-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1482.2
           Drupal Third Party Modules: Multiple Vulnerabilities
                             10 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           User Protect
                   Node Hierarchy
                   Presentation Player
                   Temporary Invitation
                   NGP COO/CWP Integration
                   Smartqueues for Organic Groups
                   Link
                   Organic Groups Vocabulary
                   Zoomify
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access        -- Remote/Unauthenticated
                   Cross-site Scripting       -- Remote/Unauthenticated
                   Cross-site Request Forgery -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3914 CVE-2009-3915 CVE-2009-3916
                   CVE-2009-3917 CVE-2009-3918 CVE-2009-3919
                   CVE-2009-3920 CVE-2009-3921 CVE-2009-3922

Original Bulletin: 
   http://drupal.org/node/623162
   http://drupal.org/node/623490
   http://drupal.org/node/623508
   http://drupal.org/node/623526
   http://drupal.org/node/623546
   http://drupal.org/node/623554
   http://drupal.org/node/623562
   http://drupal.org/node/623674
   http://drupal.org/node/623678

Comment: This bulletin contains nine (9) Drupal Security Advisories.
         
         Drupal core is not affected by any of these vulnerabilities.

Revision History:  November 10 2009: Added CVE References
                   November  5 2009: Initial Release
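Added example, not part of the AusCERT bulletin or of any Drupal project: a PHP command-line script that walks a Drupal 5.x/6.x code base, reads the version stamp that the drupal.org packaging script writes into each module's .info file, and reports every copy of the nine modules below that is older than the fix release its advisory names. The project short names are taken from the project page URLs in the advisories; the NGP COO/CWP Integration entry uses the 6.x-1.13 release given in that advisory's solution section. Modules checked out from CVS carry no version stamp and are reported as "unknown" rather than compared, as are -dev snapshots.

```php
<?php
// check_contrib.php (added example, not from the bulletin or any Drupal project).
// Usage: php check_contrib.php /var/www/drupal
// Prints one line per copy of an affected module: vulnerable, fixed or unknown.

// Fix releases from SA-CONTRIB-2009-090 to -098, keyed by project short name
// and core branch.
$fixed_releases = array(
  'userprotect'          => array('5.x' => '5.x-1.4', '6.x' => '6.x-1.3'),
  'nodehierarchy'        => array('5.x' => '5.x-1.3', '6.x' => '6.x-1.3'),
  's5'                   => array('6.x' => '6.x-1.1'),
  'temporary_invitation' => array('5.x' => '5.x-2.3'),
  'crmngp'               => array('6.x' => '6.x-1.13'),
  'smartqueue_og'        => array('5.x' => '5.x-1.3', '6.x' => '6.x-1.0-rc3'),
  'link'                 => array('5.x' => '5.x-2.6', '6.x' => '6.x-2.7'),
  'og_vocab'             => array('6.x' => '6.x-1.1'),
  'zoomify'              => array('5.x' => '5.x-2.2', '6.x' => '6.x-1.4'),
);

/**
 * Minimal .info reader: "key = value" pairs with quotes stripped. Comments and
 * array entries such as dependencies[] are ignored; only project and version
 * are needed here.
 */
function read_info($file) {
  $info = array();
  foreach (file($file) as $line) {
    $line = trim($line);
    if ($line === '' || $line[0] === ';' || strpos($line, '=') === FALSE) {
      continue;
    }
    list($key, $value) = explode('=', $line, 2);
    $info[trim($key)] = trim(trim($value), '"\'');
  }
  return $info;
}

/**
 * Turn a drupal.org release tag into a string that version_compare() orders
 * correctly: "6.x-1.3" -> "1.3", "6.x-1.0-rc3" -> "1.0RC3" (version_compare()
 * ranks "1.0RC3" below "1.0" and above "1.0RC2"). Returns NULL for -dev
 * snapshots and anything else it cannot parse.
 */
function comparable_version($version) {
  if (!preg_match('/^\d+\.x-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$/i', $version, $m)) {
    return NULL;
  }
  $v = $m[1] . '.' . $m[2];
  if (!empty($m[3])) {
    $v .= strtoupper($m[3]) . $m[4];
  }
  return $v;
}

/**
 * Classify one .info file. $name is the project short name: the packaging
 * stamp when present, the .info file name otherwise.
 */
function classify($info, $name, $fixed_releases) {
  if (!isset($fixed_releases[$name])) {
    return 'not_listed';
  }
  if (empty($info['version']) || !preg_match('/^(\d+\.x)-/', $info['version'], $m)
      || !isset($fixed_releases[$name][$m[1]])) {
    return 'unknown';
  }
  $have = comparable_version($info['version']);
  $want = comparable_version($fixed_releases[$name][$m[1]]);
  if ($have === NULL) {
    return 'unknown';
  }
  return version_compare($have, $want, '<') ? 'vulnerable' : 'fixed';
}

$root = isset($argv[1]) ? $argv[1] : '.';
$files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root));
foreach ($files as $file) {
  if (substr($file->getFilename(), -5) !== '.info') {
    continue;
  }
  $info = read_info($file->getPathname());
  $name = !empty($info['project']) ? $info['project'] : basename($file->getFilename(), '.info');
  $status = classify($info, $name, $fixed_releases);
  if ($status !== 'not_listed') {
    printf("%-10s %-22s %-12s %s\n", $status, $name,
      isset($info['version']) ? $info['version'] : '-', $file->getPathname());
  }
}
```

Run it against the document root of each site (multi-site installs keep modules under sites/*/modules as well as sites/all/modules, so scan the whole tree). An "unknown" line still needs a manual look: a CVS checkout of an affected module has no version stamp and is not proven safe by the absence of one.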

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: SA-CONTRIB-2009-090
  * Project: User Protect (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-04
  * Security risk: Moderate
  * Exploitable from: Remote
  * Vulnerability: Cross site request forgery

- -------- DESCRIPTION ---------------------------------------------------------

User Protect provides various editing protections for users. A protection can
be specific to a user or applied to all users in a role, and individual user
administrators can be configured to bypass the protections. The Drupal Forms
API protects against cross-site request forgery (CSRF [1]), in which a
malicious site causes a user to submit a form, without intending to, to a site
on which that user is authenticated. The link for deleting user protections
and administrator bypasses does not follow the standard Forms API submission
model and is therefore not covered by that protection. A CSRF [2] attack may
result in the deletion of protections for users, or of administrator bypass
settings for user administrators.
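The Forms API protection the advisory refers to, as an added Drupal 6 example that is not code from the User Protect module (the paths, function names and the table name are hypothetical): the first route deletes on a bare GET request, which is what a cross-site link or image tag can trigger; the second routes the same action through confirm_form(), so the Forms API adds a session-bound form_token to the form and the submit handler never runs unless that token validates. The last two functions show the alternative when the action must remain a one-click link: bind the link to the session with drupal_get_token() and verify it with drupal_valid_token().

```php
<?php
// Added example, not code from the User Protect module. The path, function
// and table names are hypothetical.

/**
 * Implementation of hook_menu().
 */
function example_protect_menu() {
  $items = array();

  // VULNERABLE: a plain GET request performs the deletion. Any page an
  // administrator visits that contains
  //   <img src="http://example.com/admin/user/example_protect/delete/5">
  // triggers it with the administrator's session cookie and no token check.
  $items['admin/user/example_protect/delete/%user'] = array(
    'page callback' => 'example_protect_delete_now',
    'page arguments' => array(4),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );

  // FIXED: route through a confirmation form. Because drupal_get_form() builds
  // it, the Forms API adds a form_token bound to the user's session, and
  // drupal_validate_form() rejects any submission whose token does not verify.
  $items['admin/user/example_protect/confirm-delete/%user'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_protect_delete_confirm', 4),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Vulnerable callback: acts on GET, nothing ties the request to the user's intent. */
function example_protect_delete_now($account) {
  example_protect_delete($account->uid);
  drupal_set_message(t('Protections for %name deleted.', array('%name' => $account->name)));
  drupal_goto('admin/user/example_protect');
}

/** Fixed: confirmation form; the Forms API supplies and validates the token. */
function example_protect_delete_confirm(&$form_state, $account) {
  $form['uid'] = array('#type' => 'value', '#value' => $account->uid);
  return confirm_form($form,
    t('Delete all protections for %name?', array('%name' => $account->name)),
    'admin/user/example_protect',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

function example_protect_delete_confirm_submit($form, &$form_state) {
  example_protect_delete($form_state['values']['uid']);
  drupal_set_message(t('Protections deleted.'));
  $form_state['redirect'] = 'admin/user/example_protect';
}

/**
 * Alternative when the action must stay a one-click link: put a session-bound
 * token in the URL and verify it before acting. The token is an HMAC-style
 * hash of the session id, the value and the site's private key, so a page on
 * another site cannot compute it.
 */
function example_protect_delete_link($account) {
  return l(t('delete'), 'admin/user/example_protect/delete/' . $account->uid,
    array('query' => array('token' => drupal_get_token('example_protect_delete_' . $account->uid))));
}

function example_protect_delete_checked($account) {
  if (!isset($_GET['token']) ||
      !drupal_valid_token($_GET['token'], 'example_protect_delete_' . $account->uid)) {
    return drupal_access_denied();
  }
  example_protect_delete($account->uid);
  drupal_set_message(t('Protections for %name deleted.', array('%name' => $account->name)));
  drupal_goto('admin/user/example_protect');
}

function example_protect_delete($uid) {
  db_query("DELETE FROM {example_protect} WHERE uid = %d", $uid);
}
```

To use the link variant, point the delete route's 'page callback' at example_protect_delete_checked() instead of example_protect_delete_now(). The confirmation form is the preferred fix: it also stops accidental deletions from link prefetchers and crawlers, which a token in the URL does not.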

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * User Protect for Drupal 5.x before User Protect 5.x-1.4
  * User Protect for Drupal 6.x before User Protect 6.x-1.3

Drupal core is not affected. If you do not use the contributed User Protect
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Drupal 5.x upgrade to User Protect 5.x-1.4 [3].
  * If you use Drupal 6.x upgrade to User Protect 6.x-1.3 [4].

Please note that update.php *must* be run as part of this upgrade in order
for the issue to be fully fixed. See also the User Protect project page [5].

- -------- REPORTED BY ---------------------------------------------------------

Chad Phillips [6].

- -------- FIXED BY ------------------------------------------------------------

Chad Phillips [7].

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/node/623180
[4] http://drupal.org/node/623186
[5] http://drupal.org/project/userprotect
[6] http://drupal.org/user/22079
[7] http://drupal.org/user/22079

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-091
  * Project: Node Hierarchy (third-party module)
  * Version: 6.x, 5.x
  * Date: 2009 November 4
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Node Hierarchy module enables a site administrator to arrange the site's
content into a tree-like structure. When displaying the list of children of a
node, the module does not properly sanitize the titles of the child nodes
before outputting them, leading to a cross-site scripting [1] (XSS)
vulnerability: a user with the ability to edit those nodes can place script in
a title that runs in the browser of anyone viewing the list, which would allow
that user to gain full administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Node Hierarchy versions for Drupal 6.x prior to 6.x-1.3
  * Node Hierarchy versions for Drupal 5.x prior to 5.x-1.3

Drupal core is not affected. If you do not use the contributed Node Hierarchy
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Node Hierarchy for Drupal 6.x upgrade to version 6.x-1.3 [2]
  * If you use Node Hierarchy for Drupal 5.x upgrade to version 5.x-1.3 [3]

See also the Node Hierarchy [4] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * mr.baileys [5].

- -------- FIXED BY ------------------------------------------------------------

  * Ronan Dowling [6], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/622092
[3] http://drupal.org/node/622100
[4] http://drupal.org/project/nodehierarchy
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/72815

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-092
  * Project: S5 Presentation Player (third-party module)
  * Version: 6.x
  * Date: 2009 November 4
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The S5 Presentation Player module enables the creation of an S5 slideshow from
content on the site. The module does not properly sanitize user-supplied text
that it includes in the HTML HEAD section, leading to a cross-site scripting
(XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining
full administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * S5 Presentation Player 6.x-1.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed S5
Presentation Player module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the S5 Presentation Player for Drupal 6.x-1.x upgrade to S5
    Presentation Player 6.x-1.1 [2]

See also the S5 Presentation Player module project page [3].

- -------- REPORTED BY ---------------------------------------------------------

  * Gábor Hojtsy [4] of the Drupal Security team

- -------- FIXED BY ------------------------------------------------------------

  * Greg Knaddison [5], the module maintainer, of the Drupal Security team

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/617136
[3] http://drupal.org/project/s5
[4] http://drupal.org/user/4166
[5] http://drupal.org/user/36762

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-093
  * Project: Temporary Invitation (third-party module)
  * Version: 5.x
  * Date: 2009 November 4
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Temporary Invitation module enables site users to invite guests for a
limited timespan. For each invitation, a new user is created, together with a
login code (e.g. "EbN2F3") that the guest can use to log in. The module fails
to sanitize the value of the Name field, which is included in the invitation,
leading to a cross-site scripting (XSS [1]) vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Temporary Invitation module for Drupal 5.x prior to Temporary Invitation
    5.x-2.3 [2]

Drupal core is not affected. If you do not use the contributed Temporary
invitation module [3], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Temporary Invitation module for Drupal 5.x upgrade to version
    5.x-2.3 [4]

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by Wolfgang Ziegler [5], the module maintainer.

- -------- FIXED BY ------------------------------------------------------------

  * Fixed by Wolfgang Ziegler [6], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623018
[3] http://drupal.org/project/temporary_invitation
[4] http://drupal.org/node/623018
[5] http://drupal.org/user/16747
[6] http://drupal.org/user/16747

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-094
  * Project: NGP COO/CWP Integration (crmngp) (third-party module)
  * Version: 6.x
  * Date: 2009-November-4
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site scripting and Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

The NGP COO/CWP Integration module provides Drupal integration with the NGP
Software API for efficient campaign management. An administration page did
not properly implement access control, allowing untrusted users to view the
module's log information. User-supplied information was not filtered on
output, allowing a cross-site scripting (XSS [1]) attack.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * NGP COO/CWP Integration versions for Drupal 6.x prior to 6.x-1.13

Drupal core is not affected. If you do not use the contributed NGP COO/CWP
Integration module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use NGP COO/CWP Integration for Drupal 6.x upgrade to version
    6.x-1.13 [2]

See also the NGP COO/CWP Integration [3] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * Access bypass reported by Dylan Wilder-Tack [4]
  * Cross-site scripting reported by Benjamin Jeavons [5]

- -------- FIXED BY ------------------------------------------------------------

  * XSS vulnerability fixed by Sean Robertson [6], the module maintainer
  * Access bypass vulnerability fixed by Dylan Wilder-Tack [7]

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623506
[3] http://drupal.org/project/crmngp
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/91990
[6] https://drupal.org/user/7074
[7] http://drupal.org/user/96647

  * Advisory ID: SA-CONTRIB-2009-095
  * Project: Smartqueues for Organic Groups (smartqueue_og) (third-party
    module)
  * Version: 5.x, 6.x
  * Date: 2009 November 4
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

The Smartqueue_og [1] module uses Nodequeue's Smartqueue API to provide a
Nodequeue [2] for each organic group, editable by the members of that group or
the group's administrators. Users with the "administer nodequeue" permission
can batch-create subqueues (individual instances of a queue) for all eligible
organic group nodes. For each subqueue that is created, a confirmation message
is displayed containing the name of the organic group, and that message does
not check that the current user has permission to view the group node. A
similar message is also displayed when an eligible group node is submitted.

Smartqueue_og users should also note: subqueue titles contain the title of the
organic group node to which the subqueue is related. Users with the
'manipulate all queues' or 'manipulate all og queues' permission are able to
view all smartqueue_og subqueue titles, and therefore the node titles of all
groups that have a subqueue, regardless of node access restrictions. This is
by design and is not changed in the latest version.
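The two access checks that the NGP COO/CWP Integration advisory (SA-CONTRIB-2009-094) and the Smartqueue_og advisory describe, as an added Drupal 6 example that is code from neither module (the module, path, permission and table names are hypothetical): an administration page whose menu entry grants access to every visitor, beside the same entry gated on a permission declared in hook_perm(); and a confirmation message that names a group node only after node_access() confirms the current user may view it. The log page also escapes what it prints, which is the XSS half of the NGP advisory.

```php
<?php
// Added example; not code from crmngp or smartqueue_og. All names hypothetical.

/**
 * Implementation of hook_perm().
 */
function example_int_perm() {
  return array('administer example integration');
}

/**
 * Implementation of hook_menu().
 */
function example_int_menu() {
  $items = array();

  // VULNERABLE: 'access callback' => TRUE makes the page reachable by every
  // visitor, anonymous included, whatever their roles grant. Living under
  // admin/ does not protect a path; only its own access check does.
  $items['admin/settings/example_int/log'] = array(
    'title' => 'Integration log',
    'page callback' => 'example_int_log_page',
    'access callback' => TRUE,
  );

  // FIXED: require a permission. With 'access arguments' set and no explicit
  // callback, the router uses user_access() as the access callback.
  $items['admin/settings/example_int/log'] = array(
    'title' => 'Integration log',
    'page callback' => 'example_int_log_page',
    'access arguments' => array('administer example integration'),
  );
  return $items;
}

/** Log page: the router has already enforced the permission; this only renders. */
function example_int_log_page() {
  $header = array(t('Date'), t('Message'));
  $rows = array();
  $result = db_query("SELECT timestamp, message FROM {example_int_log} ORDER BY timestamp DESC");
  while ($entry = db_fetch_object($result)) {
    // Messages echo data from the remote API and from form input, so they are
    // escaped on output rather than trusted because they came from "our" table.
    $rows[] = array(format_date($entry->timestamp), check_plain($entry->message));
  }
  return theme('table', $header, $rows);
}

/**
 * Batch creation of one subqueue per group node. The "administer nodequeue"
 * permission authorises the batch; it says nothing about whether the current
 * user may view each group, so that is checked per node.
 */
function example_queue_create_subqueue($group_node) {
  // ... create the subqueue for $group_node->nid here ...

  // VULNERABLE: names the group to a user who may not be allowed to view it,
  // and concatenates the raw title into the message, so the title is also an
  // XSS sink.
  drupal_set_message(t('Created queue for ' . $group_node->title));

  // FIXED: reveal the title only to users who pass the node access check, and
  // let the %placeholder run it through check_plain().
  if (node_access('view', $group_node)) {
    drupal_set_message(t('Created queue for %title.', array('%title' => $group_node->title)));
  }
  else {
    drupal_set_message(t('Created one queue for a group you do not have access to view.'));
  }
}
```

node_access() consults node_access records and hook_access, so it honours the same restrictions that hide the group node from the user elsewhere on the site; a check against a permission string alone would not.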

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Smartqueue_og module for Drupal 6.x prior to Smartqueue_og 6.x-1.0-rc3 [3]
  * Smartqueue_og module for Drupal 5.x prior to Smartqueue_og 5.x-1.3 [4]

Drupal core is not affected. If you do not use the contributed Smartqueue_og
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version.
  * If you use the Smartqueue_og module for Drupal 6.x upgrade to
    Smartqueue_og module 6.x-1.0-rc3 [5]
  * If you use the Smartqueue_og module for Drupal 5.x upgrade to
    Smartqueue_og module 5.x-1.3 [6].

See also the Smartqueue_og [7] module project page.

- -------- REPORTED BY ---------------------------------------------------------

  * Ezra Barnett Gildesgame [8], the module maintainer.

- -------- FIXED BY ------------------------------------------------------------

  * Ezra Barnett Gildesgame [9], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security@drupal.org [10] or
via the form at http://drupal.org/contact.

[1] http://drupal.org/project/smartqueue_og
[2] http://drupal.org/project/nodequeue
[3] http://drupal.org/node/617496
[4] http://drupal.org/node/617500
[5] http://drupal.org/node/617496
[6] http://drupal.org/node/617500
[7] http://drupal.org/project/smartqueue_og
[8] http://drupal.org/user/69959
[9] http://drupal.org/user/69959
[10] mailto:security@drupal.org

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-096
  * Project: Link (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-4
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Link module provides a CCK field that adds links, consisting of a URL, a
title and a target attribute, to content types. When the "Separate title and
URL" formatter supplied by the module is used, the link title field is not
sanitized before being displayed, leading to a cross-site scripting (XSS [1])
vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Link module for Drupal 6.x prior to Link 6.x-2.7 [2]
  * Link module for Drupal 5.x prior to Link 5.x-2.6 [3]

Drupal core is not affected. If you do not use the contributed Link module
[4], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Link module for Drupal 6.x upgrade to version 6.x-2.7 [5]
  * If you use Link module for Drupal 5.x upgrade to version 5.x-2.6 [6]

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by mr.baileys [7]

- -------- FIXED BY ------------------------------------------------------------

  * Fixed by dropcube [8], Link module co-maintainer, and mr.baileys [9]

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/620668
[3] http://drupal.org/node/620662
[4] http://drupal.org/project/link
[5] http://drupal.org/node/620668
[6] http://drupal.org/node/620662
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/37031
[9] http://drupal.org/user/383424

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-097
  * Project: Organic Groups Vocabulary (third-party module)
  * Version: 6.x
  * Date: 2009-November-4
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Organic Groups Vocabulary module enables a vocabulary to be restricted to
a specific organic group. In some cases the module does not sanitize the group
title before outputting it, resulting in a cross-site scripting (XSS [1])
vulnerability. Such an attack may lead to a malicious user gaining full
administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Organic Groups Vocabulary versions for Drupal 6.x prior to Organic Groups
    Vocabulary 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Organic Groups
Vocabulary module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Organic Groups Vocabulary for Drupal 6.x upgrade to version
    6.x-1.1 [3]

See also the Organic Groups Vocabulary module project page [4].

- -------- REPORTED BY ---------------------------------------------------------

  * Stéphane Corlosquet [5] of the Drupal Security Team and Dylan Wilder-Tack
    [6]

- -------- FIXED BY ------------------------------------------------------------

  * Amitaibu [7], the module maintainer

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/621960
[3] http://drupal.org/node/621960
[4] http://drupal.org/project/og_vocab
[5] http://drupal.org/user/52142
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/57511

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-098
  * Project: Zoomify (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-4
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Zoomify module integrates the Zoomify Flash applet into Drupal, which can
be used to pan and zoom on large images. Images are first preprocessed in
order for Zoomify to work. The module fails to sanitize the node title before
outputting it, leading to a cross-site scripting (XSS [1]) vulnerability.
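Seven of the advisories above are the same defect in different sinks: a title or name that users control is written into HTML without escaping (Node Hierarchy and Zoomify: node titles; Temporary Invitation: the Name field; Link: the link title; Organic Groups Vocabulary: the group title; S5: text in the HTML HEAD). The following is an added Drupal 6 example, not code from any of those modules (the function names, $child, $node and the field names are hypothetical), showing each vulnerable pattern beside the escaping call that fixes it.

```php
<?php
// Added example, not code from any module in this bulletin. All names
// hypothetical. Node titles are plain text as far as Drupal is concerned, but
// nothing restricts the characters a title may contain, so every place a
// title is printed must escape it.

/** VULNERABLE: child node titles echoed raw into the page body. */
function example_children_list_vulnerable($children) {
  $items = array();
  foreach ($children as $child) {
    // A title of  <img src=x onerror="...">  runs in every viewer's browser,
    // including an administrator's, which is how XSS becomes a site takeover.
    $items[] = '<a href="' . url('node/' . $child->nid) . '">' . $child->title . '</a>';
  }
  return theme('item_list', $items);
}

/** FIXED: l() passes the link text through check_plain() unless 'html' => TRUE. */
function example_children_list($children) {
  $items = array();
  foreach ($children as $child) {
    $items[] = l($child->title, 'node/' . $child->nid);
  }
  return theme('item_list', $items);
}

/** Title and URL rendered separately (the Link formatter case). */
function example_link_separate($url, $title) {
  // check_plain() for the text; check_url() for the href, which also strips
  // javascript: and other dangerous schemes before the value lands in an
  // attribute.
  return '<div class="link-title">' . check_plain($title) . '</div>' .
         '<div class="link-url"><a href="' . check_url($url) . '">' . check_plain($url) . '</a></div>';
}

/** Text that lands in <head> (the S5 case): same rule, different sink. */
function example_slideshow_head($node) {
  // Drupal 6's page template prints the title unescaped, so the caller escapes
  // it; node_page_view() in core does exactly this.
  drupal_set_title(check_plain($node->title));

  // VULNERABLE: an author name of  "><script>...</script><meta x="  closes the
  // attribute and the element early.
  // drupal_set_html_head('<meta name="author" content="' . $node->name . '" />');

  // FIXED.
  drupal_set_html_head('<meta name="author" content="' . check_plain($node->name) . '" />');
}

/**
 * Messages built with t() (the Temporary Invitation case): the placeholder
 * prefix decides whether escaping happens. @ runs check_plain(); % runs
 * check_plain() and wraps the value in <em>; ! inserts the value raw.
 * Concatenating the value into the string bypasses all three.
 */
function example_invitation_message($name, $code) {
  // VULNERABLE: return t('Invitation for ' . $name . ', login code ' . $code);
  return t('Invitation for @name, login code %code',
    array('@name' => $name, '%code' => $code));
}
```

check_plain() is the right call for values that are meant to be text. Where a value is meant to carry markup, such as a body field, filter_xss() with an explicit allowed-tag list takes its place; neither call is needed twice, so the rule is to escape exactly once, at the point of output, never at the point of storage.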

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Zoomify module for Drupal 6.x prior to Zoomify 6.x-1.4 [2]
  * Zoomify module for Drupal 5.x prior to Zoomify 5.x-2.2 [3]

Drupal core is not affected. If you do not use the contributed Zoomify module
[4], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Zoomify module for Drupal 6.x upgrade to Zoomify 6.x-1.4 [5]
  * If you use Zoomify module for Drupal 5.x upgrade to Zoomify 5.x-2.2 [6]

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [7], the module maintainer

- -------- FIXED BY ------------------------------------------------------------

  * Fixed by Karim Ratib [8], the module maintainer

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623434
[3] http://drupal.org/node/623436
[4] http://drupal.org/project/zoomify
[5] http://drupal.org/node/623434
[6] http://drupal.org/node/623436
[7] http://drupal.org/user/96647
[8] http://drupal.org/user/48424

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFK+OOwNVH5XJJInbgRArSIAJ0f2wrK0ZtyT3s9L1/+3wX8rX1enwCfcW7j
2ghTS+LJnq2Gq6bEGhe6c14=
=PsoC
-----END PGP SIGNATURE-----