Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1226 Ajax Table, Go - url redirects (Drupal third-party modules): Multiple Vulnerabilities 27 August 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Ajax Table (third-party module) Go - url redirects (third-party module) Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Cross-site Scripting -- Remote/Unauthenticated Delete Arbitrary Files -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Existing Account Unauthorised Access -- Existing Account Cross-site Request Forgery -- Existing Account Resolution: Patch/Upgrade Original Bulletin: http://drupal.org/node/560298 http://drupal.org/node/560346 Comment: This bulletin contains two (2) Drupal Security Advisories Please note that a patch is not available for the Ajax Table vulnerability. See the solution section below for mitigation advice. - --------------------------BEGIN INCLUDED TEXT-------------------- * Advisory ID: DRUPAL-SA-CONTRIB-2009-053 * Project: Ajax Table (third-party module) * Version: 5.x * Date: 2009-Aug-26 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities - -------- DESCRIPTION --------------------------------------------------------- The Ajax Table module allows one to create AJAX-refreshable tables by supplying a few parameters. .... Access bypass The module lacks access checks, which makes it possible for any user to delete arbitrary users and nodes. The module contains a number of security issues. .... Cross site scripting The module doesn't escape certain user supplied values. Malicious users can use this to insert arbitrary HTML and script content into pages. Such a cross site scripting [1] attack may even lead to the malicious user gaining administrator access. - -------- VERSIONS AFFECTED --------------------------------------------------- * Ajax Table for Drupal 5.x Drupal core is not affected. If you do not use the contributed Ajax Table module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ There is no solution available. Please disable the module and remove it from your server. - -------- REPORTED BY --------------------------------------------------------- Franz Heinzmann [2] - -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/user/21850 * Advisory ID: DRUPAL-SA-CONTRIB-2009-054 * Project: Go - url redirects (third-party module) * Versions: 5.x, 6.x * Date: 2009 August 26 * Security risk: Highly Critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities - -------- DESCRIPTION --------------------------------------------------------- The Go - url redirects (gotwo) module adds the option to add redirected URLs. This module was found to have multiple vulnerabilities. .... Arbitrary PHP code execution Due to improper use of the PCRE regular expression engine, users with permission to use the input filter provided by the module are able to execute arbitrary PHP code on the server. .... Cross-site scripting (XSS) User-supplied text is displayed in several places without being properly filtered, allowing malicious users to inject arbitrary HTML and script code. Such a cross site scripting [1] (XSS) attack may lead to a malicious user gaining full administrative access. .... Access bypass and cross-site request forgery Due to coding errors, users may be able to add redirects or reset redirect counters without having permission to do so. - -------- VERSIONS AFFECTED --------------------------------------------------- * Versions of "Go - url redirects" for Drupal 5.x prior to 5.x-1.4 * Versions of "Go - url redirects" for Drupal 6.x prior to 6.x-1.1 Drupal core is not affected. If you do not use the contributed "Go - url redirects" module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use "Go - url redirects" for Drupal 5.x upgrade to Go - url redirects 5.x-1.4 [2] * If you use "Go - url redirects" for Drupal 6.x upgrade to Go - url redirects 6.x-1.1 [3] See also the Go - url redirects project page [4]. - -------- REPORTED BY --------------------------------------------------------- John Morahan [5] of the Drupal security team Alexander Hass [6], co-maintainer of the gotwo module - -------- FIXED BY ------------------------------------------------------------ Alexander Hass [7] - -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/560336 [3] http://drupal.org/node/560332 [4] http://drupal.org/project/gotwo [5] http://drupal.org/user/58170 [6] http://drupal.org/user/85918 [7] http://drupal.org/user/85918 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKld5lNVH5XJJInbgRAiaXAJwLqpKvQLkz0lOzKAUu//CEWEMR9ACePhyA sfsSG99NH66JXBAosPvdHrQ= =pfaI -----END PGP SIGNATURE-----