ESB-2010.0040.2 - UPDATE [Win][UNIX/Linux] Drupal: Cross-site scripting - Remote with user interaction

Date: 22 January 2010
Related Files: ESB-2010.0040  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2010.0040.2
                     Drupal: Multiple vulnerabilities
                              22 January 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Own Term (third-party module)
                   Node Block (third-party module)
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-0370  

Original Bulletin: 
   http://drupal.org/node/683576

Comment: This bulletin contains two (2) Drupal security advisories.

Revision History:  January 22 2010: Added CVE Reference
                   January 14 2010: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-005
  * Project: Own Term (third-party module)
  * Version: 6.x-1.0
  * Date: 2010-January-13
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Own Term module allows users to create taxonomy terms in a designated
vocabulary; when content is created, the term is automatically added to the
node. The module does not sanitize the term description on a term listing
page, which opens that page to a cross-site scripting (XSS [1]) attack. Users
with a role containing the permission 'create additional terms' can exploit
this vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Own Term module 6.x-1.0

Drupal core is not affected. If you do not use the contributed Own Term
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Own Term module for Drupal 6.x upgrade to Own Term 6.x-1.1
    [2]

See also the Own Term project page [3].

- -------- REPORTED BY ---------------------------------------------------------

Benjamin Jeavons [4], Own Term module comaintainer.

- -------- FIXED BY ------------------------------------------------------------

Benjamin Jeavons [5], Own Term module comaintainer.

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/683544
[3] http://drupal.org/project/ownterm
[4] http://drupal.org/user/91990
[5] http://drupal.org/user/91990

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-004
  * Project: Node Block (third-party module)
  * Version: 6.13, 5.11
  * Date: 2010-January-13
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

This module allows you to specify content type(s) as being a block, so that
the content managers of the site can edit the block text and title without
having to access the block administration page. Users need only edit access
to the node in order to change it. Users with administer block access will
see region and weight options on the node form. The Node Block module creates
a block from the specified content type(s). Node Block does not properly
escape titles, allowing users with permission to create or edit the specified
content type(s) to inject arbitrary code into the site. Such a cross-site
scripting (XSS) attack may lead to a malicious user gaining full
administrative access.
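Both descriptions above (Own Term's unsanitized term description and Node Block's unescaped titles) share one failure mode: text that a low-privileged user controls is written into page markup as-is. The PHP below is an added illustration, not code from either advisory or from the Own Term or Node Block modules. The function names and sample inputs are constructed, and it runs without a Drupal install by using htmlspecialchars() and strip_tags() in place of Drupal 6's check_plain() and filter_xss(); the real modules' fixes may differ in detail.

```php
<?php
// Added example, not code from the Drupal advisories or from the Own Term /
// Node Block projects. Models the two bugs described above: a title and a
// description written into HTML without escaping, next to the escaped form.
// htmlspecialchars() stands in for Drupal 6's check_plain(), which wraps it
// with ENT_QUOTES and UTF-8; filter_limited_html() is a simplified stand-in
// for filter_xss(), used for fields allowed to keep a few inline tags.
// All function names here are illustrative (assumption, not module code).

// Constructed sample input: what a user holding 'create additional terms'
// (Own Term) or edit rights on the node (Node Block) could submit.
$untrusted_title       = 'Weekly notice <script>alert(document.cookie)</script>';
$untrusted_description = 'Read <b>this</b> <img src=x onerror="alert(1)">';

// Vulnerable pattern: user-supplied strings concatenated straight into markup.
function render_block_unescaped($title, $body) {
    return '<h2 class="block-title">' . $title . '</h2>'
         . '<div class="content">' . $body . '</div>';
}

// check_plain() equivalent: every character that could open or close a tag
// or attribute becomes an entity, so the value can only render as text.
function escape_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// filter_xss()-style handling for a field that may keep a small whitelist of
// inline tags: drop every other tag, then strip attributes from the survivors
// so on* event handlers cannot ride along on an allowed tag.
function filter_limited_html($text, array $allowed = array('b', 'i', 'em', 'strong')) {
    $keep = '<' . implode('><', $allowed) . '>';
    $text = strip_tags($text, $keep);
    return preg_replace('/<(\/?)(\w+)[^>]*>/', '<$1$2>', $text);
}

// Hardened pattern: the title is plain text, the body keeps only safe tags.
function render_block_escaped($title, $body) {
    return '<h2 class="block-title">' . escape_plain($title) . '</h2>'
         . '<div class="content">' . filter_limited_html($body) . '</div>';
}

// Regression-style check a maintainer can keep in a test suite: rendered
// markup must not carry a script tag, an event-handler attribute, or a
// javascript: URL that originated in user input.
function contains_active_content($html) {
    return (bool) preg_match('/<script\b|\son\w+\s*=|javascript:/i', $html);
}

$vuln = render_block_unescaped($untrusted_title, $untrusted_description);
$safe = render_block_escaped($untrusted_title, $untrusted_description);

printf("unescaped output carries active content: %s\n",
       contains_active_content($vuln) ? 'yes' : 'no');   // yes
printf("escaped output carries active content:   %s\n",
       contains_active_content($safe) ? 'yes' : 'no');   // no
echo $safe, "\n";
```

Run it with `php example.php`. The point of the check function is that escaping belongs at the output boundary, where the module decides whether a value is a title (plain text only) or a description (restricted HTML); deciding that once per output path, rather than trusting that input was cleaned somewhere upstream, is what closes both advisories' bug class.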

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Node Blocks module 5.x-1.1 and prior versions
  * Node Blocks module 6.x-1.3 and prior versions

Drupal core is not affected. If you do not use the contributed Node Block
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Node Blocks module for Drupal 5.x upgrade to Node Blocks
    5.x-1.2 [1]
  * If you use the Node Blocks module for Drupal 6.x upgrade to Node Blocks
    6.x-1.4 [2]

See also the Node Block project page [3].

- -------- REPORTED BY ---------------------------------------------------------

Martin Barbella [4] and Khalid Baheyeldin [5]

- -------- FIXED BY ------------------------------------------------------------

Thomas Turnbull [6].

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/683586
[2] http://drupal.org/node/683584
[3] http://drupal.org/project/nodeblock
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/4063
[6] http://drupal.org/user/125573

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLWR6BNVH5XJJInbgRAnPAAJ9AdDfc7E54iCE2/bR1C5m2Xee3OgCeM+u3
V3Ua7TuiHOX+s4tLsFc2wQM=
=Dc4Y
-----END PGP SIGNATURE-----