[Security-news] SA-CONTRIB-2009-084 - LDAP Integration - Multiple Vulnerabilities
security-news at drupal.org
Wed Oct 28 21:55:59 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-084
* Project: LDAP Integration (third-party module)
* Version: 6.x, 5.x
* Date: 2009-October-28
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The LDAP Integration module enables users to authenticate against LDAP
servers. The module does not properly implement confirmation pages for
LDAP server activation/deactivation, which could lead to a Cross Site Request
Forgery (CSRF [1]) attack. The user-defined server name is not properly
escaped on the administration pages, making it vulnerable to a cross site
scripting (XSS [2]) attack. User LDAP data can be viewed by unauthorized
users, as it is not properly access controlled before being displayed on user
profile pages. Additionally, some user management access rules were ignored
during the authentication process.
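The following Drupal 6 snippet is an added illustration, not the module's own code, of the two administration-page fixes the advisory describes: the admin-entered server name is escaped before output, and activation is routed through a confirmation form whose token blocks cross-site requests. All function, permission and variable names (ldapdemo_*, 'administer ldap servers', ldapdemo_servers) are assumptions.

```php
<?php
// Hypothetical Drupal 6 callbacks (assumed names, not the module's own code) showing
// the two fixes the advisory describes: the admin-entered server name is escaped before
// output, and activation goes through confirm_form(), whose form token defeats CSRF.
function ldapdemo_menu() {
  $items['admin/settings/ldapdemo'] = array(
    'title' => 'LDAP servers',
    'page callback' => 'ldapdemo_server_list',
    'access arguments' => array('administer ldap servers'),
  );
  $items['admin/settings/ldapdemo/%/activate'] = array(  // a form, not a bare GET
    'title' => 'Activate LDAP server',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('ldapdemo_activate_confirm', 3),
    'access arguments' => array('administer ldap servers'),
  );
  return $items;
}

// The server name is untrusted input: check_plain() it before it lands in
// markup (the XSS fix). Echoing it raw is the vulnerable pattern.
function ldapdemo_server_list() {
  $rows = array();
  foreach (variable_get('ldapdemo_servers', array()) as $sid => $server) {
    $rows[] = array(
      check_plain($server['name']),
      $server['active'] ? t('active') : l(t('activate'), "admin/settings/ldapdemo/$sid/activate"),
    );
  }
  return theme('table', array(t('Name'), t('Status')), $rows);
}

// confirm_form() adds form_token; the Form API rejects a POST without a valid
// token, so a forged request from another site cannot flip the setting (CSRF fix).
function ldapdemo_activate_confirm(&$form_state, $sid) {
  $servers = variable_get('ldapdemo_servers', array());
  if (!isset($servers[$sid])) {
    drupal_not_found();
    exit;
  }
  $form['sid'] = array('#type' => 'value', '#value' => $sid);
  return confirm_form($form, t('Activate LDAP server %name?', array('%name' => $servers[$sid]['name'])),
    'admin/settings/ldapdemo', NULL, t('Activate'), t('Cancel'));
}
function ldapdemo_activate_confirm_submit($form, &$form_state) {
  $servers = variable_get('ldapdemo_servers', array());
  $servers[$form_state['values']['sid']]['active'] = TRUE;
  variable_set('ldapdemo_servers', $servers);
  $form_state['redirect'] = 'admin/settings/ldapdemo';
}
```

The profile-page access bypass and the ignored user management rules are separate issues and are not covered by this snippet.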
-------- VERSIONS AFFECTED ---------------------------------------------------
* LDAP Integration module versions for Drupal 6.x prior to LDAP Integration
6.x-1.0-beta2 [3]
* LDAP Integration module versions for Drupal 5.x prior to LDAP Integration
5.x-1.5 [4]
* LDAP Integration module versions for Drupal 4.7.x are now unsupported.
Drupal core is not affected. If you do not use the contributed LDAP
Integration [5] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use the LDAP Integration module for Drupal 6.x upgrade to LDAP
Integration 6.x-1.0-beta2 [6]
* If you use the LDAP Integration module for Drupal 5.x upgrade to LDAP
Integration 5.x-1.5 [7]
* If you use the LDAP Integration module for Drupal 4.7.x, disable the
module.
-------- REPORTED BY ---------------------------------------------------------
* The XSS vulnerability was reported by Jakub Suchy [8] of the Drupal
Security Team.
* The CSRF vulnerability was reported by Stéphane Corlosquet [9] of the
Drupal Security Team.
* The Access Bypass vulnerabilities were reported by Christian A. Reiter
[10] and Matt Vance [11].
* The User management access rules vulnerability was reported by Kevin
Murphy [12].
-------- FIXED BY ------------------------------------------------------------
* Miglius Alaburda [13], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/en/Cross_Site_Request_Forgery
[2] http://en.wikipedia.org/en/Cross_Site_Scripting
[3] http://drupal.org/node/615898
[4] http://drupal.org/node/615900
[5] http://drupal.org/project/ldap_integration
[6] http://drupal.org/node/615898
[7] http://drupal.org/node/615900
[8] http://drupal.org/user/31977
[9] http://drupal.org/user/52142
[10] http://drupal.org/user/116783
[11] http://drupal.org/user/88338
[12] http://drupal.org/user/60619
[13] http://drupal.org/user/18741