Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0362 -- [Win][UNIX/Linux]
Drupal third-party modules: Cross-site Scripting
24 April 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: CCK comment reference
Localization client
Print
Publisher: Drupal
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Cross-site Scripting
Access: Remote/Unauthenticated
CVE Names: CVE-2009-1342 CVE-2009-1343 CVE-2009-1344
Original Bulletin: http://drupal.org/node/434836
http://drupal.org/node/434748
http://drupal.org/node/434682
Comment: This ESB contains three (3) Drupal advisories.
Revision History: April 24 2009: Added CVEs
April 16 2009: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
* Advisory ID: DRUPAL-SA-CONTRIB-2009-019
* Project: Localization client (third-party module)
* Versions: 5.x, 6.x
* Date: 2009-April-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)
- -------- DESCRIPTION ---------------------------------------------------------
The Localization client module allows you to translate the interface of your
Drupal site from within each page as you go. When displaying translatable
strings and their completed translations, the module does not escape the
data. If used to translate the Drupal core interface, this is not a problem,
since no user input is involved. However, when used with modules such as the
Internationalization module suite or Views, user provided data is translated,
making the module vulnerable to cross site scripting [1] (XSS). This enables
malicious users to insert arbitrary HTML and scripts into certain pages. Such
an attack against sufficiently privileged users may lead to adminstrator
access to the site.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of Localization client for Drupal 5.x prior to 5.x-1.2
* Versions of Localization client for Drupal 6.x prior to 6.x-1.7
Drupal core is not affected. If you do not use the Localization client
module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version.
* If you use Localization client on Drupal 5, upgrade to Localization client
5.x-1.2 [2]
* If you use Localization client on Drupal 6, upgrade to Localization client
6.x-1.7 [3]
- -------- REPORTED BY ---------------------------------------------------------
Grégoire Moreau
- -------- FIXED BY ------------------------------------------------------------
Roger Lopez, Alexander Hass, Bálint Csuthy, Jose A. Reyero and Gábor Hojtsy
- -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact [4] and by selecting the security
issues category.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/434694
[3] http://drupal.org/node/434688
[4] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2009-020
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2009-April-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)
- -------- DESCRIPTION ---------------------------------------------------------
The Printer, e-mail and PDF versions ("Print") module provides
printer-friendly versions of content. The module does not correctly escape
content titles, enabling malicious users to insert arbitrary HTML and scripts
into certain pages. Such a cross site scripting [1] (XSS) attack against
sufficiently privileged users may lead to administrator access to the site.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of Printer, e-mail and PDF versions for Drupal 5.x prior to
5.x-4.5
* Versions of Printer, e-mail and PDF versions for Drupal 6.x prior to
6.x-1.5
Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 5.x-4.5 [2]
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
Printer, e-mail and PDF versions 6.x-1.5 [3]
See also the Printer, e-mail and PDF versions project page [4].
- -------- REPORTED BY ---------------------------------------------------------
Stéphane Corlosquet [5]
- -------- FIXED BY ------------------------------------------------------------
Peter Wolanin [6]
- -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact [7].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/434718
[3] http://drupal.org/node/434720
[4] http://drupal.org/project/print
[5] http://drupal.org/user/52142
[6] http://drupal.org/user/49851
[7] http://drupal.org/contact
* Advisory ID: DRUPAL-SA-CONTRIB-2009-021
* Project: CCK comment reference (third-party module)
* Version: 6.x
* Date: 2009 April 15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)
- -------- DESCRIPTION ---------------------------------------------------------
CCK comment reference project, lets administrators define node fields that
are references to comments. When displaying a node edit form, the titles of
candidate referenced comments are not properly filtered, allowing malicious
users to inject arbitrary code on those pages. Such a cross site scripting
[1] (XSS) attack may lead to a malicious user gaining full administrative
access.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of CCK comment reference for Drupal 6.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the CCK comment reference
module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use CCK comment reference for Drupal 6.x upgrade to CCK comment
reference 6.x-1.2 [2]
See also the CCK comment reference project page [3].
- -------- REPORTED BY ---------------------------------------------------------
Kristof De Jaeger (swentel [4]).
- -------- FIXED BY ------------------------------------------------------------
Kristof De Jaeger (swentel [5]).
- -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/434842
[3] http://drupal.org/project/commentreference
[4] http://drupal.org/user/107403
[5] http://drupal.org/user/107403
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJ8VkINVH5XJJInbgRAjGTAJ0cS2DeAF3gLUz6dH+Bd9z8njCdpgCePoc6
FGMR0fg00qv6+AugU53/nbo=
=cvmv
-----END PGP SIGNATURE-----