-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2010.0460.2
           Drupal Third Party-Modules: Multiple Vulnerabilities
                                25 May 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Wordpress Import (third-party module)
                   CAPTCHA (third-party module)
                   Heartbeat (third-party module)
                   Privatemsg (third-party module)
                   Weather Underground (third-party module)
                   Tellafriend (third-party module)
                   Menu Block Split (third-party module)
                   osCommerce (third-party module)
                   Download Count (third-party module)
                   Comment Page (third-party module)
                   False Account Detector (third-party module)
                   User Queue (third-party module)
                   External Link Page (third-party module)
                   Storm (third-party module)
                   Simplenews (third-party module)
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Unauthorised Access             -- Existing Account
                   Create Arbitrary Files          -- Existing Account
                   Cross-site Scripting            -- Existing Account
                   Cross-site Request Forgery      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-2030  

Original Bulletin: 
   http://drupal.org/node/802810
   http://drupal.org/node/802904
   http://drupal.org/node/802896
   http://drupal.org/node/802508
   http://drupal.org/node/251466
   http://drupal.org/node/803254
   http://drupal.org/node/803842

Comment: This bulletin contains eight (8) Drupal security advisories.

Revision History:  May 25 2010: added CVE
                   May 20 2010: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-049
  * Project: Wordpress Import (third-party module)
  * Version: 6.x
  * Date: 2010-May-19
  * Security risk: Highly Critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

- -------- DESCRIPTION  
- ---------------------------------------------------------

The Wordpress Import module provides the ability to import nodes from a
Wordpress WXR export file. The form to import a WXR file does not check the
correct access permission, allowing any user to upload arbitrary files and
to import data from a remote WXR file.
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Wordpress Import for Drupal 6.x versions prior to 6.x-2.1 including all
    versions of 6.x-1.x.

Drupal core is not affected. If you do not use the contributed Wordpress
Import [1] module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Install the latest version and revoke the "import wordpress blog" permission
from untrusted roles.
  * If you use Wordpress Import 6.x-2.x or 6.x-1.x upgrade to Wordpress Import
    6.x-2.1 [2]. The Wordpress Import 6.x-1.x branch is no longer maintained.

*Important note*: Only give fully trusted users the "import wordpress blog"
permission. Wordpress Import 6.x-2.1 still allows a user with that permission
to upload arbitrary files.
- -------- REPORTED BY  
- ---------------------------------------------------------

  * Jennifer Hodgdon [3].

- -------- FIXED BY  
- ------------------------------------------------------------

  * Yann Rocq [4], module maintainer.
  * lavamind [5], module maintainer.

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal [6] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/project/wordpress_import
[2] http://drupal.org/node/802810
[3] http://drupal.org/user/155601
[4] http://drupal.org/user/57294
[5] http://drupal.org/user/564674
[6] http://drupal.org/security-team

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-050
  * Project: CAPTCHA (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-May-19
  * Security risk: Not Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

The CAPTCHA module enables a site administrator to put a CAPTCHA form element
(a simple challenge that is easy for humans, but hard for automated spam
bots) on any form. The CAPTCHA module does not sanitize the CAPTCHA
description that is added as help text to the CAPTCHA form element, allowing
users with permission to configure the CAPTCHA settings to insert arbitrary
HTML and script code. Such a cross site scripting (XSS [1]) attack may lead
to a malicious user gaining full administrative access. This vulnerability is
mitigated by the attacker needing the "administer CAPTCHA settings"
permission in order to exploit it.
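The flaw described above, and the block-subject and user-content XSS items
later in this bulletin (Weather Underground, Menu Block Split, osCommerce,
Heartbeat, Comment Page, Storm), all come from handing a string to the theme
layer without escaping it. The Drupal 6 fragment below is an added example
written for this bulletin, not code from the CAPTCHA module or any other
project named here; the module name `example_xss`, its variable names and the
constructed sample input are assumptions. Each function shows the unsafe form
in a comment beside the hardened form.

```php
<?php
// Added example (not from any module in this bulletin): unsanitized output
// in a hypothetical Drupal 6 module "example_xss".

/**
 * Form element whose help text is a setting typed in by an administrator.
 * In Drupal 6, '#description' is printed as raw HTML by theme_form_element().
 */
function example_xss_captcha_element() {
  $description = variable_get('example_xss_description', '');

  // VULNERABLE: a setting such as
  //   <img src="x" onerror="alert(document.cookie)">
  // executes in the browser of every visitor who sees the form.
  $form['captcha_bad'] = array(
    '#type' => 'textfield',
    '#title' => t('Unsafe CAPTCHA'),
    '#description' => $description,
  );

  // FIXED: escape it. filter_xss_admin() keeps most markup but strips script
  // vectors, which is appropriate for text that only administrators set;
  // check_plain() is the safer choice when no markup is needed.
  $form['captcha'] = array(
    '#type' => 'textfield',
    '#title' => t('CAPTCHA'),
    '#description' => filter_xss_admin($description),
  );
  return $form;
}

/**
 * Implementation of hook_block(). The block subject is a configurable
 * setting, as in the Weather Underground and Menu Block Split cases.
 */
function example_xss_block($op = 'list', $delta = 0, $edit = array()) {
  switch ($op) {
    case 'list':
      return array(0 => array('info' => t('Example block')));

    case 'view':
      $subject = variable_get('example_xss_block_subject', 'Weather');
      // Constructed sample of user-submitted text (a comment or "shout").
      $shout = 'Nice site <script>alert(1)</script> <a href="http://example.com">link</a>';
      return array(
        // VULNERABLE: 'subject' => $subject,
        'subject' => check_plain($subject),
        'content' => example_xss_render_shout($shout),
      );
  }
}

/**
 * Render user-submitted text. Users holding nothing more than "post comments"
 * must not be able to inject script, so the output goes through filter_xss()
 * with an explicit tag whitelist; use check_plain() instead when no markup
 * at all is wanted.
 */
function example_xss_render_shout($text) {
  // VULNERABLE: return '<div class="shout">' . $text . '</div>';
  return '<div class="shout">' . filter_xss($text, array('a', 'em', 'strong')) . '</div>';
}
```

The "administer CAPTCHA settings" mitigation limits who can plant the payload,
not who executes it: a script stored in an admin-only setting runs for every
visitor who sees the form, which is why the output side must be escaped
regardless of who is allowed to write the setting.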
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * CAPTCHA module for Drupal 5.x versions prior to 5.x-3.3
  * CAPTCHA module for Drupal 6.x versions prior to 6.x-2.2

Drupal core is not affected. If you do not use the contributed CAPTCHA [2]
module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Install the latest version:
  * If you use CAPTCHA module for Drupal 5.x, update to CAPTCHA 5.x-3.3 [3].
  * If you use CAPTCHA module for Drupal 6.x, update to CAPTCHA 6.x-2.2 [4].

See also the CAPTCHA project page [5].
- -------- REPORTED BY  
- ---------------------------------------------------------

mr.baileys [6]
- -------- FIXED BY  
- ------------------------------------------------------------

Stefaan Lippens [7] (soxofaan), the CAPTCHA module maintainer
- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/captcha
[3] http://drupal.org/node/802904
[4] http://drupal.org/node/802896
[5] http://drupal.org/project/captcha
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/41478

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-051
  * Project: Heartbeat (third-party module)
  * Version: 6.x
  * Date: 2010-May-19
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

The Heartbeat project contains a suite of modules to display user activity on
a website. These modules do not properly sanitize some of their output,
allowing certain users the ability to insert arbitrary HTML and script code.
Such a cross site scripting (XSS [1]) attack may lead to a malicious user
gaining full administrative access. Depending on how the modules are
configured, this vulnerability may extend to relatively unprivileged users,
such as those with the ability to post comments, user "shouts" or other
content.
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Heartbeat for Drupal 6.x versions prior to 6.x-4.9

Drupal core is not affected. If you do not use the contributed Heartbeat [2]
modules, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Install the latest version:
  * If you use the Heartbeat module for Drupal 6.x, update to Heartbeat
    6.x-4.9 [3].

See also the Heartbeat project page [4].
- -------- REPORTED BY  
- ---------------------------------------------------------

Some aspects of the vulnerability were reported by Sebastian Szałachowski,
and others were reported by Jochen Stals [5] (Stalski), the module
maintainer.
- -------- FIXED BY  
- ------------------------------------------------------------

Jochen Stals [6] (Stalski), the module maintainer, and David Rothstein [7] of
the Drupal Security Team
- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/heartbeat
[3] http://drupal.org/node/802508
[4] http://drupal.org/project/heartbeat
[5] http://drupal.org/user/322618
[6] http://drupal.org/user/322618
[7] http://drupal.org/user/124982

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-052
  * Projects: Multiple third party modules - Privatemsg, Weather Underground,
    Tellafriend, Menu Block Split, osCommerce, Download Count, Comment Page,
    False Account Detector, User Queue
  * Version: 5.x, 6.x
  * Date: 2010-05-19
  * Security risks: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple (Cross-site Request Forgery, Cross-site scripting,
    Email header injection, SQL Injection)

- -------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS  
- ----------------------------

Private Message [1] versions for the 5.x versions of Drupal
     The Privatemsg (also known as Private Message) module enables messages to
     be sent internally on a site. The module is vulnerable to cross-site
     request forgery [2] (CSRF) via its message delete form. This would allow
     a malicious user to trick an administrator into deleting arbitrary
     message content by directing them to the URL via a link, an image src
     attribute or similar, or to trick a user into deleting their own
     messages. *Solution:* Disable the module or upgrade to the latest 6.x
     versions of Drupal core and the Private Message module.
Weather Underground [3] 6.x-2.0
     The Weather Underground module retrieves and displays weather information
     from Weather Underground (http://www.wunderground.com). The block subject
     can be configured on the wunderground settings page but is not sanitized
     before display, allowing for a cross site scripting [4] (XSS) attack that
     may lead to a malicious user gaining full administrative access. This
     vulnerability is mitigated by the fact that an attacker must have the
     "access administration pages" permission which should generally only be
     granted to trusted roles. *Solution:* Disable the module. There is no
     safe version of the module to use.
Tellafriend [5] version 6.x-2.10 and 5.x-2.7
     The Tellafriend module enables site visitors to send e-mails about the
     site to their contacts via a form. The module is vulnerable to email
     header injection and could be exploited to send spam. *Solution:* Disable
     the module. There is no safe version of the module to use.
Menu Block Split [6] version 6.x-2.1 and 5.x-2.1
     The Menu Block Split module enables any menu block to be split into two
     different blocks: a first block with the first level menu entries only,
     and a second block with any second level and sub level menu entries. The
     block subject can be configured on the Menu Block Split settings page,
     but is not sanitized before display, allowing for a cross site scripting
     [7] (XSS) attack that may lead to a malicious user gaining full
     administrative access. *Solution:* Disable the module. There is no safe
     version of the module to use.
osCommerce [8] version 6.x-1.0
     The osCommerce module provides a front end to the osCommerce application.
     The module's 'Title for manufacturers block' configuration field is not
     sanitized before display, allowing for a cross site scripting [9] (XSS)
     attack that may lead to a malicious user gaining full administrative
     access. *Solution:* Disable the module. There is no safe version of the
     module to use.
download_count [10] version 6.x-1.3 and 5.x-1.0
     The download_count module increments a download counter each time an
     attached file is successfully downloaded. This module is vulnerable to
     cross site scripting [11] (XSS) attack that may lead to a malicious user
     gaining full administrative access. *Solution:* Disable the module. There
     is no safe version of the module to use.
Comment Page [12] version 6.x-1.1 and 5.x-1.1
     The Comment Page module displays each comment on its own page, with an
     optional thread review that links to other comments in a comment thread.
     The module does not properly sanitize some content before outputting it,
     exposing multiple cross site scripting [13] (XSS) vulnerabilities and
     allowing malicious users with the permission "post comments" to inject
     scripts. Additionally, Comment Page calls drupal_access_denied() without
     returning afterwards (so the rest of the callback still executes) and
     uses a non-existent permission ("admin comments") as the access argument
     to its administration page. *Solution:* Disable the module. There is no
     safe version of the module to use.
False Account Detector [14] versions for the 5.x and 6.x versions of Drupal
     The False Account Detector module helps administrators to find out which
     users have more than one account on a Drupal system and can block them
     from creating new accounts. The module does not properly sanitize
     received cookies, exposing multiple cross site scripting [15] (XSS) and
     SQL Injection vulnerabilities and allowing malicious authenticated users
     to block other user accounts. *Solution:* Disable the module. There is no
     safe version of the module to use.
User Queue [16] version 6.x-1.0
     The Userqueue module enables site builders to create a queue (or list) of
     users on a site. The module is vulnerable to a CSRF vulnerability which
     would allow a malicious user to trick a site builder into deleting a user
     from a queue. *Solution:* Disable the module. There is no safe version of
     the module to use.
Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.
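Three of the defects above (Tellafriend's email header injection, False
Account Detector's SQL injection via cookies, and Comment Page's misuse of
drupal_access_denied()) are shown side by side in the added Drupal 6 example
below. It is written for this bulletin and is not code from any of the listed
modules; the module name `example_fix`, its form fields, the cookie name and
the sample input values are assumptions.

```php
<?php
// Added example (not from any module in this bulletin): three defect classes
// from SA-CONTRIB-2010-052 in a hypothetical Drupal 6 module "example_fix".

/**
 * 1. Email header injection (Tellafriend pattern).
 * A CR or LF inside a header value ends that header and starts another, so a
 * "from" value of "a@example.com\r\nBcc: v1@example.net, v2@example.net"
 * turns the form into a spam relay.
 */
function example_fix_tellafriend_validate($form, &$form_state) {
  foreach (array('from', 'to') as $field) {
    $value = $form_state['values'][$field];
    // valid_email_address() anchors its pattern with "$", which in PCRE still
    // matches before a single trailing newline, so reject CR/LF explicitly.
    if (!valid_email_address($value) || preg_match('/[\r\n]/', $value)) {
      form_set_error($field, t('%field is not a valid e-mail address.', array('%field' => $field)));
    }
  }
}

function example_fix_tellafriend_submit($form, &$form_state) {
  $from = $form_state['values']['from'];
  $to = $form_state['values']['to'];
  // VULNERABLE: mail($to, 'Look at this site', $body, "From: $from\r\n");
  // FIXED: let drupal_mail() assemble the headers from validated values.
  drupal_mail('example_fix', 'tellafriend', $to, language_default(), array(), $from);
}

/**
 * Implementation of hook_mail(): subject and body are fixed text, so the
 * sender controls nothing beyond the two validated addresses.
 */
function example_fix_mail($key, &$message, $params) {
  if ($key == 'tellafriend') {
    $message['subject'] = t('A friend thinks you would like this site');
    $message['body'][] = url('<front>', array('absolute' => TRUE));
  }
}

/**
 * 2. SQL injection and XSS from a cookie (False Account Detector pattern).
 * A cookie is attacker-controlled input like any request parameter.
 */
function example_fix_previous_account() {
  if (empty($_COOKIE['example_fix_prev'])) {
    return NULL;
  }
  $prev = $_COOKIE['example_fix_prev'];  // e.g. "1 OR 1=1" or "<script>alert(1)</script>"

  // VULNERABLE: concatenated SQL and unescaped output.
  // $account = db_fetch_object(db_query("SELECT uid, name FROM {users} WHERE uid = $prev"));
  // drupal_set_message('Previous account: ' . $account->name);

  // FIXED: the %d placeholder casts the value to an integer, and the @name
  // placeholder in t() runs check_plain() on the output.
  $account = db_fetch_object(db_query("SELECT uid, name FROM {users} WHERE uid = %d", $prev));
  if ($account) {
    drupal_set_message(t('Previous account: @name', array('@name' => $account->name)));
  }
  return $account;
}

/**
 * 3. drupal_access_denied() does not stop execution (Comment Page pattern).
 * It sets the 403 status and prints the access denied page, then returns;
 * anything after the call still runs unless the callback itself returns.
 * The better fix is to name a declared permission in the menu item's
 * 'access arguments' so the callback is never reached.
 */
function example_fix_admin_page() {
  // Core declares "administer comments"; "admin comments" is not a declared
  // permission and cannot be granted through the permissions page.
  if (!user_access('administer comments')) {
    drupal_access_denied();
    return;  // VULNERABLE without this line: the privileged work below still runs.
  }
  $count = db_result(db_query("SELECT COUNT(*) FROM {comments} WHERE status = %d", COMMENT_NOT_PUBLISHED));
  return t('@count unpublished comments awaiting review.', array('@count' => $count));
}
```

The common thread is that form values, cookies and settings are all untrusted
input until they have been validated for the sink they reach: a mail header,
a SQL statement or an HTML page each needs its own encoding.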
- -------- ONGOING MAINTENANCE OF THESE MODULES  
- --------------------------------

If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [17].
- -------- REPORTED BY  
- ---------------------------------------------------------

  * Peter Wolanin [18] of the Drupal Security Team
  * John Morahan [19] of the Drupal Security Team
  * Dylan Tack [20] of the Drupal Security Team
  * Kieran Lal [21] of the Drupal Security Team
  * Ivo Van Geertruyen [22] of the Drupal Security Team
  * Martin Barbella [23]
  * Brandon Bergren [24]
  * George Gongadze [25]
- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal [26] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.

[1] http://drupal.org/project/privatemsg
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/project/wunderground
[4] http://en.wikipedia.org/wiki/Cross-site_scripting
[5] http://drupal.org/project/tellafriend
[6] http://drupal.org/project/menu_block_split
[7] http://en.wikipedia.org/wiki/Cross-site_scripting
[8] http://drupal.org/project/oscommerce
[9] http://en.wikipedia.org/wiki/Cross-site_scripting
[10] http://drupal.org/project/download_count
[11] http://en.wikipedia.org/wiki/Cross-site_scripting
[12] http://drupal.org/project/comment_page
[13] http://en.wikipedia.org/wiki/Cross-site_scripting
[14] http://drupal.org/project/false_account
[15] http://en.wikipedia.org/wiki/Cross-site_scripting
[16] http://drupal.org/project/userqueue
[17] http://drupal.org/node/251466
[18] http://drupal.org/user/49851
[19] http://drupal.org/user/58170
[20] http://drupal.org/user/96647
[21] http://drupal.org/user/18703
[22] http://drupal.org/user/383424
[23] http://drupal.org/user/633600
[24] http://drupal.org/user/53081
[25] http://drupal.org/user/322910
[26] http://drupal.org/security-team

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-053
  * Project: External Link Page (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-March-19
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

The External Link Page module provides a content filter that redirects
external links to a customizable page. This page informs the user that they
are about to leave the site and then redirects them. The module does not
sanitise data input on its administration page before displaying it on
redirect pages, allowing for a cross site scripting [1] (XSS) attack that may
lead to a malicious user gaining full administrative access.

- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * External Link Page prior to 5.x-1.0
  * External Link Page prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed External Link
Page module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Install the latest version:
  * If you use External Link Page for Drupal 5.x upgrade to External Link Page
    5.x-1.0 [2]
  * If you use External Link Page for Drupal 6.x upgrade to External Link Page
    6.x-1.2 [3]

- -------- REPORTED BY  
- ---------------------------------------------------------

  * zzolo [4], the module maintainer

- -------- FIXED BY  
- ------------------------------------------------------------

  * zzolo [5], the module maintainer

- -------- CONTACT  
- -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/xxxx
[3] http://drupal.org/node/xxxx
[4] http://drupal.org/user/147331
[5] http://drupal.org/user/147331

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-054
  * Project: Storm (third-party module)
  * Version: 6.x
  * Date: 2010-May-19
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting (XSS)

- -------- DESCRIPTION  
- ---------------------------------------------------------

The Storm project provides a group of modules for project management and
billing. These modules display data entered by users without sanitising it,
allowing for a cross site scripting [1] (XSS) attack that may lead to a
malicious user gaining full administrative access.

- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Storm project for Drupal 5.x (all versions). This branch is unsupported
    and has not been fixed. It is recommended not to use Storm for Drupal 5.x.
  * Storm project for Drupal 6.x versions prior to 6.x-1.33

Drupal core is not affected. If you do not use the contributed Storm module,
there is nothing you need to do.

- -------- SOLUTION  
- ------------------------------------------------------------

  * If you use the Storm module for Drupal 5.x, uninstall this module
  * If you use the Storm module for Drupal 6.x, upgrade to Storm 6.x-1.33 [2]

- -------- REPORTED BY  
- ---------------------------------------------------------

Disclosed outside the Drupal Security Team process. [3]
- -------- FIXED BY  
- ------------------------------------------------------------

  * juliangb [4], the module maintainer

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal [5] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://ftp.drupal.org/files/projects/storm-6.x-1.33.tar.gz
[3] http://drupal.org/security-team#report-issue
[4] http://drupal.org/user/719472
[5] http://drupal.org/security-team

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-055
  * Project: Simplenews (third-party module)
  * Version: 6.x
  * Date: 2010-May-19
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

- -------- DESCRIPTION  
- ---------------------------------------------------------

Simplenews publishes and sends email newsletters to lists of subscribers,
with both anonymous and authenticated users being able to opt in to mailing
lists. The user subscription form does not use the correct access permission,
so any user with the permission 'subscribe to newsletters' is able to edit
other users' subscriptions.
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Simplenews module for Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Simplenews [1]
module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Install the latest version:
  * If you use the Simplenews module for Drupal 6.x upgrade to Simplenews
    6.x-1.2 [2]

- -------- REPORTED BY  
- ---------------------------------------------------------

  * rpk [3]
  * Opengl [4]
  * Miro Dietiker [5]

- -------- FIXED BY  
- ------------------------------------------------------------

  * Erik Stielstra [6], module maintainer
  * Miro Dietiker [7]

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal [8] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/project/simplenews
[2] http://drupal.org/node/803254
[3] http://drupal.org/user/254717
[4] http://drupal.org/user/474706
[5] http://drupal.org/user/227761
[6] http://drupal.org/user/73854
[7] http://drupal.org/user/227761
[8] http://drupal.org/security-team

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-056
  * Project: User Queue (third-party module)
  * Versions: 6.x
  * Date: 2010-May-19
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site Request Forgery

- -------- DESCRIPTION  
- ---------------------------------------------------------

The User Queue module allows you to create multiple queues, add users to
them, and order the users within the queue. The module is vulnerable to
cross-site request forgeries (CSRF [1]) via the URL used to delete users from
the queue. A user with "administer user queues" permission could be
manipulated into requesting this URL and removing any user from the queue.
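The CSRF described above, and the Privatemsg message-delete case in
DRUPAL-SA-CONTRIB-2010-052, both come from performing a state change in
response to a plain GET request. The Drupal 6 module fragment below is an
added example written for this bulletin, not code from User Queue or
Privatemsg; the module name `example_queue`, its paths, its table
`{example_queue_users}` and the permission name are assumptions. It shows the
unsafe delete callback, then two safe forms: a confirm_form() (POST with
Drupal's per-session form token) and a one-click link bound to a
drupal_get_token() value.

```php
<?php
// Added example (not from User Queue or Privatemsg): CSRF on a delete URL in
// a hypothetical Drupal 6 module "example_queue".

/**
 * Implementation of hook_menu().
 */
function example_queue_menu() {
  $items = array();

  // VULNERABLE: a plain GET request performs the deletion. A page containing
  //   <img src="http://site.example/example-queue-bad/7/remove/42">
  // makes the browser of any visiting administrator send that request with
  // the administrator's session cookie attached.
  $items['example-queue-bad/%/remove/%'] = array(
    'page callback' => 'example_queue_remove_bad',
    'page arguments' => array(1, 3),
    'access arguments' => array('administer user queues'),
    'type' => MENU_CALLBACK,
  );

  // FIXED (a): a confirmation form. confirm_form() only acts on a POST that
  // carries the per-session form token Drupal adds to every form.
  $items['example-queue/%/remove/%'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_queue_remove_confirm', 1, 3),
    'access arguments' => array('administer user queues'),
    'type' => MENU_CALLBACK,
  );

  // FIXED (b): a one-click link whose URL carries a token bound to the path
  // and to the current session.
  $items['example-queue/%/remove-now/%'] = array(
    'page callback' => 'example_queue_remove_now',
    'page arguments' => array(1, 3),
    'access arguments' => array('administer user queues'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_queue_remove($qid, $uid) {
  db_query("DELETE FROM {example_queue_users} WHERE qid = %d AND uid = %d", $qid, $uid);
}

function example_queue_remove_bad($qid, $uid) {
  example_queue_remove($qid, $uid);
  drupal_goto('example-queue/' . $qid);
}

function example_queue_remove_confirm(&$form_state, $qid, $uid) {
  $form['qid'] = array('#type' => 'value', '#value' => $qid);
  $form['uid'] = array('#type' => 'value', '#value' => $uid);
  return confirm_form($form,
    t('Remove user %uid from queue %qid?', array('%uid' => $uid, '%qid' => $qid)),
    'example-queue/' . $qid,
    t('This action cannot be undone.'),
    t('Remove'), t('Cancel'));
}

function example_queue_remove_confirm_submit($form, &$form_state) {
  example_queue_remove($form_state['values']['qid'], $form_state['values']['uid']);
  $form_state['redirect'] = 'example-queue/' . $form_state['values']['qid'];
}

/**
 * Build the one-click link. drupal_get_token() hashes the path together with
 * the session ID and the site's private key, so a URL copied into a page
 * viewed by a different user does not validate for that user's session.
 */
function example_queue_remove_link($qid, $uid) {
  $path = 'example-queue/' . $qid . '/remove-now/' . $uid;
  return l(t('Remove'), $path, array('query' => 'token=' . drupal_get_token($path)));
}

function example_queue_remove_now($qid, $uid) {
  $path = 'example-queue/' . $qid . '/remove-now/' . $uid;
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    drupal_access_denied();
    return;
  }
  example_queue_remove($qid, $uid);
  drupal_goto('example-queue/' . $qid);
}
```

The "administer user queues" permission does not help here: CSRF rides on the
victim's own session, so the access check passes and only a secret the
attacker cannot obtain (the form token or the URL token) distinguishes a
deliberate request from a forged one.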

- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * User Queue module for Drupal 6.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed User Queue
module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Install the latest version.

  * If you use the User Queue module for Drupal 6.x upgrade to User Queue
    6.x-1.1 [2]

See also the User Queue project page [3].
- -------- REPORTED BY  
- ---------------------------------------------------------

  * George Gongadze [4]

- -------- FIXED BY  
- ------------------------------------------------------------

  * Matt Johnson [5], the module maintainer

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [6].

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/803842
[3] http://drupal.org/project/userqueue
[4] http://drupal.org/user/322910
[5] http://drupal.org/user/169600
[6] http://drupal.org/contact

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFL+zZ3/iFOrG6YcBERAmXMAJsHrGLWnO7ixazh57vl4jK2yc3uHACfcaTD
UgKdBzkXRzAChXJOLjiiwAI=
=K5yf
-----END PGP SIGNATURE-----