Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0340 -- [Win][UNIX/Linux] Flickr and Ubercart (Drupal third-party module) Cross site scripting vulnerabilities 16 April 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Flickr Ubercart Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact: Cross-site Scripting Access: Remote/Unauthenticated CVE Names: CVE-2008-1792 Original Bulletin: http://drupal.org/node/241939 http://drupal.org/node/241944 Comment: The bulletin contains two (2) Drupal third-party module advisories. Revision History: April 16 2008: Added CVE reference April 3 2008: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------SA-2008-022 - FLICKR - CROSS SITE SCRIPTING------------ * Advisory ID: DRUPAL-SA-2008-022 * Project: Flickr (third-party module) * Version: 5.x, 6.x * Date: 2008-April-02 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross site scripting - ------------DESCRIPTION------------ The Flickr module allows one to access photos on one's site via the Flickr API. The module provides a filter for inserting photos and photosets and blocks for a user's recent photos and photosets. Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages. - ------------VERSIONS AFFECTED------------ * Flickr for Drupal 5.x prior to 5.x-1.3 * Flickr for Drupal 6.x prior to 6.x-1.0-alpha Drupal core is not affected. If you do not use the contributed Flickr module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version: * If you use Drupal 5.x install Flickr 5.x-1.3 [ http://drupal.org/node/241943 ]. * If you use Drupal 6.x install Flickr 6.x-1.0-alpha1. [ http://drupal.org/node/241941 ] See also the Flickr project page [ http://drupal.org/project/flickr ]. - ------------REPORTED BY------------ Kees Cook [ https://wiki.ubuntu.com/KeesCook ] reported this issue. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. - ------------SA-2008-023 - UBERCART - CROSS SITE SCRIPTING------------ * Advisory ID: DRUPAL-SA-2008-023 * Project: Ubercart (third-party module) * Version: 5.x * Date: 2008-April-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross site scripting - ------------DESCRIPTION------------ During checkout in Ubercart enabled stores, customers have text fields in which to enter their address and order information. Some stores will have modules enabled that restrict what sort of values are accepted in these fields, but this is not the case for everyone. This provides an opportunity for a malicious user to perform a cross site scripting attack when the orders are displayed on administrative pages (particularly the order view page). All users are encouraged to update to the latest version. Be sure to verify the compatibility of your contrib modules as you perform the update. (Recent beta users should not run into any compatibility issues.) - ------------VERSIONS AFFECTED------------ * Ubercart for Drupal 5.x prior to 5.x-1.0-rc1 Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version: * Ubercart 5.x-1.0-rc1 [ http://drupal.org/node/241016 ]. See also the Ubercart project page [ http://drupal.org/project/ubercart ]. - ------------REPORTED BY------------ chadcrew [ http://www.ubercart.org/user/1002 ] reported the issue via private message at Ubercart.org, and the Ubercart team was able to adjust the code in various modules in the project accordingly. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSAWbbih9+71yA2DNAQLQxQP+Lo5Sku4SfpD3aaUlWCXCmrGE5ldondm3 xVYQNsKvWuWUNslO4YyoAtOnsW/okz+7siFOceejH3xbbuEri3rIaWZgw1IGHwgX yjht3GgN6udPIw42LBjdCPy7DLy5VyvnQ0fJM60CD0JFx22ePEnm0jWkNs1nbthR wtAcNzuuN7w= =UAlQ -----END PGP SIGNATURE-----