[Security-news] SA-CONTRIB-2010-069 - Case Tracker - Multiple Vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Jun 23 18:47:51 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-069
  * Project: Case Tracker (third-party module)
  * Version: 5.x
  * Date: 2010-June-23
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple Vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Case Tracker module enables teams to track outstanding cases which need
resolution by attaching a status, priority and type.

-------- CROSS SITE SCRIPTING (XSS) ------------------------------------------

The module does not sanitize some of the user-supplied data before displaying
it, leading to a cross site scripting (XSS [1]) vulnerability that may allow a
malicious user to gain full administrative access. This vulnerability is
mitigated by the fact that an attacker must have the "administer casetracker"
permission, which should generally only be granted to trusted roles.
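As an added illustration (not code from the Case Tracker module or from this advisory), the following plain PHP contrasts the unescaped output pattern described above with the escaping a Drupal 5 module is expected to apply at output time. The sample case record is constructed; check_plain() is Drupal's own helper, and the fallback definition below is a compatible stand-in so the script also runs on a plain PHP command line.

```php
<?php
// Added example, not Case Tracker code. Shows the rule a Drupal 5 module
// must follow when echoing user-supplied strings into HTML: escape at the
// point of output, in both text and attribute context.
//
// check_plain() is Drupal's helper. When this file runs outside Drupal
// (plain PHP CLI) we supply a compatible definition so it is self-contained.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample record: a case whose title and status label were
// typed into a form by a user holding a casetracker permission.
$case = array(
  'title'  => 'Login broken <script>alert(document.cookie)</script>',
  'status' => 'Open" onmouseover="alert(1)',
);

// Vulnerable pattern: raw values concatenated into markup. The title
// injects a script element; the status breaks out of the class attribute.
function render_case_row_vulnerable($case) {
  return '<tr><td>' . $case['title'] . '</td>'
       . '<td class="' . $case['status'] . '">' . $case['status'] . '</td></tr>';
}

// Hardened pattern: every user-controlled string is escaped where it is
// emitted. ENT_QUOTES also escapes the double quote, which closes the
// attribute-context hole, not just the element-context one.
function render_case_row_safe($case) {
  return '<tr><td>' . check_plain($case['title']) . '</td>'
       . '<td class="' . check_plain($case['status']) . '">'
       . check_plain($case['status']) . '</td></tr>';
}

echo render_case_row_vulnerable($case), "\n";
echo render_case_row_safe($case), "\n";
```

The same rule applies to values handed to theme('table') row cells and to link text in Drupal 5, which are not escaped for you; only properly escaped strings should reach the browser.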

-------- ACCESS BYPASS -------------------------------------------------------

The module provides the "access case tracker" permission, which is used to
restrict access to the reports and other functionality the module provides.
However, it was also used to restrict access to individual project and case
nodes, but only in some code paths, so that restriction could be bypassed
elsewhere. This access check has been removed; instead, users are encouraged
to install a content access module to restrict access to these nodes.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Case Tracker module for Drupal 5.x versions prior to 5.x-1.4

Drupal core is not affected. If you do not use the contributed Case Tracker
[2] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Case Tracker module for Drupal 5.x upgrade to Case Tracker
    5.x-1.4 [3]

As the "access case tracker" permission no longer controls access to project
and case nodes, users are encouraged to install a content access module to
restrict access to these nodes as necessary. See also the Case Tracker
project page [4].
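As an added illustration of the access point made in the ACCESS BYPASS section and in the solution above (not Case Tracker code; the module name "casegate" and the node type names are hypothetical, and the code assumes the Drupal 5 API in which hook_node_grants() and hook_node_access_records() exist), the following contrasts a permission check that lives in a single page callback with node access records that Drupal enforces on every path, which is what a content access module provides.

```php
<?php
// Added illustration, not Case Tracker code. Hypothetical module "casegate".
//
// Inconsistent pattern: the check exists only inside this module's own page
// callback. Requests for node/NID, search results and listings built by
// other modules never run it, so the permission protects the report page
// but not the nodes themselves.
function casegate_report_page() {
  if (!user_access('access case tracker')) {
    drupal_access_denied();
    return;
  }
  // ... build the report ...
}

// Consistent pattern: describe who may see each case/project node through
// the node access API. node_access() consults these records on every view,
// and db_rewrite_sql() applies them to listing queries, so no code path
// in this or any other module can forget the check.
define('CASEGATE_GID_STAFF', 1);

// Node type names are assumed for the example; a real site would use the
// types its Case Tracker configuration actually assigns.
function casegate_node_access_records($node) {
  if ($node->type == 'example_case' || $node->type == 'example_project') {
    return array(array(
      'realm'        => 'casegate',
      'gid'          => CASEGATE_GID_STAFF,
      // View-only grant. Update/delete are left to other realms or to
      // 'administer nodes', which bypasses node access entirely.
      'grant_view'   => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority'     => 0,
    ));
  }
}

// Map each account to the grant IDs it holds in this realm. Only accounts
// with the permission receive the staff grant, so everyone else gets no
// row in the access table for these nodes and is denied.
function casegate_node_grants($account, $op) {
  if ($op == 'view' && user_access('access case tracker', $account)) {
    return array('casegate' => array(CASEGATE_GID_STAFF));
  }
  return array();
}
```

After enabling a node access module the node_access table must be rebuilt (Drupal 5 offers this on the content access administration page); until then the new records are not in effect.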

-------- REPORTED BY ---------------------------------------------------------

  * Mariano D'Agostino [5]
  * Clemens Tolboom [6]

-------- FIXED BY ------------------------------------------------------------

  * Jeff Miccolis [7], module maintainer
  * David Rothstein [8] of the Drupal security team

-------- CONTACT -------------------------------------------------------------

The Drupal security team [9] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/casetracker
[3] http://drupal.org/node/835962
[4] http://drupal.org/project/casetracker
[5] http://drupal.org/user/154086
[6] http://drupal.org/user/125814
[7] http://drupal.org/user/31731
[8] http://drupal.org/user/124982
[9] http://drupal.org/security-team
