[Security-news] SA-CONTRIB-2010-108 - Who Bought What|Ubercart - Multiple Vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Dec 8 21:45:42 UTC 2010


  * DRUPAL-SA-CONTRIB-2010-108
  * Who Bought What|Ubercart (third-party module)
  * Version: 6.x
  * Date: 2010-Dec-08
  * Security risk: Highly Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple Vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Who Bought What module collects and displays relevant information about
purchases, including purchaser name, quantity, payment status, and all
attributes. The module does not properly sanitize arguments passed via the
URL when used in SQL queries, leading to a SQL Injection [1] vulnerability.
Additionally, the module neglects to sanitize some of the user-generated
content before displaying it, leading to a Cross-Site Scripting (XSS [2])
vulnerability. Finally, the module allows users with the "view
uc_who_bought_what" permission to view the title of any node in the system,
including unpublished nodes and nodes that the user might otherwise not have
access to, which constitutes an Information Disclosure vulnerability.
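
As an added illustration (not the module's own code and not the fix that was shipped), the Drupal 6 API patterns that address each of the three issue classes named above: a typed query placeholder instead of interpolating the URL argument, node access checks before a title is revealed, and output escaping before rendering. The Ubercart table and column names and the function names are assumptions; the permission name is the one this advisory cites.

```php
<?php
// Added illustration, not the module's code. Table and column names are
// assumed from Ubercart 2.x; the permission name is the one the advisory cites.
/**
 * Menu callback (access argument 'view uc_who_bought_what'): purchasers of
 * one product. $nid arrives straight from the URL and is untrusted.
 */
function example_wbw_product_page($nid) {
  // SQL injection: never interpolate URL arguments into a query string
  //   (UNSAFE: db_query("... WHERE op.nid = $nid")). Use a %d placeholder,
  //   which db_query() casts to an integer before substitution.
  // Information disclosure: reveal a title only if node_access() allows it;
  //   this honours unpublished status and node access grants.
  $node = node_load((int) $nid);
  if (!$node || !node_access('view', $node)) {
    return drupal_access_denied();
  }
  $sql = "SELECT o.uid, o.order_status, op.qty FROM {uc_order_products} op
          INNER JOIN {uc_orders} o ON o.order_id = op.order_id
          WHERE op.nid = %d ORDER BY o.order_id DESC";
  $result = db_query($sql, $node->nid);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $account = user_load($row->uid);
    // XSS: escape every user-supplied string before it is rendered as HTML.
    $rows[] = array(
      check_plain($account ? $account->name : t('anonymous')),
      check_plain($row->order_status),
      (int) $row->qty,
    );
  }
  $header = array(t('Purchaser'), t('Payment status'), t('Quantity'));
  return '<h2>' . check_plain($node->title) . '</h2>' . theme('table', $header, $rows);
}

/**
 * Purchased products as a list; the node access system filters the query.
 */
function example_wbw_product_list() {
  $sql = "SELECT DISTINCT n.nid, n.title FROM {node} n
          INNER JOIN {uc_order_products} op ON op.nid = n.nid
          WHERE n.status = 1";
  // db_rewrite_sql() adds the node_access joins, so titles the current user
  // may not view never leave the database instead of merely being hidden.
  $result = db_query(db_rewrite_sql($sql));
  $items = array();
  while ($row = db_fetch_object($result)) {
    $items[] = l($row->title, 'node/' . $row->nid);  // l() runs check_plain()
  }
  return theme('item_list', $items);
}
```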

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Who Bought What|Ubercart module for Drupal 6.x versions prior to 6.x-2.11.

Drupal core is not affected. If you do not use the contributed Who Bought
What|Ubercart module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Who Bought What|Ubercart module for Drupal 6.x, upgrade to
    Who Bought What|Ubercart 6.x-2.11 [3].

See also the Who Bought What|Ubercart project page [4].

-------- REPORTED BY ---------------------------------------------------------

  * The SQL Injection vulnerability was reported by Mark Styles (lambic [5])
  * The XSS and Information Disclosure vulnerabilities were reported by
    mr.baileys [6] of the Drupal.org Security Team

-------- FIXED BY ------------------------------------------------------------

  * Michael Moradzadeh (Cayenne [7]), module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [8].


[1] http://en.wikipedia.org/wiki/SQL_Injection
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/node/991762
[4] http://drupal.org/project/uc_who_bought_what
[5] http://drupal.org/user/58843
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/92993
[8] http://drupal.org/contact
