-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2009.0141 -- [Win][UNIX/Linux]
           Vulnerabilities discovered in Troll and Advertisement
                       (Drupal third-party modules)
                             12 February 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Troll
                      Advertisement
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
                      Cross-site Request Forgery
Access:               Remote/Unauthenticated

Comment: This bulletin contains two (2) Drupal Security Advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- ---- SA-CONTRIB-2009-006 - TROLL - CROSS SITE REQUEST FORGERIES ----

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-006

  * Project: Troll (third-party module)

  * Version: 5.x

  * Date: 2009 February 11

  * Security risk: Moderately critical

  * Exploitable from: Remote

  * Vulnerability: Cross-site request forgeries (CSRF)

- ---- DESCRIPTION ----

The Troll module provides management tools for community sites to deal with
badly behaved users, known as "trolls", including banning users by IP 
address, advanced user searching, and blocking users by role.

The module does not properly implement the Drupal Form API, which makes it
vulnerable to cross-site request forgeries (CSRF [
http://en.wikipedia.org/wiki/Csrf ]). Nearly all actions taken by the module
can be executed via a cross-site request forgery, making it possible for
malicious users to, for example, cause administrators to unknowingly block
users and arbitrary IP ranges from using the site.
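
The kind of per-session token check that a properly built form performs on
submission, sketched as an added example. This is standalone PHP, not code from
the Troll module or from Drupal; the function names, the session layout and the
sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration, not code from Troll or Drupal; all names are hypothetical.

// Token bound to one session and one action, keyed with a server-side secret.
function action_token(string $sessionId, string $action, string $siteKey): string {
    return hash_hmac('sha256', $sessionId . '|' . $action, $siteKey);
}

// Before: acts on any request that arrives with an administrator's session.
function block_ip_unprotected(array $session, array $request, array &$blocked): bool {
    if (empty($session['is_admin'])) {
        return false;
    }
    $blocked[] = $request['ip'];
    return true;
}

// After: additionally requires POST and a token that another site cannot read.
function block_ip_protected(array $session, array $request, array &$blocked, string $siteKey): bool {
    if (empty($session['is_admin']) || ($request['method'] ?? '') !== 'POST') {
        return false;
    }
    $expected = action_token($session['id'], 'block_ip', $siteKey);
    $supplied = $request['token'] ?? '';
    // hash_equals() compares in constant time; non-string input is rejected first.
    if (!is_string($supplied) || !hash_equals($expected, $supplied)) {
        return false;
    }
    $blocked[] = $request['ip'];
    return true;
}

// Constructed sample data (documentation-range addresses).
$siteKey = bin2hex(random_bytes(32));
$admin   = ['id' => 'constructed-session-id', 'is_admin' => true];
$blocked = [];

// A request triggered from another site carries the session but no token.
$crossSite = ['method' => 'GET', 'ip' => '192.0.2.10'];
// A request from the site's own form carries the token embedded at render time.
$ownForm = ['method' => 'POST', 'ip' => '192.0.2.20',
            'token' => action_token($admin['id'], 'block_ip', $siteKey)];

var_dump(block_ip_unprotected($admin, $crossSite, $blocked));
var_dump(block_ip_protected($admin, $crossSite, $blocked, $siteKey));
var_dump(block_ip_protected($admin, $ownForm, $blocked, $siteKey));
print_r($blocked);
```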

- ---- VERSIONS AFFECTED ----

  * Versions of Troll for Drupal 5.x

The Drupal 6 version by John VanDyk (jvandyk [ http://drupal.org/user/2375 ])
is *not* affected. Drupal core is not affected. If you do not use the
contributed Troll module, there is nothing you need to do.

- ---- SOLUTION ----

There is no solution available. Disable the module and remove it from your
site. See also the Troll project page [ http://drupal.org/project/troll ].

- ---- REPORTED BY ----

  * Reported by Heine Deelstra (Heine [ http://drupal.org/user/17943 ]).

  * Independently reported by David Kent Norman (deekayen
    [ http://drupal.org/user/972 ]).

- ---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or 
via the form at [ http://drupal.org/contact ].

- -- 

- ----  SA-CONTRIB-2009-007 - ADVERTISEMENT CROSS-SITE SCRIPTING ----

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-007

  * Project: Advertisement module (third-party module)

  * Versions: 5.x, 6.x

  * Date: 2009 February 11

  * Security risk: Less critical

  * Exploitable from: Remote

  * Vulnerability: Cross-site scripting (XSS)

- ---- DESCRIPTION ----

The Advertisement module displays and tracks advertisements on Drupal 
websites. Unsanitized text is displayed in several places, allowing users 
with "administer advertisements" permissions to execute arbitrary code.

Users with "administer advertisements" permissions have the ability to
configure the Advertisement module to ignore Drupal's standard input 
filters, allowing any user with "create advertisements" permissions the 
ability to execute arbitrary code.

- ---- VERSIONS AFFECTED ----

  * Versions of Advertisement module for Drupal 5.x prior to 5.x-1.7.

  * Versions of Advertisement module for Drupal 6.x prior to 6.x-1.0-rc1.

Note that this vulnerability also affects the unsupported branches of code 
for 4.7 and 5.x-2.x.  The Advertisement module maintainer will update these 
at his discretion.  If you use those unsupported versions you should disable 
them until an updated release is available.

Drupal core is not affected. If you do not use the contributed Advertisement
module, there is nothing you need to do. 

- ---- SOLUTION ----

Install the latest version:

  * If you use Advertisement for Drupal 5.x upgrade to Advertisement 5.x-1.7
    [ http://drupal.org/node/372995 ]

  * If you use Advertisement for Drupal 6.x upgrade to Advertisement
    6.x-1.0-rc1 [ http://drupal.org/node/372997 ]

See also the Advertisement project page [ http://drupal.org/project/ad ]. 

- ---- REPORTED BY ----

Justin C. Klein Keane.

- ---- FIXED BY ----

Jeremy Andrews (Jeremy [ http://drupal.org/user/409 ])

- ---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

- -- 

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJk3YiNVH5XJJInbgRAnqiAJ9Pw0Xox53+iROE8xapTi0W95kjhwCeLhC1
AbvolGfwfUx2EDd36ZuFGjw=
=7077
-----END PGP SIGNATURE-----