Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0668 -- [Win][UNIX/Linux] Multiple vulnerabilities in four Drupal third-party modules 3 July 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Organic Groups (third-party module) Taxonomy autotagger (third-party module) Tinytax taxonomy block (third-party module) Outline designer (third-party module) Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact: Increased Privileges Access Confidential Data Execute Arbitrary Code/Commands Cross-site Scripting Access: Remote/Unauthenticated Original Bulletin: http://drupal.org/node/277873 http://drupal.org/node/277877 http://drupal.org/node/277879 http://drupal.org/node/277883 Comment: This bulletin contains four (4) Drupal advisories - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------SA-2008-040 - ORGANIC GROUPS - CROSS SITE SCRIPTING AND INFORMATION DISCLOSURE------------ * Advisory ID: DRUPAL-SA-2008-040 * Project: Organic Groups (third-party module) * Versions: 5.x and 6.x * Date: 2008-July-02 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Cross site scripting and information disclosure - ------------DESCRIPTION------------ Organic groups enables users to create and manage their own 'groups'. Each group can be subscribed to, and includes a group home page where subscribers can communicate amongst themselves. Two vulnerabilities were found in the module. Cross Site Scripting The module displays certain values without appropriate filtering. Malicious group owners are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting ](XSS) attack may lead to administrator access for the malicious user. Prerequisites: * Audience check boxes must be disabled (enabled by default). * Site must allow untrusted users to create groups. * Malicious group owner must convince others to join his group. * Users may be attacked if they try to start a new discussion in the group (not a comment). Information Disclosure Malicious users may discover the title of private groups. Other group details and the contents of private posts are not compromised. Prerequisites: * OG Access module must be enabled. * Site must use the private groups feature. - ------------VERSIONS AFFECTED------------ * Versions of Organic groups for Drupal 5.x prior to 5.x-7.3 * Versions of Organic groups for Drupal 6.x prior to 6.x-1.0-RC1 Drupal core is not affected. If you do not use the Organic groups module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version and run update.php: * If you use Organic groups for Drupal 5.x upgrade to Organic groups 5.x-7.3 [ http://drupal.org/node/277854 ] * If you use Organic groups for Drupal 6.x upgrade to Organic groups 6.x-1.0-RC1 [ http://drupal.org/node/277869 ] Also see the Organic groups project page [ http://drupal.org/project/og ]. - ------------REPORTED BY------------ * Cross site scripting by fago [ http://drupal.org/user/16747 ]. * Information disclosure by John Forsythe [ http://drupal.org/user/101901 ]. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category. - ------------SA-2008-041 - TAXONOMY AUTOTAGGER - MULTIPLE VULNERABILITIES------------ * Advisory ID: DRUPAL-SA-2008-041 * Project: Taxonomy autotagger (third-party module) * Version: 5.x * Date: 2008-July-2 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross site scripting and SQL injection - ------------DESCRIPTION------------ The Taxonomy Autotagger will automatically tag a post with terms from a vocabulary if the terms are found in the content of the post. The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the permission to create or edit posts to perform SQL Injection attacks [ http://en.wikipedia.org/wiki/Sql_injection ]. These attacks may lead to the malicious user gaining administrator access. The module also displays certain values without appropriate filtering. Malicious users with the permission to create or edit posts are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack [ http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS) may lead to a malicious user gaining administrator access. - ------------VERSIONS AFFECTED------------ * Taxonomy Autotagger for Drupal 5.x prior to 5.x-1.8. Drupal core is not affected. If you do not use the contributed Taxonomy Autotagger module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version: * Taxonomy Autotagger 5.x-1.8 [ http://drupal.org/node/277684 ]. See also the Taxonomy Autotagger project page [ http://drupal.org/project/autotag ]. - ------------REPORTED BY------------ * The SQL injection was reported by John Morahan [ http://drupal.org/user/58170 ]. * The cross site scripting issue was reported by Heine Deelstra [ http://drupal.org/user/17943 ] of the Drupal security team. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category. - ------------SA-2008-042 - TINYTAX - CROSS SITE SCRIPTING ------------ * Advisory ID: DRUPAL-SA-2008-042 * Project: Tinytax taxonomy block (third-party module) * Version: 5.x * Date: 2008-July-2 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross site scripting - ------------DESCRIPTION------------ The Tinytax taxonomy block displays a vocabulary as a tree within a block. The module displays certain values without appropriate filtering. Malicious users with the permission to create taxonomy terms are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack [ http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS) may lead to the malicious user gaining administrator access. - ------------VERSIONS AFFECTED------------ * Tinytax taxonomy block for Drupal 5.x prior to 5.x-1.10-1. Drupal core is not affected. If you do not use the contributed Tinytax taxonomy block module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version: * Tinytax taxonomy block 5.x-1.10 [ http://drupal.org/node/277682 ]. See also the Tinytax taxonomy block project page [ http://drupal.org/project/tinytax ]. - ------------REPORTED BY------------ * The cross site scripting issue was reported by the module maintainer, Simon Rycroft [ http://drupal.org/user/151544 ]. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category. - ------------SA-2008-043 - OUTLINE DESIGNER - PRIVILEGE ESCALATION ------------ * Advisory ID: DRUPAL-SA-2008-043 * Project: Outline designer (third-party module) * Version: 5.x * Date: 2008-July-2 * Security risk: Highly critical * Exploitable from: Remote * Vulnerability: Privilege escalation - ------------DESCRIPTION------------ The Outline designer module provides a visual way of structuring content in books. A programming error in the module causes the current user to become authenticated as the author of the viewed content item. - ------------VERSIONS AFFECTED------------ * Outline designer for Drupal 5.x prior to 5.x-1.4. Drupal core is not affected. If you do not use the contributed Outline designer module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version: * Outline designer 5.x-1.4 [ http://drupal.org/node/277851 ]. See also the Outline designer project page [ http://drupal.org/project/outline_designer ]. - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSGwzySh9+71yA2DNAQLkcwP/WMExodAixLag2OsSqWogeTJag32EVA+C 69eAFGhL60asi+iqqqEwxUWqZ21gb3usc1VoeWTlaX/XYpkrqiOgKELsLv2sC0UV SiGFlIf9OC7BHuJNC6m9G1FxuMzgkV39UQ5BnLtjn591Eg6U4I4xbiemHBuvYF7v HnsbB1DjDUg= =zYn0 -----END PGP SIGNATURE-----