* Advisory ID: DRUPAL-SA-CONTRIB-2012-006 * Projects: SuperCron [1], Taxotouch [2], Taxonomy Navigator [3], Admin:hover [4] (third-party modules) * Version: 6.x, 7.x * Date: 2012-January-11 * Security risk: Critical [5] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------

SuperCron [6] is a complete replacement for Drupal's built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with "access administration pages" permission.

Taxotouch [7] helps you navigate taxonomy. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.

Taxonomy Navigator [8]shows terms from a vocabulary. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.

Admin:hover [9] allows admins to easily publish/unpublish nodes. The module is vulnerable to Cross Site Request Forgeries which would allow an attacker to trick an admin into executing enabled actions such as unpublishing all nodes.

-------- VERSIONS AFFECTED ---------------------------------------------------

All versions of all four modules are affected by vulnerabilities.

Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Users of these modules are encouraged to disable the modules and search for similar alternatives. Users of the module who wish to take over maintainership should post patches to the issue queue to fix the security issues and request maintenance following the Abandoned project process [10]

-------- REPORTED BY ---------------------------------------------------------

* The Supercron issue was prematurely disclosed publicly outside of the security issue reporting process [11] * Admin:hover issue reported by Ivo Van Geertruyen [12] of the Drupal Security Team * Taxotouch issue reported by Dylan Tack [13] of the Drupal Security Team * Taxonomy Navigator issue reported by Dylan Tack [14] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

No fixes created.

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18].

[1] http://drupal.org/project/supercron [2] http://drupal.org/project/taxotouch [3] http://drupal.org/project/taxonomy_navigator [4] http://drupal.org/project/admin_hover [5] http://drupal.org/security-team/risk-levels [6] http://drupal.org/project/supercron [7] http://drupal.org/project/taxotouch [8] http://drupal.org/project/taxonomy_navigator [9] http://drupal.org/project/admin_hover [10] http://drupal.org/node/251466 [11] http://drupal.org/node/101494 [12] http://drupal.org/user/383424 [13] http://drupal.org/user/96647 [14] http://drupal.org/user/96647 [15] http://drupal.org/contact [16] http://drupal.org/security-team [17] http://drupal.org/writing-secure-code [18] http://drupal.org/security/secure-configuration