[Security-news] SA-CONTRIB-2010-058: Chaos tool suite - Multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Thu May 20 02:41:07 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-058
  * Project: Chaos tool suite (third-party module)
  * Versions: 6.x
  * Date: 2010 May 19
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

The Chaos tool suite (ctools) is primarily a set of APIs and tools to improve
the developer experience. This module was found to have multiple
vulnerabilities.
-------- CROSS SITE SCRIPTING (XSS)  
------------------------------------------

The module did not properly sanitize node titles under certain circumstances,
resulting in multiple cross-site scripting [1] vulnerabilities which could
lead to a malicious user gaining full administrative access.
-------- CROSS-SITE REQUEST FORGERY  
------------------------------------------

The module did not use the form API or tokens to protect certain
administrative actions, allowing an attacker to trick an administrator into
unintentionally enabling or disabling pages (cross-site request forgery [2]).
-------- ARBITRARY PHP CODE EXECUTION  
----------------------------------------

Users with the 'administer page manager' permission could execute arbitrary
PHP code on the server via the import functionality. An additional check for
the permission 'use PHP for block visibility' has been added to ensure that
the site administrator has already granted users of the import functionality
the permission to execute PHP.
-------- ACCESS BYPASS  
-------------------------------------------------------

Users with 'access content' permission were able to view the titles of
unpublished nodes under certain circumstances.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Versions of "Chaos tool suite" for Drupal 6.x prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed "Chaos tool
suite" module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use "Chaos tool suite" for Drupal 6.x upgrade to Chaos tool suite
    6.x-1.4 [3]

-------- REPORTED BY  
---------------------------------------------------------

The cross-site scripting issue was reported by Martin Barbella [4]. The
cross-site request forgery, arbitrary PHP code execution, and access bypass
issues were reported by Justin Klein Keane [5].
-------- FIXED BY  
------------------------------------------------------------

The cross-site scripting issue was fixed by Earl Miles [6]. The cross-site
request forgery, arbitrary PHP code execution, and access bypass issues were
fixed by Sam Boyer [7].
-------- CONTACT  
-------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/node/803912
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/26979
[7] http://drupal.org/user/146719



More information about the Security-news mailing list