-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2009.0553 -- [Win][UNIX/Linux]
           Drupal third-party modules: Multiple Vulnerabilities
                               22 June 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Taxonomy manager
                      Booktree
                      Services
                      Views
                      Nodequeue
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
                      Inappropriate Access
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-2075 CVE-2009-2076 CVE-2009-2077

Original Bulletin:    http://drupal.org/node/487818
                      http://drupal.org/node/487828
                      http://drupal.org/node/488004
                      http://drupal.org/node/488068
                      http://drupal.org/node/488092

Comment: This bulletin contains five (5) Drupal Security Advisories

Revision History:  June 22 2009: Added CVEs
                      June 11 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-034
  * Project: Taxonomy manager (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-June-10
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION --------------------------------------------------------

The Taxonomy manager module provides additional tools for administering
taxonomy through Drupal. A vocabulary gets displayed in a dynamic tree view,
where parent terms can be expanded to list their nested child terms or can be
collapsed. The module does not properly escape some user-supplied data,
allowing malicious users to insert arbitrary HTML and script code into the
administrative pages provided by this module. A user who has the 'administer
taxonomy' permission, and (depending on configuration) a user able to add
taxonomy terms via free tagging, could attempt a cross site scripting [1]
(XSS) attack which may lead to the user gaining full administrative access.

- -------- VERSIONS AFFECTED --------------------------------------------------

  * Taxonomy manager 6.x prior to 6.x-1.1
  * Taxonomy manager 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the contributed Taxonomy
manager module, there is nothing you need to do.

- -------- SOLUTION -----------------------------------------------------------

Install the latest version:
  * If you use Taxonomy manager 6.x upgrade to Taxonomy manager 6.x-1.1 [2]
  * If you use Taxonomy manager 5.x upgrade to Taxonomy manager 5.x-1.2 [3]

See also the Taxonomy manager [4] project page.

- -------- REPORTED BY --------------------------------------------------------

Justin Klein Keane (Justin_KleinKeane [5])

- -------- FIXED BY -----------------------------------------------------------

Matthias Hutterer (mh86 [6] the maintainer) and Justin Klein Keane
(Justin_KleinKeane [7])

- -------- CONTACT ------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/487602
[3] http://drupal.org/node/487620
[4] http://drupal.org/project/taxonomy_manager
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/59747
[7] http://drupal.org/user/302225
_______________________________________________

 
  * Advisory ID: DRUPAL-SA-CONTRIB-2009-035
  * Project: Booktree (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-June-10
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION --------------------------------------------------------

Booktree takes as input a series of Book nodes and creates a tree-like
structure using Book node relationships. The Booktree module does not properly
escape node title and node body on tree root pages. A user with privileges to
create book pages could attempt a cross site scripting [1] (XSS) attack which
may lead to the user gaining full administrative access.
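The two XSS advisories above (Taxonomy manager term names, Booktree node titles and bodies) describe the same defect: a stored value is written into an administrative or public page without output escaping. The snippet below is an added example, not code from either module; it is written against Drupal 6 core helpers (check_plain(), check_markup(), node_prepare() conventions) and the function names and sample term are constructed for illustration.

```php
<?php
// Added example, not code from the Taxonomy manager or Booktree modules.
// Shows the output-escaping rule both advisories are about, using Drupal 6
// core helpers: check_plain() for plain-text values that must never carry
// markup (term names, node titles) and check_markup() for body text that is
// allowed to contain HTML but must go through the node's input format.

// Vulnerable pattern: the stored value is concatenated straight into HTML.
// A term name such as 'Fruit <b>(tasty)</b>' is then rendered as markup, so
// anyone who can create terms (including free-tagging users) controls what
// runs in the administrator's browser on the tree page.
function example_tree_item_unsafe($term) {
  return '<li class="term">' . $term->name . '</li>';
}

// Hardened pattern: check_plain() encodes <, >, &, " and ' so the browser
// shows the text literally instead of parsing it as HTML.
function example_tree_item_safe($term) {
  return '<li class="term">' . check_plain($term->name) . '</li>';
}

// A node title is plain text too, so it gets check_plain(). A node body is
// meant to hold HTML, so it is not escaped but filtered through the input
// format the node was saved with. The third argument FALSE skips the check
// that the *viewing* user may use that format, which is what core's
// node_prepare() does for content that was already vetted when it was saved.
function example_book_root_safe($node) {
  $output  = '<h2>' . check_plain($node->title) . '</h2>';
  $output .= '<div class="body">' . check_markup($node->body, $node->format, FALSE) . '</div>';
  return $output;
}

// Constructed sample input, standing in for a term a free-tagging user added.
$term = new stdClass();
$term->name = 'Fruit <b>(tasty)</b>';

print example_tree_item_unsafe($term) . "\n";
print example_tree_item_safe($term) . "\n";
```

Run inside a Drupal 6 bootstrap (for example from a small page callback), the first print delivers a live bold tag to the browser while the second shows the angle brackets literally. The same rule applies to the Nodequeue vocabulary names and Views view names mentioned later in this bulletin: anything that was never intended to be HTML is passed through check_plain() at the point where it is written into the page.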

- -------- VERSIONS AFFECTED --------------------------------------------------

  * Booktree for Drupal 5.x prior to Booktree 5.x-7.3
  * Booktree for Drupal 6.x prior to Booktree 6.x-1.1

Drupal core is not affected. If you do not use the contributed Booktree
module, there is nothing you need to do.

- -------- SOLUTION -----------------------------------------------------------

Upgrade to the latest version:
  * If you use Booktree for Drupal 5.x upgrade to Booktree 5.x-7.3 [2]
  * If you use Booktree for Drupal 6.x upgrade to Booktree 6.x-1.1 [3]

See also the Booktree project page [4].

- -------- REPORTED BY --------------------------------------------------------

Stéphane Corlosquet [5] of the Drupal Security Team [6].

- -------- FIXED BY -----------------------------------------------------------

Uccio [7].

- -------- CONTACT ------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/487812
[3] http://drupal.org/node/487810
[4] http://drupal.org/project/booktree
[5] http://drupal.org/user/52142
[6] http://drupal.org/security-team
[7] http://drupal.org/user/32370
_______________________________________________


  * Advisory ID: SA-CONTRIB-2009-036
  * Project: Services (third-party module)
  * Version: 6.x
  * Date: 2009-June-10
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Impersonation

- -------- DESCRIPTION --------------------------------------------------------

The Services module provides integration of external applications with
Drupal. Service callbacks may be used with multiple interfaces like XMLRPC,
SOAP, REST, AMF. When key based access is enabled any user may view or add
keys, allowing a third party to access services they would not otherwise be
able to access. The services that can be exploited depend on the access
control checks that are in place on a given client site.
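The Services issue above is an access-control gap on the key-management pages rather than an escaping bug. The following is an added example, not code from the Services module, of how such a page is protected in Drupal 6 through hook_perm() and hook_menu(); the module name 'examplekeys', the permission string and the table name are assumptions made for illustration.

```php
<?php
// Added example, not code from the Services module. Shows the menu access
// check that keeps key management away from arbitrary users, using Drupal 6's
// hook_perm() / hook_menu(). Module name, permission string and table name
// ('examplekeys') are assumed for illustration.

// Declare a dedicated permission so site administrators grant key management
// deliberately instead of it falling out of some broader permission.
function examplekeys_perm() {
  return array('administer examplekeys keys');
}

function examplekeys_menu() {
  $items = array();

  // Weak pattern: 'access callback' => TRUE makes the router entry reachable
  // by anyone, anonymous visitors included, so any visitor can list or add keys.
  $items['admin/build/examplekeys/keys-open'] = array(
    'title' => 'API keys (open, do not do this)',
    'page callback' => 'examplekeys_keys_page',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // Corrected pattern: the default access callback is user_access(), so
  // 'access arguments' names the permission a user must hold to reach the page.
  $items['admin/build/examplekeys/keys'] = array(
    'title' => 'API keys',
    'page callback' => 'examplekeys_keys_page',
    'access arguments' => array('administer examplekeys keys'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

// Page callback: list existing keys for the administrator. The table
// {examplekeys} (kid, uid, created) is assumed.
function examplekeys_keys_page() {
  $items = array();
  $result = db_query('SELECT k.kid, k.uid, k.created FROM {examplekeys} k ORDER BY k.created DESC');
  while ($row = db_fetch_object($result)) {
    $items[] = t('Key @kid for user @uid, created @date', array(
      '@kid' => $row->kid,
      '@uid' => $row->uid,
      '@date' => format_date($row->created),
    ));
  }
  return theme('item_list', $items);
}

// Defence in depth: the form that adds a key re-checks the permission in its
// validate handler, so a mis-wired router entry alone is not enough to add one.
function examplekeys_key_form_validate($form, &$form_state) {
  if (!user_access('administer examplekeys keys')) {
    form_set_error('', t('You are not authorized to add keys.'));
  }
}
```

The advisory's last sentence is the reason the validate-handler check matters: once a key exists, what it unlocks depends entirely on the per-service access checks the site has configured, so the place to stop an unauthorised caller is before the key is issued, not after.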

- -------- VERSIONS AFFECTED --------------------------------------------------

Services for 6.x before version 6.x-0.14. Drupal core is not affected. If you
do not use the contributed Services module, there is nothing you need to do.

- -------- SOLUTION -----------------------------------------------------------

Upgrade to the latest version: If you are running Services 6.x then upgrade
to Services 6.x-0.14 [1]. If you are running a development version of
Services module please upgrade to a version dated later than 9th June 2009.
See also the Services [2] project page.

- -------- REPORTED BY --------------------------------------------------------

Gerhard Killesreiter [3] of the Drupal Security Team

- -------- FIXED BY -----------------------------------------------------------

Marc Ingram [4].

- -------- CONTACT ------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/487784
[2] http://drupal.org/project/services
[3] http://drupal.org/user/227
[4] http://drupal.org/user/77320
_______________________________________________


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-037
  * Project: Views
  * Versions: 6.x-2.x
  * Date: 2009-June-10
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting (XSS), Access Bypass

- -------- DESCRIPTION --------------------------------------------------------

The Views module provides a flexible method for Drupal site designers to
control how lists of content are presented. In the Views UI administrative
interface when configuring exposed filters, user input presented as possible
exposed filters is not correctly filtered, potentially allowing malicious
users to insert arbitrary HTML and script code into these pages. In addition,
content entered by users with 'administer views' permission into the View
name when defining custom views is subsequently displayed without being
filtered. Such cross site scripting [1] (XSS) attacks may lead to a malicious
user gaining full administrative access. An access bypass may exist where
unpublished content owned by the anonymous user (e.g. content created by a
user whose account was later deleted) becomes visible to any anonymous user
if a view is already configured in a way that incorrectly shows it. An
additional access bypass may occur because Views may generate queries that
do not respect node access control. Users may be able to access private
content if they have permission to see the resulting View.

- -------- VERSIONS AFFECTED --------------------------------------------------

  * Versions of Views for Drupal 6.x prior to 6.x-2.6

Drupal core is not affected. If you do not use the Views module, there is
nothing you need to do.

- -------- SOLUTION -----------------------------------------------------------

Install the latest version:
  * If you use Views for Drupal 6.x upgrade to 6.x-2.6 [2]

In addition, preventing the node access bypass may require adding *node:
access filters* to the View manually if using relationships to nodes that
might be restricted. Also see the Views project page [3].

- -------- REPORTED BY --------------------------------------------------------

  * The exposed filters XSS was reported by Derek Wright (dww [4]) of the
    Drupal Security Team [5]
  * The XSS from the view name was reported by Justin Klein Keane
    (Justin_KleinKeane [6])
  * The unpublished content access bypass was reported by Brandon Bergren
    (bdragon [7])
  * The node access query bypass was reported by Moshe Weitzman (moshe
    weitzman [8]) of the Drupal Security Team [9]

- -------- FIXED BY -----------------------------------------------------------

Earl Miles (merlinofchaos [10]) Views project maintainer.

- -------- CONTACT ------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact and by selecting the security
issues category.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/488082
[3] http://drupal.org/project/views
[4] http://drupal.org/user/46549
[5] http://drupal.org/security-team
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/53081
[8] http://drupal.org/user/23
[9] http://drupal.org/security-team
[10] http://drupal.org/user/26979
_______________________________________________

 
  * Advisory ID: DRUPAL-SA-CONTRIB-2009-038
  * Project: Nodequeue (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-June-10
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

- -------- DESCRIPTION --------------------------------------------------------

The Nodequeue module enables an administrator to arbitrarily put nodes in a
group for some purpose, such as providing a listing of nodes or featuring a
particular node. It suffers from a cross-site scripting [1] (XSS)
vulnerability due to not properly sanitizing vocabulary names before they are
displayed. Additionally, the module does not respect node access restrictions
when displaying node titles.
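The Views advisory (queries that disregard node access, and unpublished content owned by the anonymous user) and the Nodequeue advisory (node titles shown without node access checks) share one root cause: a listing is built from {node} without the grants in {node_access} being applied. The block below is an added example written against Drupal 6 core APIs (db_rewrite_sql(), node_access(), db_placeholders()); it is not code from Views or Nodequeue, and the function names are constructed for illustration.

```php
<?php
// Added example, not code from Views or Nodequeue. Illustrates the node-access
// bypass class both advisories describe, using Drupal 6 core APIs.
//
// A query written directly against {node} sees every row. The per-node grants
// in {node_access} are only applied when the query is passed through
// db_rewrite_sql(), which joins the grants table and appends the restrictions
// that modules implementing hook_node_grants() registered for the current user.

// Vulnerable pattern: titles come straight from {node}, so a user who may not
// view a restricted (or unpublished) node still sees its title in the listing.
function example_titles_unsafe($nids) {
  $placeholders = db_placeholders($nids);
  $result = db_query('SELECT n.nid, n.title FROM {node} n WHERE n.nid IN (' . $placeholders . ')', $nids);
  $titles = array();
  while ($row = db_fetch_object($result)) {
    $titles[$row->nid] = $row->title;
  }
  return $titles;
}

// Hardened pattern: the same query wrapped in db_rewrite_sql(). Rows the current
// user holds no 'view' grant for are filtered by the database, which also keeps
// counts and pagers consistent with what the user may actually see.
function example_titles_safe($nids) {
  $placeholders = db_placeholders($nids);
  $sql = 'SELECT n.nid, n.title FROM {node} n WHERE n.nid IN (' . $placeholders . ')';
  // Only users who administer nodes may see unpublished content. Filtering on
  // n.status here also covers unpublished nodes owned by uid 0 (the anonymous
  // user), which an "owner may view own content" shortcut would otherwise
  // expose to every anonymous visitor.
  if (!user_access('administer nodes')) {
    $sql .= ' AND n.status = 1';
  }
  $result = db_query(db_rewrite_sql($sql), $nids);
  $titles = array();
  while ($row = db_fetch_object($result)) {
    $titles[$row->nid] = $row->title;
  }
  return $titles;
}

// When node objects are already loaded (for example via a relationship in a
// view, which the advisory says may need an explicit node access filter),
// check each one before rendering; node_access() applies the same grants
// plus the 'administer nodes' and published-status rules per node.
function example_render_titles($nodes) {
  $items = array();
  foreach ($nodes as $node) {
    if (node_access('view', $node)) {
      $items[] = check_plain($node->title);
    }
  }
  return theme('item_list', $items);
}
```

The query-level fix is preferable to the per-node one wherever a list is produced, because it is the only form that keeps counts, pagers and "no results" behaviour from leaking the existence of content the user cannot open; the per-node check is the fallback for data that arrived already loaded.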

- -------- VERSIONS AFFECTED --------------------------------------------------

  * Nodequeue for Drupal 5.x prior to Nodequeue 5.x-2.7
  * Nodequeue for Drupal 6.x prior to Nodequeue 6.x-2.2

Drupal core is not affected. If you do not use the contributed Nodequeue
module, there is nothing you need to do.

- -------- SOLUTION -----------------------------------------------------------

Upgrade to the latest version:
  * If you use Nodequeue for Drupal 5.x upgrade to Nodequeue 5.x-2.7 [2]
  * If you use Nodequeue for Drupal 6.x upgrade to Nodequeue 6.x-2.2 [3]

See also the Nodequeue project page [4].

- -------- REPORTED BY --------------------------------------------------------

  * The XSS issue was reported by Justin C. Klein Keane [5].
  * The access bypass issue was reported by Ezra Barnett Gildesgame [6].

- -------- FIXED BY -----------------------------------------------------------

  * The XSS issue was fixed by Justin C. Klein Keane [7].
  * The access bypass issue was fixed by Ezra Barnett Gildesgame [8] and Earl
    Miles [9].

- -------- CONTACT ------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/488104
[3] http://drupal.org/node/488102
[4] http://drupal.org/project/nodequeue
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/69959
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/69959
[9] http://drupal.org/user/26979

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKPw8lNVH5XJJInbgRAowJAJ4rVh8Z6Q4CITfjOXMXl0xEKtXY3gCbBbVs
+asSZ1lFFqKKvYzYiMjuMAw=
=96Zc
-----END PGP SIGNATURE-----