Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0112.2
A number of vulnerabilities have been found in Drupal third-party modules
8 February 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OG Forum (Drupal third-party module)
Open Legislation (Drupal third-party module)
PowerSQL (Drupal third-party module)
AES (Drupal third-party module)
Flag page (Drupal third-party module)
Userpoints (Drupal third-party module)
Chatroom (Drupal third-party module)
Droptor (Drupal third-party module)
Publisher: Drupal
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Confidential Data -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Cross-site Request Forgery -- Remote with User Interaction
Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2011-0899
Original Bulletin:
http://drupal.org/node/1048906
http://drupal.org/node/1048998
http://drupal.org/node/1049042
http://drupal.org/node/1048944
http://drupal.org/node/1048990
http://drupal.org/node/1049126
Comment: This bulletin contains six (6) Drupal security advisories.
Note: There are no safe versions of the modules - OG Forum, Open
Legislation and PowerSQL - these should be disabled.
Revision History: February 8 2011: CVE reference added
February 3 2011: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
* Advisory ID: DRUPAL-SA-CONTRIB-2011-004
* Projects: Multiple third party modules - OG Forum, Open Legislation,
PowerSQL
* Version: 6.x
* Date: 2011-February-02
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple (Information disclosure, Cross Site Scripting,
Cross Site Request Forgery, SQL injection)
- -------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ----------------------------
OG Forum [1] for Drupal 6.x
OG Forum creates a forum per organic group and restricts viewing forum
nodes by group membership. OG Forum does not properly implement access
controls on private forums it creates, which can lead to a private
group's forums becoming public via Cross Site Request Forgeries (CSRF
[2]). Additionally, OG Forum stores private group and forum information
in a global vocabulary, which can lead to information such as group and
forum names being disclosed to members not part of the private group.
*Solution:* Disable the module. There is no safe version of the module to
use.
Open Legislation [3] for Drupal 6.x
This module provides integation for OpenLegislation, the open legislation
database and web service of the New York State Senate. The module is
vulnerable to a Cross Site Scripting [4] (XSS) attack via content
consumed from remote web services. *Solution:* Disable the module. There
is no safe version of the module to use.
PowerSQL [5] for Drupal 6.x
This module provides implements additional database API functions which
are not secure. Use of this module may make your site vulnerable to a SQL
Injection attack [6] *Solution:* Disable the module. There is no safe
version of the module to use.
Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.
- -------- ONGOING MAINTENANCE OF THESE MODULES --------------------------------
If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [7].
- -------- REPORTED BY ---------------------------------------------------------
* OG Forum issues:
* The information disclosure vulnerability was reported by Tim_O [8]
* The access bypass vulnerability was reported by Michael Hao (qmhao99
[9])
* Open Legislation issue reported by Stéphane Corlosquet [10] of the Drupal
Security Team
* PowerSQL issue reported by Jakub Suchy [11] of the Drupal Security Team
- -------- CONTACT -------------------------------------------------------------
The security team for Drupal [12] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.
[1] http://drupal.org/project/og_forum
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/project/openleg
[4] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[5] http://drupal.org/project/vitzo_powersql
[6] http://en.wikipedia.org/wiki/Sql_injection
[7] http://drupal.org/node/251466
[8] http://drupal.org/user/111066
[9] http://drupal.org/user/855110
[10] http://drupal.org/user/52142
[11] http://drupal.org/user/31977
[12] http://drupal.org/security-team
_______________________________________________
* Advisory ID: SA-CONTRIB-2011-005
* Project: AES (third-party module)
* Version: 7.x
* Date: 2011-February-02
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure
- -------- DESCRIPTION ---------------------------------------------------------
Due to a piece of code used for debugging mistakenly left in the release, the
plain text password of the user who last logged in is written to a text file
in the Drupal root directory. This file is remotely accessible, thus an
attacker with the knowledge of which user last logged in may access that
user's account.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* AES module for Drupal 7.x-1.4
Drupal core is not affected. If you do not use the contributed AES [1] module
there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the AES module for Drupal 7.x upgrade to AES 7.x-1.5 [2]
See also the AES project page. [3]
- -------- REPORTED BY ---------------------------------------------------------
* Shawn Smiley [4]
- -------- FIXED BY ------------------------------------------------------------
* Johan Lindskog [5], module maintainer
- -------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact [6].
Learn more about the team and their policies [7], writing secure code for
Drupal [8], and secure configuration [9] of your site.
[1] http://drupal.org/project/aes
[2] http://drupal.org/node/1040728
[3] http://drupal.org/project/aes
[4] http://drupal.org/user/317704
[5] http://drupal.org/user/123038
[6] http://drupal.org/contact
[7] http://drupal.org/security-team
[8] http://drupal.org/writing-secure-code
[9] http://drupal.org/security/secure-configuration
_______________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2011-006
* Project: Flag page (third-party module)
* Version: 6.x
* Date: 2011-February-02
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
- -------- DESCRIPTION ---------------------------------------------------------
The contributed flag page module provides an additional flag type to allow
you to flag pages so you can bookmark any URL on your site including views,
panels, administration pages or site contact page. The module does not
sanitize the flag titles when displayed in blocks, leading to a Cross-Site
Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining
full administrative access. This vulnerability is mitigated by the fact that
the user must have the "administer flags" permission in order to create and
edit flags and enter the XSS.
- -------- VERSIONS AFFECTED --------------------------------------------------
* Flag page module 6.x-2.x versions prior to 6.x-2.2
* Flag page module 6.x-1.x versions prior to 6.x-1.3
Note: If you do not use the contributed flag_page [2] module, there is
nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Flag page module for Drupal 6.x-2.x upgrade to Flag Page
6.x-2.2 [3]
* If you use the Flag page module for Drupal 6.x-1.x upgrade to Flag Page
6.x-1.3 [4]
See also the Flag page project page [5].
