* Advisory ID: DRUPAL-SA-CONTRIB-2010-096
* Project: Domain access (third-party module)
* Version: 5.x, 6.x, 7.x
* Date: 2010-September-22
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-Site Scripting, Privilege Escalation
-------- DESCRIPTION ---------------------------------------------------------
The Domain Access module suite allows users to maintain content shared across multiple domains running from a single Drupal installation.

In several instances, the module does not sanitize the user-supplied domain name before displaying it, leading to a Cross-Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that a user must have the "administer domains" permission in order to create and edit domain names.

The Domain Configuration sub-module allows certain site information settings to be configured per domain. Users with the "administer domains" permission could change these settings, even if they lacked the permission to edit the settings on the primary domain.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Domain access module for Drupal 5.x versions prior to 5.x-1.15
* Domain access module for Drupal 6.x versions prior to 6.x.2.6
* Domain access module for Drupal 7.x versions prior to 7.x.2.4
Drupal core is not affected. If you do not use the contributed Domain access [2] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Install the latest version:

* If you use the Domain access module for Drupal 5.x upgrade to Domain access 5.x-1.15 [3]
* If you use the Domain access module for Drupal 6.x upgrade to Domain access 6.x.2.6 [4]
* If you use the Domain access module for Drupal 7.x upgrade to Domain access 7.x.2.4 [5]
See also the Domain access project page [6].

-------- REPORTED BY ---------------------------------------------------------
* Sam Oldak [7] (Cross-Site Scripting)
* brt [8] (Privilege escalation)
* Nirbhasa Magee [9] (Privilege escalation)
-------- FIXED BY ------------------------------------------------------------
* Sam Oldak [10]
* Ken Rickard [11], the module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [12] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
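The two defects described above, output of an unescaped domain name and a per-domain settings form reachable without the primary domain's permission, are illustrated below. This is an added example for this advisory, not code from the Domain Access module or its fix: the domain_* function names, the $domain record layout and the constructed accounts are hypothetical; check_plain(), user_access() and the "administer site configuration" permission are Drupal 6/7 core, and the two function_exists() fallbacks let the file run as plain PHP outside a Drupal bootstrap.

```php
<?php
// Added illustration for DRUPAL-SA-CONTRIB-2010-096, not module code. The
// domain_* functions and the $domain array shape are hypothetical.
// check_plain() and user_access() are Drupal 6/7 core functions; the
// fallbacks below reproduce their behaviour so this runs without Drupal.

if (!function_exists('check_plain')) {
  // Mirrors Drupal core: HTML-escape a string for safe output.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('user_access')) {
  // Stand-in for Drupal's permission check, driven by a constructed grant list.
  function user_access($permission, $account = NULL) {
    $granted = isset($account['perms']) ? $account['perms'] : array();
    return in_array($permission, $granted, TRUE);
  }
}

// Constructed sample: a domain record whose name carries markup, as a user
// holding "administer domains" could save it.
$domain = array(
  'domain_id' => 3,
  'sitename'  => 'Example subsite',
  'subdomain' => 'sub.example.test<script>alert(1)</script>',
);

// Before: the raw domain name goes straight into the page. The browser parses
// the embedded tag, so whoever can edit domain names can run script in the
// browser of any administrator who views this page.
function domain_label_unsafe($domain) {
  return '<h2>' . $domain['subdomain'] . '</h2>';
}

// After: the user-supplied value is escaped at output time, so the tag is
// rendered as literal text rather than executed.
function domain_label_safe($domain) {
  return '<h2>' . check_plain($domain['subdomain']) . '</h2>';
}

// Second issue: per-domain site settings must not be editable by users who
// could not edit the same settings on the primary domain. One way to express
// that is to require both permissions; "administer site configuration" is
// the core permission that guards the site information settings.
function domain_conf_settings_access($account) {
  return user_access('administer domains', $account)
      && user_access('administer site configuration', $account);
}

// Constructed accounts: one with only the module's permission, one with both.
$domain_admin = array('perms' => array('administer domains'));
$site_admin   = array('perms' => array('administer domains', 'administer site configuration'));

print domain_label_unsafe($domain) . "\n";
print domain_label_safe($domain) . "\n";
print (domain_conf_settings_access($domain_admin) ? 'allowed' : 'denied') . "\n";
print (domain_conf_settings_access($site_admin) ? 'allowed' : 'denied') . "\n";
```

The escaping belongs at output time rather than on save: a domain name stored verbatim is harmless until it is placed into HTML, and escaping on output covers every place the module prints it, which is what "in several instances" in the description points at.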
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/domain
[3] http://drupal.org/node/919890
[4] http://drupal.org/node/919896
[5] http://drupal.org/node/919900
[6] http://drupal.org/project/domain
[7] http://drupal.org/user/366337
[8] http://drupal.org/user/26752
[9] http://drupal.org/user/151770
[10] http://drupal.org/user/366337
[11] http://drupal.org/user/20975
[12] http://drupal.org/security-team