[Security-news] SA-CONTRIB-2009-094 - NGP COO/CWP Integration (crmngp) - Multiple Vulnerabilities

security-news at drupal.org
Wed Nov 4 20:00:19 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-094
  * Project: NGP COO/CWP Integration (crmngp) (third-party module)
  * Version: 6.x
  * Date: 2009-November-4
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site scripting and Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The NGP COO/CWP Integration module provides Drupal integration with the NGP
Software API for efficient campaign management. An administration page did
not properly implement access control, thereby allowing untrusted users to
view module log information. User-supplied information was not filtered on
output, allowing a cross-site scripting (XSS [1]) attack.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * NGP COO/CWP Integration versions for Drupal 6.x prior to 6.x-1.12

Drupal core is not affected. If you do not use the contributed NGP COO/CWP
Integration module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use NGP COO/CWP Integration for Drupal 6.x, upgrade to version
    6.x-1.13 [2]

See also the NGP COO/CWP Integration [3] project page.

-------- REPORTED BY ---------------------------------------------------------

  * Access bypass reported by Dylan Wilder-Tack [4]
  * Cross-site scripting reported by Benjamin Jeavons [5]

-------- FIXED BY ------------------------------------------------------------

  * XSS vulnerability fixed by Sean Robertson [6], the module maintainer
  * Access bypass vulnerability fixed by Dylan Wilder-Tack [7]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623506
[3] http://drupal.org/project/crmngp
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/91990
[6] https://drupal.org/user/7074
[7] http://drupal.org/user/96647