Operating System:

[WIN][UNIX/Linux]

Published:

03 July 2008

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2008.0668 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2008.0668 -- [Win][UNIX/Linux]
        Multiple vulnerabilities in four Drupal third-party modules
                                3 July 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Organic Groups (third-party module)
                      Taxonomy autotagger (third-party module)
                      Tinytax taxonomy block (third-party module)
                      Outline designer (third-party module)
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Increased Privileges
                      Access Confidential Data
                      Execute Arbitrary Code/Commands
                      Cross-site Scripting
Access:               Remote/Unauthenticated

Original Bulletin:    http://drupal.org/node/277873
                      http://drupal.org/node/277877
                      http://drupal.org/node/277879
                      http://drupal.org/node/277883

Comment: This bulletin contains four (4) Drupal advisories

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------SA-2008-040 - ORGANIC GROUPS - CROSS SITE SCRIPTING AND INFORMATION
DISCLOSURE------------

  * Advisory ID: DRUPAL-SA-2008-040

  * Project: Organic Groups (third-party module)

  * Versions: 5.x and 6.x

  * Date: 2008-July-02

  * Security risk: Less Critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting and information disclosure

- ------------DESCRIPTION------------

Organic groups enables users to create and manage their own 'groups'. Each
group can be subscribed to, and includes a group home page where subscribers can
communicate amongst themselves. Two vulnerabilities were found in the module.

Cross Site Scripting

The module displays certain values without appropriate filtering.  Malicious
group owners are able to exploit this issue and insert arbitrary HTML and script
code into pages. Such a cross site scripting  [
http://en.wikipedia.org/wiki/Cross-site_scripting ](XSS) attack may lead to
administrator access for the malicious user.

Prerequisites:

  * Audience check boxes must be disabled (enabled by default).

  * Site must allow untrusted users to create groups.

  * Malicious group owner must convince others to join his group.

  * Users may be attacked if they try to start a new discussion in the group
(not a comment).

Information Disclosure

Malicious users may discover the title of private groups. Other group details
and the contents of private posts are not compromised.

Prerequisites:

  * OG Access module must be enabled.

  * Site must use the private groups feature.

- ------------VERSIONS AFFECTED------------

  * Versions of Organic groups for Drupal 5.x prior to 5.x-7.3

  * Versions of Organic groups for Drupal 6.x prior to 6.x-1.0-RC1

Drupal core is not affected. If you do not use the Organic groups module, there
is nothing you need to do.

- ------------SOLUTION------------

Install the latest version and run update.php:

  * If you use Organic groups for Drupal 5.x upgrade to Organic groups 5.x-7.3
[ http://drupal.org/node/277854 ]

  * If you use Organic groups for Drupal 6.x upgrade to Organic groups
6.x-1.0-RC1 [ http://drupal.org/node/277869 ]

Also see the Organic groups project page [ http://drupal.org/project/og ].

- ------------REPORTED BY------------

  * Cross site scripting by fago [ http://drupal.org/user/16747 ].

  * Information disclosure by John Forsythe [ http://drupal.org/user/101901 ].

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.


- ------------SA-2008-041 - TAXONOMY AUTOTAGGER - MULTIPLE
VULNERABILITIES------------

  * Advisory ID: DRUPAL-SA-2008-041

  * Project: Taxonomy autotagger (third-party module)

  * Version: 5.x

  * Date: 2008-July-2

  * Security risk: Critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting and SQL injection

- ------------DESCRIPTION------------

The Taxonomy Autotagger will automatically tag a post with terms from a
vocabulary if the terms are found in the content of the post.

The module does not properly use Drupal's database API and inserts values
supplied by users directly into queries. This can be exploited by malicious
users with the permission to create or edit posts to perform SQL Injection
attacks [ http://en.wikipedia.org/wiki/Sql_injection ]. These attacks may lead
to the malicious user gaining administrator access.

The module also displays certain values without appropriate filtering.
Malicious users with the permission to create or edit posts are able to exploit
this issue and insert arbitrary HTML and script code into pages. Such a cross
site scripting attack [ http://en.wikipedia.org/wiki/Cross-site_scripting ]
(XSS) may lead to a malicious user gaining administrator access.

- ------------VERSIONS AFFECTED------------

  * Taxonomy Autotagger for Drupal 5.x prior to 5.x-1.8.

Drupal core is not affected. If you do not use the contributed Taxonomy
Autotagger module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * Taxonomy Autotagger 5.x-1.8 [ http://drupal.org/node/277684 ].

See also the Taxonomy Autotagger project page [
http://drupal.org/project/autotag ].

- ------------REPORTED BY------------

  * The SQL injection was reported by John Morahan [
http://drupal.org/user/58170 ].

  * The cross site scripting issue was reported by Heine Deelstra [
http://drupal.org/user/17943 ] of the Drupal security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.


- ------------SA-2008-042 - TINYTAX - CROSS SITE SCRIPTING  ------------

  * Advisory ID: DRUPAL-SA-2008-042

  * Project: Tinytax taxonomy block (third-party module)

  * Version: 5.x

  * Date: 2008-July-2

  * Security risk: Moderately critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

The Tinytax taxonomy block displays a vocabulary as a tree within a block.

The module displays certain values without appropriate filtering. Malicious
users with the permission to create taxonomy terms are able to exploit this
issue and insert arbitrary HTML and script code into pages. Such a cross site
scripting attack [ http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS) may
lead to the malicious user gaining administrator access.

- ------------VERSIONS AFFECTED------------

  * Tinytax taxonomy block for Drupal 5.x prior to 5.x-1.10-1.

Drupal core is not affected. If you do not use the contributed Tinytax taxonomy
block module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * Tinytax taxonomy block 5.x-1.10 [ http://drupal.org/node/277682 ].

See also the Tinytax taxonomy block project page [
http://drupal.org/project/tinytax ].

- ------------REPORTED BY------------

  * The cross site scripting issue was reported by the module maintainer, Simon
Rycroft [ http://drupal.org/user/151544 ].

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.


- ------------SA-2008-043 - OUTLINE DESIGNER - PRIVILEGE ESCALATION  ------------

  * Advisory ID: DRUPAL-SA-2008-043

  * Project: Outline designer (third-party module)

  * Version: 5.x

  * Date: 2008-July-2

  * Security risk: Highly critical

  * Exploitable from: Remote

  * Vulnerability: Privilege escalation

- ------------DESCRIPTION------------

The Outline designer module provides a visual way of structuring content in
books. 

A programming error in the module causes the current user to become
authenticated as the author of the viewed content item.

- ------------VERSIONS AFFECTED------------

  * Outline designer for Drupal 5.x prior to 5.x-1.4.

Drupal core is not affected. If you do not use the contributed Outline designer
module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

  * Outline designer 5.x-1.4 [ http://drupal.org/node/277851 ].

See also the Outline designer project page [
http://drupal.org/project/outline_designer ].

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSGwzySh9+71yA2DNAQLkcwP/WMExodAixLag2OsSqWogeTJag32EVA+C
69eAFGhL60asi+iqqqEwxUWqZ21gb3usc1VoeWTlaX/XYpkrqiOgKELsLv2sC0UV
SiGFlIf9OC7BHuJNC6m9G1FxuMzgkV39UQ5BnLtjn591Eg6U4I4xbiemHBuvYF7v
HnsbB1DjDUg=
=zYn0
-----END PGP SIGNATURE-----