Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2011.0112.2 A number of vulnerabilities have been found in Drupal third-party modules 8 February 2011 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OG Forum (Drupal third-party module) Open Legislation (Drupal third-party module) PowerSQL (Drupal third-party module) AES (Drupal third-party module) Flag page (Drupal third-party module) Userpoints (Drupal third-party module) Chatroom (Drupal third-party module) Droptor (Drupal third-party module) Publisher: Drupal Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Access Confidential Data -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Cross-site Request Forgery -- Remote with User Interaction Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2011-0899 Original Bulletin: http://drupal.org/node/1048906 http://drupal.org/node/1048998 http://drupal.org/node/1049042 http://drupal.org/node/1048944 http://drupal.org/node/1048990 http://drupal.org/node/1049126 Comment: This bulletin contains six (6) Drupal security advisories. Note: There are no safe versions of the modules - OG Forum, Open Legislation and PowerSQL - these should be disabled. Revision History: February 8 2011: CVE reference added February 3 2011: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- * Advisory ID: DRUPAL-SA-CONTRIB-2011-004 * Projects: Multiple third party modules - OG Forum, Open Legislation, PowerSQL * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Multiple (Information disclosure, Cross Site Scripting, Cross Site Request Forgery, SQL injection) - -------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ---------------------------- OG Forum [1] for Drupal 6.x OG Forum creates a forum per organic group and restricts viewing forum nodes by group membership. OG Forum does not properly implement access controls on private forums it creates, which can lead to a private group's forums becoming public via Cross Site Request Forgeries (CSRF [2]). Additionally, OG Forum stores private group and forum information in a global vocabulary, which can lead to information such as group and forum names being disclosed to members not part of the private group. *Solution:* Disable the module. There is no safe version of the module to use. Open Legislation [3] for Drupal 6.x This module provides integation for OpenLegislation, the open legislation database and web service of the New York State Senate. The module is vulnerable to a Cross Site Scripting [4] (XSS) attack via content consumed from remote web services. *Solution:* Disable the module. There is no safe version of the module to use. PowerSQL [5] for Drupal 6.x This module provides implements additional database API functions which are not secure. Use of this module may make your site vulnerable to a SQL Injection attack [6] *Solution:* Disable the module. There is no safe version of the module to use. Drupal core is not affected. If you do not use any of the module releases above there is nothing you need to do. - -------- ONGOING MAINTENANCE OF THESE MODULES -------------------------------- If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process [7]. - -------- REPORTED BY --------------------------------------------------------- * OG Forum issues: * The information disclosure vulnerability was reported by Tim_O [8] * The access bypass vulnerability was reported by Michael Hao (qmhao99 [9]) * Open Legislation issue reported by Stéphane Corlosquet [10] of the Drupal Security Team * PowerSQL issue reported by Jakub Suchy [11] of the Drupal Security Team - -------- CONTACT ------------------------------------------------------------- The security team for Drupal [12] can be reached at security at drupal.org or via the form at http://drupal.org/contact. Read more about the Security Team and Security Advisories at http://drupal.org/security. [1] http://drupal.org/project/og_forum [2] http://en.wikipedia.org/wiki/Csrf [3] http://drupal.org/project/openleg [4] http://en.wikipedia.org/wiki/Cross_Site_Scripting [5] http://drupal.org/project/vitzo_powersql [6] http://en.wikipedia.org/wiki/Sql_injection [7] http://drupal.org/node/251466 [8] http://drupal.org/user/111066 [9] http://drupal.org/user/855110 [10] http://drupal.org/user/52142 [11] http://drupal.org/user/31977 [12] http://drupal.org/security-team _______________________________________________ * Advisory ID: SA-CONTRIB-2011-005 * Project: AES (third-party module) * Version: 7.x * Date: 2011-February-02 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Information Disclosure - -------- DESCRIPTION --------------------------------------------------------- Due to a piece of code used for debugging mistakenly left in the release, the plain text password of the user who last logged in is written to a text file in the Drupal root directory. This file is remotely accessible, thus an attacker with the knowledge of which user last logged in may access that user's account. - -------- VERSIONS AFFECTED --------------------------------------------------- * AES module for Drupal 7.x-1.4 Drupal core is not affected. If you do not use the contributed AES [1] module there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the AES module for Drupal 7.x upgrade to AES 7.x-1.5 [2] See also the AES project page. [3] - -------- REPORTED BY --------------------------------------------------------- * Shawn Smiley [4] - -------- FIXED BY ------------------------------------------------------------ * Johan Lindskog [5], module maintainer - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [6]. Learn more about the team and their policies [7], writing secure code for Drupal [8], and secure configuration [9] of your site. [1] http://drupal.org/project/aes [2] http://drupal.org/node/1040728 [3] http://drupal.org/project/aes [4] http://drupal.org/user/317704 [5] http://drupal.org/user/123038 [6] http://drupal.org/contact [7] http://drupal.org/security-team [8] http://drupal.org/writing-secure-code [9] http://drupal.org/security/secure-configuration _______________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2011-006 * Project: Flag page (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting - -------- DESCRIPTION --------------------------------------------------------- The contributed flag page module provides an additional flag type to allow you to flag pages so you can bookmark any URL on your site including views, panels, administration pages or site contact page. The module does not sanitize the flag titles when displayed in blocks, leading to a Cross-Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the user must have the "administer flags" permission in order to create and edit flags and enter the XSS. - -------- VERSIONS AFFECTED -------------------------------------------------- * Flag page module 6.x-2.x versions prior to 6.x-2.2 * Flag page module 6.x-1.x versions prior to 6.x-1.3 Note: If you do not use the