Date: 04 January 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0002
Drupal: Multiple vulnerabilities
4 January 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: CCK Comment Reference (Drupal third-party module)
FAQ Ask (Drupal third-party module)
Webform (Drupal third-party module)
Shibboleth authentication (Drupal third-party module)
Printer, e-mail and PDF versions (Drupal third-party module)
RealName (Drupal third-party module)
Insert Node (Drupal third-party module)
Storm (Drupal third-party module)
OpenSocial Shindig-Integrator (Drupal third-party module)
Workflow (Drupal third-party module)
Publisher: Drupal
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Administrator Compromise -- Remote/Unauthenticated
Increased Privileges -- Remote with User Interaction
Cross-site Request Forgery -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2009-4534 CVE-2009-4533 CVE-2009-4532
CVE-2009-4526 CVE-2009-4525 CVE-2009-4524
CVE-2009-4520 CVE-2009-4518 CVE-2009-4517
CVE-2009-4516 CVE-2009-4515 CVE-2009-4514
CVE-2009-4513
Original Bulletin:
http://drupal.org/node/617456
http://drupal.org/node/617422
http://drupal.org/node/617494
http://drupal.org/node/617400
http://drupal.org/node/604760
http://drupal.org/node/604808
http://drupal.org/node/604488
http://drupal.org/node/604942
http://drupal.org/node/617444
http://drupal.org/node/617380
Comment: This bulletin contains ten (10) Drupal security advisories.
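The affected and fixed releases named in the ten included advisories can be turned into a quick audit of an installation. The script below is an added example and is not code from AusCERT or from the Drupal advisories: it parses the 'project', 'core' and 'version' keys that drupal.org packaging writes into each module's .info file and reports any module that is below the fixed release, unsupported, or on a -dev snapshot that cannot be compared. The .info contents are constructed samples, and the drupal.org project short names in the FIXED table are assumptions that should be checked against the 'project' line of the real modules.

```python
"""Audit Drupal contrib .info files against the fixed releases in ESB-2010.0002.
Added example; not part of the AusCERT bulletin or the Drupal advisories."""
import re

# Lowest fixed release per (drupal.org project, core branch) taken from the
# "Solution" sections of the ten advisories.  None marks a branch the advisory
# says is unsupported and should be disabled.  The short names are assumptions:
# verify them against the 'project' line in each module's .info file.
FIXED = {
    ("cck_comment_reference", "6.x"): "6.x-1.3",
    ("cck_comment_reference", "5.x"): "5.x-1.2",
    ("faq_ask", "6.x"): "6.x-2.0",
    ("faq_ask", "5.x"): None,
    ("webform", "6.x"): "6.x-2.8",
    ("webform", "5.x"): "5.x-2.8",
    ("shib_auth", "6.x"): "6.x-3.2",
    ("shib_auth", "5.x"): "5.x-3.4",
    ("print", "6.x"): "6.x-1.9",
    ("print", "5.x"): "5.x-4.9",
    ("realname", "6.x"): "6.x-1.3",
    ("insert_node", "5.x"): "5.x-1.2",
    ("storm", "6.x"): "6.x-1.25",
    ("shindig_integrator", "6.x"): "6.x-2.1",
    ("shindig_integrator", "5.x"): None,
    ("workflow", "6.x"): "6.x-1.2",
    ("workflow", "5.x"): "5.x-2.4",
}

# drupal.org contrib versions look like 6.x-2.7, 6.x-2.8-beta1 or 6.x-2.x-dev.
_VERSION_RE = re.compile(
    r"^(?P<core>\d\.x)-(?P<major>\d+)\.(?P<minor>\d+|x)(?:-(?P<extra>[a-z]+\d*))?$")


def parse_version(text):
    """Return (core, major, minor, extra) or None if the string is malformed.
    minor is None for a -dev snapshot, which has no comparable release number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    minor = None if m.group("minor") == "x" else int(m.group("minor"))
    return (m.group("core"), int(m.group("major")), minor, m.group("extra"))


def _key(parsed):
    """Sort key: a tagged pre-release (alpha/beta/rc) ranks below the final."""
    core, major, minor, extra = parsed
    return (major, minor, 0 if extra else 1, extra or "")


def parse_info(text):
    """Parse the key = "value" lines of a Drupal 6 .info file into a dict."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info


def audit(info_files):
    """info_files: {path: contents}.  Returns (path, status, detail) triples with
    status in 'vulnerable', 'unsupported', 'review' or 'ok'."""
    findings = []
    for path, text in info_files.items():
        info = parse_info(text)
        project, core = info.get("project"), info.get("core")
        if (project, core) not in FIXED:
            continue  # not one of the modules named in this bulletin
        fixed = FIXED[(project, core)]
        if fixed is None:
            findings.append((path, "unsupported", "branch %s has no fix; disable the module" % core))
            continue
        version = info.get("version", "")
        have = parse_version(version)
        if have is None or have[2] is None:
            findings.append((path, "review", "cannot compare %r with %s" % (version, fixed)))
        elif _key(have) < _key(parse_version(fixed)):
            findings.append((path, "vulnerable", "%s is below %s" % (version, fixed)))
        else:
            findings.append((path, "ok", "%s is at or above %s" % (version, fixed)))
    return findings


# Constructed sample .info contents standing in for files under sites/all/modules.
SAMPLE_INFO = {
    "sites/all/modules/webform/webform.info":
        'name = "Webform"\ncore = "6.x"\nproject = "webform"\nversion = "6.x-2.7"\n',
    "sites/all/modules/workflow/workflow.info":
        'name = "Workflow"\ncore = "6.x"\nproject = "workflow"\nversion = "6.x-1.2"\n',
    "sites/all/modules/storm/storm.info":
        'name = "Storm"\ncore = "6.x"\nproject = "storm"\nversion = "6.x-1.x-dev"\n',
    "sites/all/modules/faq_ask/faq_ask.info":
        'name = "FAQ Ask"\ncore = "5.x"\nproject = "faq_ask"\nversion = "5.x-1.3"\n',
    "sites/all/modules/views/views.info":
        'name = "Views"\ncore = "6.x"\nproject = "views"\nversion = "6.x-2.8"\n',
}

if __name__ == "__main__":
    for path, status, detail in audit(SAMPLE_INFO):
        print("%-11s %s (%s)" % (status, path, detail))
```

On a real site, replace SAMPLE_INFO with the contents of every *.info file under sites/all/modules and sites/*/modules; a module reported as 'review' is on a development snapshot and must be checked against the commit date of the fix rather than by version number.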
- --------------------------BEGIN INCLUDED TEXT--------------------
* Advisory ID: DRUPAL-SA-CONTRIB-2009-083
* Project: CCK Comment Reference (third-party module)
* Version: 6.x
* Date: 2009-October-28
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
- - -------- Description
- - ---------------------------------------------------------
The CCK Comment Reference module enables administrators to define node fields
that are references to comments. Users can access comments through the
autocomplete path that the module provides even if they don't have access to
read comments.
- - -------- Versions affected
- - ---------------------------------------------------------
* CCK Comment Reference module versions Drupal 6.x prior to CCK Comment
Reference 6.x-1.3
* Comment reference module versions Drupal 5.x prior to CCK Comment
Reference 5.x-1.2
Drupal core is not affected. If you do not use the contributed CCK Comment
Reference module, there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Install the latest version.
* If you use the CCK Comment Reference module for Drupal 6.x upgrade to
CCK Comment Reference 6.x-1.3
* If you use the CCK Comment Reference module for Drupal 5.x upgrade to
CCK Comment Reference 5.x-1.2
- - -------- Reported by
- - ---------------------------------------------------------
* Ben Jeavons of Drupal Security Team.
- - -------- Fixed by
- - ---------------------------------------------------------
* Kristof De Jaeger, the module maintainer.
- - -------- Contact
- - ---------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
__________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-087
* Project: FAQ Ask (third-party module)
* Version: 6.x
* Date: 2009-October-28
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple Vulnerabilities (XSS, CSRF, Open Redirect)
- - -------- Description
- - ---------------------------------------------------------
The FAQ Ask module enables site users to ask questions for experts to answer.
The module suffers from multiple vulnerabilities, including cross-site request
forgery (CSRF), cross-site scripting (XSS) and an open redirect.
These vulnerabilities allow an attacker to hijack the account of a logged
in user by tricking them into visiting a seemingly innocent page, and gain
access to unpublished content on a site.
- - -------- Versions affected
- - ---------------------------------------------------------
* FAQ Ask module for Drupal 6.x prior to 6.x-2.0 (including 6.x-1.x)
* FAQ Ask module for Drupal 5.x
Drupal core is not affected. If you do not use the contributed FAQ Ask module,
there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Upgrade to the latest version or disable the module.
* If you use FAQ Ask for Drupal 6.x upgrade to version 6.x-2.0
* If you use FAQ Ask for Drupal 5.x it is no longer supported and you
should disable it or upgrade your site to 6.x so you can use FAQ
Ask 6.x-2.0.
- - -------- Reported by
- - ---------------------------------------------------------
* XSS and CSRF vulnerability reported by Dylan Wilder-Tack
See also the FAQ Ask module project page.
- - -------- Fixed by
- - ---------------------------------------------------------
* Fixed by NancyDru.
- - -------- Contact
- - ---------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
__________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-074
* Project: Webform (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
- - -------- Description
- - ---------------------------------------------------------
Cross-site scripting
The Webform module enables the creation of custom forms for collecting data
from users. The Webform module does not properly escape field labels in
certain situations. A malicious user with permission to create webforms
could plant a cross-site scripting (XSS) payload in a label that executes
when a privileged user views the results, which may give the attacker full
administrative access.
Session data disclosure
The Webform module fails to prevent the page from being cached when a default
value uses token placeholders. This leads to disclosure of session variables
to anonymous users when caching is enabled.
- - -------- Versions affected
- - ---------------------------------------------------------
* Webform for Drupal 6.x prior to 6.x-2.8
* Webform for Drupal 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Webform module,
there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Upgrade to the latest version:
* If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8
* If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8
See also the Webform project page.
- - -------- Reported by
- - ---------------------------------------------------------
The XSS issue was reported by Justin Klein Keane.
The session disclosure issue was reported by seattlehimay.
- - -------- Fixed by
- - ---------------------------------------------------------
The XSS issue was fixed by Greg Knaddison of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug, the module maintainer.
- - -------- Contact
- - ---------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.
___________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-070
* Project: Shibboleth authentication (third-party module)
* Version: 6.x, 5.x
* Date: 2009-October-14
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Impersonation, privilege escalation
- - -------- Description
- - ---------------------------------------------------------
The Shibboleth authentication module provides user authentication and
authorisation based on the Shibboleth Web Single Sign-on system.
The module does not properly handle the changes of the underlying Shibboleth
session. This can result in impersonation and possible privilege escalation
if a user leaves the browser unattended (i.e. after SAML2 Single Logout). A
person using the same browser session but re-authenticated at their IdP
might become logged in as the original user (even accidentally). Dynamic
roles which are provided by the module are based on the attributes of the
new user, however any permissions statically granted to the victim would
still be in effect.
- - -------- Versions affected
- - ---------------------------------------------------------
* Shibboleth authentication versions for Drupal 6.x prior to 6.x-3.2
* Shibboleth authentication versions for Drupal 5.x prior to 5.x-3.4
Drupal core is not affected. If you do not use the contributed Shibboleth
authentication module, there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Upgrade to the latest version:
* If you use Shibboleth authentication for Drupal 6.x upgrade to
version 6.x-3.2
* If you use Shibboleth authentication for Drupal 5.x upgrade to
version 5.x-3.4
See also the Shibboleth authentication project page.
- - -------- Reported by
- - ---------------------------------------------------------
Kristof Bajnok, Shibboleth authentication module maintainer.
- - -------- Fixed by
- - ---------------------------------------------------------
Kristof Bajnok, Shibboleth authentication module maintainer.
- - -------- Contact
- - ---------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
___________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-073
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2009-October-14
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
- - -------- Description
- - ---------------------------------------------------------
The Printer, e-mail and PDF versions ("print") module provides printer-friendly
versions of content. When displaying the list of links in a page, the module
does not properly escape this data, leading to a cross site scripting (XSS)
vulnerability.
In addition, the "Send by e-mail" sub-module does not properly check for
access permissions before displaying the "Send to friend" form, and may
display the page title for pages to which the user does not have access
(usually because they are unpublished or not permitted for their role), even though
the user is not actually allowed to send them by e-mail.
- - -------- Versions affected
- - ---------------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.9
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.9
Drupal core is not affected. If you do not use the contributed Printer, e-mail
and PDF versions module, there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
Printer, e-mail and PDF versions 6.x-1.9
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.9
Or Alternatively:
Disable the "Printer-friendly URLs list" in 'admin/settings/print/common' and
disable the "Send by e-mail" ("print_mail") module.
See also the Printer, e-mail and PDF versions project page.
- - -------- Reported by
- - ---------------------------------------------------------
mcarbone
- - -------- Fixed by
- - ---------------------------------------------------------
jcnventura, the module maintainer
- - -------- Contact
- - ---------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
__________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-072
* Project: RealName (third-party module)
* Version: 6.x
* Date: 2009-October-14
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
- - -------- Description
- - ---------------------------------------------------------
The RealName module allows the administrator to choose fields from the user
profile that will be used to add a "real name" element (method) to a user
object. In some specific cases, the module does not sanitize before outputting
the realname, resulting in a cross-site scripting (XSS) vulnerability. Such
an attack may lead to a malicious user gaining full administrative access.
- - -------- Versions affected
- - ---------------------------------------------------------
* RealName 6.x-1.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed RealName module,
there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Install the latest version:
* If you use the RealName for Drupal 6.x-1.x upgrade to RealName 6.x-1.3
See also the RealName module project page.
- - -------- Reported by
- - ---------------------------------------------------------
mr.baileys
- - -------- Fixed by
- - ---------------------------------------------------------
NancyDru, the module maintainer
- - -------- Contact
- - ---------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
__________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-085
* Project: Insert Node (third-party module)
* Version: 5.x
* Date: 2009-October-28
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
- - -------- Description
- - ---------------------------------------------------------
The Insert Node module provides an input filter that enables a node to be
inserted within the body field of another node.
The module fails to sanitize the inserted node, making it vulnerable to a
cross site scripting (XSS) attack.
- - -------- Versions affected
- - ---------------------------------------------------------
* Insert Node module versions for Drupal 5.x prior to Insert Node 5.x-1.2
Drupal core is not affected. If you do not use the contributed Insert Node
module, there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Install the latest version.
* If you use the Insert Node module for Drupal 6.x there is nothing you
need to do.
* If you use the Insert Node module for Drupal 5.x upgrade to Insert Node
5.x-1.2
- - -------- Reported by
- - ---------------------------------------------------------
* Konstantin Käfer.
- - -------- Fixed by
- - ---------------------------------------------------------
* Mark Burton and Alexis Wilke, the module maintainers.
- - -------- Contact
- - ---------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
__________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-089
* Project: Storm (third-party module)
* Version: 6.x
* Date: 2009-October-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass
- - -------- Description
- - ---------------------------------------------------------
The Storm module provides a project management application for Drupal.
The module suffers a vulnerability whereby nodes of type 'storminvoiceitem'
are not respecting the expected access permissions, potentially exposing the
node title to unauthorized users.
- - -------- Versions affected
- - ---------------------------------------------------------
* Versions of Storm for Drupal 6.x prior to 6.x-1.25
Versions of Storm for Drupal 5.x and 7.x are not affected.
Drupal core is not affected. If you do not use the 6.x version of the
contributed Storm module, there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Install the latest version:
* If you use Storm for Drupal 6.x upgrade to Storm 6.x-1.25
Also see the Storm project page.
- - -------- Reported by
- - ---------------------------------------------------------
* Fabio Fabbri
- - -------- Fixed by
- - ---------------------------------------------------------
* Magnity, the module maintainer
- - -------- Contact
- - ---------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
__________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-086
* Project: OpenSocial Shindig-Integrator (third-party module)
* Version: 6.x, 5.x
* Date: 2009-October-28
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
- - -------- Description
- - ---------------------------------------------------------
The OpenSocial Shindig-Integrator module enables sites to host OpenSocial
widgets.
The module fails to sanitize user input, making it vulnerable to cross site
scripting (XSS) attacks. This vulnerability is somewhat limited by the fact
that an attacker would need an account with the permissions to "create
application" on the site.
- - -------- Versions affected
- - ---------------------------------------------------------
* OpenSocial Shindig-Integrator module for Drupal 6.x prior to OpenSocial
Shindig-Integrator 6.x-2.1
* OpenSocial Shindig-Integrator module for Drupal 5.x
Drupal core is not affected. If you do not use the contributed OpenSocial
Shindig-Integrator module, there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Install the latest version or disable the module.
* If you use the OpenSocial Shindig-Integrator module for Drupal 6.x
upgrade to OpenSocial Shindig-Integrator 6.x-2.1
* If you use the OpenSocial Shindig-Integrator module for Drupal 5.x,
disable the module and un-install it. The 5.x branch is no longer
supported.
- - -------- Reported by
- - ---------------------------------------------------------
* Tony Mobily
- - -------- Fixed by
- - ---------------------------------------------------------
* Astha Bhatnagar, module maintainer.
- - -------- Contact
- - ---------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
__________________________________________________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2009-088
* Project: Workflow (third-party module)
* Version: 6.x, 5.x
* Date: 2009-October-28
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
- - -------- Description
- - ---------------------------------------------------------
The Workflow module enables sites to define flexible process management
systems. Names of workflows and workflow states are not sanitised to display
as plain text, leading to a Cross Site Scripting (XSS) vulnerability.
Exploiting this vulnerability would allow a malicious user to gain full
administrative access.
Mitigating factors: A malicious user would need 'administer workflow'
permission to carry out the cross-site-scripting attack.
- - -------- Versions affected
- - ---------------------------------------------------------
* Workflow module versions Drupal 6.x prior to Workflow 6.x-1.2
* Workflow module versions Drupal 5.x prior to Workflow 5.x-2.4
Drupal core is not affected. If you do not use the contributed Workflow module,
there is nothing you need to do.
- - -------- Solution
- - ---------------------------------------------------------
Install the latest version.
* If you use the Workflow module for Drupal 6.x upgrade to Workflow
6.x-1.2
* If you use the Workflow module for Drupal 5.x upgrade to Workflow
5.x-2.4
- - -------- Reported by
- - ---------------------------------------------------------
Justin_KleinKeane.
- - -------- Fixed by
- - ---------------------------------------------------------
jvandyk, the module maintainer.
- - -------- Contact
- - ---------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
- --------------------------END INCLUDED TEXT--------------------
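The Shibboleth authentication issue (DRUPAL-SA-CONTRIB-2009-070 above) is easiest to see as a session-binding failure: the application session was created from one SP session and keeps being honoured after that SP session has ended or been replaced by someone else's. The simulation below is an added example and is not the module's code; the request dictionaries and the 'Shib-Session-ID' and 'eppn' attribute names stand in for what a Shibboleth SP exports to the application and are assumptions made for the example. It runs the scenario from the advisory twice, once with the vulnerable behaviour and once with the application session bound to the SP session.

```python
"""Application-session binding to the Shibboleth SP session.
Added example illustrating DRUPAL-SA-CONTRIB-2009-070; not the module's code.
Request dicts, 'Shib-Session-ID' and 'eppn' are constructed stand-ins for the
environment a Shibboleth SP exports to the application (assumed names)."""


class SessionBroker:
    """Maps application session cookies to logged-in users.

    bind_to_sp_session=False reproduces the vulnerable behaviour: once an
    application session exists it is trusted no matter what the SP now says.
    bind_to_sp_session=True records the SP session the login came from and
    discards the application session as soon as that SP session changes."""

    def __init__(self, bind_to_sp_session):
        self.bind = bind_to_sp_session
        self.sessions = {}       # cookie -> {"user": ..., "sp_session": ...}
        self._counter = 0

    def _new_session(self, user, sp_session):
        self._counter += 1
        cookie = "APPSESS%d" % self._counter
        self.sessions[cookie] = {"user": user, "sp_session": sp_session}
        return cookie

    def handle(self, request):
        """Process one request; return (cookie, effective_user)."""
        env = request["env"]
        sp_session = env.get("Shib-Session-ID")   # None once the SP session ended
        cookie = request.get("cookie")
        current = self.sessions.get(cookie)

        if current is not None:
            if not self.bind:
                # Vulnerable: the application session outlives the SP session
                # and whoever sits at the browser inherits the original user,
                # including every permission statically granted to that user.
                return cookie, current["user"]
            if current["sp_session"] == sp_session:
                return cookie, current["user"]
            # Fixed: the SP session ended or was replaced, so the person at the
            # browser is not necessarily the one who created this session.
            del self.sessions[cookie]

        if sp_session is None:
            return None, None          # nobody is authenticated at the SP
        user = env["eppn"]
        return self._new_session(user, sp_session), user


def scenario(bind):
    """Alice logs in, Single Logout ends her SP session, Bob re-authenticates on
    the same unattended browser.  Returns who the application treats as logged in."""
    broker = SessionBroker(bind)
    cookie, _ = broker.handle({"cookie": None,
                               "env": {"Shib-Session-ID": "S1", "eppn": "alice@example.edu"}})
    # The browser still sends Alice's application cookie, but the SP now
    # exports a different session and Bob's identity.
    _, user = broker.handle({"cookie": cookie,
                             "env": {"Shib-Session-ID": "S2", "eppn": "bob@example.edu"}})
    return user


def after_single_logout(bind):
    """Same start, but the next request arrives after SLO with no SP session."""
    broker = SessionBroker(bind)
    cookie, _ = broker.handle({"cookie": None,
                               "env": {"Shib-Session-ID": "S1", "eppn": "alice@example.edu"}})
    _, user = broker.handle({"cookie": cookie, "env": {}})
    return user


if __name__ == "__main__":
    for bind in (False, True):
        label = "bound to SP session" if bind else "vulnerable"
        print("%-20s re-auth as Bob -> %s; after SLO -> %s"
              % (label, scenario(bind), after_single_logout(bind)))
```

With the vulnerable behaviour both calls return Alice, which is the impersonation the advisory describes; with binding, Bob is logged in as Bob and a browser with no SP session is logged in as nobody. The same check belongs in any SSO integration that keeps its own session cookie: store the identity provider's session identifier at login and re-validate it on every request.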
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLQV66NVH5XJJInbgRAh29AJoCiylHpFrQ8Df2USDQNLdBIwOJzACZASVU
/BGNwO6qMvZsgTjjxBIcYtY=
=aTYw
-----END PGP SIGNATURE-----