Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0266 -- [Win][UNIX/Linux]
Vulnerabilities identified in Printer, e-mail and PDF versions, and Content
Construction Kit (Drupal third-party modules)
27 March 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Printer, e-mail and PDF versions
Content Construction Kit
Publisher: Drupal
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Cross-site Scripting
Reduced Security
Access: Remote/Unauthenticated
CVE Names: CVE-2009-1047 CVE-2009-1069
Original Bulletin: http://drupal.org/node/406520
http://drupal.org/node/406516
Comment: This bulletin contains two (2) Drupal Security Advisories
Revision History: March 27 2009: Added CVE Reference
March 25 2009: Added CVE Reference
March 23 2009: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
* Advisory ID: DRUPAL-SA-CONTRIB-2009-012
* Project: Printer, e-mail and PDF versions (third-party module)
* Versions: 5.x, 6.x
* Date: 2009 March 18
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Unrestricted e-mailing (spam)
The "Send by e-mail" module, part of the "Printer, e-mail and PDF versions"
project, allows users to send e-mail messages while viewing content on the
site. This module was found to have multiple vulnerabilities.
- -------- UNRESTRICTED E-MAILING (SPAM) ---------------------------------------
Due to improper use of Drupal's flood control API, it is possible for
spammers or spambots to send an unlimited numbers of e-mails using the "Send
by e-mail" module.
This vulnerability is very similar to the recent vulnerability found in the
Forward module and reported in SA-CONTRIB-2009-009 [1]. The security team has
received reports of this vulnerability being actively exploited on production
sites using the Forward module.
In addition, when sending out e-mails in HTML format, some content is not
properly filtered, allowing malicious users to inject arbitrary HTML and
script code into these e-mails.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of "Printer, e-mail and PDF versions" 5.x prior to 5.x-4.4
* Versions of "Printer, e-mail and PDF versions" 6.x prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed "Printer,
e-mail and PDF versions" module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use "Printer, e-mail and PDF versions" 5.x upgrade to Printer,
e-mail and PDF versions 5.x-4.4 [2]
* If you use "Printer, e-mail and PDF versions" 6.x upgrade to Printer,
e-mail and PDF versions 6.x-1.4 [3]
- -------- REPORTED BY ---------------------------------------------------------
João Ventura, the "Printer, e-mail and PDF versions"
project maintainer
- -------- FIXED BY ------------------------------------------------------------
Joao Ventura, with assistance from James Gilliand and David Rothstein of the
Drupal security team
- -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact [4].
[1] http://drupal.org/node/398564
[2] http://drupal.org/node/406512
[3] http://drupal.org/node/406522
[4] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2009-013
* Project: Content Construction Kit (third-party module)
* Version: 6.x
* Date: 2009 March 18
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)
- -------- DESCRIPTION ---------------------------------------------------------
The Node reference and User reference sub-modules, which are part of the
Content Construction Kit (CCK) project, lets administrators define node
fields that are references to other nodes or to users. When displaying a node
edit form, the titles of candidate referenced nodes or names of candidate
referenced users are not properly filtered, allowing malicious users to
inject arbitrary code on those pages. Such a cross site scripting [1] (XSS)
attack may lead to a malicious user gaining full administrative access.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of CCK for Drupal 6.x prior to 6.x-2.2
Drupal core is not affected. If you do not use the Node reference or User
reference sub-modules of the contributed Content Construction Kit (CCK)
project, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use CCK for Drupal 6.x upgrade to CCK 6.x-2.2 [2]
See also the Content Construction Kit (CCK) project page [3].
- -------- REPORTED BY ---------------------------------------------------------
Yves Chedemois (yched [4]).
- -------- FIXED BY ------------------------------------------------------------
Yves Chedemois (yched [5]).
- -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/406534
[3] http://drupal.org/project/cck
[4] http://drupal.org/user/39567
[5] http://drupal.org/user/39567
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJzGq5NVH5XJJInbgRAne7AJ0QcOTx2yQmjPiOJlCDzJbvNjmQHQCfYWg8
hfh49kjBz+vTWm9yVFlylYw=
=xJja
-----END PGP SIGNATURE-----