===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0104
        [Win][UNIX/Linux] Drupal Project issue tracking component
                          multiple vulnerabilities
                              31 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal Project Issue Tracking module
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact:            Cross-site Scripting
                   Create Arbitrary Files
                   Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated

Original Bulletin:
  http://drupal.org/node/216062
  http://drupal.org/node/216063

Comment: Please note that this advisory contains two (2) Drupal advisories.
         The advisory numbers are SA-2008-012 and SA-2008-013.

--------------------------BEGIN INCLUDED TEXT--------------------

------------SA-2008-012 - PROJECT ISSUE TRACKING - XSS VULNERABILITY IN COMMENT SUMMARY TABLES------------

  * Advisory ID: DRUPAL-SA-2008-012
  * Project: Project issue tracking (third-party module)
  * Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
  * Date: 2007-January-30
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site scripting (XSS)

------------DESCRIPTION------------

The Project issue tracking [ http://drupal.org/project/project_issue ] module
provides a summary table to show changes in issue states between comments.
Users who have certain editing rights may be able to inject arbitrary code on
pages containing these tables.

Wikipedia has more information about cross site scripting
[ http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS).

------------VERSIONS AFFECTED------------

Project issue tracking (project_issue) versions:

  * 5.x-2.x-dev from before 2008-01-30
  * 5.x-1.2 and earlier
  * 4.7.x-2.6 and earlier
  * 4.7.x-1.6 and earlier

Drupal core is not affected.
If you do not use the contributed Project issue tracking module, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version:

  * Project issue tracking 5.x-2.0 [ http://drupal.org/node/216121 ]
  * Project issue tracking 5.x-1.3 [ http://drupal.org/node/216120 ]
  * Project issue tracking 4.7.x-2.7 [ http://drupal.org/node/216119 ]
  * Project issue tracking 4.7.x-1.7 [ http://drupal.org/node/216118 ]

As a temporary workaround, sites can disable the 'maintain projects' and
'administer projects' permissions for all users.

See also the Project issue tracking project page
[ http://drupal.org/project/project_issue ].

------------REPORTED BY------------

Chad Phillips [ http://drupal.org/user/22079 ] of the Drupal Security Team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

--

------------SA-2008-013 - PROJECT ISSUE TRACKING - ARBITRARY FILE UPLOAD------------

  * Advisory ID: DRUPAL-SA-2008-013
  * Project: Project issue tracking (third-party module)
  * Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
  * Date: 2007-January-30
  * Security risk: Highly critical
  * Exploitable from: Remote
  * Vulnerability: Arbitrary file upload

------------DESCRIPTION------------

The Project issue tracking module has a vulnerability where new issues are not
properly validated. If the core Upload module is enabled on issue nodes (the
recommended configuration for the 5.x-2.* series), this vulnerability can be
used to attach malicious files to new issues, regardless of the allowed list
of file extensions. Using these files an attacker can always perform cross
site scripting attacks, and depending on the server configuration, they might
be able to execute arbitrary code.

Furthermore, the Project issue tracking module (in all versions prior to
5.x-2.0) provides its own file upload mechanism and list of allowed file
extensions.
This list includes HTML by default. Such files can be used to execute
arbitrary script code in the context of the affected site when a user views
the file.

Wikipedia has more information about cross site scripting
[ http://en.wikipedia.org/wiki/Xss ] (XSS).

------------IMPORTANT NOTE: CONFIGURATION CHANGE NEEDED------------

Installing the new version will not remove the .html extensions from an
already configured Project issue tracking module. Visit Administer » Project
administration » Project issue settings (admin/project/project-issue-settings)
on Drupal 5.x or administer » settings » project_issue
(admin/settings/project_issue) on Drupal 4.7.x to remove html from the allowed
extensions lists.

The steps above will stop malicious files from being uploaded, but will do
nothing to protect your site against files that have already been uploaded.
Make sure to carefully inspect the file system path and check for files with
extensions that should be forbidden. We recommend you remove any HTML file you
did not upload yourself. You should look for script tags, CSS includes,
JavaScript includes, and onerror="" attributes if you need to review files
individually.

------------VERSIONS AFFECTED------------

Project issue tracking (project_issue) versions:

  * 5.x-2.x-dev from before 2008-01-30
  * 5.x-1.2 and earlier
  * 4.7.x-2.6 and earlier
  * 4.7.x-1.6 and earlier

Drupal core is not affected.

If you do not use the contributed Project issue tracking module, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version:

  * Project issue tracking 5.x-2.0 [ http://drupal.org/node/216121 ]
  * Project issue tracking 5.x-1.3 [ http://drupal.org/node/216120 ]
  * Project issue tracking 4.7.x-2.7 [ http://drupal.org/node/216119 ]
  * Project issue tracking 4.7.x-1.7 [ http://drupal.org/node/216118 ]

See also the Project issue tracking project page
[ http://drupal.org/project/project_issue ].
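An added example, not part of the Drupal advisory or the project_issue module, of how a site administrator could automate the clean-up check described in the note above: walk the files directory, flag any attachment whose extension is outside the configured allow-list, and flag files whose content carries the script tags, CSS or JavaScript includes, or onerror attributes the advisory tells you to look for. The allow-list and the sample attachments are constructed for the demo.

```python
import os
import re
import tempfile

# Allow-list after removing "html" (constructed; not the module's default list).
ALLOWED_EXTENSIONS = {"txt", "patch", "diff", "png", "gif", "jpg"}

# The markers the advisory says to look for when reviewing files by hand.
SUSPICIOUS_MARKERS = {
    "script tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript include": re.compile(r"<\s*script[^>]*\bsrc\s*=", re.IGNORECASE),
    "css include": re.compile(r"<\s*link[^>]*stylesheet|@import\b", re.IGNORECASE),
    "onerror attribute": re.compile(r"\bonerror\s*=", re.IGNORECASE),
}

def scan_files_dir(files_dir, allowed=ALLOWED_EXTENSIONS):
    """Return {relative_path: [reasons]} for every file that needs review."""
    findings = {}
    for root, _dirs, names in os.walk(files_dir):
        for name in names:
            path = os.path.join(root, name)
            reasons = []
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in allowed:
                reasons.append("extension '%s' not in allow-list" % ext)
            # Content check: HTML may hide behind an allowed name, so do not trust the extension alone.
            with open(path, "rb") as fh:
                head = fh.read(65536).decode("utf-8", "replace")
            for label, pattern in SUSPICIOUS_MARKERS.items():
                if pattern.search(head):
                    reasons.append(label)
            if reasons:
                findings[os.path.relpath(path, files_dir)] = reasons
    return findings

def demo():
    """Build a constructed files directory with four sample attachments and scan it."""
    d = tempfile.mkdtemp()
    samples = {  # constructed sample attachments, not real uploads
        "issues/fix.patch": b"--- a/x.php\n+++ b/x.php\n",
        "issues/notes.txt": b"plain text, nothing to see\n",
        "issues/report.html": b'<html><img src=x onerror="alert(1)"></html>\n',
        "issues/logo.png": b'<script src="//evil.example/x.js"></script>\n',
    }
    for rel, body in samples.items():
        full = os.path.join(d, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return scan_files_dir(d)
```

Run `demo()` to see the two flagged files; point `scan_files_dir()` at a real Drupal files directory with your own allow-list to review a live site.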
------------REPORTED BY------------

Derek Wright [ http://drupal.org/user/46549 ] of the Drupal Security Team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

--

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================