12 February 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

ESB-2009.0141 -- [Win][UNIX/Linux]
Vulnerabilities discovered in Troll and Advertisement (Drupal third-party modules)
12 February 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Troll
                   Advertisement
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact:            Cross-site Scripting
                   Cross-site Request Forgery
Access:            Remote/Unauthenticated

Comment: This bulletin contains two (2) Drupal Security Advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- ---- SA-CONTRIB-2009-006 - TROLL - CROSS SITE REQUEST FORGERIES ----

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-006
  * Project: Troll (third-party module)
  * Version: 5.x
  * Date: 2009 February 11
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site request forgeries (CSRF)

- ---- DESCRIPTION ----

The Troll module provides management tools for community sites to deal with
badly behaved users, known as "trolls", including banning users by IP address,
advanced user searching, and blocking users by role.

The module does not properly implement the Drupal Form API which makes it
vulnerable to Cross Site Request Forgeries (CSRF [
http://en.wikipedia.org/wiki/Csrf ]). Nearly all actions taken by the module
can be executed via a cross site request forgery, making it possible for
malicious users to for example cause administrators to unknowingly block users
and arbitrary IP-ranges from using the site.

- ---- VERSIONS AFFECTED ----

  * Versions of Troll for Drupal 5.x

The Drupal 6 version by John VanDyk (jvandyk [ http://drupal.org/user/2375 ])
is *not* affected.

Drupal core is not affected. If you do not use the contributed Troll module,
there is nothing you need to do.

- ---- SOLUTION ----

There is no solution available. Disable the module and remove it from your
site.

See also the Troll project page [ http://drupal.org/project/troll ].

- ---- REPORTED BY ----

  * Reported by Heine Deelstra (Heine [ http://drupal.org/user/17943 ]).
  * Independently reported by David Kent Norman (deekayen
    [ http://drupal.org/user/972 ]).

- ---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

- --

- ---- SA-CONTRIB-2009-007 - ADVERTISEMENT CROSS-SITE SCRIPTING ----

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-007
  * Project: Advertisement module (third-party module)
  * Versions: 5.x, 6.x
  * Date: 2009 February 11
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site scripting (XSS)

- ---- DESCRIPTION ----

The Advertisement module displays and tracks advertisements on Drupal
websites.

Unsanitized text is displayed in several places, allowing users with
"administer advertisements" permissions to execute arbitrary code.

Users with "administer advertisements" permissions have the ability to
configure the Advertisement module to ignore Drupal's standard input filters,
allowing any user with "create advertisements" permissions the ability to
execute arbitrary code.

- ---- VERSIONS AFFECTED ----

  * Versions of Advertisement module for Drupal 5.x prior to 5.x-1.7.
  * Versions of Advertisement module for Drupal 6.x prior to 6.x-1.0-rc1.

Note that this vulnerability also affects the unsupported branches of code for
4.7 and 5.x-2.x. The Advertisement module maintainer will update these at his
discretion. If you use those unsupported versions you should disable them
until an updated release is available.

Drupal core is not affected. If you do not use the contributed Advertisement
module, there is nothing you need to do.

- ---- SOLUTION ----

Install the latest version:

  * If you use Advertisement for Drupal 5.x upgrade to Advertisement 5.x-1.7
    [ http://drupal.org/node/372995 ]
  * If you use Advertisement for Drupal 6.x upgrade to Advertisement
    6.x-1.0-rc1 [ http://drupal.org/node/372997 ]

See also the Advertisement project page [ http://drupal.org/project/ad ].

- ---- REPORTED BY ----

Justin C. Klein Keane.

- ---- FIXED BY ----

Jeremy Andrews (Jeremy [ http://drupal.org/user/409 ])

- ---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

- --

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJk3YiNVH5XJJInbgRAnqiAJ9Pw0Xox53+iROE8xapTi0W95kjhwCeLhC1
AbvolGfwfUx2EDd36ZuFGjw=
=7077
-----END PGP SIGNATURE-----
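
Added example (not part of the AusCERT bulletin or the Drupal advisories): a check of one module's .info file against the "VERSIONS AFFECTED" sections above. It assumes the module came from a drupal.org package, whose .info file carries `project` and `version` keys; the function names and the sample .info text are constructed for illustration.

```python
import re

# Fixed releases transcribed from the two advisories; None = no fixed release exists.
FIXED = {("troll", "5.x"): None, ("ad", "5.x"): "1.7", ("ad", "6.x"): "1.0-rc1"}
RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the release
VER = re.compile(r"^(\d+(?:\.\d+)?\.x)-(\d+)\.(\d+|x)(?:-(alpha|beta|rc|dev)(\d*))?$")

# Constructed sample .info content (not taken from a real site).
SAMPLE_INFO = '; $Id$\nname = Ad\nproject = "ad"\nversion = "6.x-1.0-beta5"\n'


def parse_info(text):
    """Read key = value pairs from a Drupal .info file, ignoring ; comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip('"')
    return out


def release_key(major, minor, tag, num):
    """Sortable key for the part of a version after the core prefix."""
    return (int(major), int(minor), RANK[tag], int(num or 0))


def status(info_text):
    """Return 'affected', 'not affected' or 'check manually' for one module."""
    info = parse_info(info_text)
    project, m = info.get("project"), VER.match(info.get("version", ""))
    if project is None:
        return "check manually"        # unpackaged copy: project cannot be identified
    if project not in ("troll", "ad"):
        return "not affected"
    if not m:
        return "check manually"        # no packaged version string to compare
    core, major, minor, tag, num = m.groups()
    if project == "ad" and (core == "4.7.x" or (core, major) == ("5.x", "2")):
        return "affected"              # unsupported branches named in the advisory
    if (project, core) not in FIXED:
        return "not affected"          # e.g. Troll for Drupal 6
    fixed = FIXED[(project, core)]
    if fixed is None:
        return "affected"              # Troll 5.x: disable and remove
    if minor == "x" or tag == "dev":
        return "check manually"        # dev snapshot: build date decides, not the number
    fixed_key = release_key(*VER.match(f"{core}-{fixed}").groups()[1:])
    return "affected" if release_key(major, minor, tag, num) < fixed_key else "not affected"
```

Run `status()` over the text of each `*.info` file under the site's modules directories; a "check manually" result means the version string alone cannot settle it.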