contributed flag_page [2] module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Flag page module for Drupal 6.x-2.x upgrade to Flag Page 6.x-2.2 [3] * If you use the Flag page module for Drupal 6.x-1.x upgrade to Flag Page 6.x-1.3 [4] See also the Flag page project page [5]. - -------- REPORTED BY --------------------------------------------------------- * Balazs Dianiska (snufkin) [6] - -------- FIXED BY ------------------------------------------------------------ * Balazs Dianiska (snufkin) [7] * Alex Pott [8], module maintainer - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/flag_page [3] http://drupal.org/node/1046704 [4] http://drupal.org/node/1046706 [5] http://drupal.org/project/flag_page [6] http://drupal.org/user/58645 [7] http://drupal.org/user/58645 [8] http://drupal.org/user/157725 [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration _______________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2011-007 * Project: Userpoints (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting - -------- DESCRIPTION --------------------------------------------------------- The Userpoints module allows users to gain points through specific actions like contributing content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that the attacker must have a role with the "administer userpoints" permission. - -------- VERSIONS AFFECTED --------------------------------------------------- * Userpoints module for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Userpoints [2] module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Userpoints module for Drupal 6.x upgrade to Userpoints 6.x-1.2 [3] See also the Userpoints project page [4]. - -------- REPORTED BY --------------------------------------------------------- * Sascha Grossenbacher (Berdir) [5], Userpoints module maintainer - -------- FIXED BY ------------------------------------------------------------ * Sascha Grossenbacher (Berdir) [6], Userpoints module maintainer - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org [7] or via the form at http://drupal.org/contact [8]. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/userpoints [3] http://drupal.org/node/1048946 [4] http://drupal.org/project/userpoints [5] http://drupal.org/user/214652 [6] http://drupal.org/user/214652 [7] http://drupal.org [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration _______________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2011-008 * Project: Chatroom (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting and Cross Site Request Forgery - -------- DESCRIPTION --------------------------------------------------------- The Chatroom module provides real-time chat capabilities to Drupal. .... Vulnerability: Cross Site Scripting The module does not properly escape the contents of chat messages in pages listing the chats contained in a chatroom, leading to a Cross Site Scripting (XSS [1]) vulnerability. Any user with permission to view chatroom summary pages is vulnerable to attack. .... Vulnerability: Cross Site Request Forgery The module does not properly check for valid form tokens, leading to a Cross Site Request Forgery(XSS [2]) vulnerability. Users with administrative privileges are vulnerable to replay attacks. - -------- VERSIONS AFFECTED --------------------------------------------------- * Chatroom module for Drupal 6.x versions prior to 6.x-2.13. Drupal core is not affected. If you do not use the contributed Chatroom [3] module, there is nothing you need to do. - -------- SOLUTION ----------------------------------------------------------- Install the latest version: * Upgrade to Chatroom 6.x-2.13 [4] See also the Chatroom project page [5]. - -------- REPORTED BY --------------------------------------------------------- * XSS reported by Steffen Schüssler [6] * CSRF reported by Greg Knaddison [7] of the Drupal Security Team - -------- FIXED BY ------------------------------------------------------------ * Justin Randell [8], module maintainer - -------- CONTACT ------------------------------------------------------------- The Drupal security team [9] can be reached at security at drupal.org [10] or via the form at http://drupal.org/contact [11]. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://en.wikipedia.org/wiki/Cross-site_request_forgery [3] http://drupal.org/project/chatroom [4] http://drupal.org/node/1045716 [5] http://drupal.org/project/chatroom [6] http://drupal.org/user/107190 [7] http://drupal.org/user/36762 [8] http://drupal.org/user/38580 [9] http://drupal.org/security-team [10] http://drupal.org [11] http://drupal.org/contact _______________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2011-009 * Project: Droptor (third-party module) * Version: 6.x * Date: 2011-February-02 * Security risk: Critical * Exploitable from: Remote * Vulnerability: SQL Injection - -------- DESCRIPTION --------------------------------------------------------- The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring and management solution. When capturing memory logging information the module does not filter the value input from the current page request variable. This vulnerability can be exploited to perform an SQL Injection attack [1]. This vulnerability is mitigated by the fact that memory monitoring must be enabled, which is not the default configuration. - -------- VERSIONS AFFECTED --------------------------------------------------- * Droptor module for Drupal 6.x before version 6.x-2.8 Only sites that have "memory monitoring" enabled in their Droptor settings page are affected. The Drupal 7 version of this module is not affected. Drupal core is not affected. If you do not use the contributed Droptor [2] module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Droptor module for Drupal 6.x before version 6.x-2.8 upgrade to Droptor 6.x-2.8 [3]. See also the Droptor project page [4]. - -------- REPORTED BY --------------------------------------------------------- * Heine Deelstra [5] and Peter Wolanin [6], of the Drupal Security Team - -------- FIXED BY ------------------------------------------------------------ * Justin Emond (jemond [7]), module maintainer - -------- CONTACT ------------------------------------------------------------- The Drupal security team [8] can be reached at security at drupal.org [9] or via the form at http://drupal.org/contact [10]. [1] http://en.wikipedia.org/wiki/Sql_injection [2] http://drupal.org/project/droptor [3] http://drupal.org/node/1049098 [4] http://drupal.org/project/droptor [5] http://drupal.org/user/17943 [6] http://drupal.org/user/ [7] http://drupal.org/user/186334 [8] http://drupal.org/security-team [9] http://drupal.org [10] http://drupal.org/contact _______________________________________________ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFNUKVN/iFOrG6YcBERApciAJ9w6Di55e05wpnIX2vUYqRNsPhiTwCgrMaf ERTr6+hp/hzmGAUgXsWuNpY= =8py5 -----END PGP SIGNATURE-----