SA-CONTRIB-2009-084 - LDAP Integration - Multiple Vulnerabilities - Security-news

28 Oct 2009


      * Advisory ID: DRUPAL-SA-CONTRIB-2009-084
  * Project: LDAP Integration (third-party module)
  * Version: 6.x, 5.x
  * Date: 2009-October-28
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION  
---------------------------------------------------------
The LDAP Integration module enables users to authenticate against LDAP
servers. The module does not properly implement confirmation pages for the
LDAP server activation/deactivation which could lead to a Cross Site Request
Forgery (CSRF [1]) attack. The user defined server name is not properly
escaped on the administration pages making it vulnerable to a cross site
scripting (XSS [2]) attack. User LDAP data can be viewed by un-authorized
users, as it is not properly access controlled before being displayed on user
profile pages. Additionally some user management access rules were ignored
during the authentication process.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* LDAP Integration module versions for Drupal 6.x prior to LDAP Integration
    6.x-1.0-beta2 [3]
  * LDAP Integration module versions for Drupal 5.x prior to LDAP Integration
    5.x-1.5 [4]
  * LDAP Integration module versions for Drupal 4.7.x are now unsupported.
Drupal core is not affected. If you do not use the contributed LDAP
Integration [5] module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version.
  * If you use the LDAP Integration module for Drupal 6.x upgrade to LDAP
    Integration 6.x-1.0-beta2 [6]
  * If you use the LDAP Integration module for Drupal 5.x upgrade to LDAP
    Integration 5.x-1.5 [7]
  * If you use the LDAP Integration module for Drupal 4.7.x, disable the
    module.
-------- REPORTED BY  
---------------------------------------------------------
* The XSS vulnerability was reported by Jakub Suchy [8] of the Drupal
    Security Team.
  * The CSRF vulnerability was reported by Stéphane Corlosquet [9] of the
    Drupal Security Team.
  * The Access Bypass vulnerabilities were reported by Christian A. Reiter
    [10] and Matt Vance [11].
  * The User management access rules vulnerability was reported by Kevin
    Murphy [12].
-------- FIXED BY  
------------------------------------------------------------
* Miglius Alaburda [13], the module maintainer
-------- CONTACT  
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/en/Cross_Site_Request_Forgery
[2] http://en.wikipedia.org/en/Cross_Site_Scripting
[3] http://drupal.org/node/615898
[4] http://drupal.org/node/615900
[5] http://drupal.org/project/ldap_integration
[6] http://drupal.org/node/615898
[7] http://drupal.org/node/615900
[8] http://drupal.org/user/31977
[9] http://drupal.org/user/52142
[10] http://drupal.org/user/116783
[11] http://drupal.org/user/88338
[12] http://drupal.org/user/60619
[13] http://drupal.org/user/18741