             AUSCERT External Security Bulletin Redistribution

                  ESB-2008.0633 -- [Win][UNIX/Linux][OSX]
          Drupal Third Party Modules  - Multiple Vulnerabilities
                               19 June 2008


        AusCERT Security Bulletin Summary

Product:              Profile Search (Drupal third party module)
                      TrailScout (Drupal third party module)
                      Services (Drupal third party module)
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Cross-site Scripting
Access:               Remote/Unauthenticated

Original Bulletin:    http://drupal.org/node/272038

Comment: Please note that this bulletin includes three (3) Drupal advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------SA-2008-036 - PROFILE SEARCH - SQL INJECTION------------

  *  Advisory ID: SA-2008-036

  * Project: Profile Search (third-party module)

  * Versions: 5.x

  * Date: 2008-July-18

  * Security risk: Critical

  * Exploitable from: Remote

  * Vulnerability: Multiple vulnerabilities

- ------------DESCRIPTION------------

The Profile search module provides a way for users to search users by all
profile fields, as provided by the profile module in core. Numerous values are
used in SQL strings without being properly sanitized. Users with the "access
user profiles" permission can use these values to execute SQL injection attacks.
These attacks may lead to administrator access.

- ------------VERSIONS AFFECTED------------

  * Profile search 5.x releases prior to 5.x-1.0.

Drupal core is not affected. If you do not use the contributed Profile search
module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * If you currently use Profile search 5.x, upgrade to Profile search 5.x-1.0
[ http://drupal.org/node/272061 ]

See also the Profile search project page [
http://drupal.org/project/profilesearch ].

- ------------REPORTED BY------------

This issue was reported by Larry Garfield (Crell [ http://drupal.org/user/26398
]), who has now taken over maintenance of the module.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

- ------------SA-2008-037 - TRAILSCOUT - XSS AND SQL INJECTION------------

  * Advisory ID: DRUPAL-SA-2008-037

  * Project: TrailScout (third-party module)

  * Version: 5.x

  * Date: 2008-June-18

  * Security risk: Highly critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting and SQL injection

- ------------DESCRIPTION------------

The TrailScout module displays a number of last visited pages as breadcrumbs. 

The module displays certain values without appropriate filtering.  Malicious
users with the permission to create posts are able to exploit this issue and
insert arbitrary HTML and script code into pages. Such a cross site scripting
attack [ http://en.wikipedia.org/wiki/Xss ] may lead to the malicious user
gaining administrator access.

TrailScout also does not properly use the Drupal database API and inserts
values from cookies directly into queries. This can be exploited on most PHP
configurations to perform SQL Injection attacks [
http://en.wikipedia.org/wiki/Sql_injection ]. These attacks may lead to the
malicious user gaining administrator access.

All users are encouraged to update to the latest version. Be sure to verify the
compatibility of your contrib modules as you perform the update.

- ------------VERSIONS AFFECTED------------

  * TrailScout for Drupal 5.x prior to 5.x-1.4

Drupal core is not affected. If you do not use the contributed TrailScout
module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * TrailScout 5.x-1.4 [ http://drupal.org/node/272114 ].

See also the TrailScout project page [ http://drupal.org/project/trailscout ].

- ------------REPORTED BY------------

Gerhard Killesreiter [ http://drupal.org/user/227 ] (Drupal security team).

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

- ------------SA-2008-038 - SERVICES - ARBITRARY CODE EXECUTION------------

  * Advisory ID: DRUPAL-SA-2008-038

  * Project: Services (third-party module)

  * Versions: 5.x and 6.x

  * Date: 2008-June-18

  * Security risk: Highly critical

  * Exploitable from: Remote

  * Vulnerability: Arbitrary code execution

- ------------DESCRIPTION------------

The Services module package was created out of a need for a standardized
solution to integrate external applications with Drupal. It builds on concepts
from Drupal core's XMLRPC interface, but abstracts service callbacks so that
they may be used with multiple interfaces such as XMLRPC, SOAP, REST, and AMF.
This enables a Drupal site to provide web services via multiple interfaces while
using the same callback code.

Unfortunately, the access control system is not sufficiently granular: users
with access to use a service have access to all provided services. With the
provided node services or the system services enabled, this allowed arbitrary
code execution for those users.

Access to services can optionally be limited to certain IP addresses or
configured to require an API key, somewhat mitigating the issue.

- ------------VERSIONS AFFECTED------------

  * Versions of Services for Drupal 5.x prior to 5.x-0.9

  * Versions of Services for Drupal 6.x prior to 6.x-0.9

If you do not use the Services module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * If you use Services for Drupal 5.x upgrade to Services 5.x-0.9 [
http://drupal.org/node/272203 ]

  * If you use Services for Drupal 6.x upgrade to Services 6.x-0.9 [
http://drupal.org/node/272202 ]

Review the new security features within the module, and upgrade all of your
remote service calls to authenticate a user session ID before making any Service
calls requiring secure communication.

See also the Services project page [ http://drupal.org/project/services ].

- ------------REPORTED BY------------

Scott Nelson [ http://drupal.org/user/31156 ], Gerhard Killesreiter [
http://drupal.org/user/227 ], Heine Deelstra [ http://drupal.org/user/17943 ].

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

- --------------------------END INCLUDED TEXT--------------------
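
A way to check a site's module inventory against the fixed releases named in the three advisories above. This is an added example, not part of the AusCERT bulletin or the Drupal advisories. The module machine names are taken from the project URLs in the bulletin; the sample inventory is constructed, and treating pre-releases of a fixed version as affected is an assumption.

```python
import re

# Fixed releases from the advisories, keyed by (module machine name, core series).
FIXED = {
    ("profilesearch", "5.x"): "5.x-1.0",
    ("trailscout", "5.x"): "5.x-1.4",
    ("services", "5.x"): "5.x-0.9",
    ("services", "6.x"): "6.x-0.9",
}

# Drupal contrib version strings: <core>-<major>.<patch>[-<stage><n>]
_VERSION = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-(alpha|beta|rc|dev)(\d*))?$")
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts last


def parse(version):
    """Return (core, sort_key), or None for dev snapshots and malformed strings."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    core, major, patch, stage, num = m.groups()
    if patch == "x" or stage == "dev":
        return None  # a dev snapshot has no fixed position relative to a release
    return core, (int(major), int(patch), _STAGE[stage], int(num or 0))


def status(module, version):
    """Classify one installed module as affected / fixed / not-listed / unknown."""
    parsed = parse(version)
    if parsed is None:
        return "unknown"  # needs a manual check against the release date
    core, key = parsed
    fixed = FIXED.get((module.lower(), core))
    if fixed is None:
        return "not-listed"  # module or core series not covered by this bulletin
    return "affected" if key < parse(fixed)[1] else "fixed"


# Constructed sample inventory (module machine name, installed version).
INVENTORY = [("trailscout", "5.x-1.3"), ("trailscout", "5.x-1.4"),
             ("services", "6.x-0.9-rc1"), ("services", "5.x-0.10"),
             ("profilesearch", "5.x-1.x-dev"), ("views", "5.x-1.6")]


def audit(inventory):
    return [(m, v, status(m, v)) for m, v in inventory]


if __name__ == "__main__":
    for module, version, result in audit(INVENTORY):
        print(f"{module:15} {version:14} {result}")
```

"fixed" here means only that the version is at or after the release named in this bulletin; it says nothing about later advisories for the same module.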

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967