* Advisory ID: DRUPAL-SA-CONTRIB-2009-084
* Project: LDAP Integration (third-party module)
* Version: 6.x, 5.x
* Date: 2009-October-28
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The LDAP Integration module enables users to authenticate against LDAP servers. The module does not properly implement confirmation pages for LDAP server activation/deactivation, which could lead to a Cross Site Request Forgery (CSRF [1]) attack. The user-defined server name is not properly escaped on the administration pages, making it vulnerable to a cross site scripting (XSS [2]) attack. User LDAP data can be viewed by unauthorized users, as it is not properly access controlled before being displayed on user profile pages. Additionally, some user management access rules were ignored during the authentication process.
-------- VERSIONS AFFECTED ---------------------------------------------------
* LDAP Integration module versions for Drupal 6.x prior to LDAP Integration 6.x-1.0-beta2 [3]
* LDAP Integration module versions for Drupal 5.x prior to LDAP Integration 5.x-1.5 [4]
* LDAP Integration module versions for Drupal 4.7.x are now unsupported.
Drupal core is not affected. If you do not use the contributed LDAP Integration [5] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use the LDAP Integration module for Drupal 6.x, upgrade to LDAP Integration 6.x-1.0-beta2 [6]
* If you use the LDAP Integration module for Drupal 5.x, upgrade to LDAP Integration 5.x-1.5 [7]
* If you use the LDAP Integration module for Drupal 4.7.x, disable the module.
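The two coding patterns behind the CSRF and XSS issues described above, shown in Drupal 6 API terms as an added example (this is not the LDAP Integration module's own code; the paths, function names and variable_* storage are hypothetical stand-ins):

```php
<?php
// Added example, not the LDAP Integration module's own code. Paths, function
// names and the variable_* storage are hypothetical stand-ins.

/**
 * Implementation of hook_menu(): the activation link is a confirmation form,
 * not a plain GET callback, so the state change needs a Form API token (POST).
 */
function example_ldap_menu() {
  $items['admin/settings/example-ldap/%/activate'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_ldap_activate_confirm', 3),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// CSRF-prone pattern the advisory describes: a GET request that changes state,
// with no confirmation page and therefore no form token protecting it.
function example_ldap_activate_unsafe($sid) {
  variable_set('example_ldap_active_' . $sid, TRUE);
  drupal_goto('admin/settings/example-ldap');
}

// Fixed pattern: confirm_form() renders a confirmation page whose submit button
// carries form_token; Form API rejects submissions without a valid token.
function example_ldap_activate_confirm(&$form_state, $sid) {
  $name = variable_get('example_ldap_name_' . $sid, '');
  $form['sid'] = array('#type' => 'value', '#value' => $sid);
  return confirm_form($form,
    // @name runs the user-defined server name through check_plain(); the
    // raw !name placeholder is the unescaped pattern the advisory describes.
    t('Are you sure you want to activate LDAP server @name?', array('@name' => $name)),
    'admin/settings/example-ldap', NULL, t('Activate'), t('Cancel'));
}

function example_ldap_activate_confirm_submit($form, &$form_state) {
  variable_set('example_ldap_active_' . $form_state['values']['sid'], TRUE);
  drupal_set_message(t('LDAP server activated.'));
  $form_state['redirect'] = 'admin/settings/example-ldap';
}

// Access check before exposing LDAP data on a profile page: only the account
// owner or an administrator may see it (the missing check is the access bypass).
function example_ldap_profile_visible($account) {
  global $user;
  return $user->uid == $account->uid || user_access('administer users');
}
```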
-------- REPORTED BY ---------------------------------------------------------
* The XSS vulnerability was reported by Jakub Suchy [8] of the Drupal Security Team.
* The CSRF vulnerability was reported by Stéphane Corlosquet [9] of the Drupal Security Team.
* The Access Bypass vulnerabilities were reported by Christian A. Reiter [10] and Matt Vance [11].
* The User management access rules vulnerability was reported by Kevin Murphy [12].
-------- FIXED BY ------------------------------------------------------------
* Miglius Alaburda [13], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/en/Cross_Site_Request_Forgery
[2] http://en.wikipedia.org/en/Cross_Site_Scripting
[3] http://drupal.org/node/615898
[4] http://drupal.org/node/615900
[5] http://drupal.org/project/ldap_integration
[6] http://drupal.org/node/615898
[7] http://drupal.org/node/615900
[8] http://drupal.org/user/31977
[9] http://drupal.org/user/52142
[10] http://drupal.org/user/116783
[11] http://drupal.org/user/88338
[12] http://drupal.org/user/60619
[13] http://drupal.org/user/18741