===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2008.0607 -- [Win][UNIX/Linux]
            Multiple Third-Party Drupal Module Vulnerabilities
                               12 June 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Pblog
                      Magic Tabs
                      Taxonomy Image
                      Node Hierarchy
                      Aggregation
Publisher:            Drupal
Operating System:     Windows
                      UNIX variants (UNIX, Linux)
Impact:               Execute Arbitrary Code/Commands
                      Inappropriate Access
                      Cross-site Scripting
Access:               Remote/Unauthenticated

Comment: This bulletin contains five (5) Drupal Security Advisories.
         
         The first Drupal Advisory is a correction to inaccurate reports
         about a vulnerability in Pblog. Users with current versions of
         Pblog are reportedly unaffected by the reported vulnerability.

--------------------------BEGIN INCLUDED TEXT--------------------

------------SA-2008-031 - PBLOG - INCORRECT VULNERABILITY REPORT------------

  * Advisory ID: SA-2008-031

  * Project: Pblog (third-party module)

  * Versions: none

  * Date: 2008-June-11

  * Security risk: Not critical

  * Exploitable from: Remote

  * Subject: Incorrect vulnerability report

------------DESCRIPTION------------

Several security-related sources, citing SecurityFocus ([
http://www.securityfocus.com/bid/29495/info ]), claim that the third-party
Drupal module Pblog is vulnerable to SQL injection attacks. The Drupal security
team has investigated the matter and concluded that these sources confuse the
Drupal module Pblog with the blogging platform Life Type ([ http://lifetype.net/
], formerly plog).

The Life Type team assured us that the three-year-old vulnerable version,
pblog 1.0.x, has been superseded by later versions which do not contain this
vulnerability.

While we have not received any response from SecurityFocus, we hope corrections
to their announcement will be made shortly.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.


------------SA-2008-032 - MAGIC TABS - ARBITRARY CODE EXECUTION------------

  * Advisory ID: SA-2008-032

  * Project: Magic Tabs (third-party module)

  * Versions: 5.x

  * Date: 2008-June-11

  * Security risk: Highly critical

  * Exploitable from: Remote

  * Vulnerability: Arbitrary code execution

------------DESCRIPTION------------

Magic Tabs provides an implementation of tabs filled via AJAX requests.

Because Magic Tabs does not restrict the callbacks it will invoke to a
whitelist, malicious users are able to run arbitrary PHP code via URL arguments
passed to the module.
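The following is an added illustration of the whitelist the advisory refers to; it is not Magic Tabs' own code, and the example_tabs_* names are hypothetical. It assumes Drupal 5/6 core functions check_plain(), drupal_json() and drupal_not_found().

```php
<?php
// Added illustration, not Magic Tabs' code: an AJAX menu callback that takes
// the name of the function to run from the URL. The example_tabs_* names are
// hypothetical; check_plain(), drupal_json() and drupal_not_found() are
// assumed to be the Drupal 5/6 core functions of those names.

// Without a whitelist: the request path decides which PHP function runs.
function example_tabs_ajax_unchecked($callback) {
  // $callback arrives straight from the URL (e.g. arg(2)), so any callable
  // reachable by name can be invoked; this is the class of flaw SA-2008-032
  // describes.
  return call_user_func($callback);
}

// With a whitelist: a fixed map from public tab ids to the only functions the
// module will ever invoke on behalf of a request.
function example_tabs_callbacks() {
  return array(
    'recent'  => 'example_tabs_render_recent',
    'popular' => 'example_tabs_render_popular',
  );
}

function example_tabs_ajax($tab) {
  $allowed = example_tabs_callbacks();
  // Exact key match only; never fall back to treating $tab as a function name.
  if (!is_string($tab) || !isset($allowed[$tab]) || !function_exists($allowed[$tab])) {
    drupal_not_found();
    return;
  }
  $content = call_user_func($allowed[$tab]);
  drupal_json(array('status' => TRUE, 'data' => $content));
}

function example_tabs_render_recent() {
  // Any user-supplied text placed in the tab must still be escaped.
  return check_plain('Recent items go here');
}

function example_tabs_render_popular() {
  return check_plain('Popular items go here');
}
```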

------------VERSIONS AFFECTED------------

  * Magic Tabs for Drupal 5.x prior to Magic Tabs 5.x-1.1

Drupal core is not affected. If you do not use the contributed Magic Tabs
module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

  * If you currently use Magic Tabs 5.x, upgrade to Magic Tabs 5.x-1.1 [
http://drupal.org/node/269324 ]

See also the Magic Tabs project page [ http://drupal.org/project/magic_tabs ].

------------REPORTED BY------------

The Magic Tabs maintainer Yuval Hager (yhager [ http://drupal.org/user/71425 ]).

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.


------------SA-2008-033 - TAXONOMY IMAGE - CROSS SITE SCRIPTING------------

  * Advisory ID: SA-2008-033

  * Project: Taxonomy Image (third-party module)

  * Versions: 5.x and 6.x

  * Date: 2008-June-11

  * Security risk: Less critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting

------------DESCRIPTION------------

The contributed module Taxonomy Image allows the display of images associated
with taxonomy terms.

Several values are displayed without being escaped, which enables users to
inject arbitrary HTML and script code on pages (Cross Site Scripting [
http://en.wikipedia.org/wiki/Xss ]). This may lead to administrator access.

------------VERSIONS AFFECTED------------

  * Taxonomy Image for Drupal 5.x before Taxonomy Image 5.x-1.3

  * Taxonomy Image for Drupal 6.x before Taxonomy Image 6.x-1.3

Drupal core is not affected. If you do not use the contributed Taxonomy Image
module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

  * If you currently use Taxonomy Image 5.x-1.x, upgrade to Taxonomy Image
5.x-1.3 [ http://drupal.org/node/265780 ]

  * If you currently use Taxonomy Image 6.x-1.x, upgrade to Taxonomy Image
6.x-1.3 [ http://drupal.org/node/265779 ]

See also the Taxonomy Image project page [
http://drupal.org/project/taxonomy_image ].

------------REPORTED BY------------

Owen Barton (Grugnog2 [ http://drupal.org/user/19668 ]).

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


------------SA-2008-034 - NODE HIERARCHY - ACCESS BYPASS------------

  * Advisory ID: SA-2008-034

  * Project: Node Hierarchy (third-party module)

  * Versions: 5.x and 6.x

  * Date: 2008-June-11

  * Security risk: Less critical

  * Exploitable from: Remote

  * Vulnerability: Access bypass

------------DESCRIPTION------------

The contributed module Node Hierarchy allows nodes to be children of other
nodes, creating a tree-like hierarchy of content.

Due to incorrectly implemented access checks, any user with the "access
content" permission is able to rearrange the hierarchy. No private data is
exposed, and no content can be removed from the site with this attack.

------------VERSIONS AFFECTED------------

  * Versions of Node Hierarchy for Drupal 5.x before Node Hierarchy 5.x-1.1

  * Versions of Node Hierarchy for Drupal 6.x before Node Hierarchy 6.x-1.0

Drupal core is not affected. If you do not use the contributed Node Hierarchy
module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

  * If you currently use Node Hierarchy 5.x-1.x, upgrade to Node Hierarchy
5.x-1.1 [ http://drupal.org/node/269464 ]

  * If you currently use Node Hierarchy 6.x-1.x, upgrade to Node Hierarchy
6.x-1.0 [ http://drupal.org/node/269469 ]

See also the Node Hierarchy project page [
http://drupal.org/project/nodehierarchy ].

------------REPORTED BY------------

Ronny López (dropcube [ http://drupal.org/user/37031 ]).

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


------------SA-2008-035 - AGGREGATION - MULTIPLE VULNERABILITIES------------

  * Advisory ID: SA-2008-035

  * Project: Aggregation (third-party module)

  * Versions: 5.x

  * Date: 2008-June-11

  * Security risk: Highly critical

  * Exploitable from: Remote

  * Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

The Aggregation module syndicates content from external feeds, saving the
items as nodes. A significant number of vulnerabilities were discovered in the
module:

Cross site scripting - Numerous values are displayed without being properly
escaped or filtered, which enables users to inject arbitrary HTML and script
code on pages.

SQL Injection - Numerous values are used in SQL strings without being properly
sanitized.

Arbitrary code execution - Maliciously constructed feeds can result in the
upload of files with arbitrary extensions to the server. Whether this leads
to arbitrary code execution depends on the exact server configuration.

Access bypass - Incorrect implementation of the access control results in
access bypass when node access modules (taxonomy access control, acl) are used.
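As an added illustration of the file-extension problem listed above (not the Aggregation module's own code), the following stores a file linked from an external feed item only when its extension is on a whitelist; the example_agg_* names are hypothetical, and file_munge_filename() and file_save_data() are assumed to be the Drupal 5 core file.inc functions of those names.

```php
<?php
// Added illustration, not the Aggregation module's code: storing a file that
// an external feed item links to, accepting only whitelisted extensions. The
// example_agg_* names are hypothetical; file_munge_filename() and
// file_save_data() are assumed to be Drupal 5 core file.inc functions.

// Extensions a site is prepared to keep from untrusted feeds. Anything else,
// including .php and .phtml, is refused before a byte is written.
define('EXAMPLE_AGG_ALLOWED_EXTENSIONS', 'jpg jpeg gif png pdf');

// Returns a safe local file name for the URL, or FALSE if it must be rejected.
function example_agg_safe_filename($url) {
  $parts = parse_url($url);
  if (empty($parts['path'])) {
    return FALSE;
  }
  // basename() drops any directory components the feed author supplied.
  $name = basename($parts['path']);
  $pos = strrpos($name, '.');
  // No extension, a leading dot (".htaccess") or a trailing dot: reject.
  if ($pos === FALSE || $pos === 0 || $pos === strlen($name) - 1) {
    return FALSE;
  }
  $ext = strtolower(substr($name, $pos + 1));
  if (!in_array($ext, explode(' ', EXAMPLE_AGG_ALLOWED_EXTENSIONS), TRUE)) {
    return FALSE;
  }
  // Rewrites inner extensions such as "x.php.jpg" to "x.php_.jpg" so a server
  // that honours multiple extensions will not execute the file.
  return file_munge_filename($name, EXAMPLE_AGG_ALLOWED_EXTENSIONS, FALSE);
}

// Writes the fetched bytes under the vetted name, or returns FALSE.
function example_agg_save_enclosure($url, $data) {
  $filename = example_agg_safe_filename($url);
  if ($filename === FALSE) {
    return FALSE;
  }
  // FILE_EXISTS_RENAME keeps a feed from overwriting an existing file.
  return file_save_data($data, $filename, FILE_EXISTS_RENAME);
}
```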

------------VERSIONS AFFECTED------------

  * Aggregation for Drupal 5.x prior to Aggregation 5.x-4.4

Drupal core is not affected. If you do not use the contributed Aggregation
module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

  * If you currently use Aggregation 5.x, upgrade to Aggregation 5.x-4.4 [
http://drupal.org/node/269184 ]

See also the Aggregation project page [ http://drupal.org/project/aggregation ].

------------REPORTED BY------------

The cross site scripting issue was publicly reported by fonan [
http://drupal.org/user/96515 ].
The other issues were identified by Adam Light (aclight [
http://drupal.org/user/86358 ]) and Heine Deelstra (Heine [
http://drupal.org/user/17943 ]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================