Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.0362 -- [Win][UNIX/Linux] Drupal third-party modules: Cross-site Scripting 24 April 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: CCK comment reference Localization client Print Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact: Cross-site Scripting Access: Remote/Unauthenticated CVE Names: CVE-2009-1342 CVE-2009-1343 CVE-2009-1344 Original Bulletin: http://drupal.org/node/434836 http://drupal.org/node/434748 http://drupal.org/node/434682 Comment: This ESB contains three (3) Drupal advisories. Revision History: April 24 2009: Added CVEs April 16 2009: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- * Advisory ID: DRUPAL-SA-CONTRIB-2009-019 * Project: Localization client (third-party module) * Versions: 5.x, 6.x * Date: 2009-April-15 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross-site scripting (XSS) - -------- DESCRIPTION --------------------------------------------------------- The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. When displaying translatable strings and their completed translations, the module does not escape the data. If used to translate the Drupal core interface, this is not a problem, since no user input is involved. However, when used with modules such as the Internationalization module suite or Views, user provided data is translated, making the module vulnerable to cross site scripting [1] (XSS). This enables malicious users to insert arbitrary HTML and scripts into certain pages. Such an attack against sufficiently privileged users may lead to adminstrator access to the site. - -------- VERSIONS AFFECTED --------------------------------------------------- * Versions of Localization client for Drupal 5.x prior to 5.x-1.2 * Versions of Localization client for Drupal 6.x prior to 6.x-1.7 Drupal core is not affected. If you do not use the Localization client module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use Localization client on Drupal 5, upgrade to Localization client 5.x-1.2 [2] * If you use Localization client on Drupal 6, upgrade to Localization client 6.x-1.7 [3] - -------- REPORTED BY --------------------------------------------------------- Grégoire Moreau - -------- FIXED BY ------------------------------------------------------------ Roger Lopez, Alexander Hass, Bálint Csuthy, Jose A. Reyero and Gábor Hojtsy - -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [4] and by selecting the security issues category. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/434694 [3] http://drupal.org/node/434688 [4] http://drupal.org/contact * Advisory ID: DRUPAL-SA-CONTRIB-2009-020 * Project: Printer, e-mail and PDF versions (third-party module) * Version: 5.x, 6.x * Date: 2009-April-15 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross-site scripting (XSS) - -------- DESCRIPTION --------------------------------------------------------- The Printer, e-mail and PDF versions ("Print") module provides printer-friendly versions of content. The module does not correctly escape content titles, enabling malicious users to insert arbitrary HTML and scripts into certain pages. Such a cross site scripting [1] (XSS) attack against sufficiently privileged users may lead to administrator access to the site. - -------- VERSIONS AFFECTED --------------------------------------------------- * Versions of Printer, e-mail and PDF versions for Drupal 5.x prior to 5.x-4.5 * Versions of Printer, e-mail and PDF versions for Drupal 6.x prior to 6.x-1.5 Drupal core is not affected. If you do not use the contributed Printer, e-mail and PDF versions module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to Printer, e-mail and PDF versions 5.x-4.5 [2] * If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to Printer, e-mail and PDF versions 6.x-1.5 [3] See also the Printer, e-mail and PDF versions project page [4]. - -------- REPORTED BY --------------------------------------------------------- Stéphane Corlosquet [5] - -------- FIXED BY ------------------------------------------------------------ Peter Wolanin [6] - -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact [7]. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/434718 [3] http://drupal.org/node/434720 [4] http://drupal.org/project/print [5] http://drupal.org/user/52142 [6] http://drupal.org/user/49851 [7] http://drupal.org/contact * Advisory ID: DRUPAL-SA-CONTRIB-2009-021 * Project: CCK comment reference (third-party module) * Version: 6.x * Date: 2009 April 15 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross-site scripting (XSS) - -------- DESCRIPTION --------------------------------------------------------- CCK comment reference project, lets administrators define node fields that are references to comments. When displaying a node edit form, the titles of candidate referenced comments are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting [1] (XSS) attack may lead to a malicious user gaining full administrative access. - -------- VERSIONS AFFECTED --------------------------------------------------- * Versions of CCK comment reference for Drupal 6.x prior to 6.x-1.2 Drupal core is not affected. If you do not use the CCK comment reference module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use CCK comment reference for Drupal 6.x upgrade to CCK comment reference 6.x-1.2 [2] See also the CCK comment reference project page [3]. - -------- REPORTED BY --------------------------------------------------------- Kristof De Jaeger (swentel [4]). - -------- FIXED BY ------------------------------------------------------------ Kristof De Jaeger (swentel [5]). - -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/434842 [3] http://drupal.org/project/commentreference [4] http://drupal.org/user/107403 [5] http://drupal.org/user/107403 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFJ8VkINVH5XJJInbgRAjGTAJ0cS2DeAF3gLUz6dH+Bd9z8njCdpgCePoc6 FGMR0fg00qv6+AugU53/nbo= =cvmv -----END PGP SIGNATURE-----