===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1548.2
     Multiple vulnerabilities in multiple third party modules for Drupal
                              24 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PHPList Integration Module (Drupal third-party module)
                   Strongarm (Drupal third-party module)
                   Feed Element Mapper (Drupal third-party module)
                   Subgroups for Organic Groups (Drupal third-party module)
                   Agreement (Drupal third-party module)
                   Ubercart (Drupal third-party module)
                   Gallery Assist (Drupal third-party module)
                   Printfriendly (Drupal third-party module)
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Privileged Data     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-4066 CVE-2009-4065 CVE-2009-4064
                   CVE-2009-4063 CVE-2009-4062 CVE-2009-4061

Original Bulletin:
  http://drupal.org/node/636412
  http://drupal.org/node/636462
  http://drupal.org/node/636518
  http://drupal.org/node/636562
  http://drupal.org/node/636568
  http://drupal.org/node/636576
  http://drupal.org/node/636660
  http://drupal.org/node/636678

Comment: This bulletin contains eight (8) Drupal security advisories.
Revision History:  November 24 2009: Added CVE References
                   November 19 2009: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

* Advisory ID: DRUPAL-SA-CONTRIB-2009-102
* Project: PHPList Integration Module (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-18
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross site request forgery

-------- DESCRIPTION ---------------------------------------------------------

The PHPList module provides a basic level of integration between Drupal and
the PHPList mailing list application.

The Drupal Forms API protects against cross site request forgeries (CSRF),
where a malicious site can cause a user to unintentionally submit a form to a
site where they are authenticated. The links for subscribing and
un-subscribing to and from mailing lists in "My Account" do not follow the
standard Forms API submission model and are therefore not protected against
this type of attack. A CSRF attack may result in unintentional subscription
or un-subscription of site users to PHPList mailing lists.

-------- VERSIONS AFFECTED ---------------------------------------------------

* PHPList Integration Module for Drupal 5 before 5.x-1.2
* PHPList Integration Module for Drupal 6 before 6.x-1.1

Drupal core is not affected. If you do not use the contributed PHPList
Integration module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Drupal 5.x upgrade to PHPList Integration Module 5.x-1.2 [1].
* If you use Drupal 6.x upgrade to PHPList Integration Module 6.x-1.1 [2].

See also the PHPList Integration Module [3] project page.

-------- REPORTED BY ---------------------------------------------------------

Peter Wolanin [4] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

Paul Beaney [5], the module maintainer.
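The token check that the advisory above says the PHPList "My Account" links lacked, shown as an added Drupal 6 example (not code from the PHPList module or from the Drupal project). The module name csrfdemo and the helper csrfdemo_subscribe() are hypothetical; drupal_get_token(), drupal_valid_token(), l(), t() and watchdog() are the Drupal 6 core functions.

```php
<?php
// Added illustration for the PHPList CSRF advisory above; it is not the
// PHPList module's code. "csrfdemo" is a hypothetical Drupal 6 module and
// csrfdemo_subscribe() a hypothetical stand-in for the real PHPList call.

/**
 * Implementation of hook_menu().
 *
 * The unprotected variant the advisory describes is a callback on a path
 * like this one that acts on any GET request. Here the link carries a token
 * bound to the user's session and to the path, and the callback refuses
 * requests that lack a valid one.
 */
function csrfdemo_menu() {
  $items = array();
  $items['csrfdemo/subscribe/%'] = array(
    'page callback' => 'csrfdemo_protected_subscribe',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds a "My Account" style subscribe link. drupal_get_token() derives the
 * token from the session id, the site's private key and $path, so a request
 * forged from another site cannot carry a matching value. The @ placeholder
 * in t() runs the list name through check_plain(), the output escaping whose
 * absence the XSS advisories in this bulletin report.
 */
function csrfdemo_subscribe_link($list_id, $list_name) {
  $path = 'csrfdemo/subscribe/' . (int) $list_id;
  return l(t('Subscribe to @list', array('@list' => $list_name)), $path,
    array('query' => array('token' => drupal_get_token($path))));
}

/** Page callback: validate the token before acting, then redirect. */
function csrfdemo_protected_subscribe($list_id) {
  $path = 'csrfdemo/subscribe/' . (int) $list_id;
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    // Log the rejection so repeated failures are visible to operators.
    watchdog('csrfdemo', 'Rejected subscribe request for list %id: missing or invalid token.',
      array('%id' => (int) $list_id), WATCHDOG_WARNING);
    drupal_access_denied();
    return;
  }
  csrfdemo_subscribe($GLOBALS['user']->uid, (int) $list_id);
  drupal_set_message(t('Subscription updated.'));
  drupal_goto('user');
}

/** Hypothetical subscription store standing in for the PHPList integration. */
function csrfdemo_subscribe($uid, $list_id) {
  $subs = variable_get('csrfdemo_subs_' . $uid, array());
  $subs[$list_id] = TRUE;
  variable_set('csrfdemo_subs_' . $uid, $subs);
}
```

Because the token is tied to the visitor's own session, a link copied from one account and replayed in another is rejected as well, which is the property the Forms API gives form submissions by default.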
-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/636400
[2] http://drupal.org/node/636398
[3] http://drupal.org/project/phplist
[4] http://drupal.org/user/49851
[5] http://drupal.org/user/204611

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-103
* Project: Strongarm (third-party module)
* Version: 6.x
* Date: 2009 November 18
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Strongarm module enables other modules to enforce variable settings
programmatically. It can also be used to override any of these variables, and
lets the administrator see which variables have been overridden, along with
their current values.

When using the settings page to see overridden variables, the value field is
not sanitized before being displayed, leading to a Cross Site Scripting
(XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Strongarm module for Drupal 6.x prior to Strongarm 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Strongarm [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Strongarm module for Drupal 6.x upgrade to version 6.x-1.1 [4]

-------- REPORTED BY ---------------------------------------------------------

* Reported by bengtan [5]

-------- FIXED BY ------------------------------------------------------------

* Fixed by jmiccolis [6], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636474
[3] http://drupal.org/project/strongarm
[4] http://drupal.org/node/636474
[5] http://drupal.org/user/132729
[6] http://drupal.org/user/31731

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-104
* Project: Feed Element Mapper (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-18
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

Feed Element Mapper is an add-on module for FeedAPI that maps elements on a
feed item, such as tags or the author name, to taxonomy or CCK fields. These
mappings are configurable by a point and click interface.

When configuring the mapping, some values coming from external feeds are not
sanitized before they are displayed, leading to a Cross Site Scripting
(XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Feed Element Mapper module for Drupal 6.x prior to Feed Element Mapper
  6.x-1.3 [2]
* Feed Element Mapper module for Drupal 5.x prior to Feed Element Mapper
  5.x-1.3 [3]

Drupal core is not affected. If you do not use the contributed Feed Element
Mapper [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Feed Element Mapper module for Drupal 6.x upgrade to version
  6.x-1.3 [5]
* If you use Feed Element Mapper module for Drupal 5.x upgrade to version
  5.x-1.3 [6]

If you use one of the unsupported Feed element mapper 6.x-2.0 alpha versions,
upgrade to Feed Element Mapper 6.x-1.0-alpha4 [7].

-------- REPORTED BY ---------------------------------------------------------

* Reported by Jose Reyero [8], from the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

* Fixed by alex_b [9], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636498
[3] http://drupal.org/node/636496
[4] http://drupal.org/project/feedapi_mapper
[5] http://drupal.org/node/636498
[6] http://drupal.org/node/636496
[7] http://drupal.org/node/636500
[8] http://drupal.org/user/4299
[9] http://drupal.org/user/53995

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-105
* Project: Subgroups for Organic Groups (third-party module)
* Version: 5.x
* Date: 2009-November-18
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Subgroups For Organic Groups module enables users to set group hierarchy.

The module does not filter the titles of some nodes before output, leading to
a cross-site scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Subgroups For Organic Groups versions for Drupal 5.x prior to 5.x-4.0

Drupal core is not affected. If you do not use the contributed Subgroups For
Organic Groups module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use the Subgroups For Organic Groups 3.3 release for Drupal 5.x
  upgrade to version 5.x-3.4 [2]
* If you use the Subgroups For Organic Groups 2.0 release for Drupal 5.x
  upgrade to versions 5.x-3.4 [3] or 5.x-4.0 [4]

See also the Subgroups For Organic Groups [5] project page.

-------- REPORTED BY ---------------------------------------------------------

* The vulnerability was reported by Greg Knaddison [6]

-------- FIXED BY ------------------------------------------------------------

* XSS vulnerability fixed by Ezra Barnett Gildesgame [7], Subgroups For
  Organic Groups module maintainer

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/630004
[3] http://drupal.org/node/630004
[4] http://drupal.org/node/270602
[5] http://drupal.org/project/og_subgroups
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/69959

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-106
* Project: Agreement (third-party module)
* Version: 6.x
* Date: 2009-November-18
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Agreement module enables the display of a text-based agreement (think
"Terms of Service") that users of a particular role must accept before they
are given access to the site.

The module does not sanitize some of the user-supplied fields, leading to a
Cross Site Scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Agreement module for Drupal 6.x prior to Agreement 6.x-1.2 [2]

Drupal core is not affected. If you do not use the contributed Agreement
module [3], there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use the Agreement module for Drupal 6.x upgrade to Agreement
  6.x-1.2 [4]

-------- REPORTED BY ---------------------------------------------------------

* Reported by Dylan Wilder-Tack [5]

-------- FIXED BY ------------------------------------------------------------

* Fixed by Yuriy Babenko [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/631538
[3] http://drupal.org/project/agreement
[4] http://drupal.org/node/631538
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/212855

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-107
* Project: Ubercart (third-party module)
* Version: 5.x, 6.x
* Date: 2009-November-18
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross-site request forgery

-------- DESCRIPTION ---------------------------------------------------------

Ubercart's PayPal Website Payments Standard integration exposes a path for
completed orders without properly checking that the order is valid for the
current user. In the event that the order has already been processed for
checkout, this can result in duplicate actions taking place inadvertently.
Furthermore, if the checkout completion message has been modified to include
order details, information disclosure can happen.

The Ubercart order management was also affected by a minor cross-site request
forgery vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Ubercart module for Drupal 6.x prior to Ubercart 6.x-2.1 [1]
* Ubercart module for Drupal 5.x prior to Ubercart 5.x-1.9 [2]

Drupal core is not affected. If you do not use the contributed Ubercart [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use Ubercart module for Drupal 6.x upgrade to version 6.x-2.1 [4]
* If you use Ubercart module for Drupal 5.x upgrade to version 5.x-1.9 [5]

-------- REPORTED BY ---------------------------------------------------------

* Reported by Daniel Duvall [6]

-------- FIXED BY ------------------------------------------------------------

* Fixed by Ryan Szrama [7], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/636616
[2] http://drupal.org/node/636614
[3] http://drupal.org/project/ubercart
[4] http://drupal.org/node/636616
[5] http://drupal.org/node/636614
[6] http://drupal.org/user/584298
[7] http://drupal.org/user/49344

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-108
* Project: Gallery Assist (third-party module)
* Version: 6.x
* Date: 2009-November-18
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Gallery Assist module provides a simple way to create image galleries on a
site.

The module does not sanitize node titles, leading to a Cross Site Scripting
(XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Gallery Assist module for Drupal 6.x prior to Gallery Assist 6.x-1.7 [2]

Drupal core is not affected. If you do not use the contributed Gallery Assist
module [3], there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use the Gallery Assist module for Drupal 6.x upgrade to Gallery
  Assist 6.x-1.7 [4]

-------- REPORTED BY ---------------------------------------------------------

* Reported by Dylan Wilder-Tack [5]

-------- FIXED BY ------------------------------------------------------------

* Fixed by Juan Carlos Morejon Carabajo [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636488
[3] http://drupal.org/project/gallery_assist
[4] http://drupal.org/node/636488
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/320731

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-109
* Project: Printfriendly (third-party module)
* Version: 6.x
* Date: 2009-November-18
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Printfriendly module integrates with printfriendly.com's print service.

The module does not sanitize some of the user-supplied data before displaying
it, leading to a Cross Site Scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Printfriendly module for Drupal 6.x prior to Printfriendly 6.x-1.6 [2]

Drupal core is not affected. If you do not use the contributed Printfriendly
module [3], there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use the Printfriendly module for Drupal 6.x upgrade to Printfriendly
  6.x-1.6 [4]

-------- REPORTED BY ---------------------------------------------------------

* Reported by Dylan Wilder-Tack [5]

-------- FIXED BY ------------------------------------------------------------

* Fixed by Emil Stjerneman [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636670
[3] http://drupal.org/project/printfriendly
[4] http://drupal.org/node/636670
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/464598

_______________________________________________

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================