Operating System:

[WIN][UNIX/Linux]

Published:

16 April 2008

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2008.0340 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2008.0340 -- [Win][UNIX/Linux]
        Flickr and Ubercart (Drupal third-party module) Cross site
                         scripting vulnerabilities
                               16 April 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Flickr
                      Ubercart
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-1792

Original Bulletin:    http://drupal.org/node/241939
                      http://drupal.org/node/241944

Comment: The bulletin contains two (2) Drupal third-party module advisories.

Revision History:     April 16 2008: Added CVE reference
                      April  3 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------SA-2008-022 - FLICKR - CROSS SITE SCRIPTING------------

  * Advisory ID: DRUPAL-SA-2008-022

  * Project: Flickr (third-party module)

  * Version: 5.x, 6.x

  * Date: 2008-April-02

  * Security risk: Less critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

The Flickr module allows one to access photos on one's site via the Flickr API.
The module provides a filter for inserting photos and photosets and blocks for a
user's recent photos and photosets. Several values are displayed without being
escaped, which enables users to inject arbitrary HTML and script code on pages. 

- ------------VERSIONS AFFECTED------------

  * Flickr for Drupal 5.x prior to 5.x-1.3

  * Flickr for Drupal 6.x prior to 6.x-1.0-alpha

Drupal core is not affected. If you do not use the contributed Flickr module,
there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * If you use Drupal 5.x install Flickr 5.x-1.3 [
http://drupal.org/node/241943 ].

  * If you use Drupal 6.x install Flickr 6.x-1.0-alpha1. [
http://drupal.org/node/241941 ]

See also the Flickr project page [ http://drupal.org/project/flickr ].

- ------------REPORTED BY------------

Kees Cook [ https://wiki.ubuntu.com/KeesCook ] reported this issue.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


- ------------SA-2008-023 - UBERCART - CROSS SITE SCRIPTING------------

  * Advisory ID: DRUPAL-SA-2008-023

  * Project: Ubercart (third-party module)

  * Version: 5.x

  * Date: 2008-April-02

  * Security risk: Moderately critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

During checkout in Ubercart enabled stores, customers have text fields in which
to enter their address and order information.  Some stores will have modules
enabled that restrict what sort of values are accepted in these fields, but this
is not the case for everyone.  This provides an opportunity for a malicious user
to perform a cross site scripting attack when the orders are displayed on
administrative pages (particularly the order view page).

All users are encouraged to update to the latest version. Be sure to verify the
compatibility of your contrib modules as you perform the update.  (Recent beta
users should not run into any compatibility issues.)

- ------------VERSIONS AFFECTED------------

  * Ubercart for Drupal 5.x prior to 5.x-1.0-rc1

Drupal core is not affected. If you do not use the contributed Ubercart module,
there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * Ubercart 5.x-1.0-rc1 [ http://drupal.org/node/241016 ].

See also the Ubercart project page [ http://drupal.org/project/ubercart ].

- ------------REPORTED BY------------

chadcrew [ http://www.ubercart.org/user/1002 ] reported the issue via private
message at Ubercart.org, and the Ubercart team was able to adjust the code in
various modules in the project accordingly.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSAWbbih9+71yA2DNAQLQxQP+Lo5Sku4SfpD3aaUlWCXCmrGE5ldondm3
xVYQNsKvWuWUNslO4YyoAtOnsW/okz+7siFOceejH3xbbuEri3rIaWZgw1IGHwgX
yjht3GgN6udPIw42LBjdCPy7DLy5VyvnQ0fJM60CD0JFx22ePEnm0jWkNs1nbthR
wtAcNzuuN7w=
=UAlQ
-----END PGP SIGNATURE-----