------
Stéphane Corlosquet [5] of the Drupal Security Team.
-------- FIXED BY ------------------------------------------------------------
Amitaibu [6], the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/605094
[3] http://drupal.org/node/605094
[4] http://drupal.org/project/og_vocab
[5] http://drupal.org/user/52142
[6] http://drupal.org/user/57511
* Advisory ID: DRUPAL-SA-CONTRIB-2009-074
* Project: Webform (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
.... Cross-site scripting
The Webform module enables the creation of custom forms for collecting data
from users. The Webform module does not properly escape field labels in
certain situations. A malicious user with permission to create webforms could
attempt a cross-site scripting (XSS [1]) attack against whoever views the
results, potentially gaining full administrative access.
.... Session data disclosure
The Webform module fails to prevent the page from being cached when a default
value uses token placeholders. This leads to disclosure of session variables
to anonymous users when caching is enabled.
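How a Drupal 6 module keeps a request out of the page cache once the page depends on per-visitor data, as an added example written for this digest. It is hypothetical "example" module code, not the Webform module's, and it assumes the contributed Token module's token_replace() and a hypothetical {example_contact} table with the columns uid, message and created.

```php
<?php
// Added example: hypothetical "example" module code, not the Webform module's.
// Assumes Drupal 6, the contributed Token module, and a hypothetical
// {example_contact} table with the columns uid, message and created.

/**
 * Form builder for a contact form whose default message is configured by the
 * administrator and may contain token placeholders such as [user-name].
 */
function example_contact_form(&$form_state) {
  global $user;
  $default = variable_get('example_contact_default', '');

  // Only expand placeholders if the setting contains any.
  if (preg_match('/\[[a-z0-9_:-]+\]/i', $default)) {
    // The expanded value now depends on the visitor's account or session.
    // Drupal 6 stores the whole page for anonymous visitors at the end of the
    // request when the "cache" variable is enabled; overriding it for this
    // request prevents one visitor's values being served to the next.
    $GLOBALS['conf']['cache'] = CACHE_DISABLED;
    $default = token_replace($default, 'user', $user);
  }

  $form['message'] = array(
    '#type' => 'textarea',
    '#title' => t('Message'),
    '#default_value' => $default,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Send'),
  );
  return $form;
}

/**
 * Submit handler: stores the submission with placeholders for all values.
 */
function example_contact_form_submit($form, &$form_state) {
  global $user;
  db_query("INSERT INTO {example_contact} (uid, message, created) VALUES (%d, '%s', %d)",
    $user->uid, $form_state['values']['message'], time());
  drupal_set_message(t('Thank you for your message.'));
}
```

The override is per request: the site's page cache setting is untouched for every other page, and the check is made at form build time, which is the point where the module first knows that the output will be visitor-specific.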
-------- VERSIONS AFFECTED ---------------------------------------------------
* Webform for Drupal 6.x prior to 6.x-2.8
* Webform for Drupal 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Webform
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8 [2]
* If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8 [3]
See also the Webform project page [4].
-------- REPORTED BY ---------------------------------------------------------
The XSS issue was reported by Justine Klein Keane [5]. The session disclosure
issue was reported by seattlehimay [6].
-------- FIXED BY ------------------------------------------------------------
The XSS issue was fixed by Greg Knaddison [7] of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug [8], the module
maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/604920
[3] http://drupal.org/node/604922
[4] http://drupal.org/project/webform
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/348366
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/35821
* Advisory ID: DRUPAL-SA-CONTRIB-2009-073
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Printer, e-mail and PDF versions [1] ("print") module provides
printer-friendly versions of content. When displaying the list of links in a
page, the module does not properly escape this data, leading to a cross-site
scripting (XSS [2]) vulnerability. In addition, the "Send by e-mail"
sub-module does not properly check for access permissions before displaying
the "Send to friend" form, and may display the page title for pages to which
the user does not have access (usually because they are unpublished or not
authorized for the user's role), even though the user is not actually allowed
to send them by e-mail.
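Access checks in Drupal 6 menu callbacks, as an added example written for this digest covering both the "Send to friend" access problem above and the Userpoints "View own userpoints" problem earlier in this digest. It is hypothetical "example" module code, not the print_mail or Userpoints code; it assumes Drupal 6, that example_mail_form() is the module's existing form builder for the send-to-friend form, a hypothetical {example_points} table with the columns uid and points, and hypothetical permission names.

```php
<?php
// Added example: hypothetical "example" module code, not the print_mail or
// Userpoints code. Assumes Drupal 6, an existing example_mail_form() form
// builder, and a hypothetical {example_points} table (columns uid, points).

/**
 * Implementation of hook_menu().
 */
function example_menu() {
  $items = array();

  // "Send to friend" for a node. The access callback must confirm that the
  // current user may view the node; otherwise the form, and with it the
  // title of an unpublished or restricted node, is shown to anyone who
  // requests the path with that node id.
  $items['example/mail/%node'] = array(
    'title' => 'Send to friend',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_mail_form', 2),
    'access callback' => 'example_mail_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );

  // Per-account points page. A "view own" permission has to be tied to the
  // account named in the URL, not merely to the visitor holding it.
  $items['user/%user/points'] = array(
    'title' => 'Points',
    'page callback' => 'example_points_page',
    'page arguments' => array(1),
    'access callback' => 'example_points_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Implementation of hook_perm().
 */
function example_perm() {
  return array('send content by e-mail', 'view own points', 'view any points');
}

function example_mail_access($node) {
  // node_access() applies publishing status, node access modules and the
  // "administer nodes" permission, so unpublished content stays hidden from
  // users who could not view it directly.
  return user_access('send content by e-mail') && node_access('view', $node);
}

function example_points_access($account) {
  global $user;
  if (user_access('view any points')) {
    return TRUE;
  }
  // "Own" means the logged-in user's account and no other.
  return $user->uid && $user->uid == $account->uid && user_access('view own points');
}

function example_points_page($account) {
  $points = (int) db_result(db_query("SELECT points FROM {example_points} WHERE uid = %d", $account->uid));
  return t('@name has @points points.', array('@name' => $account->name, '@points' => $points));
}
```

Both callbacks decide on the object the URL refers to (the loaded node or account), which is what a permission-only check misses: holding "view own points" says nothing about whose uid is in the path.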
-------- VERSIONS AFFECTED ---------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.9
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.9
Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
Printer, e-mail and PDF versions 6.x-1.9 [3]
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.9 [4]
Alternatively, disable the "Printer-friendly URLs list" in
'admin/settings/print/common' and disable the "Send by e-mail" ("print_mail")
module. See also the Printer, e-mail and PDF versions project page [5].
-------- REPORTED BY ---------------------------------------------------------
mcarbone [6]
-------- FIXED BY ------------------------------------------------------------
jcnventura [7], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/project/print
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/node/604806
[4] http://drupal.org/node/604804
[5] http://drupal.org/project/print
[6] http://drupal.org/user/68488
[7] http://drupal.org/user/122464
* Advisory ID: DRUPAL-SA-CONTRIB-2009-072
* Project: RealName (third-party module)
* Version: 6.x
* Date: 2009-October-14
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The RealName module allows the administrator to choose fields from the user
profile that will be used to add a "real name" element (method) to a user
object. In some specific cases, the module does not sanitize before
outputting the realname, resulting in a cross-site scripting (XSS [1])
vulnerability. Such an attack may lead to a malicious user gaining full
administrative access.
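The output-escaping rule that the cross-site scripting advisories in this digest (Abuse, Simplenews Statistics, vCard, Flag Content, Organic Groups Vocabulary, Webform, print and RealName) all come back to, as an added Drupal 6 example written for this digest. It is hypothetical "example" module code, not any of those modules' code; the theme function, the "reason" field and the realname property on the account object are assumptions.

```php
<?php
// Added example: hypothetical "example" module code, not the code of any
// module named in these advisories. Assumes Drupal 6 and that $account
// carries a realname property built from profile fields.

/**
 * Vulnerable theme function: values typed by users (a report reason, a
 * display name assembled from profile fields) are written straight into
 * the HTML, so any markup they contain is rendered in the reviewer's browser.
 */
function theme_example_report_insecure($reason, $account) {
  return '<div class="report">' . $reason . ' <span class="by">' . $account->realname . '</span></div>';
}

/**
 * Hardened theme function.
 *
 * Drupal stores user input unchanged and escapes it at output time:
 * - check_plain() encodes <, >, & and quotes, so a value is shown literally;
 * - filter_xss() keeps only an allowlist of harmless tags, for fields where
 *   limited markup is intended;
 * - theme('username') applies check_plain() to the account name itself.
 */
function theme_example_report($reason, $account) {
  $output  = '<div class="report">';
  $output .= filter_xss($reason, array('em', 'strong'));
  $output .= ' <span class="by">' . check_plain($account->realname) . '</span>';
  $output .= ' (' . theme('username', $account) . ')';
  $output .= '</div>';
  return $output;
}

/**
 * Implementation of hook_theme(): registers the function so that themes can
 * override it. An override has to keep the escaping above; moving output
 * into the theme layer does not move the responsibility for it.
 */
function example_theme() {
  return array(
    'example_report' => array('arguments' => array('reason' => NULL, 'account' => NULL)),
  );
}

/**
 * Form labels are not escaped by the Drupal 6 Forms API. A label taken from
 * stored, user-supplied configuration is therefore escaped when the element
 * is built.
 */
function example_report_form(&$form_state, $label) {
  $form['reason'] = array(
    '#type' => 'textfield',
    '#title' => check_plain($label),
    '#maxlength' => 255,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Report'));
  return $form;
}
```

The choice between check_plain() and filter_xss() depends on whether the field is meant to carry markup at all; for a reason field, a group title or a real name it normally is not, and check_plain() is the stricter default.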
-------- VERSIONS AFFECTED ---------------------------------------------------
* RealName 6.x-1.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed RealName
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use RealName for Drupal 6.x-1.x upgrade to RealName 6.x-1.3 [2]
See also the RealName module project page.
-------- REPORTED BY ---------------------------------------------------------
mr.baileys [3]
-------- FIXED BY ------------------------------------------------------------
NancyDru [4], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/603512
[3] http://drupal.org/user/383424
[4] http://drupal.org/user/101412