-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0607
     [Win][UNIX/Linux] Multiple Third-Party Drupal Module Vulnerabilities
                               12 June 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Pblog
                      Magic Tabs
                      Taxonomy Image
                      Node Hierarchy
                      Aggregation
Publisher:            Drupal
Operating System:     Windows
                      UNIX variants (UNIX, Linux)
Impact:               Execute Arbitrary Code/Commands
                      Inappropriate Access
                      Cross-site Scripting
Access:               Remote/Unauthenticated

Comment: This bulletin contains five (5) Drupal Security Advisories.

         The first Drupal Advisory is a correction to inaccurate reports
         about a vulnerability in Pblog. Users with current versions of
         Pblog are reportedly unaffected by the reported vulnerability.

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------SA-2008-031 - PBLOG - INCORRECT VULNERABILITY REPORT------------

  * Advisory ID: SA-2008-031
  * Project: Pblog (third-party module)
  * Versions: none
  * Date: 2008-June-11
  * Security risk: Not critical
  * Exploitable from: Remote
  * Subject: Incorrect vulnerability report

- ------------DESCRIPTION------------

Several 'security'-related sources claim - with SecurityFocus as source
([ http://www.securityfocus.com/bid/29495/info ]) - that the third-party
Drupal module Pblog is vulnerable to SQL injection attacks.

The Drupal security team has investigated the matter and concluded that
these sources confuse the Drupal module Pblog and the blogging platform
Life Type ([ http://lifetype.net/ ], formerly plog). The Life Type team
assured us that the three-year-old vulnerable version of pblog 1.0.x has
been surpassed by later versions which do not contain this vulnerability.

While we have not received any response from SecurityFocus, we hope
corrections to their announcement will be made shortly.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

- ------------SA-2008-032 - MAGIC TABS - ARBITRARY CODE EXECUTION------------

  * Advisory ID: SA-2008-032
  * Project: Magic Tabs (third-party module)
  * Versions: 5.x
  * Date: 2008-June-11
  * Security risk: Highly critical
  * Exploitable from: Remote
  * Vulnerability: Arbitrary code execution

- ------------DESCRIPTION------------

Magic Tabs provides an implementation of tabs filled via AJAX requests.

Malicious users are able to run arbitrary PHP code via URL arguments to
Magic Tabs, because the module does not restrict the callbacks it will
invoke to a whitelist.

- ------------VERSIONS AFFECTED------------

  * Magic Tabs for Drupal 5.x prior to Magic Tabs 5.x-1.1

Drupal core is not affected. If you do not use the contributed Magic Tabs
module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * If you currently use Magic Tabs 5.x, upgrade to Magic Tabs 5.x-1.1
    [ http://drupal.org/node/269324 ]

See also the Magic Tabs project page [ http://drupal.org/project/magic_tabs ].

- ------------REPORTED BY------------

The Magic Tabs maintainer Yuval Hager (yhager [ http://drupal.org/user/71425 ]).

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

- ------------SA-2008-033 - TAXONOMY IMAGE - CROSS SITE SCRIPTING------------

  * Advisory ID: SA-2008-033
  * Project: Taxonomy Image (third-party module)
  * Versions: 5.x and 6.x
  * Date: 2008-June-11
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

The contributed module Taxonomy Image allows the display of images
associated with taxonomy terms.

Several values are displayed without being escaped, which enables users
to inject arbitrary HTML and script code on pages (Cross Site Scripting
[ http://en.wikipedia.org/wiki/Xss ]). This may lead to administrator
access.

- ------------VERSIONS AFFECTED------------

  * Taxonomy Image for Drupal 5.x before Taxonomy Image 5.x-1.3
  * Taxonomy Image for Drupal 6.x before Taxonomy Image 6.x-1.3

Drupal core is not affected. If you do not use the contributed Taxonomy
Image module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * If you currently use Taxonomy Image 5.x-1.x, upgrade to Taxonomy
    Image 5.x-1.3 [ http://drupal.org/node/265780 ]
  * If you currently use Taxonomy Image 6.x-1.x, upgrade to Taxonomy
    Image 6.x-1.3 [ http://drupal.org/node/265779 ]

See also the Taxonomy Image project page
[ http://drupal.org/project/taxonomy_image ].

- ------------REPORTED BY------------

Owen Barton (Grugnog2 [ http://drupal.org/user/19668 ]).

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at [ http://drupal.org/contact ].

- ------------SA-2008-034 - NODE HIERARCHY - ACCESS BYPASS------------

  * Advisory ID: SA-2008-034
  * Project: Node Hierarchy (third-party module)
  * Versions: 5.x and 6.x
  * Date: 2008-June-11
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

- ------------DESCRIPTION------------

The contributed module Node Hierarchy allows nodes to be children of other
nodes, creating a tree-like hierarchy of content.

Due to incorrectly implemented access checks, any user with the "access
content" permission is able to rearrange the hierarchy. No private data
is exposed, and no content can be removed from the site with this attack.

- ------------VERSIONS AFFECTED------------

  * Versions of Node Hierarchy for Drupal 5.x before Node Hierarchy 5.x-1.1
  * Versions of Node Hierarchy for Drupal 6.x before Node Hierarchy 6.x-1.0

Drupal core is not affected. If you do not use the contributed Node
Hierarchy module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * If you currently use Node Hierarchy 5.x-1.x, upgrade to Node
    Hierarchy 5.x-1.1 [ http://drupal.org/node/269464 ]
  * If you currently use Node Hierarchy 6.x-1.x, upgrade to Node
    Hierarchy 6.x-1.0 [ http://drupal.org/node/269469 ]

See also the Node Hierarchy project page
[ http://drupal.org/project/nodehierarchy ].

- ------------REPORTED BY------------

Ronny López (dropcube [ http://drupal.org/user/37031 ]).

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at [ http://drupal.org/contact ].

- ------------SA-2008-035 - AGGREGATION - MULTIPLE VULNERABILITIES------------

  * Advisory ID: SA-2008-035
  * Project: Aggregation (third-party module)
  * Versions: 5.x
  * Date: 2008-June-11
  * Security risk: Highly critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

- ------------DESCRIPTION------------

The Aggregation module syndicates content from external feeds, saving
them as nodes.

A significant number of vulnerabilities were discovered in the module:

Cross site scripting - Numerous values are displayed without being
properly escaped or filtered, which enables users to inject arbitrary
HTML and script code on pages.

SQL Injection - Numerous values are used in SQL strings without being
properly sanitized.

Arbitrary code execution - Maliciously constructed feeds can result in
the upload of files with arbitrary extensions to the server. Whether
this may lead to arbitrary code execution depends on the exact server
configuration.

Access bypass - Incorrect implementation of the access control results
in access bypass when node access modules (taxonomy access control, acl)
are used.

- ------------VERSIONS AFFECTED------------

  * Aggregation for Drupal 5.x prior to Aggregation 5.x-4.4

Drupal core is not affected. If you do not use the contributed
Aggregation module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * If you currently use Aggregation 5.x, upgrade to Aggregation 5.x-4.4
    [ http://drupal.org/node/269184 ]

See also the Aggregation project page
[ http://drupal.org/project/aggregation ].

- ------------REPORTED BY------------

The cross site scripting issue was publicly reported by fonan
[ http://drupal.org/user/96515 ]. The other issues were identified by
Adam Light (aclight [ http://drupal.org/user/86358 ]) and Heine Deelstra
(Heine [ http://drupal.org/user/17943 ]) of the Drupal security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSFB3aSh9+71yA2DNAQL3XgP5AYRItDWnnDTRSiLoLNDzBFBmzZg5nKWt
2kgU0LNBR03ut3FwuDzjVMaL+I2h8BUxIqNlmcpouU4qFRshc9uapPX72m6ELJuq
lpOYRCZuZfuKzlMhWtVIQJvYtqLOmUnVfBiwl1iA7MBNqTcsXT2B/LEwlUcsfCxz
2AqVXcnfRl4=
=qUb5
-----END PGP SIGNATURE-----
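The advisories above describe four recurring defects in contributed Drupal 5.x modules: a URL argument selecting which PHP function runs (SA-2008-032), values echoed into pages without escaping (SA-2008-033, SA-2008-035), request values concatenated into SQL (SA-2008-035), and a menu callback that never checks whether the caller may modify the node it touches (SA-2008-034). The following is an added example, not code from Magic Tabs, Taxonomy Image, Node Hierarchy, Aggregation or the Drupal project: a hypothetical Drupal 5.x module named `example_tabs` whose AJAX callbacks apply the corresponding defensive pattern for each. The module name, function names and the `{example_tabs}` table are assumptions made for the illustration; the API calls (`arg`, `user_access`, `node_access`, `node_load`, `check_plain`, `db_query` with `%d`/`'%s'` placeholders, `drupal_json`, `drupal_access_denied`) are the Drupal 5.x core functions. The feed-upload issue from SA-2008-035 is not covered here.

```php
<?php
// Added example (hypothetical "example_tabs" module for Drupal 5.x).
// Not code from any of the modules named in the advisories.

/**
 * Implementation of hook_menu() (Drupal 5.x signature).
 * Both paths are reachable by anyone with "access content"; the
 * per-node authorisation therefore has to happen inside the callback.
 */
function example_tabs_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'example_tabs/load',
      'callback' => 'example_tabs_load',
      'access' => user_access('access content'),
      'type' => MENU_CALLBACK,
    );
    $items[] = array(
      'path' => 'example_tabs/reparent',
      'callback' => 'example_tabs_reparent',
      'access' => user_access('access content'),
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}

/**
 * SA-2008-032 pattern: the URL never names a PHP function directly.
 * The tab name from the URL is a key into a fixed whitelist; any name
 * that is not a key is refused instead of being passed to call_user_func().
 */
function example_tabs_load() {
  $allowed = array(
    'recent'  => 'example_tabs_render_recent',
    'popular' => 'example_tabs_render_popular',
  );
  $tab = arg(2);  // example_tabs/load/<tab>/<type>
  if (!isset($allowed[$tab])) {
    drupal_access_denied();
    return;
  }
  $callback = $allowed[$tab];
  drupal_json(array('html' => $callback()));
}

/**
 * SA-2008-033 / SA-2008-035 patterns: the node type comes from the URL,
 * so it goes into the query through a quoted '%s' placeholder (db_query
 * escapes it), and every stored title is passed through check_plain()
 * before it is placed in the HTML that is returned to the browser.
 */
function example_tabs_render_recent() {
  $type = arg(3);
  $result = db_query("SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 AND n.type = '%s' ORDER BY n.created DESC", $type);
  $items = '';
  while ($node = db_fetch_object($result)) {
    $items .= '<li>' . check_plain($node->title) . '</li>';
  }
  return '<ul>' . $items . '</ul>';
}

/**
 * Same escaping rules, different ordering; the assumed "views" column
 * lives in the hypothetical {example_tabs} table.
 */
function example_tabs_render_popular() {
  $result = db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {example_tabs} t ON t.nid = n.nid WHERE n.status = 1 ORDER BY t.views DESC");
  $items = '';
  while ($node = db_fetch_object($result)) {
    $items .= '<li>' . check_plain($node->title) . '</li>';
  }
  return '<ul>' . $items . '</ul>';
}

/**
 * SA-2008-034 pattern: holding "access content" only means the caller may
 * read nodes. Moving a node in the hierarchy changes it, so the callback
 * asks node_access() for the 'update' operation on the node being moved
 * and for 'view' on the new parent before touching the database. Numeric
 * ids are cast and bound with %d placeholders.
 */
function example_tabs_reparent() {
  $node   = node_load((int) arg(2));  // example_tabs/reparent/<nid>/<parent>
  $parent = node_load((int) arg(3));
  if (!$node || !$parent || !node_access('update', $node) || !node_access('view', $parent)) {
    drupal_access_denied();
    return;
  }
  db_query("UPDATE {example_tabs} SET parent_nid = %d WHERE nid = %d", $parent->nid, $node->nid);
  drupal_json(array('status' => 'ok', 'nid' => $node->nid, 'parent' => $parent->nid));
}
```

The point of the whitelist in `example_tabs_load()` is that the set of callable functions is decided by the module author at write time; a request can only pick among them, never name a new one. The same shape works for any "callback name in the request" design, including Drupal 6.x, where only the `hook_menu()` array format differs.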