Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0380 A number of vulnerabilities have been identified in Drupal third-party modules 19 April 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Internationalization (Drupal third-party module) Smileys (Drupal third-party module) Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Cross-site Scripting -- Existing Account Cross-site Request Forgery -- Remote with User Interaction Resolution: Patch/Upgrade Original Bulletin: http://drupal.org/node/764998 http://drupal.org/node/765000 Comment: This bulletin contains two (2) Drupal security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- SA-CONTRIB-2010-034 - Internationalization - Cross Site Scripting Security advisories for contributed projects Drupal 6.x Drupal Security Team - April 7, 2010 - 22:01 * Advisory ID: DRUPAL-SA-CONTRIB-2010-034 * Project: Internationalization (third-party module) * Version: 6.x * Date: 2010-April-7 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting Description The Internationalization module enables translation of user defined strings using Drupal's locale interface. Some of these user defined strings have Input formats associated with them and some of the strings used for translating blocks were not properly filtered before display. Additionally all strings translated using this module were not checked for potential malicious HTML and script code as regular Drupal string translations are. Both issues would allow a user with the 'translate interface' or the 'administer blocks' permissions to attempt a cross site scripting (XSS) attack which may lead to the user gaining full administrative access. Versions affected * Internationalization 6.x prior to 6.x-1.4 Drupal core is not affected. If you do not use the contributed Internationalization module, there is nothing you need to do. Also if you are not using Internationalization's 'String translation' (i18nstrings) module you don't need to update. Solution Install the latest version: * If you use Internationalization module for Drupal 6.x, update to Internationalization 6.x-1.4 and run the Drupal database update. See also the Internationalization project page Reported by * Antonio Ospite Fixed by * Jose Reyero, the module maintainer. Contact The Security Team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. - -------------------------------------------------------------------------------- SA-CONTRIB-2010-035: Smileys - Cross Site Request Forgery Security advisories for contributed projects Drupal 5.x Drupal Security Team - April 7, 2010 - 22:04 * Advisory ID: DRUPAL-SA-CONTRIB-2010-035 * Project: Smileys (third-party module) * Versions: 5.x * Date: 2010-April-07 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Cross-site Request Forgery Description The Smileys module provides a text filter that substitutes emoticons with images. The module is vulnerable to cross-site request forgeries (CSRF) via the URL used to delete smileys. A user with "administer smileys" permission could be tricked into visiting the smiley delete URL and unwittingly remove smileys from the site. Versions affected * Smileys module for Drupal 5.x version prior to 5.x-1.2. Note that Smileys version 6.x-1.0-alpha5 and earlier versions for Drupal 6.x are also affected. However, the security team does not provide support for alpha releases. Drupal core is not affected. If you do not use the contributed Smileys module, there is nothing you need to do. Solution Install the latest version. * If you use the Smileys module for Drupal 5.x-1.x upgrade to Smileys 5.x-1.2 See also the Smileys project page. Reported by * Andrey Tretyakov Fixed by * Gurpartap Singh, the module maintainer * mr.baileys of the Drupal security team. Contact The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFLy8Mx/iFOrG6YcBERAqq/AJ942ljixnvalGgH2f1xEjD6TYq4VQCcC6n9 Q6/4ATlPwP41C5IOgGPECBg= =Mic/ -----END PGP SIGNATURE-----