[Security-news] SA-CONTRIB-2009-054 - Go - url redirects - Multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Aug 26 19:25:50 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-054
  * Project: Go - url redirects (third-party module)
  * Versions: 5.x, 6.x
  * Date: 2009 August 26
  * Security risk: Highly Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Go - url redirects (gotwo) module adds the option to add redirected URLs.
This module was found to have multiple vulnerabilities.

.... Arbitrary PHP code execution

Due to improper use of the PCRE regular expression engine, users with
permission to use the input filter provided by the module are able to execute
arbitrary PHP code on the server.
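The advisory does not name the PCRE construct involved. The example below is added here and is not the gotwo module's code; it assumes the classic case, a text filter that expands tokens with preg_replace() and the `e` modifier, and shows the callback-based form that removes the code-execution path. The `[go:name]` token syntax, the alias map and the function names are invented for the illustration.

```php
<?php
// Added illustration, not code from the gotwo module. The [go:name] filter
// syntax and the alias map below are constructed for this example.

// Constructed sample data: alias => destination URL.
$aliases = array(
  'home' => 'http://example.com/',
  'docs' => 'http://example.com/docs',
);

// ASSUMED vulnerable pattern (the advisory does not confirm this is what the
// module did). With the /e modifier preg_replace() evaluates the replacement
// string as PHP after substituting the back-reference, so user-supplied
// filter text is interpolated into code. PHP 5.5 deprecated /e and PHP 7
// removed it for exactly this reason; this function is shown for contrast.
function unsafe_expand($text) {
  return preg_replace('/\[go:([^\]]+)\]/e', 'resolve_alias("$1")', $text);
}

// Hardened form: preg_replace_callback() never evaluates text as code. The
// match is handed to a PHP function, the alias is restricted to a strict
// character class, unknown aliases are left untouched, and the destination is
// HTML-escaped before it is emitted. Requires PHP 5.3+ for the closure.
function safe_expand($text, array $aliases) {
  return preg_replace_callback(
    '/\[go:([a-z0-9_-]+)\]/i',
    function ($m) use ($aliases) {
      $name = strtolower($m[1]);
      if (!isset($aliases[$name])) {
        return $m[0]; // unknown alias: leave the token as typed
      }
      $url = htmlspecialchars($aliases[$name], ENT_QUOTES, 'UTF-8');
      return '<a href="' . $url . '">' . $url . '</a>';
    },
    $text
  );
}

// Usage on constructed input.
echo safe_expand('Visit [go:home] or [go:docs]; [go:unknown] stays.', $aliases), "\n";
```

The point of the hardened form is structural rather than a matter of escaping: with a callback there is no string that PHP could interpret as code, so the filter's behaviour no longer depends on how carefully the matched text is quoted.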

.... Cross-site scripting (XSS)

User-supplied text is displayed in several places without being properly
filtered, allowing malicious users to inject arbitrary HTML and script code.
Such a cross-site scripting [1] (XSS) attack may lead to a malicious user
gaining full administrative access.

.... Access bypass and cross-site request forgery

Due to coding errors, users may be able to add redirects or reset redirect
counters without having permission to do so.
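The XSS and access-bypass/CSRF classes above are the ones Drupal's own APIs are built to prevent. The Drupal 6 module fragment below is an added example, not the gotwo module's code: the module name `example_redirect`, its permission string, table and column names are invented here. It shows the three habits the advisory's findings call for: declare a permission and attach it to every path in hook_menu(), pass every stored value through check_plain() (or l(), which escapes its text) before it reaches HTML, and route state changes such as a counter reset through a Form API confirmation form, which carries Drupal's per-user form token and so is not forgeable by a plain GET link.

```php
<?php
// Added example, not code from the gotwo module. Module, permission, table and
// column names are constructed for this illustration.

/**
 * Implementation of hook_perm(): the permission that gates redirect changes.
 */
function example_redirect_perm() {
  return array('administer example redirects');
}

/**
 * Implementation of hook_menu(): every path that reads or changes redirect
 * data declares an access check, which the menu system enforces before the
 * page callback runs.
 */
function example_redirect_menu() {
  $items['admin/build/example-redirect'] = array(
    'title' => 'Redirects',
    'page callback' => 'example_redirect_list',
    'access arguments' => array('administer example redirects'),
  );
  $items['admin/build/example-redirect/%/reset'] = array(
    'title' => 'Reset counter',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_redirect_reset_form', 3),
    'access arguments' => array('administer example redirects'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * List page: user-supplied alias and destination are escaped with
 * check_plain(); l() escapes its link text; the counter is cast to int.
 */
function example_redirect_list() {
  $rows = array();
  $result = db_query('SELECT rid, alias, destination, count FROM {example_redirect}');
  while ($r = db_fetch_object($result)) {
    $rows[] = array(
      check_plain($r->alias),
      check_plain($r->destination),
      (int) $r->count,
      l(t('Reset'), 'admin/build/example-redirect/' . (int) $r->rid . '/reset'),
    );
  }
  $header = array(t('Alias'), t('Destination'), t('Hits'), t('Operations'));
  return theme('table', $header, $rows);
}

/**
 * The reset is a confirmation form, not a GET link that acts immediately.
 * Form API adds a per-user token and validates it, so a forged request from
 * another site cannot trigger the submit handler. %rid is escaped by t().
 */
function example_redirect_reset_form(&$form_state, $rid) {
  $form['rid'] = array('#type' => 'value', '#value' => (int) $rid);
  return confirm_form(
    $form,
    t('Reset the hit counter for redirect %rid?', array('%rid' => (int) $rid)),
    'admin/build/example-redirect',
    t('This action cannot be undone.'),
    t('Reset'),
    t('Cancel')
  );
}

/**
 * The only place the counter is changed: reached solely via a validated
 * form submission by a user who passed the menu access check.
 */
function example_redirect_reset_form_submit($form, &$form_state) {
  db_query('UPDATE {example_redirect} SET count = 0 WHERE rid = %d',
    $form_state['values']['rid']);
  drupal_set_message(t('Counter reset.'));
  $form_state['redirect'] = 'admin/build/example-redirect';
}
```

When reviewing a Drupal 6 module for this class of bug, the quick checks are: every hook_menu() item has `access arguments` or `access callback`; no page callback performs an UPDATE/DELETE on a GET request; and every value that originated in user input is wrapped in check_plain(), filter_xss() or t() placeholders before it is concatenated into HTML.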

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Versions of "Go - url redirects" for Drupal 5.x prior to 5.x-1.4
  * Versions of "Go - url redirects" for Drupal 6.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed "Go - url
redirects" module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use "Go - url redirects" for Drupal 5.x upgrade to Go - url
    redirects 5.x-1.4 [2]
  * If you use "Go - url redirects" for Drupal 6.x upgrade to Go - url
    redirects 6.x-1.1 [3]

See also the Go - url redirects project page [4].

-------- REPORTED BY ---------------------------------------------------------

  * John Morahan [5] of the Drupal security team
  * Alexander Hass [6], co-maintainer of the gotwo module

-------- FIXED BY ------------------------------------------------------------

Alexander Hass [7]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/560336
[3] http://drupal.org/node/560332
[4] http://drupal.org/project/gotwo
[5] http://drupal.org/user/58170
[6] http://drupal.org/user/85918
[7] http://drupal.org/user/85918
