[Security-news] SA-CONTRIB-2011-004 - Multiple Vulnerabilities In Multiple Contributed Modules
security-news at drupal.org
Wed Feb 2 18:32:55 UTC 2011
* Advisory ID: DRUPAL-SA-CONTRIB-2011-004
* Projects: Multiple third party modules - OG Forum, Open Legislation,
PowerSQL
* Version: 6.x
* Date: 2011-February-02
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple (Information disclosure, Cross Site Scripting,
Cross Site Request Forgery, SQL injection)
-------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ----------------------------
OG Forum [1] for Drupal 6.x
OG Forum creates a forum per organic group and restricts viewing forum
nodes by group membership. OG Forum does not properly implement access
controls on private forums it creates, which can lead to a private
group's forums becoming public via Cross Site Request Forgeries (CSRF
[2]). Additionally, OG Forum stores private group and forum information
in a global vocabulary, which can lead to information such as group and
forum names being disclosed to members not part of the private group.
*Solution:* Disable the module. There is no safe version of the module to
use.
Open Legislation [3] for Drupal 6.x
This module provides integration with OpenLegislation, the open legislation
database and web service of the New York State Senate. The module is
vulnerable to a Cross Site Scripting [4] (XSS) attack via content
consumed from remote web services. *Solution:* Disable the module. There
is no safe version of the module to use.
PowerSQL [5] for Drupal 6.x
This module implements additional database API functions which are not
secure. Use of this module may make your site vulnerable to a SQL Injection
attack [6]. *Solution:* Disable the module. There is no safe version of the
module to use.
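The three bug classes named above (SQL injection through an unsafe database
wrapper, XSS from remote web-service content, and CSRF on a state-changing
forum action), as an added illustration in plain PHP. This is not code from
OG Forum, Open Legislation or PowerSQL, whose source this advisory does not
reproduce; the Drupal 6 API equivalents (db_query placeholders, check_plain and
filter_xss, confirm_form and drupal_valid_token) are named in comments, and
the forum table, the remote response and the session secret are constructed.

```php
<?php
// Added illustration of the three bug classes in this advisory, in plain PHP.
// Not the code of OG Forum, Open Legislation or PowerSQL; Drupal 6 API
// equivalents are named in comments. All inputs below are constructed.

// ---- 1. SQL injection (the PowerSQL class of bug) ------------------------
// Constructed in-memory table so the script runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE forum (tid INTEGER, name TEXT, private INTEGER)');
$db->exec("INSERT INTO forum VALUES (1, 'Public forum', 0), (2, 'Secret group forum', 1)");

// Insecure: the caller's value is interpolated into the SQL text. A database
// "convenience" wrapper built this way hands every caller an injection.
// Drupal 6's own db_query('... WHERE tid = %d', $tid) casts via the placeholder.
function forum_names_unsafe(PDO $db, $tid) {
    return $db->query("SELECT name FROM forum WHERE tid = $tid")->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: integer cast plus a bound parameter; the value never reaches the SQL parser.
function forum_names_safe(PDO $db, $tid) {
    $stmt = $db->prepare('SELECT name FROM forum WHERE tid = ?');
    $stmt->execute(array((int) $tid));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$tid_from_url = '1 OR private = 1';                 // attacker-controlled id
print_r(forum_names_unsafe($db, $tid_from_url));   // both rows: the private name leaks
print_r(forum_names_safe($db, $tid_from_url));     // (int) cast gives 1: only the public row

// ---- 2. XSS from remote web-service content (the Open Legislation class) --
// Constructed stand-in for a decoded drupal_http_request() response body.
$remote_item = array('title' => 'Bill S123 <script>alert(document.cookie)</script>');

// Insecure: remote text is dropped straight into page markup.
function render_title_unsafe(array $item) {
    return '<h2>' . $item['title'] . '</h2>';
}

// Hardened: treat the web service as untrusted input and escape on output
// (Drupal 6: check_plain(), or filter_xss() when limited markup is wanted).
function render_title_safe(array $item) {
    return '<h2>' . htmlspecialchars($item['title'], ENT_QUOTES, 'UTF-8') . '</h2>';
}

echo render_title_unsafe($remote_item), "\n";   // script tag survives
echo render_title_safe($remote_item), "\n";     // &lt;script&gt;... is inert text

// ---- 3. CSRF on a state-changing action (the OG Forum class) -------------
// A link such as /og_forum/42/make-public that acts on the bare request can
// be fired by any page the victim visits while logged in. Drupal 6 guards
// such actions with confirm_form() (POST plus form token) or by checking
// drupal_valid_token() on the link; here a keyed HMAC plays the token role.
$forums = array(42 => array('name' => 'Secret group forum', 'private' => 1));
$session_secret = 'constructed-per-session-secret';   // assumption: one per session

function csrf_token($secret, $action) {
    return hash_hmac('sha256', $action, $secret);
}

function make_public_unsafe(array $request, array &$forums) {
    $forums[$request['tid']]['private'] = 0;   // no evidence the user chose this
    return true;
}

function make_public_safe(array $request, array &$forums, $secret) {
    $expected = csrf_token($secret, 'make-public:' . $request['tid']);
    if (empty($request['token']) || !hash_equals($expected, $request['token'])) {
        return false;                           // forged cross-site request rejected
    }
    $forums[$request['tid']]['private'] = 0;
    return true;
}

$forged  = array('tid' => 42);                  // what an <img src=...> on a hostile page sends
$genuine = array('tid' => 42, 'token' => csrf_token($session_secret, 'make-public:42'));

$copy = $forums;
make_public_unsafe($forged, $copy);                               // private flag cleared by the forgery
var_dump(make_public_safe($forged, $forums, $session_secret));   // bool(false), forum stays private
var_dump(make_public_safe($genuine, $forums, $session_secret));  // bool(true), user-initiated change
```

The token check is what distinguishes the two CSRF handlers: without something the
hostile page cannot obtain (a per-session secret bound to the action), a forum
"make public" link is reachable by any site the victim visits, which is the
route to a private group's forums becoming public described for OG Forum.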
Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.
-------- ONGOING MAINTENANCE OF THESE MODULES --------------------------------
If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [7].
-------- REPORTED BY ---------------------------------------------------------
* OG Forum issues:
* The information disclosure vulnerability was reported by Tim_O [8]
* The access bypass vulnerability was reported by Michael Hao (qmhao99
[9])
* Open Legislation issue reported by Stéphane Corlosquet [10] of the Drupal
Security Team
* PowerSQL issue reported by Jakub Suchy [11] of the Drupal Security Team
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [12] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/og_forum
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/project/openleg
[4] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[5] http://drupal.org/project/vitzo_powersql
[6] http://en.wikipedia.org/wiki/Sql_injection
[7] http://drupal.org/node/251466
[8] http://drupal.org/user/111066
[9] http://drupal.org/user/855110
[10] http://drupal.org/user/52142
[11] http://drupal.org/user/31977
[12] http://drupal.org/security-team