Date: 26 September 2008
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2008.0925 -- [Win][UNIX/Linux]
          Vulnerabilities in several Drupal third-party modules
                          26 September 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Brilliant Gallery
                   Ajax Checklist
                   Simplenews
                   Stock
                   Plugin Manager
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact:            SQL Injection
                   Cross-site Scripting
                   Inappropriate Access
Access:            Remote/Unauthenticated

Original Bulletin: http://drupal.org/node/313054
                   http://drupal.org/node/312968
                   http://drupal.org/node/312944
                   http://drupal.org/node/312923
                   http://drupal.org/node/312898

Comment: This bulletin describes vulnerabilities in five of Drupal's
         third-party modules.
--------------------------BEGIN INCLUDED TEXT--------------------
------------SA-2008-058 - BRILLIANT GALLERY - SQL INJECTION------------
* Advisory ID: DRUPAL-SA-2008-058
* Project: Brilliant Gallery (third-party module)
* Versions: 5.x, 6.x
* Date: 2008-September-25
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL injection
------------DESCRIPTION------------
The module does not properly use Drupal's database API and inserts values
supplied by users directly into queries. This can be exploited by malicious
users with the "access brilliant_gallery" permission to perform SQL Injection
attacks [ http://en.wikipedia.org/wiki/Sql_injection ]. These attacks may lead
to the malicious user gaining administrator access.
------------VERSIONS AFFECTED------------
* All versions of Brilliant Gallery
Drupal core is not affected. If you do not use the Brilliant Gallery module,
there is nothing you need to do.
------------SOLUTION------------
There is no solution available. Please disable the module and remove it from
your site.
The module has been removed from Drupal.org.
------------REPORTED BY------------
* The SQL injection vulnerability was reported by Justin Klein Keane
(Justin_KleinKeane [ http://drupal.org/user/302225 ])
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.
------------SA-2008-057 - AJAX CHECKLIST - MULTIPLE VULNERABILITIES------------
* Advisory ID: DRUPAL-SA-2008-057
* Project: Ajax Checklist (third-party module)
* Versions: 5.x
* Date: 2008-September-24
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL injection, Cross site scripting
------------DESCRIPTION------------
The Ajax Checklist module implements a filter that allows a user to include
checkboxes in content.
The module does not properly use Drupal's database API and inserts values
supplied by users directly into queries. This can be exploited by malicious
users with the "update ajax checklists" permission to perform SQL Injection
attacks [ http://en.wikipedia.org/wiki/Sql_injection ]. These attacks may lead
to the malicious user gaining administrator access.
The module also displays certain values without appropriate filtering.
Malicious users with the permission to create or edit posts and the ability to
use an input format containing the ajax_checklist filter are able to exploit
this issue and insert arbitrary HTML and script code into pages. Such a cross
site scripting attack [ http://en.wikipedia.org/wiki/Cross-site_scripting ]
(XSS) may lead to a malicious user gaining administrator access.
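The two defect classes behind SA-2008-058 and SA-2008-057, shown as an added example (not code from Brilliant Gallery or Ajax Checklist): the unsafe pattern beside the Drupal 6 API call that closes it. The module name "example_list", its table and columns, and the "[list:...]" filter syntax are assumptions.

```php
<?php
// Added example, not code from Brilliant Gallery or Ajax Checklist: the two
// defect classes named in SA-2008-058 and SA-2008-057, each as the vulnerable
// pattern beside the Drupal 6 API call that closes it. The module name
// "example_list", the table {example_list} and its columns are hypothetical.

// --- SQL injection ---------------------------------------------------------
// VULNERABLE: request values concatenated straight into the query string.
// A $title containing a single quote ends the literal and the rest of the
// value is parsed as SQL.
function example_list_rename_unsafe($lid, $title) {
  db_query("UPDATE {example_list} SET title = '" . $title . "' WHERE lid = " . $lid);
}

// FIXED: db_query() placeholders. %d casts the argument to an integer and
// '%s' is escaped before substitution, so neither value can alter the query.
function example_list_rename($lid, $title) {
  db_query("UPDATE {example_list} SET title = '%s' WHERE lid = %d", $title, $lid);
}

// --- Cross-site scripting --------------------------------------------------
// VULNERABLE: a stored value is written into HTML unescaped, so script
// saved by one author runs in every other visitor's browser.
function example_list_item_unsafe($item) {
  return '<li>' . $item->title . '</li>';
}

// FIXED: escape on output. check_plain() converts < > & " and ' to entities
// and is the right call for text that should carry no markup; where some
// markup is intended, filter_xss($text, array('em', 'strong')) whitelists it.
function example_list_item($item) {
  return '<li>' . check_plain($item->title) . '</li>';
}

// The same rule inside an input filter (SA-2008-057 concerns a filter): text
// captured from the post body by a regex is user input, so the hook_filter()
// 'process' op must escape it before emitting it as markup.
function _example_list_filter_label($matches) {
  return '<span class="list-label">' . check_plain($matches[1]) . '</span>';
}

function example_list_filter_process($text) {
  // Hypothetical syntax: "[list:Shopping]" becomes an escaped label.
  return preg_replace_callback('/\[list:([^\]]+)\]/', '_example_list_filter_label', $text);
}
```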
------------VERSIONS AFFECTED------------
* Versions of Ajax Checklist for Drupal 5.x prior to 5.x-1.1
Drupal core is not affected. If you do not use the Ajax Checklist module, there
is nothing you need to do.
------------SOLUTION------------
Install the latest version.
* If you use Ajax Checklist for Drupal 5.x upgrade to Ajax Checklist 5.x-1.1
[ http://drupal.org/node/312966 ]
Also see the Ajax Checklist project page [
http://drupal.org/project/ajax_checklist ].
------------REPORTED BY------------
* The SQL injection vulnerability was reported by Justin Klein Keane
(Justin_KleinKeane [ http://drupal.org/user/302225 ])
* The cross site scripting vulnerability was reported by Heine Deelstra
(Heine [ http://drupal.org/user/17943 ]) of the Drupal security team
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.
------------SA-2008-056 - SIMPLENEWS - CROSS SITE SCRIPTING------------
* Advisory ID: DRUPAL-SA-2008-056
* Project: Simplenews (third-party module)
* Versions: 5.x, 6.x
* Date: 2008-September-24
* Security risk: Not Critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
------------DESCRIPTION------------
Simplenews publishes and sends newsletters to lists of subscribers. Newsletter
categories are not always properly escaped. This allows users with the
"administer taxonomy" permission to add arbitrary HTML and script code to the
site. Wikipedia has more information about such cross site scripting [
http://en.wikipedia.org/wiki/Xss ] (XSS) attacks.
------------VERSIONS AFFECTED------------
* Versions of Simplenews for Drupal 5.x prior to 5.x-1.5
* Versions of Simplenews for Drupal 6.x prior to 6.x-1.0-beta4
Drupal core is not affected. If you do not use the Simplenews module, there is
nothing you need to do.
------------SOLUTION------------
Install the latest version.
* If you use Simplenews for Drupal 5.x upgrade to Simplenews 5.x-1.5
[ http://drupal.org/node/288096 ]
* If you use Simplenews for Drupal 6.x upgrade to Simplenews 6.x-1.0-beta4
[ http://drupal.org/node/288094 ]
Note: Beta and development versions are not recommended for use on production
sites.
Also see the Simplenews project page [ http://drupal.org/project/Simplenews ].
------------REPORTED BY------------
* The module maintainer Erik Stielstra (Sutharsan [
http://drupal.org/user/73854 ])
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.
------------SA-2008-055 - STOCK - CROSS SITE SCRIPTING------------
* Advisory ID: DRUPAL-SA-2008-055
* Project: Stock (third-party module)
* Versions: 6.x
* Date: 2008-September-24
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
------------DESCRIPTION------------
The Stock module provides the ability to query price quotes and trading volumes
from various stock markets.
An oversight in the menu permissions code allows any user to change the text of
the heading at the top of the stock quotes page. As this text is not escaped, it
is safe only for an administrator of the site to modify. Due to the access
bypass, users can add arbitrary HTML and script code to pages. Wikipedia has more
information about such cross site scripting [ http://en.wikipedia.org/wiki/Xss ]
(XSS) attacks.
------------VERSIONS AFFECTED------------
* Versions of Stock for Drupal 6.x prior to 6.x-1.0
Drupal core is not affected. If you do not use the Stock module, there is
nothing you need to do.
------------SOLUTION------------
Install the latest version.
* If you use Stock for Drupal 6.x upgrade to Stock 6.x-1.0 [
http://drupal.org/node/312884 ]
Also see the Stock project page [ http://drupal.org/project/stock ].
------------REPORTED BY------------
* Greg Knaddison (greggles [ http://drupal.org/user/36762 ])
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.
------------SA-2008-054 - PLUGIN MANAGER - ACCESS BYPASS------------
* Advisory ID: DRUPAL-SA-2008-054
* Project: Plugin Manager (third-party module)
* Versions: 6.x
* Date: 2008-September-24
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access bypass
------------DESCRIPTION------------
The Plugin Manager module provides the methods and graphical interfaces needed
to automatically install new modules and themes from the Drupal.org website.
An oversight in the menu permissions code allows any user to uninstall and
remove modules installed with the Plugin Manager.
This risk is only present under insecure configurations where the web server
has permission to delete files. The recommended file permissions are described
in the drupal.org handbook at [ http://drupal.org/node/244924 ].
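The "oversight in the menu permissions code" named in SA-2008-055 and SA-2008-054, as an added example (not code from Stock or Plugin Manager): a Drupal 6 hook_menu() entry with an over-permissive access setting beside the corrected one. The module name "example_admin", its paths, permission string and variable name are assumptions; the advisories do not say what form the real oversights took.

```php
<?php
// Added example, not code from Stock or Plugin Manager: how a Drupal 6
// hook_menu() entry decides who may reach an administrative page. Module
// name "example_admin", paths, permission string and variable name are
// hypothetical; the advisories do not say what form the real oversights took.

// hook_perm(): declare the permission so roles can be granted it.
function example_admin_perm() {
  return array('administer example admin');
}

function example_admin_menu() {
  $items = array();

  // WEAK: 'access callback' => TRUE makes the path reachable by every visitor,
  // anonymous included: an access bypass of the kind both advisories describe.
  $items['admin/settings/example-admin/unsafe'] = array(
    'title' => 'Example settings (unsafe)',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_admin_settings_form'),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // FIXED: name the permission in 'access arguments'; Drupal then uses
  // user_access() as the access callback and only granted roles get in.
  $items['admin/settings/example-admin'] = array(
    'title' => 'Example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_admin_settings_form'),
    'access arguments' => array('administer example admin'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

// The settings form stores the heading shown on the module's public page.
function example_admin_settings_form() {
  $form['example_admin_heading'] = array(
    '#type' => 'textfield',
    '#title' => t('Heading text'),
    '#default_value' => variable_get('example_admin_heading', t('Quotes')),
  );
  return system_settings_form($form);
}

// Defence in depth for the Stock case: escape the stored heading on output,
// so an access bypass on the form alone could not become cross-site scripting.
function example_admin_page() {
  return '<h2>' . check_plain(variable_get('example_admin_heading', t('Quotes'))) . '</h2>';
}
```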
------------VERSIONS AFFECTED------------
All versions prior to Plugin Manager 6.x-1.2.
Drupal core is not affected. If you do not use the Plugin Manager module, there
is nothing you need to do.
------------SOLUTION------------
Install Plugin Manager 6.x-1.2 [ http://drupal.org/node/312887 ].
See also the Plugin Manager project page [
http://drupal.org/project/plugin_manager ].
------------REPORTED BY------------
Jared Forsyth (jabapyth [ http://drupal.org/user/222666 ])
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================