===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0633
 [Win][UNIX/Linux][OSX] Drupal Third Party Modules - Multiple Vulnerabilities
                               19 June 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Profile Search (Drupal third party module)
                      TrailScout (Drupal third party module)
                      Services (Drupal third party module)
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Cross-site Scripting
Access:               Remote/Unauthenticated

Original Bulletin:
  http://drupal.org/node/272038
  http://drupal.org/node/272191
  http://drupal.org/node/272201

Comment: Please note that this bulletin includes three (3) Drupal advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------SA-2008-036 - PROFILE SEARCH - SQL INJECTION------------

  * Advisory ID: SA-2008-036
  * Project: Profile Search (third-party module)
  * Versions: 5.x
  * Date: 2008-July-18
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

- ------------DESCRIPTION------------

The Profile search module provides a way for users to search users by all
profile fields, as provided by the profile module in core.

Numerous values are used in SQL strings without being properly sanitized.
Users with the "access user profiles" permission can use these values to
execute SQL injection attacks. These attacks may lead to administrator access.

- ------------VERSIONS AFFECTED------------

  * Profile search 5.x releases prior to 5.x-1.0.

Drupal core is not affected. If you do not use the contributed Profile search
module, there is nothing you need to do.
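The Profile search defect above (request values placed into SQL strings without sanitizing), as an added illustration that is not code from the Profile search module or from Drupal: the same profile-field lookup written the unsafe way beside the form the Drupal 5 database API intends. The profile_fields and profile_values tables are those of Drupal 5 core's profile module; the function names and search parameters are assumed.

```php
<?php
// Added example, not code from the Profile search module. Assumes a Drupal 5
// bootstrap so that db_query(), db_fetch_object() and check_plain() exist.

// UNSAFE pattern: the field name and search term arrive from the request and
// are concatenated straight into the SQL text, so the query structure itself
// is under the requester's control.
function profilesearch_lookup_unsafe($field_name, $value) {
  $sql = "SELECT v.uid FROM {profile_values} v"
       . " INNER JOIN {profile_fields} f ON f.fid = v.fid"
       . " WHERE f.name = '" . $field_name . "' AND v.value LIKE '%" . $value . "%'";
  return db_query($sql);
}

// HARDENED pattern: every user-supplied value is passed as a db_query()
// argument bound to a %s placeholder. Drupal escapes each argument for the
// active database backend, so quotes in the input stay data, not syntax.
// '%%' is a literal percent sign in the format string, so '%%%s%%' yields the
// LIKE wildcards around the escaped value.
function profilesearch_lookup_safe($field_name, $value) {
  $result = db_query("SELECT v.uid FROM {profile_values} v"
                   . " INNER JOIN {profile_fields} f ON f.fid = v.fid"
                   . " WHERE f.name = '%s' AND v.value LIKE '%%%s%%'",
                     $field_name, $value);
  $uids = array();
  while ($row = db_fetch_object($result)) {
    // Cast integer columns on the way out as well, so later queries built
    // from these values cannot become a second injection point.
    $uids[] = (int) $row->uid;
  }
  return $uids;
}

// Output side: a profile value echoed back into the result page must be
// escaped as well, otherwise a stored value becomes a cross-site scripting
// vector even though the query itself is now safe.
function profilesearch_render_value($value) {
  return check_plain($value);
}
```

Note that %s escapes quote characters but not LIKE wildcards, so a "%" or "_" in the search term widens the match; that affects result breadth only, not the query structure.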
- ------------SOLUTION------------

Install the latest version:

  * If you currently use Profile search 5.x, upgrade to Profile search 5.x-1.0
    [ http://drupal.org/node/272061 ]

See also the Profile search project page
[ http://drupal.org/project/profilesearch ].

- ------------REPORTED BY------------

This issue was reported by Larry Garfield (Crell
[ http://drupal.org/user/26398 ]), who has now taken over maintenance of the
module.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

- ------------SA-2008-037 - TRAILSCOUT - XSS AND SQL INJECTION------------

  * Advisory ID: DRUPAL-SA-2008-037
  * Project: TrailScout (third-party module)
  * Version: 5.x
  * Date: 2008-June-18
  * Security risk: Highly critical
  * Exploitable from: Remote
  * Vulnerability: Cross site scripting and SQL injection

- ------------DESCRIPTION------------

The TrailScout module displays a number of last visited pages as breadcrumbs.

The module displays certain values without appropriate filtering. Malicious
users with the permission to create posts are able to exploit this issue and
insert arbitrary HTML and script code into pages. Such a cross site scripting
attack [ http://en.wikipedia.org/wiki/Xss ] may lead to the malicious user
gaining administrator access.

TrailScout also does not properly use the Drupal database API and inserts
values from cookies directly into queries. This can be exploited on most PHP
configurations to perform SQL injection attacks
[ http://en.wikipedia.org/wiki/Sql_injection ]. These attacks may lead to the
malicious user gaining administrator access.

All users are encouraged to update to the latest version. Be sure to verify
the compatibility of your contrib modules as you perform the update.

- ------------VERSIONS AFFECTED------------

  * TrailScout for Drupal 5.x prior to 5.x-1.4

Drupal core is not affected.
If you do not use the contributed TrailScout module, there is nothing you need
to do.

- ------------SOLUTION------------

Install the latest version:

  * TrailScout 5.x-1.4 [ http://drupal.org/node/272114 ].

See also the TrailScout project page [ http://drupal.org/project/trailscout ].

- ------------REPORTED BY------------

Gerhard Killesreiter [ http://drupal.org/user/227 ] (Drupal security team).

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

- ------------SA-2008-038 - SERVICES - ARBITRARY CODE EXECUTION------------

  * Advisory ID: DRUPAL-SA-2008-038
  * Project: Services (third-party module)
  * Versions: 5.x and 6.x
  * Date: 2008-June-18
  * Security risk: Highly critical
  * Exploitable from: Remote
  * Vulnerability: Arbitrary code execution

- ------------DESCRIPTION------------

The Services module package was created out of a need for a standardized
solution to integrate external applications with Drupal. It builds on concepts
from Drupal core's XMLRPC interface, but abstracts service callbacks so that
they may be used with multiple interfaces such as XMLRPC, SOAP, REST, and AMF.
This enables a Drupal site to provide web services via multiple interfaces
while using the same callback code.

Unfortunately, the access control system is not sufficiently granular: users
with access to use services have access to all provided services. With the
provided node services or the system services enabled, this allowed arbitrary
code execution for those users.

Access to services can optionally be limited to certain IP addresses or
configured to require an API key, which somewhat mitigates the issue.

- ------------VERSIONS AFFECTED------------

  * Versions of Services for Drupal 5.x prior to 5.x-0.9
  * Versions of Services for Drupal 6.x prior to 6.x-0.9

If you do not use the Services module, there is nothing you need to do.
- ------------SOLUTION------------

Install the latest version:

  * If you use Services for Drupal 5.x, upgrade to Services 5.x-0.9
    [ http://drupal.org/node/272203 ]
  * If you use Services for Drupal 6.x, upgrade to Services 6.x-0.9
    [ http://drupal.org/node/272202 ]

Review the new security features within the module, and upgrade all of your
remote service calls to authenticate a user session ID before making any
Service calls requiring secure communication.

See also the Services project page [ http://drupal.org/project/services ].

- ------------REPORTED BY------------

Scott Nelson [ http://drupal.org/user/31156 ],
Gerhard Killesreiter [ http://drupal.org/user/227 ],
Heine Deelstra [ http://drupal.org/user/17943 ].

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================