copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » By Year » 2009 » ESB-2009.1522.2 - UPDATE [Win][UNIX/Linux] Drupal: M...
 

ESB-2009.1522.2 - UPDATE [Win][UNIX/Linux] Drupal: Multiple vulnerabilities
Date: 23 November 2009
Related Files: ESB-2009.1522  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1522.2
           Drupal Third Party Modules: Multiple Vulnerabilities
                             23 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RootCandy
                   AddToAny
                   Web Services
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access  -- Remote/Unauthenticated
                   Cross-site Scripting -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-4044 CVE-2009-4043 CVE-2009-4042

Original Bulletin: 
   http://drupal.org/node/630168
   http://drupal.org/node/630208
   http://drupal.org/node/630244

Comment: This bulletin contains three (3) Drupal Security Advisories
         
         Please note that the Web Services module is no longer maintained
         and has no patch for the vulnerability. Users should consider
         disabling the module if it is not being used.

Revision History:  November 23 2009: Added CVE References
                   November 12 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-099
  * Project: RootCandy (third-party theme)
  * Version: 6.x
  * Date: 2009-November-11
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

RootCandy is a theme specifically designed for use in the administration
section. The theme fails to sanitize a URL value, leading to a Cross Site
Scripting (XSS [1]) vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * RootCandy theme for Drupal 6.x prior to RootCandy 6.x-1.5 [2]

Drupal core is not affected. If you do not use the contributed RootCandy
theme [3], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the RootCandy theme for Drupal 6.x upgrade to RootCandy 6.x-1.5
    [4]

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by Jim McIntyre

- -------- FIXED BY ------------------------------------------------------------

  * Fixed by Marek Sotak [5], the theme maintainer

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/629894
[3] http://drupal.org/project/rootcandy
[4] http://drupal.org/node/629894
[5] http://drupal.org/user/37679


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-100
  * Project: AddToAny (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009 November 11
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

AddToAny module provides a share button for AddToAny service for social
networks. The module fails to sanitize a value in node title, leading to a
Cross Site Scripting (XSS [1]) vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * AddToAny module for Drupal 6.x prior to AddToAny 6.x-2.4 [2]
  * AddToAny module for Drupal 5.x prior to AddToAny 5.x-2.4 [3]

Drupal core is not affected. If you do not use the contributed AddToAny
module [4], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the AddToAny module for Drupal 6.x upgrade to AddToAny 6.x-2.4
    [5]
  * If you use the AddToAny module for Drupal 5.x upgrade to AddToAny 5.x-2.4
    [6]

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by Jakub Suchy [7] of the Drupal Security Team.

- -------- FIXED BY ------------------------------------------------------------

  * Fixed by Pat Diven [8], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/601110
[3] http://drupal.org/node/630198
[4] http://drupal.org/project/addtoany
[5] http://drupal.org/node/601110
[6] http://drupal.org/node/630198
[7] http://drupal.org/user/31977
[8] http://drupal.org/user/260224


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-101
  * Project: Web Services (third-party theme)
  * Version: 6.x
  * Date: 2009-November-11
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

- -------- DESCRIPTION ---------------------------------------------------------

The Web Services module provides an API for other sites to communicate with a
Drupal site, enabling the publishing of content, change of user information,
or simply integration of a Flash application. The module fails to implement
proper access checks, leading to an Access Bypass vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Web Services module, all versions.

Drupal core is not affected. If you do not use the contributed Web Services
[1] module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Web Services module is not maintained and there is no direct solution.
Disable the module. The Services [2] module, from which Web Services was
forked, may be a possible replacement depending on your requirements.

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by Paolo Sinelli

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/webservices
[2] http://drupal.org/project/services

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLCdl0NVH5XJJInbgRAg2BAJ0TyBbYjXRxb7nz3VRXxiJ9I22TwwCgim0/
QdfbsWsBP9yI9K2668lbfTA=
=09+e
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=10285&it=11944