* Advisory ID: DRUPAL-SA-CONTRIB-2010-052
* Projects: Multiple third party modules - Privatemsg, Weather Underground, Tellafriend, Menu Block Split, osCommerce, Download Count, Comment Page, False Account Detector, User Queue
* Version: 5.x, 6.x
* Date: 2010-05-19
* Security risks: Critical
* Exploitable from: Remote
* Vulnerability: Multiple (Cross-site Request Forgery, Cross-site scripting, Email header injection, SQL Injection)
-------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ----------------------------
Private Message [1] versions for the 5.x versions of Drupal

The Privatemsg (also known as Private Message) module enables messages to be sent internally on a site. The module is vulnerable to cross-site request forgeries [2] (CSRF) via its message delete form. This would allow a malicious user to trick an admin into deleting arbitrary message content by directing them to the URL via a link, image src, etc., or to trick a user into deleting their own messages.

*Solution:* Disable the module or upgrade to the latest 6.x versions of Drupal core and the Private message module.

Weather Underground [3] 6.x-2.0

The Weather Underground module retrieves and displays weather information from Weather Underground (http://www.wunderground.com). The block subject can be configured on the wunderground settings page but is not sanitized before display, allowing for a cross site scripting [4] (XSS) attack that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that an attacker must have the "access administration pages" permission, which should generally only be granted to trusted roles.

*Solution:* Disable the module. There is no safe version of the module to use.

Tellafriend [5] version 6.x-2.10 and 5.x-2.7

The Tellafriend module enables site visitors to send e-mails about the site to their contacts via a form. The module is vulnerable to email header injection and could be exploited to send spam.

*Solution:* Disable the module. There is no safe version of the module to use.

Menu Block Split [6] version 6.x-2.1 and 5.x-2.1

The Menu Block Split module enables any menu block to be split into two different blocks: a first block with the first level menu entries only, and a second block with any second level and sub level menu entries.
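Two of the weaknesses above (an administrator-configured block subject printed without escaping, and user-supplied values copied into e-mail headers) have the same fix in a Drupal 6 module: escape at output with check_plain(), and reject line breaks before a value reaches a header. The code below is an added illustration written for this page, not code from Weather Underground, Tellafriend or any other module named in the advisory; the module name example_safe, the variable name example_safe_subject and the form field names are assumed.

```php
<?php
// Added example (not code from any module in this advisory). The module
// name "example_safe" and the variable/field names are hypothetical.

/**
 * Implementation of hook_block().
 *
 * The Drupal 6 block template prints $block->subject as-is, so a module
 * that lets an administrator type the subject must sanitize it itself.
 */
function example_safe_block($op = 'list', $delta = 0, $edit = array()) {
  switch ($op) {
    case 'list':
      return array(0 => array('info' => t('Example safe block')));

    case 'configure':
      $form['example_safe_subject'] = array(
        '#type' => 'textfield',
        '#title' => t('Block title'),
        '#default_value' => variable_get('example_safe_subject', t('Example')),
      );
      return $form;

    case 'save':
      // Store the raw value; escaping happens once, at output time.
      variable_set('example_safe_subject', $edit['example_safe_subject']);
      return;

    case 'view':
      // Weak pattern described in the advisory: the stored subject returned
      // unescaped, so any markup saved on the settings page renders as HTML:
      //   'subject' => variable_get('example_safe_subject', t('Example')),
      // Hardened: escape on output.
      return array(
        'subject' => check_plain(variable_get('example_safe_subject', t('Example'))),
        'content' => t('Block body'),
      );
  }
}

/**
 * TRUE when $value can safely be placed on a single e-mail header line.
 *
 * Mail headers are separated by CR/LF; a line break inside a sender name or
 * address lets the submitter append headers of their own choosing.
 */
function example_safe_header_value_is_clean($value) {
  return strpbrk($value, "\r\n") === FALSE;
}

/**
 * Validation handler for a tell-a-friend style form (field names assumed).
 */
function example_safe_tellafriend_form_validate($form, &$form_state) {
  $v = $form_state['values'];
  foreach (array('sender_name', 'sender_email', 'recipient_email') as $field) {
    if (!example_safe_header_value_is_clean($v[$field])) {
      form_set_error($field, t('Line breaks are not allowed in this field.'));
    }
  }
  foreach (array('sender_email', 'recipient_email') as $field) {
    if (!valid_email_address($v[$field])) {
      form_set_error($field, t('Please enter a valid e-mail address.'));
    }
  }
}
```

The validation handler runs before the submit handler that would call drupal_mail(), so a submission containing a line break never reaches the mail layer; valid_email_address() is a Drupal core function and check_plain() is the escaping function core itself uses for plain-text block titles.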
The block subject can be configured on the Menu Block Split settings page, but is not sanitized before display, allowing for a cross site scripting [7] (XSS) attack that may lead to a malicious user gaining full administrative access.

*Solution:* Disable the module. There is no safe version of the module to use.

osCommerce [8] version 6.x-1.0

The osCommerce module provides a front end to the osCommerce application. The module's 'Title for manufacturers block' configuration field is not sanitized before display, allowing for a cross site scripting [9] (XSS) attack that may lead to a malicious user gaining full administrative access.

*Solution:* Disable the module. There is no safe version of the module to use.

download_count [10] version 6.x-1.3 and 5.x-1.0

The download_count module increments a download counter each time an attached file is successfully downloaded. This module is vulnerable to a cross site scripting [11] (XSS) attack that may lead to a malicious user gaining full administrative access.

*Solution:* Disable the module. There is no safe version of the module to use.

Comment Page [12] version 6.x-1.1 and 5.x-1.1

The Comment Page module displays each comment on its own page, with an optional thread review that links to other comments in a comment thread. The module does not properly sanitize some content before outputting it, exposing multiple cross site scripting [13] (XSS) vulnerabilities and allowing malicious users with the permission "post comments" to inject scripts. Additionally, Comment Page incorrectly uses drupal_access_denied (not stopping the flow after calling this function) and uses a non-existing permission ("admin comments") as the access argument to its administration page.

*Solution:* Disable the module. There is no safe version of the module to use.
False Account Detector [14] versions for the 5.x and 6.x versions of Drupal

The False Account Detector module helps administrators to find out which users have more than one account on a Drupal system and can block them from creating new accounts. The module does not properly sanitize received cookies, exposing multiple cross site scripting [15] (XSS) and SQL Injection vulnerabilities and allowing malicious authenticated users to block other user accounts.

*Solution:* Disable the module. There is no safe version of the module to use.

User Queue [16] version 6.x-1.0

The Userqueue module enables site builders to create a queue (or list) of users on a site. The module is vulnerable to CSRF, which would allow a malicious user to trick a site builder into deleting a user from a queue.

*Solution:* Disable the module. There is no safe version of the module to use.

Drupal core is not affected. If you do not use any of the module releases above there is nothing you need to do.

-------- ONGOING MAINTENANCE OF THESE MODULES --------------------------------
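The CSRF issues in Privatemsg and User Queue, and the two access-control mistakes noted for Comment Page (a permission that is never declared, and drupal_access_denied() called without returning), all come down to how a Drupal 6 delete path is wired up. The following is an added example written for this page, not the code of any module named above; the module name example_queue, its permission string, its table and its paths are assumed.

```php
<?php
// Added example (not code from Privatemsg, User Queue or Comment Page).
// Module name "example_queue", the table {example_queue}, the permission
// string and the admin paths are hypothetical.

/**
 * Implementation of hook_perm().
 *
 * Any permission named in 'access arguments' must be declared here. An
 * undeclared permission cannot be granted to any role, so the page it
 * guards is unreachable for everyone, including administrators.
 */
function example_queue_perm() {
  return array('administer example queue');
}

/**
 * Implementation of hook_menu().
 */
function example_queue_menu() {
  $items['admin/build/example-queue/remove/%user'] = array(
    'title' => 'Remove user from queue',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_queue_remove_confirm', 4),
    'access arguments' => array('administer example queue'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Confirmation form for removing a user from the queue.
 *
 * The CSRF pattern from the advisory is a page callback that deletes as soon
 * as the path is requested, so a link or image src pointing at it is enough.
 * confirm_form() renders a form carrying Drupal's per-session form token;
 * the deletion happens only in the submit handler, which runs after the
 * form API has verified that token.
 */
function example_queue_remove_confirm(&$form_state, $account) {
  $form['uid'] = array('#type' => 'value', '#value' => $account->uid);
  return confirm_form($form,
    t('Remove %name from the queue?', array('%name' => $account->name)),
    'admin/build/example-queue',
    t('This action cannot be undone.'),
    t('Remove'), t('Cancel'));
}

function example_queue_remove_confirm_submit($form, &$form_state) {
  // %d placeholder instead of string interpolation: the value is cast to an
  // integer by db_query(), so it cannot alter the statement.
  db_query("DELETE FROM {example_queue} WHERE uid = %d", $form_state['values']['uid']);
  drupal_set_message(t('The user has been removed from the queue.'));
  $form_state['redirect'] = 'admin/build/example-queue';
}

/**
 * Page callback that performs its own access check.
 *
 * drupal_access_denied() only sets the 403 status and prints the access
 * denied page; it does not end the request. The callback must therefore
 * return immediately after calling it, otherwise the rest of the function
 * still runs (and may still output content) for an unauthorized user.
 */
function example_queue_list_page() {
  if (!user_access('administer example queue')) {
    drupal_access_denied();
    return;
  }
  $rows = array();
  $result = db_query("SELECT u.uid, u.name FROM {example_queue} q INNER JOIN {users} u ON u.uid = q.uid ORDER BY u.name");
  while ($row = db_fetch_object($result)) {
    $rows[] = array(check_plain($row->name),
      l(t('Remove'), 'admin/build/example-queue/remove/' . $row->uid));
  }
  return theme('table', array(t('User'), t('Operations')), $rows);
}
```

Declaring the permission in hook_menu's 'access arguments' is preferable to checking inside the callback, because the menu system then never invokes the callback at all; the in-callback check is shown only because the advisory describes a module that took that route and forgot the return.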
If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process [17].

-------- REPORTED BY ---------------------------------------------------------
Peter Wolanin [18] of the Drupal Security Team
John Morahan [19] of the Drupal Security Team
Dylan Tack [20] of the Drupal Security Team
Kieran Lal [21] of the Drupal Security Team
Ivo Van Geertruyen [22] of the Drupal Security Team
Martin Barbella [23]
Brandon Bergren [24]
George Gongadze [25]

-------- CONTACT -------------------------------------------------------------
The security team for Drupal [26] can be reached at security at drupal.org or via the form at http://drupal.org/contact. Read more about the Security Team and Security Advisories at http://drupal.org/security.
[1] http://drupal.org/project/privatemsg
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/project/wunderground
[4] http://en.wikipedia.org/wiki/Cross-site_scripting
[5] http://drupal.org/project/tellafriend
[6] http://drupal.org/project/menu_block_split
[7] http://en.wikipedia.org/wiki/Cross-site_scripting
[8] http://drupal.org/project/oscommerce
[9] http://en.wikipedia.org/wiki/Cross-site_scripting
[10] http://drupal.org/project/download_count
[11] http://en.wikipedia.org/wiki/Cross-site_scripting
[12] http://drupal.org/project/comment_page
[13] http://en.wikipedia.org/wiki/Cross-site_scripting
[14] http://drupal.org/project/false_account
[15] http://en.wikipedia.org/wiki/Cross-site_scripting
[16] http://drupal.org/project/userqueue
[17] http://drupal.org/node/251466
[18] http://drupal.org/user/49851
[19] http://drupal.org/user/58170
[20] http://drupal.org/user/96647
[21] http://drupal.org/user/18703
[22] http://drupal.org/user/383424
[23] http://drupal.org/user/633600
[24] http://drupal.org/user/53081
[25] http://drupal.org/user/322910
[26] http://drupal.org/security-team