- -------- REPORTED BY ---------------------------------------------------------
* Balazs Dianiska (snufkin) [6]
- -------- FIXED BY ------------------------------------------------------------
* Balazs Dianiska (snufkin) [7]
* Alex Pott [8], module maintainer
- -------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [9], writing secure code for Drupal [10], and secure configuration
[11] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/flag_page
[3] http://drupal.org/node/1046704
[4] http://drupal.org/node/1046706
[5] http://drupal.org/project/flag_page
[6] http://drupal.org/user/58645
[7] http://drupal.org/user/58645
[8] http://drupal.org/user/157725
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
_______________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2011-007
* Project: Userpoints (third-party module)
* Version: 6.x
* Date: 2011-February-02
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
- -------- DESCRIPTION ---------------------------------------------------------
The Userpoints module allows users to gain points through specific actions
like contributing content. The module does not sanitize some of the
user-supplied data before displaying it, leading to a Cross Site Scripting
(XSS [1]) vulnerability that may lead to a malicious user gaining full
administrative access. This vulnerability is mitigated by the fact that the
attacker must have a role with the "administer userpoints" permission.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Userpoints module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Userpoints [2]
module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Userpoints module for Drupal 6.x upgrade to Userpoints
6.x-1.2 [3]
See also the Userpoints project page [4].
- -------- REPORTED BY ---------------------------------------------------------
* Sascha Grossenbacher (Berdir) [5], Userpoints module maintainer
- -------- FIXED BY ------------------------------------------------------------
* Sascha Grossenbacher (Berdir) [6], Userpoints module maintainer
- -------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org [7] or via
the form at http://drupal.org/contact [8].
Learn more about the team and their policies [9], writing secure code for
Drupal [10], and secure configuration [11] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/userpoints
[3] http://drupal.org/node/1048946
[4] http://drupal.org/project/userpoints
[5] http://drupal.org/user/214652
[6] http://drupal.org/user/214652
[7] http://drupal.org
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
_______________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2011-008
* Project: Chatroom (third-party module)
* Version: 6.x
* Date: 2011-February-02
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting and Cross Site Request Forgery
- -------- DESCRIPTION ---------------------------------------------------------
The Chatroom module provides real-time chat capabilities to Drupal.
.... Vulnerability: Cross Site Scripting
The module does not properly escape the contents of chat messages in pages
listing the chats contained in a chatroom, leading to a Cross Site Scripting
(XSS [1]) vulnerability. Any user with permission to view chatroom summary
pages is vulnerable to attack.
.... Vulnerability: Cross Site Request Forgery
The module does not properly check for valid form tokens, leading to a Cross
Site Request Forgery(XSS [2]) vulnerability. Users with administrative
privileges are vulnerable to replay attacks.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Chatroom module for Drupal 6.x versions prior to 6.x-2.13.
Drupal core is not affected. If you do not use the contributed Chatroom [3]
module, there is nothing you need to do.
- -------- SOLUTION -----------------------------------------------------------
Install the latest version:
* Upgrade to Chatroom 6.x-2.13 [4]
See also the Chatroom project page [5].
- -------- REPORTED BY ---------------------------------------------------------
* XSS reported by Steffen Schüssler [6]
* CSRF reported by Greg Knaddison [7] of the Drupal Security Team
- -------- FIXED BY ------------------------------------------------------------
* Justin Randell [8], module maintainer
- -------- CONTACT -------------------------------------------------------------
The Drupal security team [9] can be reached at security at drupal.org [10] or
via the form at http://drupal.org/contact [11].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/project/chatroom
[4] http://drupal.org/node/1045716
[5] http://drupal.org/project/chatroom
[6] http://drupal.org/user/107190
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/38580
[9] http://drupal.org/security-team
[10] http://drupal.org
[11] http://drupal.org/contact
_______________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2011-009
* Project: Droptor (third-party module)
* Version: 6.x
* Date: 2011-February-02
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: SQL Injection
- -------- DESCRIPTION ---------------------------------------------------------
The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring
and management solution. When capturing memory logging information the module
does not filter the value input from the current page request variable. This
vulnerability can be exploited to perform an SQL Injection attack [1]. This
vulnerability is mitigated by the fact that memory monitoring must be
enabled, which is not the default configuration.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Droptor module for Drupal 6.x before version 6.x-2.8
Only sites that have "memory monitoring" enabled in their Droptor settings
page are affected. The Drupal 7 version of this module is not affected.
Drupal core is not affected. If you do not use the contributed Droptor [2]
module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Droptor module for Drupal 6.x before version 6.x-2.8
upgrade to Droptor 6.x-2.8 [3].
See also the Droptor project page [4].
- -------- REPORTED BY ---------------------------------------------------------
* Heine Deelstra [5] and Peter Wolanin [6], of the Drupal Security Team
- -------- FIXED BY ------------------------------------------------------------
* Justin Emond (jemond [7]), module maintainer
- -------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org [9] or
via the form at http://drupal.org/contact [10].
[1] http://en.wikipedia.org/wiki/Sql_injection
[2] http://drupal.org/project/droptor
[3] http://drupal.org/node/1049098
[4] http://drupal.org/project/droptor
[5] http://drupal.org/user/17943
[6] http://drupal.org/user/
[7] http://drupal.org/user/186334
[8] http://drupal.org/security-team
[9] http://drupal.org
[10] http://drupal.org/contact
_______________________________________________
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFNUKVN/iFOrG6YcBERApciAJ9w6Di55e05wpnIX2vUYqRNsPhiTwCgrMaf
ERTr6+hp/hzmGAUgXsWuNpY=
=8py5
-----END PGP SIGNATURE-----