[Security-news] SA-CONTRIB-2012-016 - Forward module XSS and Access bypass

security-news at drupal.org security-news at drupal.org
Wed Feb 1 23:02:41 UTC 2012


  * Advisory ID: DRUPAL-SA-CONTRIB-2012-016
  * Project: Forward [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-February-01
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Cross Site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------

The Forward module enables you to add a "forward this page" link to each
node. The link takes regular site visitors to a form where they can generate
an email to a friend. The module exhibits multiple vulnerabilities as
described below.

The module includes "Recent forwards" and "Most forwarded" blocks that
display the titles of the most recently forwarded nodes and the nodes
forwarded the most for all time. The module doesn't check that site visitors
have permissions to view the node titles listed in these blocks, resulting in
an access bypass. This vulnerability is mitigated by the fact that these
blocks are disabled by default.

The module includes a "Dynamic Block" feature which adds a listing of the top
5 node titles to the bottom of the generated email to a friend. The module
doesn't sufficiently check that the email recipient has permission to view
the node titles included in the block, resulting in an access bypass. This
vulnerability is mitigated by the fact that the Dynamic Block feature is
disabled by default.
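The two access bypasses above share one root cause: node titles are read straight from the database and rendered without asking whether the viewer may see that node. The following Drupal 7 code is an added illustration written for this advisory, not the Forward module's own code or its actual fix. The table name `example_forward_count`, the function names and the `example_` prefix are assumptions; the API calls (`db_select`, the `node_access` query tag, `node_access()`, `node_load_multiple()`, `drupal_anonymous_user()`) are core Drupal 7.

```php
<?php
// Added example, not the Forward module's code. Shows a "most forwarded"
// listing first in the vulnerable shape the advisory describes, then with
// node access enforced, and finally the same check done for an email
// recipient who is not logged in. Table and function names are assumed.

/**
 * Vulnerable: returns the five most-forwarded node titles without checking
 * whether the current user may view them, so unpublished or access-restricted
 * titles leak to anyone who can see the block.
 */
function example_most_forwarded_unsafe() {
  $query = db_select('node', 'n');
  $query->join('example_forward_count', 'f', 'f.nid = n.nid'); // assumed table
  $query->fields('n', array('nid', 'title'))
    ->orderBy('f.count', 'DESC')
    ->range(0, 5);
  $items = array();
  foreach ($query->execute() as $row) {
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return $items;
}

/**
 * Hardened: two layers. The 'node_access' query tag lets core's
 * node_query_node_access_alter() restrict the rows to nodes the given account
 * may see, and an explicit node_access('view') check on each loaded node
 * covers hook_node_access() implementations that the query alter cannot
 * express. $account defaults to the current user.
 */
function example_most_forwarded_safe($account = NULL) {
  if (!isset($account)) {
    global $user;
    $account = $user;
  }
  $query = db_select('node', 'n');
  $query->join('example_forward_count', 'f', 'f.nid = n.nid'); // assumed table
  $query->fields('n', array('nid'))
    ->condition('n.status', NODE_PUBLISHED)
    ->orderBy('f.count', 'DESC')
    ->range(0, 5)
    ->addTag('node_access')
    ->addMetaData('account', $account);
  $nids = $query->execute()->fetchCol();
  $items = array();
  foreach (node_load_multiple($nids) as $node) {
    if (node_access('view', $node, $account)) {
      $items[] = l($node->title, 'node/' . $node->nid, array('absolute' => TRUE));
    }
  }
  return $items;
}

/**
 * For a block appended to an outgoing email: the person who will read it is
 * unknown and not logged in, so evaluate access as the anonymous user rather
 * than as the (possibly privileged) visitor who submitted the form.
 */
function example_most_forwarded_for_email() {
  return example_most_forwarded_safe(drupal_anonymous_user());
}
```

The `addMetaData('account', ...)` call is what makes the `node_access` tag evaluate against a user other than the current one; without it the query alter silently uses the logged-in sender, which is exactly the wrong account for content that will be read by an arbitrary email recipient.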

The module includes clickthrough tracking so that the site administrator can
determine which emails are generating the most clicks back to the site. The
tracking code is vulnerable to CSRF because it uses a publicly available link
that could be manipulated to falsely boost the perceived importance of a
node.
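The clickthrough weakness is that the counter is incremented by any request to a fixed, guessable URL, so an image tag on any page can drive the numbers up. Below is an added Drupal 7 illustration, not the Forward module's code or its fix: the unsafe callback, then a link bound to one specific forward record by a keyed HMAC and a callback that counts each record at most once. The path `forward/clickthrough/%node`, the tables `example_forward_log` and `example_forward_count` and the `example_` functions are assumptions; `drupal_hmac_base64()`, `drupal_get_private_key()`, `drupal_get_hash_salt()`, `db_update()` and `drupal_goto()` are core Drupal 7 functions.

```php
<?php
// Added example, not the Forward module's code. Paths, table and column
// names are assumed.

/**
 * Vulnerable menu callback for forward/clickthrough/%node. Any request,
 * from anyone, increments the counter, so "most clicked" statistics can be
 * inflated at will.
 */
function example_clickthrough_unsafe($node) {
  db_update('example_forward_count')
    ->expression('clicks', 'clicks + 1')
    ->condition('nid', $node->nid)
    ->execute();
  drupal_goto('node/' . $node->nid);
}

/**
 * Signature over the (forward record, node) pair. The recipient is anonymous,
 * so a session-bound drupal_get_token() would not survive to the click; the
 * link is instead signed with the site's private key and hash salt, which
 * only the server knows.
 */
function example_clickthrough_signature($log_id, $nid) {
  return drupal_hmac_base64('forward-click:' . $log_id . ':' . $nid,
    drupal_get_private_key() . drupal_get_hash_salt());
}

/**
 * Build the tracking link placed in the outgoing email. $log_id is the primary
 * key of the row recording this particular forward (assumed table
 * example_forward_log, column fid).
 */
function example_clickthrough_url($node, $log_id) {
  return url('forward/clickthrough/' . $node->nid, array(
    'absolute' => TRUE,
    'query' => array(
      'fid' => $log_id,
      'sig' => example_clickthrough_signature($log_id, $node->nid),
    ),
  ));
}

/**
 * Constant-time string comparison so the signature cannot be recovered byte
 * by byte from response timing (hash_equals() needs PHP 5.6, so spelled out).
 */
function example_timing_safe_equals($known, $given) {
  if (strlen($known) !== strlen($given)) {
    return FALSE;
  }
  $diff = 0;
  for ($i = 0; $i < strlen($known); $i++) {
    $diff |= ord($known[$i]) ^ ord($given[$i]);
  }
  return $diff === 0;
}

/**
 * Hardened callback. Only links the server actually generated verify, each
 * forward record is counted once, and a bad or missing signature just
 * redirects without touching the counter.
 */
function example_clickthrough_safe($node) {
  $log_id = isset($_GET['fid']) ? (int) $_GET['fid'] : 0;
  $sig = isset($_GET['sig']) ? (string) $_GET['sig'] : '';
  $expected = example_clickthrough_signature($log_id, $node->nid);
  if ($log_id > 0 && example_timing_safe_equals($expected, $sig)) {
    // The UPDATE only matches a row that has not been clicked yet, so
    // replaying the same link does not inflate the count.
    $updated = db_update('example_forward_log')
      ->fields(array('clicked' => REQUEST_TIME))
      ->condition('fid', $log_id)
      ->condition('nid', $node->nid)
      ->isNull('clicked')
      ->execute();
    if ($updated) {
      db_update('example_forward_count')
        ->expression('clicks', 'clicks + 1')
        ->condition('nid', $node->nid)
        ->execute();
    }
  }
  drupal_goto('node/' . $node->nid);
}
```

In `hook_menu()` the callback would be registered with `'access callback' => 'node_access'` and `'access arguments' => array('view', 2)` so that the redirect itself never exposes a node the visitor may not see. Binding the link to a single log record and counting it once is what removes the incentive to replay: a forged or repeated request no longer changes the statistics.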

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Forward 6.x-1.x versions prior to 6.x-1.21
  * Forward 7.x-1.x versions prior to 7.x-1.3

Drupal core is not affected. If you do not use the contributed Forward [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Forward module for Drupal 6.x, upgrade to Forward 6.x-1.21 [4]
  * If you use the Forward module for Drupal 7.x, upgrade to Forward 7.x-1.3 [5]

The upgrade is "code only" and does not require running the database update
script.

IMPORTANT: Administrators of sites that rely on the Dynamic Block access
bypass to operate correctly need to visit the Forward configuration page and
explicitly select the Dynamic Block Access Control bypass option after
upgrading. This should be rare, so most site administrators can simply
upgrade the module without the need for additional configuration.

See also the Forward [6] project page.

-------- REPORTED BY ---------------------------------------------------------

  * Greg Knaddison (greggles) [7] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

  * John Oltman [8], the module maintainer

-------- COORDINATED BY ------------------------------------------------------

  * Greg Knaddison (greggles) [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/forward
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/forward
[4] http://drupal.org/node/1423720
[5] http://drupal.org/node/1423722
[6] http://drupal.org/project/forward
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/699926
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
