-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2008.0104 -- [Win][UNIX/Linux]
     Drupal Project issue tracking component multiple vulnerabilities
                              31 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Drupal Project Issue Tracking module
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
                      Create Arbitrary Files
                      Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Original Bulletin:    http://drupal.org/node/216062
                      http://drupal.org/node/216063

Comment: Please note that this bulletin contains two (2) Drupal advisories.
         The advisory numbers are SA-2008-012 and SA-2008-013.

- --------------------------BEGIN INCLUDED TEXT--------------------


- ------------SA-2008-012 - PROJECT ISSUE TRACKING - XSS VULNERABILITY IN COMMENT SUMMARY TABLES------------

  * Advisory ID: DRUPAL-SA-2008-012

  * Project: Project issue tracking (third-party module)

  * Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x

  * Date: 2007-January-30

  * Security risk: Moderately critical

  * Exploitable from: Remote

  * Vulnerability: Cross-site scripting (XSS)

- ------------DESCRIPTION------------

The Project issue tracking [ http://drupal.org/project/project_issue ] module
provides a summary table to show changes in issue states between comments. 
Users who have certain editing rights may be able to inject arbitrary code on
pages containing these tables.

Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS).

- ------------VERSIONS AFFECTED------------

Project issue tracking (project_issue) versions:

  * 5.x-2.x-dev from before 2008-01-30

  * 5.x-1.2 and earlier

  * 4.7.x-2.6 and earlier

  * 4.7.x-1.6 and earlier

Drupal core is not affected. If you do not use the contributed Project issue
tracking module, there is nothing you need to do. 

- ------------SOLUTION------------

Install the latest version:

  * Project issue tracking 5.x-2.0 [ http://drupal.org/node/216121 ]

  * Project issue tracking 5.x-1.3 [ http://drupal.org/node/216120 ]

  * Project issue tracking 4.7.x-2.7 [ http://drupal.org/node/216119 ]

  * Project issue tracking 4.7.x-1.7 [ http://drupal.org/node/216118 ]

As a temporary workaround, sites can disable the 'maintain projects' and
'administer projects' permissions for all users.

See also the Project issue tracking project page [
http://drupal.org/project/project_issue ]. 

- ------------REPORTED BY------------

Chad Phillips [ http://drupal.org/user/22079 ] of the Drupal Security Team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].



- -- 


- ------------SA-2008-013 - PROJECT ISSUE TRACKING - ARBITRARY FILE UPLOAD------------

  * Advisory ID: DRUPAL-SA-2008-013

  * Project: Project issue tracking (third-party module)

  * Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x

  * Date: 2007-January-30

  * Security risk: Highly critical

  * Exploitable from: Remote

  * Vulnerability: Arbitrary file upload

- ------------DESCRIPTION------------

The Project issue tracking module has a vulnerability where new issues are not
properly validated.  If the core Upload module is enabled on issue nodes (the
recommended configuration for the 5.x-2.* series), this vulnerability can be
used to attach malicious files to new issues, regardless of the allowed list of
file extensions.  Using these files an attacker can always perform cross site
scripting attacks, and depending on the server configuration, they might be able
to execute arbitrary code.

Furthermore, the Project issue tracking module (in all versions prior to
5.x-2.0) provides its own file upload mechanism and list of allowed file
extensions.  This list includes HTML by default. Such files can be used to
execute arbitrary script code in the context of the affected site when a user
views the file.

Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Xss ] (XSS).

- ------------IMPORTANT NOTE: CONFIGURATION CHANGE NEEDED------------

Installing the new version will not remove the .html extension from an already
configured Project issue tracking module. Visit Administer » Project
administration » Project issue settings (admin/project/project-issue-settings)
on Drupal 5.x, or administer » settings » project_issue
(admin/settings/project_issue) on Drupal 4.7.x, to remove html from the allowed
extensions list.

The steps above will stop malicious files from being uploaded, but will do
nothing to protect your site against files that have already been uploaded. Make
sure to carefully inspect the file system path and check for files with
extensions that should be forbidden. We recommend you remove any HTML file you
did not upload yourself. If you need to review files individually, look for
script tags, CSS includes, JavaScript includes, and onerror="" attributes.
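The two defensive steps described above (enforcing an allowed-extension list that no longer contains html, and auditing the file system path for files that should never have been accepted) can be scripted. The following is an added example written for this bulletin, not code from the Drupal project or the Project issue tracking module. It assumes a constructed allowlist and builds its own small sample upload directory in a temporary folder; the indicator patterns follow the advisory's list (script tags, CSS includes, JavaScript includes, onerror attributes) and are heuristics, not a complete HTML parser.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed allowlist: what a site's allowed-extensions setting might hold once
# "html" has been removed as the advisory instructs. This is an assumption for the
# example, not the module's default list.
ALLOWED_EXTENSIONS = {"txt", "patch", "diff", "png", "jpg", "gif"}

# Constructs the advisory says to look for when reviewing HTML files by hand.
SUSPICIOUS_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "css include": re.compile(
        r"<\s*link\b[^>]*rel\s*=\s*[\"']?stylesheet|<\s*style\b|@import\b",
        re.IGNORECASE),
    "javascript include": re.compile(r"<\s*script\b[^>]*\bsrc\s*=", re.IGNORECASE),
    "onerror attribute": re.compile(r"\bonerror\s*=", re.IGNORECASE),
}


def extension_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """Return True only if the file's final extension is on the allowlist.

    The comparison is case-insensitive so that 'page.HTML' is treated like
    'page.html', and a name without any extension is rejected outright.
    """
    name = os.path.basename(filename)
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in allowed


def scan_upload_dir(root, allowed=ALLOWED_EXTENSIONS):
    """Walk the file system path and report every file whose extension is not allowed.

    For HTML files the report also lists which suspicious constructs were found,
    so an administrator can prioritise what to remove first.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if extension_allowed(path.name, allowed):
            continue
        ext = path.suffix.lower().lstrip(".")
        indicators = []
        if ext in ("html", "htm"):
            text = path.read_text(encoding="utf-8", errors="replace")
            indicators = [name for name, rx in SUSPICIOUS_PATTERNS.items()
                          if rx.search(text)]
        findings.append({"path": str(path.relative_to(root)),
                         "ext": ext, "indicators": indicators})
    return findings


def build_sample_tree():
    """Create a constructed sample upload directory (not real site data)."""
    root = Path(tempfile.mkdtemp(prefix="project_issue_audit_"))
    (root / "fix-typo.patch").write_text("--- a\n+++ b\n")
    (root / "screenshot.png").write_bytes(b"\x89PNG\r\n")
    # An HTML attachment carrying the constructs the advisory warns about.
    (root / "notes.html").write_text(
        '<html><body><img src="x" onerror="x()">'
        '<script src="//example.invalid/x.js"></script></body></html>')
    # Upper-case extension: still forbidden, but carries nothing active.
    (root / "readme.HTM").write_text("<p>plain text, nothing active</p>")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_upload_dir(sample_root):
        flags = ", ".join(finding["indicators"]) or "no indicators"
        print(f"{finding['path']}: forbidden extension .{finding['ext']} ({flags})")
```

Run against a real installation by calling scan_upload_dir() with the site's file system path instead of the sample tree; every reported file is one the allowlist would reject today, and the indicator list separates HTML that merely exists from HTML that would run script in a visitor's browser.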

- ------------VERSIONS AFFECTED------------

Project issue tracking (project_issue) versions:

  * 5.x-2.x-dev from before 2008-01-30

  * 5.x-1.2 and earlier

  * 4.7.x-2.6 and earlier

  * 4.7.x-1.6 and earlier

Drupal core is not affected. If you do not use the contributed Project issue
tracking module, there is nothing you need to do. 

- ------------SOLUTION------------

Install the latest version:

  * Project issue tracking 5.x-2.0 [ http://drupal.org/node/216121 ]

  * Project issue tracking 5.x-1.3 [ http://drupal.org/node/216120 ]

  * Project issue tracking 4.7.x-2.7 [ http://drupal.org/node/216119 ]

  * Project issue tracking 4.7.x-1.7 [ http://drupal.org/node/216118 ]

See also the Project issue tracking project page [
http://drupal.org/project/project_issue ]. 

- ------------REPORTED BY------------

Derek Wright [ http://drupal.org/user/46549 ] of the Drupal Security Team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].



- -- 


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR6FRpih9+71yA2DNAQJnowQAkCibqhhZx6mcI7ZpwQ7HlCwkVuDA+291
7DiL3EH0kV6/edqQ2YbFs6Q0ZiuoTk/0FNNMOZZXHT8kNeNjVqx2QCHPRjwUjkkA
6mWc9+DMgpABG6VbDmur0PvB84zYGE5L23+HsQIWT2zgCzLSYHRYx4WaMWWDhhva
u76G7aGZw3Y=
=mqpl
-----END PGP SIGNATURE-----