-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1548.2
    Multiple vulnerabilities in multiple third party modules for Drupal
                             24 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PHPList Integration Module (Drupal third-party module)
                   Strongarm (Drupal third-party module)
                   Feed Element Mapper (Drupal third-party module)
                   Subgroups for Organic Groups (Drupal third-party module)
                   Agreement (Drupal third-party module)
                   Ubercart (Drupal third-party module)
                   Gallery Assist (Drupal third-party module)
                   Printfriendly (Drupal third-party module)
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Privileged Data     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-4066 CVE-2009-4065 CVE-2009-4064
                   CVE-2009-4063 CVE-2009-4062 CVE-2009-4061

Original Bulletin: 
   http://drupal.org/node/636412
   http://drupal.org/node/636462
   http://drupal.org/node/636518
   http://drupal.org/node/636562
   http://drupal.org/node/636568
   http://drupal.org/node/636576
   http://drupal.org/node/636660
   http://drupal.org/node/636678

Comment: This bulletin contains eight (8) Drupal security advisories.

Revision History:  November 24 2009: Added CVE References
                   November 19 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-102
  * Project: PHPList Integration Module (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-18
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross site request forgery

- -------- DESCRIPTION  
- ---------------------------------------------------------

The PHPList module provides a basic level of integration between Drupal and
the PHPList mailing list application. The Drupal Forms API protects against
cross site request forgeries (CSRF), where a malicious site can cause a user
to unintentionally submit a form to a site where they are authenticated. The
links for subscribing and un-subscribing to and from mailing lists in "My
Account" do not follow the standard Forms API submission model and are
therefore not protected against this type of attack. A CSRF attack may result
in unintentional subscription or un-subscription of site users to PHPList
mailing lists.
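The following is an added example, not code from the PHPList Integration module or from the advisory. It shows the property the Forms API gives a form and that a bare GET link lacks: a token bound to the visitor's session and to the exact action, which a page on another site cannot supply. Drupal 6 exposes this as drupal_get_token() and drupal_valid_token(); the functions below are plain-PHP stand-ins with the same shape so the file runs without a Drupal bootstrap, and the session id, private key and base URL are constructed sample values.

```php
<?php
// Added example (not module or advisory code). Stand-ins for the Drupal 6
// drupal_get_token()/drupal_valid_token() pattern, applied to the subscribe and
// unsubscribe links described in the advisory. All values are constructed.

function link_token(string $session_id, string $private_key, string $action): string {
    // Bind the token to this session and to the exact action being authorised,
    // keyed with the site's private key so it cannot be computed elsewhere.
    return hash_hmac('sha256', $session_id . '|' . $action, $private_key);
}

function subscription_link(string $base_url, string $op, int $list_id,
                           string $session_id, string $private_key): string {
    // Emit the link with its token, as the "My Account" page should.
    $action = "phplist/$op/$list_id";
    $query  = http_build_query(['token' => link_token($session_id, $private_key, $action)]);
    return "$base_url/$action?$query";
}

function handle_subscription_request(string $path, array $query,
                                     string $session_id, string $private_key): string {
    // Menu-callback stand-in: refuse to change state unless the token matches.
    if (!preg_match('#^phplist/(subscribe|unsubscribe)/(\d+)$#', $path, $m)) {
        return 'not found';
    }
    $token    = isset($query['token']) ? (string) $query['token'] : '';
    $expected = link_token($session_id, $private_key, $path);
    if ($token === '' || !hash_equals($expected, $token)) {
        // A request that did not come from a link minted for this session is dropped.
        return 'access denied: missing or invalid token';
    }
    return ($m[1] === 'subscribe' ? 'subscribed to' : 'unsubscribed from') . " list {$m[2]}";
}

// Demo with constructed values.
$session_id  = 'sess-constructed-0001';
$private_key = 'site-private-key-constructed';

$link = subscription_link('http://example.test', 'subscribe', 3, $session_id, $private_key);
parse_str(parse_url($link, PHP_URL_QUERY), $query);

// The user's own link, followed from "My Account": accepted.
echo handle_subscription_request('phplist/subscribe/3', $query, $session_id, $private_key), "\n";
// The same path requested without the token, which is all a third-party page can cause: refused.
echo handle_subscription_request('phplist/subscribe/3', [], $session_id, $private_key), "\n";
// A token minted for one action does not transfer to another: refused.
echo handle_subscription_request('phplist/unsubscribe/3', $query, $session_id, $private_key), "\n";
```

In a real module the token would be added with drupal_get_token() when the link is rendered and checked with drupal_valid_token() in the page callback; the point the example makes is that the check has to happen in the callback that performs the state change, not only in the page that displays the link.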
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * PHPList Integration Module for Drupal 5 before 5.x-1.2
  * PHPList Integration Module for Drupal 6 before 6.x-1.1

Drupal core is not affected. If you do not use the contributed PHPList
Integration module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Install the latest version: If you use Drupal 5.x upgrade to PHPList
Integration Module 5.x-1.2 [1]. If you use Drupal 6.x upgrade to PHPList
Integration Module 6.x-1.1 [2]. See also the PHPList Integration Module [3]
project page.
- -------- REPORTED BY  
- ---------------------------------------------------------

Peter Wolanin [4] of the Drupal Security Team
- -------- FIXED BY  
- ------------------------------------------------------------

Paul Beaney [5] the module maintainer.
- -------- CONTACT  
- -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/636400
[2] http://drupal.org/node/636398
[3] http://drupal.org/project/phplist
[4] http://drupal.org/user/49851
[5] http://drupal.org/user/204611

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-103
  * Project: Strongarm (third-party module)
  * Version: 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

The Strongarm module enables other modules to enforce variable settings
programmatically. It can also be used to override any of these variables, and
lets the administrator see which variables have been overridden, along with
their current values. When using the settings page to see overridden
variables, the value field is not sanitized before being displayed, leading
to a Cross Site Scripting (XSS [1]) vulnerability.
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Strongarm module for Drupal 6.x prior to Strongarm 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Strongarm [3]
module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Strongarm module for Drupal 6.x upgrade to version 6.x-1.1 [4]

- -------- REPORTED BY  
- ---------------------------------------------------------

  * Reported by bengtan [5]

- -------- FIXED BY  
- ------------------------------------------------------------

  * Fixed by jmiccolis [6], the module maintainer

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636474
[3] http://drupal.org/project/strongarm
[4] http://drupal.org/node/636474
[5] http://drupal.org/user/132729
[6] http://drupal.org/user/31731

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-104
  * Project: Feed Element Mapper (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

Feed Element Mapper is an add-on module for FeedAPI that maps elements on a
feed item such as tags, or the author name, to taxonomy or CCK fields. These
mappings are configurable by a point and click interface. When configuring
the mapping, some values coming from external feeds are not sanitized before
they are displayed, leading to a Cross Site Scripting (XSS [1]) vulnerability.
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Feed Element Mapper module for Drupal 6.x prior to Feed Element Mapper
    6.x-1.3 [2]
  * Feed Element Mapper module for Drupal 5.x prior to Feed Element Mapper
    5.x-1.3 [3]

Drupal core is not affected. If you do not use the contributed Feed Element
Mapper [4] module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Feed Element Mapper module for Drupal 6.x upgrade to version
    6.x-1.3 [5]
  * If you use Feed Element Mapper module for Drupal 5.x upgrade to version
    5.x-1.3 [6]

If you use one of the unsupported Feed element mapper 6.x-2.0 alpha versions,
upgrade to Feed Element Mapper 6.x-1.0-alpha4 [7].
- -------- REPORTED BY  
- ---------------------------------------------------------

  * Reported by Jose Reyero [8], from the Drupal Security Team

- -------- FIXED BY  
- ------------------------------------------------------------

  * Fixed by alex_b [9], the module maintainer

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636498
[3] http://drupal.org/node/636496
[4] http://drupal.org/project/feedapi_mapper
[5] http://drupal.org/node/636498
[6] http://drupal.org/node/636496
[7] http://drupal.org/node/636500
[8] http://drupal.org/user/4299
[9] http://drupal.org/user/53995

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-105
  * Project: Subgroups for Organic Groups (third-party module)
  * Version: 5.x
  * Date: 2009-November-18
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

The Subgroups For Organic Groups module enables users to set group hierarchy.
The module does not filter the titles of some nodes before output, leading to
a cross-site scripting (XSS [1]) vulnerability.
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Subgroups For Organic Groups versions for Drupal 5.x prior to 5.x-4.0

Drupal core is not affected. If you do not use the contributed Subgroups For
Organic Groups module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Subgroups For Organic Groups 3.3 release for Drupal 5.x
    upgrade to version 5.x-3.4 [2]
  * If you use the Subgroups For Organic Groups 2.0 release for Drupal 5.x
    upgrade to versions 5.x-3.4 [3] or 5.x-4.0 [4]

See also the Subgroups For Organic Groups [5] project page.
- -------- REPORTED BY  
- ---------------------------------------------------------

  * The vulnerability was reported by Greg Knaddison [6]

- -------- FIXED BY  
- ------------------------------------------------------------

  * XSS vulnerability fixed by Ezra Barnett Gildesgame [7], Subgroups For
    Organic Groups module maintainer

- -------- CONTACT  
- -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/630004
[3] http://drupal.org/node/630004
[4] http://drupal.org/node/270602
[5] http://drupal.org/project/og_subgroups
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/69959

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-106
  * Project: Agreement (third-party module)
  * Version: 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

The Agreement module enables the display of a text-based agreement (think
"Terms of Service") that users of a particular role must accept before they
are given access to the site. The module does not sanitize some of the
user-supplied fields, leading to a Cross Site Scripting (XSS [1])
vulnerability.
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Agreement module for Drupal 6.x prior to Agreement 6.x-1.2 [2]

Drupal core is not affected. If you do not use the contributed Agreement
module [3], there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Agreement module for Drupal 6.x upgrade to Agreement
    6.x-1.2 [4]

- -------- REPORTED BY  
- ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [5]

- -------- FIXED BY  
- ------------------------------------------------------------

  * Fixed by Yuriy Babenko [6], the module maintainer.

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/631538
[3] http://drupal.org/project/agreement
[4] http://drupal.org/node/631538
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/212855

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-107
  * Project: Ubercart (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-18
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Cross-site request forgery

- -------- DESCRIPTION  
- ---------------------------------------------------------

Ubercart's PayPal Website Payments Standard integration exposes a path for
completed orders without properly checking that the order is valid for the
current user. In the event that the order has already been processed for
checkout, this can result in duplicate actions taking place inadvertently.
Furthermore, if the checkout completion message has been modified to include
order details, information disclosure can happen. The Ubercart order
management was also affected by a minor cross-site request forgery
vulnerability.
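The following is an added example, not Ubercart code. The advisory describes a completion path that neither verified the order against the current user nor noticed that the order had already been processed, so details could be disclosed and completion actions run twice. The stand-in below applies the two checks such a page needs before it does anything: ownership (or an administrative permission) and order state. The orders, user ids and status values are constructed samples.

```php
<?php
// Added example (not Ubercart code). A completed-order page callback that checks
// ownership and order state before disclosing details or running completion
// actions. $orders stands in for the order storage; all values are constructed.

function can_view_completed_order(array $order, int $uid, bool $is_admin): bool {
    // Ownership check: the order must belong to the requesting user unless the
    // user holds an administrative permission.
    return $is_admin || ($order['uid'] === $uid);
}

function complete_order(array &$orders, int $order_id, int $uid, bool $is_admin = false): string {
    if (!isset($orders[$order_id])) {
        // Same response as for another user's order, so order ids cannot be probed.
        return 'access denied';
    }
    $order = &$orders[$order_id];
    if (!can_view_completed_order($order, $uid, $is_admin)) {
        // Another user's order: no details are rendered and no actions run.
        return 'access denied';
    }
    if ($order['status'] !== 'payment_received') {
        // Already completed (or not yet paid): render the page idempotently and
        // fire none of the completion actions a second time.
        return "order {$order_id}: status is {$order['status']}, no actions re-run";
    }
    // Exactly-once completion side effects (confirmation e-mail, stock, status).
    $order['status'] = 'completed';
    $order['completion_runs']++;
    return "order {$order_id}: completed";
}

// Constructed sample orders.
$orders = [
    101 => ['uid' => 7, 'status' => 'payment_received', 'completion_runs' => 0],
    102 => ['uid' => 9, 'status' => 'completed',        'completion_runs' => 1],
];

echo complete_order($orders, 101, 7), "\n";        // owner completes a paid order
echo complete_order($orders, 101, 7), "\n";        // owner reloads: no duplicate actions
echo complete_order($orders, 101, 8), "\n";        // different user: refused
echo complete_order($orders, 102, 7, true), "\n";  // administrator viewing another user's order
echo complete_order($orders, 999, 7), "\n";        // unknown order id: refused
echo "completion runs recorded for order 101: {$orders[101]['completion_runs']}\n";
```

Both checks matter independently: the ownership check closes the information disclosure, and the state check prevents the duplicate actions even for the legitimate owner who reloads the completion page.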
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Ubercart module for Drupal 6.x prior to Ubercart 6.x-2.1 [1]
  * Ubercart module for Drupal 5.x prior to Ubercart 5.x-1.9 [2]

Drupal core is not affected. If you do not use the contributed Ubercart [3]
module, there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Ubercart module for Drupal 6.x upgrade to version 6.x-2.1 [4]
  * If you use Ubercart module for Drupal 5.x upgrade to version 5.x-1.9 [5]

- -------- REPORTED BY  
- ---------------------------------------------------------

  * Reported by Daniel Duvall [6]

- -------- FIXED BY  
- ------------------------------------------------------------

  * Fixed by Ryan Szrama [7], the module maintainer

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/636616
[2] http://drupal.org/node/636614
[3] http://drupal.org/project/ubercart
[4] http://drupal.org/node/636616
[5] http://drupal.org/node/636614
[6] http://drupal.org/user/584298
[7] http://drupal.org/user/49344

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-108
  * Project: Gallery Assist (third-party module)
  * Version: 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

The Gallery Assist module provides a simple way to create image galleries on
a site. The module does not sanitize node titles, leading to a Cross Site
Scripting (XSS [1]) vulnerability.
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Gallery Assist module for Drupal 6.x prior to Gallery Assist 6.x-1.7 [2]

Drupal core is not affected. If you do not use the contributed Gallery Assist
module [3], there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Gallery Assist module for Drupal 6.x upgrade to Gallery
    Assist 6.x-1.7 [4]

- -------- REPORTED BY  
- ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [5]

- -------- FIXED BY  
- ------------------------------------------------------------

  * Fixed by Juan Carlos Morejon Carabajo [6], the module maintainer.

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636488
[3] http://drupal.org/project/gallery_assist
[4] http://drupal.org/node/636488
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/320731

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-109
  * Project: Printfriendly (third-party module)
  * Version: 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION  
- ---------------------------------------------------------

The Printfriendly module integrates with printfriendly.com's print service.
The module does not sanitize some of the user-supplied data before displaying
it, leading to a Cross Site Scripting (XSS [1]) vulnerability.
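The six cross-site scripting advisories in this bulletin (Strongarm's overridden variable values, Feed Element Mapper's values from external feeds, the node titles in Subgroups for Organic Groups and Gallery Assist, and the user-supplied fields in Agreement and Printfriendly) share one root cause: a value the site did not author is placed into HTML as-is. The following is an added example, not code from any of those modules. In Drupal 6 the fix is check_plain() for text that should display literally, or filter_xss() where a limited set of tags is intentionally allowed; the plain() function below stands in for check_plain() so the file runs without Drupal, and the settings rows are a constructed sample.

```php
<?php
// Added example (not module code). The unsanitized rendering the advisories
// describe, beside the escaped version. plain() mirrors Drupal 6 check_plain(),
// which wraps htmlspecialchars() with ENT_QUOTES and UTF-8. $rows is constructed.

function plain(string $text): string {
    // Every value becomes inert text in both element and attribute context.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_overrides_unsafe(array $rows): string {
    // The defect pattern: raw values interpolated straight into markup.
    $html = "<table>\n";
    foreach ($rows as $name => $value) {
        $html .= "<tr><td>$name</td><td>$value</td></tr>\n";
    }
    return $html . "</table>\n";
}

function render_overrides_safe(array $rows): string {
    // Escape every untrusted value at the point it enters the markup, including
    // the attribute value, so the browser displays the string instead of parsing it.
    $html = "<table>\n";
    foreach ($rows as $name => $value) {
        $html .= '<tr><td title="' . plain($name) . '">' . plain($name) . '</td>'
               . '<td>' . plain($value) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed settings rows, one of which carries markup in its value.
$rows = [
    'site_name'      => 'Example site',
    'site_frontpage' => 'node',
    'site_slogan'    => '<script>alert("overridden")</script>',
];

echo "--- unsafe ---\n", render_overrides_unsafe($rows);   // the script element reaches the page
echo "--- safe ---\n",   render_overrides_safe($rows);     // the same text is shown literally
```

The same rule covers node titles and feed data: escape at output time, in the theme or page callback that builds the markup, rather than trusting that the value was cleaned when it was stored or imported.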
- -------- VERSIONS AFFECTED  
- ---------------------------------------------------

  * Printfriendly module for Drupal 6.x prior to Printfriendly 6.x-1.6 [2]

Drupal core is not affected. If you do not use the contributed Printfriendly
module [3], there is nothing you need to do.
- -------- SOLUTION  
- ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Printfriendly module for Drupal 6.x upgrade to
    Printfriendly 6.x-1.6 [4]

- -------- REPORTED BY  
- ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [5]

- -------- FIXED BY  
- ------------------------------------------------------------

  * Fixed by Emil Stjerneman [6], the module maintainer.

- -------- CONTACT  
- -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636670
[3] http://drupal.org/project/printfriendly
[4] http://drupal.org/node/636670
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/464598

_______________________________________________

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLC1luNVH5XJJInbgRAqDzAJ9zm14D7EyJ0CLvSFO55DZ2FOU6CACfd8yT
S690KsvySeg8ZqIZtJrxbBI=
=F1ZC
-----END PGP SIGNATURE-----