[Security-news] SA-CONTRIB-2010-052 - Multiple vulnerabilities in multiple contributed modules

security-news at drupal.org
Wed May 19 22:21:39 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-052
  * Projects: Multiple third party modules - Privatemsg, Weather Underground,
    Tellafriend, Menu Block Split, osCommerce, Download Count, Comment Page,
    False Account Detector, User Queue
  * Version: 5.x, 6.x
  * Date: 2010-05-19
  * Security risks: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple (Cross-site Request Forgery, Cross-site scripting,
    Email header injection, SQL Injection)

-------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ----------------------------

Private Message [1] versions for the 5.x versions of Drupal
     The Privatemsg (also known as Private Message) module enables messages to
     be sent internally on a site. The module is vulnerable to cross-site
     request forgeries [2] (CSRF) via its message delete form. This would
     allow a malicious user to trick an admin into deleting arbitrary message
     content by directing them to the URL via a link or image src, etc., or
     trick a user into deleting their own messages. *Solution:* Disable the
     module or upgrade to the latest 6.x versions of Drupal core and the
     Private message module.
Weather Underground [3] 6.x-2.0
     The Weather Underground module retrieves and displays weather information
     from Weather Underground (http://www.wunderground.com). The block subject
     can be configured on the wunderground settings page but is not sanitized
     before display, allowing for a cross site scripting [4] (XSS) attack that
     may lead to a malicious user gaining full administrative access. This
     vulnerability is mitigated by the fact that an attacker must have the
     "access administration pages" permission which should generally only be
     granted to trusted roles. *Solution:* Disable the module. There is no
     safe version of the module to use.
Tellafriend [5] version 6.x-2.10 and 5.x-2.7
     The Tellafriend module enables site visitors to send e-mails about the
     site to their contacts via a form. The module is vulnerable to email
     header injection and could be exploited to send spam. *Solution:* Disable
     the module. There is no safe version of the module to use.
Menu Block Split [6] version 6.x-2.1 and 5.x-2.1
     The Menu Block Split module enables any menu block to be split into two
     different blocks: a first block with the first level menu entries only,
     and a second block with any second level and sub level menu entries. The
     block subject can be configured on the Menu Block Split settings page,
     but is not sanitized before display, allowing for a cross site scripting
     [7] (XSS) attack that may lead to a malicious user gaining full
     administrative access. *Solution:* Disable the module. There is no safe
     version of the module to use.
osCommerce [8] version 6.x-1.0
     The osCommerce module provides a front end to the osCommerce application.
     The module's 'Title for manufacturers block' configuration field is not
     sanitized before display, allowing for a cross site scripting [9] (XSS)
     attack that may lead to a malicious user gaining full administrative
     access. *Solution:* Disable the module. There is no safe version of the
     module to use.
download_count [10] version 6.x-1.3 and 5.x-1.0
     The download_count module increments a download counter each time an
     attached file is successfully downloaded. This module is vulnerable to a
     cross site scripting [11] (XSS) attack that may lead to a malicious user
     gaining full administrative access. *Solution:* Disable the module. There
     is no safe version of the module to use.
Comment Page [12] version 6.x-1.1 and 5.x-1.1
     The Comment Page module displays each comment on its own page, with an
     optional thread review that links to other comments in a comment thread.
     The module does not properly sanitize some content before outputting it,
     exposing multiple cross site scripting [13] (XSS) vulnerabilities and
     allowing malicious users with the permission "post comments" to inject
     scripts. Additionally, Comment Page incorrectly uses drupal_access_denied
     (not stopping the flow after calling this function) and uses a
     non-existing permission ("admin comments") as access argument to its
     administration page. *Solution:* Disable the module. There is no safe
     version of the module to use.
False Account Detector [14] versions for the 5.x and 6.x versions of Drupal
     The False Account Detector module helps administrators to find out which
     users have more than one account on a Drupal system and can block them
     from creating new accounts. The module does not properly sanitize
     received cookies, exposing multiple cross site scripting [15] (XSS) and
     SQL Injection vulnerabilities and allowing malicious authenticated users
     to block other user accounts. *Solution:* Disable the module. There is no
     safe version of the module to use.
User Queue [16] version 6.x-1.0
     The Userqueue module enables site builders to create a queue (or list) of
     users on a site. The module is vulnerable to a CSRF vulnerability which
     would allow a malicious user to trick a site builder into deleting a user
     from a queue. *Solution:* Disable the module. There is no safe version of
     the module to use.
Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.
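The defect patterns this advisory lists, shown in their corrected form for a Drupal 6 module. This is an added illustration, not code from any of the modules above: `example_mod`, its variables, table names and menu paths are hypothetical. It covers an escaped block subject (the Weather Underground, Menu Block Split and osCommerce cases), a token-checked delete link whose callback returns after drupal_access_denied() (the Privatemsg, User Queue and Comment Page cases), cookie input bound with query placeholders (False Account Detector), and rejection of mail header values containing CR or LF (Tellafriend).

```php
<?php
// Added illustration for this advisory, not code from any module named above.
// "example_mod", its variable names, table names and paths are placeholders.

// hook_block(): a block subject set on a settings page is still untrusted
// output. Run it through check_plain() before it is displayed.
function example_mod_block($op = 'list', $delta = 0) {
  if ($op == 'view') {
    return array(
      'subject' => check_plain(variable_get('example_mod_title', t('Example'))),
      'content' => example_mod_lookup(),
    );
  }
}

// A delete link that is a plain GET request carries no Form API token, so the
// link must include one and the callback must verify it. The callback returns
// right after drupal_access_denied() so that nothing further is executed.
function example_mod_delete_link($id) {
  $token = drupal_get_token('example_mod_delete_' . $id);
  return l(t('Delete'), 'example_mod/delete/' . $id, array('query' => 'token=' . $token));
}

function example_mod_delete($id) {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_mod_delete_' . $id)) {
    drupal_access_denied();
    return;
  }
  // %d binds the id as an integer instead of interpolating it into the SQL.
  db_query("DELETE FROM {example_mod_item} WHERE id = %d", $id);
  drupal_goto('example_mod/list');
}

// Cookies are attacker-controlled: bind them with db_query() placeholders and
// never echo them back unescaped (t() escapes %-placeholders).
function example_mod_lookup() {
  $marker = isset($_COOKIE['example_mod_marker']) ? $_COOKIE['example_mod_marker'] : '';
  $uid = db_result(db_query("SELECT uid FROM {example_mod_marker} WHERE marker = '%s'", $marker));
  return $uid ? t('Marker seen for user %uid', array('%uid' => $uid)) : '';
}

// A visitor-supplied value that ends up in a mail header must not contain CR
// or LF, or extra headers (Bcc, etc.) can be appended. Reject rather than
// strip, so the form can report a validation error.
function example_mod_header_value($value) {
  return preg_match('/[\r\n]/', $value) ? FALSE : $value;
}
```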

-------- ONGOING MAINTENANCE OF THESE MODULES --------------------------------

If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [17].

-------- REPORTED BY ---------------------------------------------------------

  * Peter Wolanin [18] of the Drupal Security Team
  * John Morahan [19] of the Drupal Security Team
  * Dylan Tack [20] of the Drupal Security Team
  * Kieran Lal [21] of the Drupal Security Team
  * Ivo Van Geertruyen [22] of the Drupal Security Team
  * Martin Barbella [23]
  * Brandon Bergren [24]
  * George Gongadze [25]

-------- CONTACT -------------------------------------------------------------

The security team for Drupal [26] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.



[1] http://drupal.org/project/privatemsg
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/project/wunderground
[4] http://en.wikipedia.org/wiki/Cross-site_scripting
[5] http://drupal.org/project/tellafriend
[6] http://drupal.org/project/menu_block_split
[7] http://en.wikipedia.org/wiki/Cross-site_scripting
[8] http://drupal.org/project/oscommerce
[9] http://en.wikipedia.org/wiki/Cross-site_scripting
[10] http://drupal.org/project/download_count
[11] http://en.wikipedia.org/wiki/Cross-site_scripting
[12] http://drupal.org/project/comment_page
[13] http://en.wikipedia.org/wiki/Cross-site_scripting
[14] http://drupal.org/project/false_account
[15] http://en.wikipedia.org/wiki/Cross-site_scripting
[16] http://drupal.org/project/userqueue
[17] http://drupal.org/node/251466
[18] http://drupal.org/user/49851
[19] http://drupal.org/user/58170
[20] http://drupal.org/user/96647
[21] http://drupal.org/user/18703
[22] http://drupal.org/user/383424
[23] http://drupal.org/user/633600
[24] http://drupal.org/user/53081
[25] http://drupal.org/user/322910
[26] http://drupal.org/security-team


