[Security-news] SA-CONTRIB-2009-040 - Advanced Forum - Multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Jul 1 21:25:53 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-040
  * Project: Advanced Forum (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-July-1
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

.... Cross-site scripting

The Advanced Forum module does not correctly handle certain arguments
obtained from the URL. By enticing a suitably privileged user to visit a
specially crafted URL, a malicious user is able to insert arbitrary HTML and
script code into forum pages. Such a cross-site scripting attack may lead to
the malicious user gaining administrative access. Wikipedia has more
information about cross-site scripting (XSS). This issue affects both
Advanced Forum for Drupal 5.x and Advanced Forum for Drupal 6.x.

.... Input format access bypass

User signatures have no separate input format; they use the input format of
the comment with which they are displayed. When an administrator changes a
comment's input format to one that the comment's author cannot access, the
author can no longer edit that comment. However, the author can still modify
their signature, which is then processed by the new input format. If the new
format is very permissive, the user may be able to use their signature to
insert arbitrary HTML and script code into pages or, when the PHP filter is
enabled for the new format, to execute PHP code. This issue affects Advanced
Forum for Drupal 6.x only.
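
As an added illustration of the rendering rule that closes this bypass (this is not the module's code; the roles, format names, sample signature and the escaping stand-in for the filter pipeline are all constructed), the following Python contrasts the unchecked behaviour with a version that only applies the comment's format when the signature's author is allowed to use it:

```python
"""Model of the signature input-format bypass and a hardened rendering rule.
Constructed for illustration only: formats, roles and the escaping helper are
assumptions, not the Advanced Forum module's own logic."""
import html

# Constructed input formats: which roles may use each, and whether the format
# passes markup through unfiltered (a very permissive format, or PHP filter).
FORMATS = {
    "filtered_html": {"roles": {"authenticated", "admin"}, "raw": False},
    "full_html": {"roles": {"admin"}, "raw": True},
}


def can_use_format(roles, fmt):
    """Access check: may a user holding these roles use this input format?"""
    return bool(roles & FORMATS[fmt]["roles"])


def apply_format(text, fmt):
    """Stand-in for the filter pipeline: a raw format returns the text
    untouched, a filtered format escapes every tag."""
    return text if FORMATS[fmt]["raw"] else html.escape(text, quote=False)


def render_signature_vulnerable(author_roles, comment_format, signature):
    """Pre-fix behaviour: the signature inherits the comment's format with no
    check that the signature's author is allowed to use that format."""
    return apply_format(signature, comment_format)


def render_signature_fixed(author_roles, comment_format, signature,
                           fallback="filtered_html"):
    """Hardened rule: use the comment's format only if the signature's author
    holds it; otherwise fall back to a format the author does hold, and to
    plain escaping if the author holds no usable format at all."""
    if can_use_format(author_roles, comment_format):
        return apply_format(signature, comment_format)
    if can_use_format(author_roles, fallback):
        return apply_format(signature, fallback)
    return html.escape(signature, quote=False)


if __name__ == "__main__":
    # Constructed scenario: an admin switched the comment to full_html, and the
    # signature's author only holds the "authenticated" role.
    sig = "hi <script>1</script>"
    print(render_signature_vulnerable({"authenticated"}, "full_html", sig))
    print(render_signature_fixed({"authenticated"}, "full_html", sig))
```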

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Advanced Forum for Drupal 5.x prior to Advanced Forum 5.x-1.2
  * Advanced Forum for Drupal 6.x prior to Advanced Forum 6.x-1.2

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Advanced Forum for Drupal 5.x upgrade to Advanced Forum 5.x-1.1 [1]
  * If you use Advanced Forum for Drupal 6.x upgrade to Advanced Forum 6.x-1.1 [2]

See also the Advanced Forum project page [3].

-------- FIXED BY ------------------------------------------------------------

Michelle Cox [4], the project maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/507550
[2] http://drupal.org/node/507526
[3] http://drupal.org/project/advanced_forum
[4] http://drupal.org/user/23570
