-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1482.2
           Drupal Third Party Modules: Multiple Vulnerabilities
                              10 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           User Protect
                   Node Hierarchy
                   Presentation Player
                   Temporary Invitation
                   NGP COO/CWP Integration
                   Smartqueues for Organic Groups
                   Link
                   Organic Groups Vocabulary
                   Zoomify
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access          -- Remote/Unauthenticated
                   Cross-site Scripting         -- Remote/Unauthenticated
                   Cross-site Request Forgery   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3914 CVE-2009-3915 CVE-2009-3916
                   CVE-2009-3917 CVE-2009-3918 CVE-2009-3919
                   CVE-2009-3920 CVE-2009-3921 CVE-2009-3922

Original Bulletin:
  http://drupal.org/node/623162
  http://drupal.org/node/623490
  http://drupal.org/node/623508
  http://drupal.org/node/623526
  http://drupal.org/node/623546
  http://drupal.org/node/623554
  http://drupal.org/node/623562
  http://drupal.org/node/623674
  http://drupal.org/node/623678

Comment: This bulletin contains nine (9) Drupal Security Advisories.
         Drupal core is not affected by any of these vulnerabilities.

Revision History:  November 10 2009: Added CVE References
                   November  5 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

* Advisory ID: SA-CONTRIB-2009-09-090
* Project: User Protect (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-04
* Security risk: Moderate
* Exploitable from: Remote
* Vulnerability: Cross site request forgery

- -------- DESCRIPTION ---------------------------------------------------------

User Protect provides various editing protection for users. The protections
can be specific to a user, or applied to all users in a role.
User administrators can be individually configured to be allowed to bypass the
protections.

The Drupal Forms API protects against cross site request forgeries (CSRF [1]),
where a malicious site can cause a user to unintentionally submit a form to a
site where he is authenticated. The link for deleting user protections and
administrator bypasses does not follow the standard Forms API submission model
and is therefore not protected against this type of attack.

A CSRF [2] attack may result in the deletion of protections for users, or
administrator bypass settings for user administrators.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* User Protect for Drupal 5.x before User Protect 5.x-1.4
* User Protect for Drupal 6.x before User Protect 6.x-1.3

Drupal core is not affected. If you do not use the contributed User Protect
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Drupal 5.x upgrade to User Protect 5.x-1.4 [3].
* If you use Drupal 6.x upgrade to User Protect 6.x-1.3 [4].

Please note that update.php *must* be run as part of this upgrade in order for
the issue to be fully fixed.

See also the User Protect project page [5].

- -------- REPORTED BY ---------------------------------------------------------

Chad Phillips [6].

- -------- FIXED BY ------------------------------------------------------------

Chad Phillips [7].

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
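The distinction the advisory draws between a plain delete link and a Forms API submission, shown as an added Drupal 6 example (this is not the User Protect module's own code; the module name, table and paths are hypothetical). The first callback deletes a record as soon as its URL is requested, so the request carries nothing that ties it to the administrator's own intent. The second routes the deletion through confirm_form(), whose hidden form_token Forms API checks against the session before the submit handler runs, which is the protection the advisory refers to.

```php
<?php
// Added example, not the User Protect module's code. Module name 'myprotect',
// table {myprotect_rule} and the admin paths are hypothetical.

/**
 * Implementation of hook_menu() (Drupal 6).
 */
function myprotect_menu() {
  $items = array();

  // Vulnerable pattern: a GET link that performs the state change directly.
  // No token binds the request to the administrator's session, so a request
  // triggered from another site looks the same as a deliberate click.
  $items['admin/user/myprotect/delete-unsafe/%'] = array(
    'page callback'    => 'myprotect_delete_unsafe',
    'page arguments'   => array(4),
    'access arguments' => array('administer users'),
    'type'             => MENU_CALLBACK,
  );

  // Fixed pattern: the link only leads to a confirmation form built by
  // Forms API. The form carries form_token, validated before submit runs.
  $items['admin/user/myprotect/delete/%'] = array(
    'page callback'    => 'drupal_get_form',
    'page arguments'   => array('myprotect_delete_confirm', 4),
    'access arguments' => array('administer users'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

/**
 * CSRF-prone: deletes on a bare GET request.
 */
function myprotect_delete_unsafe($pid) {
  db_query("DELETE FROM {myprotect_rule} WHERE pid = %d", $pid);
  drupal_set_message(t('Protection deleted.'));
  drupal_goto('admin/user/myprotect');
}

/**
 * Form builder: asks for confirmation and keeps the id as a form value.
 */
function myprotect_delete_confirm(&$form_state, $pid) {
  $form['pid'] = array('#type' => 'value', '#value' => $pid);
  return confirm_form($form,
    t('Are you sure you want to delete this protection?'),
    'admin/user/myprotect',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

/**
 * Submit handler: only reached after Forms API has validated the token.
 */
function myprotect_delete_confirm_submit($form, &$form_state) {
  db_query("DELETE FROM {myprotect_rule} WHERE pid = %d",
    $form_state['values']['pid']);
  drupal_set_message(t('Protection deleted.'));
  $form_state['redirect'] = 'admin/user/myprotect';
}
```

The same contrast is what to look for when auditing a contributed module: any menu callback that writes to the database without going through drupal_get_form() (or without calling drupal_valid_token() on a token it generated itself) is a candidate for the class of issue described here.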
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/node/623180
[4] http://drupal.org/node/623186
[5] http://drupal.org/project/userprotect
[6] http://drupal.org/user/22079
[7] http://drupal.org/user/22079

* Advisory ID: DRUPAL-SA-CONTRIB-2009-091
* Project: Node Hierarchy (third-party module)
* Version: 6.x, 5.x
* Date: 2009 November 4
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Node Hierarchy module enables a site administrator to arrange their site
into a tree-like structure.

When displaying the list of children for a node the module does not properly
sanitize the titles of the child nodes before outputting them, leading to a
cross-site scripting [1] (XSS) vulnerability which would allow a user with the
ability to edit the nodes to gain full administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* Node Hierarchy versions for Drupal 6.x prior to 6.x-1.3
* Node Hierarchy versions for Drupal 5.x prior to 5.x-1.3

Drupal core is not affected. If you do not use the contributed Node Hierarchy
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Node Hierarchy for Drupal 6.x upgrade to version 6.x-1.3 [2]
* If you use Node Hierarchy for Drupal 5.x upgrade to version 5.x-1.3 [3]

See also the Node Hierarchy [4] project page.

- -------- REPORTED BY ---------------------------------------------------------

* mr.baileys [5].

- -------- FIXED BY ------------------------------------------------------------

* Ronan Dowling [6], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/622092
[3] http://drupal.org/node/622100
[4] http://drupal.org/project/nodehierarchy
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/72815

* Advisory ID: DRUPAL-SA-CONTRIB-2009-092
* Project: S5 Presentation Player (third-party module)
* Version: 6.x
* Date: 2009 November 4
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The S5 Presentation Player module enables the creation of an S5 slideshow
using content from the site.

The module does not properly sanitize user supplied text it includes in the
HTML HEAD section, leading to a cross-site scripting (XSS [1]) vulnerability.
Such an attack may lead to a malicious user gaining full administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* S5 Presentation Player 6.x-1.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed S5 Presentation
Player module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the S5 Presentation Player for Drupal 6.x-1.x upgrade to
  S5 Presentation Player 6.x-1.1 [2]

See also the S5 Presentation Player module project page [3].

- -------- REPORTED BY ---------------------------------------------------------

* Gábor Hojtsy [4] of the Drupal Security team

- -------- FIXED BY ------------------------------------------------------------

* Greg Knaddison [5], the module maintainer, of the Drupal Security team

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/617136
[3] http://drupal.org/project/s5
[4] http://drupal.org/user/4166
[5] http://drupal.org/user/36762

* Advisory ID: DRUPAL-SA-CONTRIB-2009-093
* Project: Temporary Invitation (third-party module)
* Version: 5.x
* Date: 2009 November 4
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Temporary Invitation module enables site users to invite guests for a
limited timespan. For each invitation, a new user is created, together with a
login code (e.g. "EbN2F3") that the user can use to log in.

The module fails to sanitize a value in the Name field which is included in
the invitation, leading to a Cross Site Scripting (XSS [1]) vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* Temporary Invitation module for Drupal 5.x prior to Temporary Invitation
  5.x-2.3 [2]

Drupal core is not affected. If you do not use the contributed Temporary
invitation module [3], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Temporary Invitation module for Drupal 5.x upgrade to version
  5.x-2.3 [4]

- -------- REPORTED BY ---------------------------------------------------------

* Reported by Wolfgang Ziegler [5], the module maintainer.

- -------- FIXED BY ------------------------------------------------------------

* Fixed by Wolfgang Ziegler [6], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623018
[3] http://drupal.org/project/temporary_invitation
[4] http://drupal.org/node/623018
[5] http://drupal.org/user/16747
[6] http://drupal.org/user/16747

* Advisory ID: DRUPAL-SA-CONTRIB-2009-094
* Project: NGP COO/CWP Integration (crmngp) (third-party module)
* Version: 6.x
* Date: 2009-November-4
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting and Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

The NGP COO/CWP Integration module provides Drupal integration with the NGP
Software API for efficient campaign management.

An administration page did not properly implement access control thereby
allowing untrusted users to view module log information.

User-supplied information was not filtered on output allowing a cross-site
scripting (XSS [1]) attack.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* NGP COO/CWP Integration versions for Drupal 6.x prior to 6.x-1.12

Drupal core is not affected. If you do not use the contributed NGP COO/CWP
Integration module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use NGP COO/CWP Integration for Drupal 6.x upgrade to version
  6.x-1.13 [2]

See also the NGP COO/CWP Integration [3] project page.
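The two defects named in the NGP COO/CWP Integration advisory (an administration page without access control, and user-supplied text placed in HTML without filtering) are the same two patterns behind the Node Hierarchy advisory's unsanitized child-node titles and the other XSS advisories in this bulletin. The following added Drupal 6 example (not the code of any of these modules; module name 'mylog', its table and paths are hypothetical) shows each defect next to its corrected form: a menu item that grants access unconditionally beside one gated on a permission declared in hook_perm(), and a title list emitted raw beside one passed through check_plain().

```php
<?php
// Added example, not the Node Hierarchy or NGP COO/CWP Integration code.
// Module name 'mylog', table {mylog} and the report paths are hypothetical.

/**
 * Implementation of hook_menu() (Drupal 6).
 */
function mylog_menu() {
  $items = array();

  // Access bypass pattern: 'access callback' => TRUE lets anyone, including
  // anonymous users, load the log page.
  $items['admin/reports/mylog-open'] = array(
    'title'           => 'Module log (unrestricted)',
    'page callback'   => 'mylog_page',
    'access callback' => TRUE,
    'type'            => MENU_CALLBACK,
  );

  // Fixed: access is tied to a permission an administrator has to grant.
  $items['admin/reports/mylog'] = array(
    'title'            => 'Module log',
    'page callback'    => 'mylog_page',
    'access arguments' => array('view mylog entries'),
    'type'             => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Implementation of hook_perm(): declares the permission used above.
 */
function mylog_perm() {
  return array('view mylog entries');
}

/**
 * Page callback: loads stored titles and renders them.
 */
function mylog_page() {
  $result = db_query("SELECT title FROM {mylog} ORDER BY lid DESC");
  $titles = array();
  while ($row = db_fetch_object($result)) {
    $titles[] = $row->title;
  }
  return mylog_render_titles($titles);
}

/**
 * Renders a list of node titles as HTML.
 *
 * Titles are user supplied, so each one must go through check_plain()
 * before it is placed in markup. With $sanitize = FALSE the function shows
 * the vulnerable pattern: a title containing a <script> element is emitted
 * verbatim and runs in the browser of whoever views the list.
 */
function mylog_render_titles($titles, $sanitize = TRUE) {
  $items = array();
  foreach ($titles as $title) {
    $items[] = $sanitize ? check_plain($title) : $title;
  }
  // theme('item_list') does not escape its items; they must already be safe.
  return theme('item_list', $items);
}
```

In Drupal 6 the rule of thumb is that output functions decide: check_plain() for text that must render as plain text, filter_xss() where a limited set of HTML is intended, and l() for links (it escapes its text by default). Storing titles already escaped in the database is the wrong layer, since the same value may later be sent somewhere other than HTML.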
- -------- REPORTED BY ---------------------------------------------------------

* Access bypass reported by Dylan Wilder-Tack [4]
* Cross-site scripting reported by Benjamin Jeavons [5]

- -------- FIXED BY ------------------------------------------------------------

* XSS vulnerability fixed by Sean Robertson [6], the module maintainer
* Access bypass vulnerability fixed by Dylan Wilder-Tack [7]

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623506
[3] http://drupal.org/project/crmngp
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/91990
[6] https://drupal.org/user/7074
[7] http://drupal.org/user/96647

* Advisory ID: SA-CONTRIB-2009-095
* Project: Smartqueues for Organic Groups (smartqueue_og) (third-party module)
* Version: 6.x
* Date: 2009 November 4
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

The Smartqueue_og [1] module uses Nodequeue's Smartqueue API to provide a
Nodequeue [2] for organic groups which is editable by members of that group or
the group's administrators.

Users with the "administer nodequeue" permission have the option to batch
create subqueues (individual instances of a queue) for all eligible organic
group nodes. For each subqueue that is created, a confirmation message is
displayed containing the name of the organic group. The displayed message does
not check that the current user has permission to view the group node. A
similar message is also displayed when an eligible group node is submitted.

Smartqueue_og users should also note: Subqueue titles contain the title of the
organic group node to which the subqueue is related. Users with the 'manipulate
all queues' or 'manipulate all og queues' permissions will be able to view all
smartqueue_og subqueue titles, and therefore the node titles of all groups that
have a subqueue, regardless of node access restrictions. This is by design and
is not changed in the latest version.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* Smartqueue_og module for Drupal 6.x prior to Smartqueue_og 6.x-1.0-rc3 [3]
* Smartqueue_og module for Drupal 5.x prior to Smartqueue_og 5.x-1.3 [4]

Drupal core is not affected. If you do not use the contributed Smartqueue_og
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version.

* If you use the Smartqueue_og module for Drupal 6.x upgrade to Smartqueue_og
  module 6.x-1.0-rc3 [5]
* If you use the Smartqueue_og module for Drupal 5.x upgrade to Smartqueue_og
  module 5.x-1.3 [6].

See also the Smartqueue_og [7] module project page.

- -------- REPORTED BY ---------------------------------------------------------

* Ezra Barnett Gildesgame [8], the module maintainer.

- -------- FIXED BY ------------------------------------------------------------

* Ezra Barnett Gildesgame [9], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security@drupal.org [10] or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/smartqueue_og
[2] http://drupal.org/project/nodequeue
[3] http://drupal.org/node/617496
[4] http://drupal.org/node/617500
[5] http://drupal.org/node/617496
[6] http://drupal.org/node/617500
[7] http://drupal.org/project/smartqueue_og
[8] http://drupal.org/user/69959
[9] http://drupal.org/user/69959
[10] mailto:security@drupal.org

* Advisory ID: DRUPAL-SA-CONTRIB-2009-096
* Project: Link (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-4
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Link module provides a CCK field which enables links to be added to content
types, that can include a URL, title, and target attribute.

When using the "Separate title and URL" formatter supplied by the module, the
link title field is not sanitized before being displayed, leading to a Cross
Site Scripting (XSS [1]) vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* Link module for Drupal 6.x prior to Link 6.x-2.7 [2]
* Link module for Drupal 5.x prior to Link 5.x-2.6 [3]

Drupal core is not affected. If you do not use the contributed Link module [4],
there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Link module for Drupal 6.x upgrade to version 6.x-2.7 [5]
* If you use Link module for Drupal 5.x upgrade to version 5.x-2.6 [6]

- -------- REPORTED BY ---------------------------------------------------------

* Reported by mr.baileys [7]

- -------- FIXED BY ------------------------------------------------------------

* Fixed by dropcube [8], Link module co-maintainer, and mr.baileys [9]

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/620668
[3] http://drupal.org/node/620662
[4] http://drupal.org/project/link
[5] http://drupal.org/node/620668
[6] http://drupal.org/node/620662
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/37031
[9] http://drupal.org/user/383424

* Advisory ID: DRUPAL-SA-CONTRIB-2009-097
* Project: Organic Groups Vocabulary (third-party module)
* Version: 6.x
* Date: 2009-November-4
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Organic Groups Vocabulary module enables a vocabulary to be restricted for
use to a specific Organic Group.

The module does not sanitize before outputting the group title in some cases,
resulting in a cross-site scripting (XSS [1]) vulnerability. Such an attack may
lead to a malicious user gaining full administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* Organic Groups Vocabulary versions for Drupal 6.x prior to Organic Groups
  Vocabulary 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Organic Groups
Vocabulary module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Organic Groups Vocabulary for Drupal 6.x upgrade to version
  6.x-1.1 [3]

See also the Organic Groups Vocabulary module project page [4].

- -------- REPORTED BY ---------------------------------------------------------

* Stéphane Corlosquet [5] of the Drupal Security Team and Dylan Wilder-Tack [6]

- -------- FIXED BY ------------------------------------------------------------

* Amitaibu [7], the module maintainer

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/621960
[3] http://drupal.org/node/621960
[4] http://drupal.org/project/og_vocab
[5] http://drupal.org/user/52142
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/57511

* Advisory ID: DRUPAL-SA-CONTRIB-2009-098
* Project: Zoomify (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-4
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Zoomify module integrates the Zoomify Flash applet into Drupal which can be
used to pan and zoom on large images. Images are first preprocessed in order
for Zoomify to work.

The module fails to sanitize a value in the node title, leading to a Cross Site
Scripting (XSS [1]) vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* Zoomify module for Drupal 6.x prior to Zoomify 6.x-1.4 [2]
* Zoomify module for Drupal 5.x prior to Zoomify 5.x-2.2 [3]

Drupal core is not affected. If you do not use the contributed Zoomify module
[4], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Zoomify module for Drupal 6.x upgrade to Zoomify 6.x-1.4 [5]
* If you use Zoomify module for Drupal 5.x upgrade to Zoomify 5.x-2.2 [6]

- -------- REPORTED BY ---------------------------------------------------------

* Reported by Dylan Wilder-Tack [7], the module maintainer

- -------- FIXED BY ------------------------------------------------------------

* Fixed by Karim Ratib [8], the module maintainer

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623434
[3] http://drupal.org/node/623436
[4] http://drupal.org/project/zoomify
[5] http://drupal.org/node/623434
[6] http://drupal.org/node/623436
[7] http://drupal.org/user/96647
[8] http://drupal.org/user/48424

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFK+OOwNVH5XJJInbgRArSIAJ0f2wrK0ZtyT3s9L1/+3wX8rX1enwCfcW7j
2ghTS+LJnq2Gq6bEGhe6c14=
=PsoC
-----END PGP SIGNATURE-----