[Security-news] SA-CONTRIB-2009-044 - Bubbletimer - Multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Jul 22 12:36:45 UTC 2009 

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-044
  * Project: Bubbletimer (third-party module)
  * Version: 6.x
  * Date: 2009-July-22
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION  
---------------------------------------------------------

Bubbletimer allows users to create timesheets based on nodes. It suffers from
a cross-site scripting [1] (XSS) vulnerability due to not properly sanitizing
node titles before they are displayed. It is also vulnerable to cross-site
request forgeries [2] (CSRF) making it possible for users to unknowingly add
nodes to, or remove nodes from, their timesheets. Together, these
vulnerabilities could lead to an attacker gaining administrator access.
Additionally, the module does not respect node access restrictions when
displaying node listings.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Bubbletimer for Drupal 6.x prior to Bubbletimer 6.x-1.5

Drupal core is not affected. If you do not use the contributed Bubbletimer
module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Upgrade to the latest version:

  * If you use Bubbletimer for Drupal 6.x upgrade to Bubbletimer 6.x-1.5 [3]

See also the Bubbletimer project page [4].
-------- REPORTED BY  
---------------------------------------------------------

  * The CSRF issue was reported by Andrew Berry [5].
  * The XSS issue was reported by Stéphane Corlosquet [6] of the Drupal
    Security Team.
  * The access bypass issue was reported by John Morahan [7] of the Drupal
    Security Team.

-------- FIXED BY  
------------------------------------------------------------

  * Peter Arato [8], the Bubbletimer module maintainer.

-------- CONTACT  
-------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/node/527372
[4] http://drupal.org/project/bubbletimer
[5] http://drupal.org/user/71291
[6] http://drupal.org/user/52142
[7] http://drupal.org/user/58170
[8] http://drupal.org/user/428960

More information about the Security-news mailing list