* Advisory ID: DRUPAL-SA-CONTRIB-2009-044
* Project: Bubbletimer (third-party module)
* Version: 6.x
* Date: 2009-July-22
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
Bubbletimer allows users to create timesheets based on nodes. It suffers from a cross-site scripting [1] (XSS) vulnerability because node titles are not properly sanitized before they are displayed. It is also vulnerable to cross-site request forgery [2] (CSRF), making it possible for users to unknowingly add nodes to, or remove nodes from, their timesheets. Together, these vulnerabilities could lead to an attacker gaining administrator access. Additionally, the module does not respect node access restrictions when displaying node listings.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Bubbletimer for Drupal 6.x prior to Bubbletimer 6.x-1.5
Drupal core is not affected. If you do not use the contributed Bubbletimer module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version:
* If you use Bubbletimer for Drupal 6.x upgrade to Bubbletimer 6.x-1.5 [3]
See also the Bubbletimer project page [4].

-------- REPORTED BY ---------------------------------------------------------
* The CSRF issue was reported by Andrew Berry [5].
* The XSS issue was reported by Stéphane Corlosquet [6] of the Drupal Security Team.
* The access bypass issue was reported by John Morahan [7] of the Drupal Security Team.
-------- FIXED BY ------------------------------------------------------------
* Peter Arato [8], the Bubbletimer module maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/node/527372
[4] http://drupal.org/project/bubbletimer
[5] http://drupal.org/user/71291
[6] http://drupal.org/user/52142
[7] http://drupal.org/user/58170
[8] http://drupal.org/user/428960
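The three issue classes in the description (unescaped node titles, unprotected state-changing links, listings that ignore node access) map onto three standard Drupal 6 API patterns. The following is an added illustration, not Bubbletimer's own code; the `example_timesheet_*` function names, the `timesheet/add/%` path and the `{example_timesheet}` table are hypothetical.

```php
<?php
// Added example (not Bubbletimer's code): Drupal 6 patterns that close the
// three issue classes named in the advisory. Function, path and table names
// (example_timesheet_*, timesheet/add, {example_timesheet}) are hypothetical.

// 1. XSS: a node title is user-supplied text, so escape it on output.
function example_timesheet_row_title($node) {
  // Vulnerable form: return $node->title;   (raw markup reaches the page)
  return check_plain($node->title);
}

// 2. CSRF: a state-changing link must carry a token bound to the session
//    and the action, and the callback must validate it before acting.
function example_timesheet_add_link($nid) {
  $value = 'timesheet-add-' . $nid;
  return l(t('Add to timesheet'), 'timesheet/add/' . $nid,
    array('query' => 'token=' . drupal_get_token($value)));
}

function example_timesheet_add($nid) {
  global $user;
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'timesheet-add-' . $nid)) {
    drupal_access_denied();   // missing or forged token: change nothing
    return;
  }
  $node = node_load($nid);
  // 3a. Also check node access on the target node before storing it.
  if (!$node || !node_access('view', $node)) {
    drupal_access_denied();
    return;
  }
  db_query("INSERT INTO {example_timesheet} (uid, nid) VALUES (%d, %d)",
    $user->uid, $nid);
  drupal_goto('timesheet');
}

// 3b. Access bypass: wrap listing queries in db_rewrite_sql() so node access
//     modules can restrict the rows the current user is allowed to see.
function example_timesheet_nodes($uid) {
  $sql = "SELECT n.nid, n.title FROM {node} n
          INNER JOIN {example_timesheet} ts ON ts.nid = n.nid
          WHERE ts.uid = %d AND n.status = 1";
  $result = db_query(db_rewrite_sql($sql), $uid);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = check_plain($row->title);   // escape at the output boundary
  }
  return $rows;
}
```

The token check is the part that makes the add/remove links safe to expose as plain links; the `db_rewrite_sql()` wrapper is what lets node access modules filter the listing.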