Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0417 -- [Win][UNIX/Linux] Multiple Vulnerabilities in Drupal third party modules 30 April 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Ubercart for Drupal 5.x Internationalization for Drupal 5.x and 6.x Localizer for Drupal 5.x E-Publish for Drupal 5.x and 6.x Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact: Cross-site Request Forgery Cross-site Scripting Access: Remote/Unauthenticated CVE Names: CVE-2008-1916 CVE-2008-1976 CVE-2008-1977 CVE-2008-1978 CVE-2008-1980 CVE-2008-1981 Original Bulletin: http://drupal.org/project/ubercart http://drupal.org/project/i18n http://drupal.org/project/localizer Comment: This advisory contains 3 (three) Drupal advisories Revision History: April 30 2008: Added CVEs April 24 2008: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------SA-2008-027 - UBERCART - CROSS SITE SCRIPTING------------ * Advisory ID: DRUPAL-SA-2008-027 * Project: Ubercart (third-party module) * Version: 5.x * Date: 2008-April-23 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross site scripting - ------------DESCRIPTION------------ When certain product features were being edited, node titles were being printed to the screen as entered by the user. If a store owner had granted product creation rights to a non-secure user, this would provide an opportunity for a malicious user to perform a cross site scripting [ http://en.wikipedia.org/wiki/Xss ] attack when another administrator views the edit page. All users are encouraged to update to the latest version. Be sure to verify the compatibility of your contrib modules as you perform the update. (Current release candidate and recent beta users should not run into any compatibility issues.) - ------------VERSIONS AFFECTED------------ * Ubercart for Drupal 5.x prior to 5.x-1.0-rc3 Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version: * Ubercart 5.x-1.0-rc4 [ http://drupal.org/node/250386 ]. See also the Ubercart project page [ http://drupal.org/project/ubercart ]. - ------------REPORTED BY------------ The security team passed the information on to the Ubercart team via private e-mail, and the potential vulnerabilities were addressed immediately. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. - ------------SA-2008-028 - INTERNATIONALIZATION AND LOCALIZER - CROSS SITE SCRIPTING------------ * Advisory ID: DRUPAL-SA-2008-028 * Project: Internationalization and Localizer (third-party modules) * Versions: 5.x and 6.x * Date: 2008-April-23 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross site scripting - ------------DESCRIPTION------------ The Internationalization (i18n) and Localizer modules add multi-lingual capabilities to Drupal sites. They provide control over a site's user interface language, the ability to enter and control content in multiple languages, and can detect the browser language. Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages. Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS). This also fixes a minor Cross Site Request Forgery (CSRF) [ http://en.wikipedia.org/wiki/CSRF ] in the Internationalization module. The translation module handles content translations and creates translation sets of various nodes which are translations from one another. A CSRF attack may result in a node translation becoming unrelated from its corresponding translation set. - ------------VERSIONS AFFECTED------------ * Internationalization (i18n) for Drupal 5.x before Internationalization 5.x-2.3 and 5.x-1.1 * Internationalization (i18n) for Drupal 6.x before Internationalization 6.x-1.0-beta1 * Localizer for Drupal 5.x before Localizer 5.x-3.4, 5.x-2.1 and 5.x-1.11 Drupal core is not affected. If you do not use the contributed modules Internationalization or Localizer, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version: * If you currently use Internationalization 5.x-2.x upgrade to Internationalization 5.x-2.3 [ http://drupal.org/node/250370 ] * If you currently use Internationalization 5.x-1.x upgrade to Internationalization 5.x-1.1 [ http://drupal.org/node/250371 ] * If you currently use Internationalization 6.x-1.x upgrade to Internationalization 6.x-1.0-beta1 [ http://drupal.org/node/250367 ] * If you currently use Localizer 5.x-3.x upgrade to Localizer 5.x-3.4 [ http://drupal.org/node/250379 ] * If you currently use Localizer 5.x-2.x upgrade to Localizer 5.x-2.1 [ http://drupal.org/node/250378 ] * If you currently use Localizer 5.x-1.x upgrade to Localizer 5.x-1.11 [ http://drupal.org/node/250377 ] See also the Internationalization project page [ http://drupal.org/project/i18n ] and the Localizer project page [ http://drupal.org/project/localizer ]. - ------------REPORTED BY------------ Stéphane Corlosquet (scor [ http://drupal.org/user/52142 ]) of the Drupal security team. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. - ------------SA-2008-029 - E-PUBLISH - CROSS SITE SCRIPTING AND CROSS SITE REQUEST FORGERIES------------ * Advisory ID: DRUPAL-SA-2008-029 * Project: E-Publish (third-party module) * Versions: 5.x and 6.x * Date: 2008-April-23 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross site scripting and Cross site request forgeries - ------------DESCRIPTION------------ The contributed module E-Publish helps organize a group of nodes into a publication, such as a newspaper, magazine or newsletter. The Drupal Forms API protects against Cross Site Request Forgeries (CSRF) [ http://en.wikipedia.org/wiki/CSRF ], where a malicious site can cause a user to unintentionally take actions on another site where they are authenticated. Several forms do not follow the standard Forms API submission model and are therefore not protected against this type of attack. A CSRF attack may result in a topic, section, edition, volume or publication being deleted. This was fixed in E-Publish 5.x-1.0. Moreover, several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages (Cross Site Scripting [ http://en.wikipedia.org/wiki/Xss ]). This may lead to administrator access. - ------------VERSIONS AFFECTED------------ * E-Publish for Drupal 5.x before E-Publish 5.x-1.1 * E-Publish for Drupal 6.x before E-Publish 6.x-1.0-beta1 Drupal core is not affected. If you do not use the contributed E-Publish module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version: * If you currently use E-Publish 5.x-1.0 upgrade to E-Publish 5.x-1.1 [ http://drupal.org/node/250414 ] * If you currently use E-Publish 6.x-1.x-dev upgrade to E-Publish 6.x-1.0-beta1 [ http://drupal.org/node/250415 ] See also the E-Publish project page [ http://drupal.org/project/epublish ]. - ------------REPORTED BY------------ Stéphane Corlosquet (scor [ http://drupal.org/user/52142 ]) of the Drupal security team. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSBfGayh9+71yA2DNAQInrgP/XQ2ULZeSHbqMH4/ZBiumXjot8zD4+5f3 yUu6bD/JsQeyHTB2XotEEzSeH0RQY7avKB9F/eLvCjoI4xbv12F8yCKP7cgsindx iBOHG27+v+/ydBWCRayCF4maO4EmKZ6G3YzNDeCcOcduZVZjMgqZCNFzt618iMTK fZ0LUUvuZvE= =Htuw -----END PGP SIGNATURE-----