SA-CONTRIB-2012-017 - Finder - Multiple vulnerabilities - Security-news

8 Feb 2012


      * Advisory ID: DRUPAL-SA-CONTRIB-2012-017
  * Project: Finder [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-February-08
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Arbitrary PHP code execution,
    Multiple vulnerabilities
-------- DESCRIPTION  
---------------------------------------------------------
Finder is a Drupal module that allows users to create faceted search forms.
The module's autocomplete, checkbox, and radio button functionalities
previously did not sanitize the output of fields and raw database values.
In addition, users with the "administer finder" permission were able to
execute arbitrary code through a PHP import interface; specific PHP execution
permissions were not required.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Finder 6.x-1.x prior to 6.x-1.26
  * Finder 7.x-1.x versions (all)
  * Finder 7.x-2.x versions prior to 7.x-2.0-alpha8
Drupal core is not affected. If you do not use the contributed Finder [3]
module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version:
* If you use the Finder module for Drupal 6.x, upgrade to Finder 6.x-1.26
    [4].
  * If you use the Finder module for Drupal 7.x, upgrade to Finder
    7.x-2.0-alpha8 [5].
See also the Finder [6] project page.
-------- REPORTED BY  
---------------------------------------------------------
* Justin C. Klein-Keane [7]
-------- FIXED BY  
------------------------------------------------------------
* Daniel Braksator [8] the module maintainer
-------- COORDINATED BY  
------------------------------------------------------
* Greg Knaddison [9] and Forest Monsen [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION  
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/finder
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/finder
[4] http://drupal.org/node/1432318
[5] http://drupal.org/node/1432320
[6] http://drupal.org/project/finder
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/134005
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/181798
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration