Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0894
A number of vulnerabilities have been identified in Drupal
third-party modules
1 September 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Node Invite (Drupal third-party module)
Taxonomy Views Integrator (Drupal third-party module)
Bot Alarm (Drupal third-party module)
Publisher: Drupal
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Cross-site Request Forgery -- Remote with User Interaction
Resolution: Patch/Upgrade
Original Bulletin:
http://drupal.org/node/1265424
http://drupal.org/node/1265430
http://drupal.org/node/1265750
Comment: This bulletin contains three (3) Drupal security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
* Advisory ID: DRUPAL-SA-CONTRIB-2011-037
* Project: Node Invite [1] (third-party module)
* Version: 6.x
* Date: 2011-Augest-31
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
- -------- DESCRIPTION ---------------------------------------------------------
The Node Invite module allows you to invite users (with existing accounts or
otherwise) to specified nodes on a Drupal site.
This module does not properly use t() strings to ensure all text was
sanitized when data was output through a form_set_error message, thus
creating a Cross Site Scripting (XSS) vulnerability.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Node invite 6.x versions prior to 6.x-2.3 [3].
Drupal core is not affected. If you do not use the contributed Node Invite
[4] module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Node Invite module for Drupal 6.x, upgrade to
node_invite-6.x-2.3
See also the Node Invite [5] project page.
- -------- REPORTED BY ---------------------------------------------------------
* Richard Kapolnai [6]
- -------- FIXED BY ------------------------------------------------------------
* Scott Hadfield [7] the module maintainer
- -------- RELEASE COORDINATED BY ----------------------------------------------
* Michael Hess [8] of the Drupal Security Team
- -------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/node_invite
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1265334
[4] http://drupal.org/project/node_invite
[5] http://drupal.org/project/node_invite
[6] http://drupal.org/user/277970
[7] http://drupal.org/user/67093
[8] http://drupal.org/user/102818
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
_______________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2011-038
* Project: Taxonomy Views Integrator [1] (third-party module)
* Version: 6.x
* Date: 2011-Augest-31
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
- -------- DESCRIPTION ---------------------------------------------------------
This module enables you to override whole vocabularies or individual terms
with the View of your choice. The module did not filter user entered term
descriptions for Cross Site Scripting (XSS) injections. This vulnerability is
mitigated by the fact that an attacker must have a role with the permission
"administer taxonomy".
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Taxonomy Views Integrator 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Taxonomy Views
Integrator [3] module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Taxonomy Views Integrator module for Drupal 6.x, upgrade to
6.x-1.2 [4]
See also the Taxonomy Views Integrator [5] project page.
- -------- REPORTED BY ---------------------------------------------------------
* Owen Barton [6] of the Drupal Security Team
- -------- FIXED BY ------------------------------------------------------------
* Derek Webb [7] one of the module's maintainers
- -------- RELEASE COORDINATED BY ----------------------------------------------
* Michael Hess [8] of the Drupal Security Team
- -------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/tvi
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/tvi
[4] http://drupal.org/node/1264776
[5] http://drupal.org/project/tvi
[6] http://drupal.org/user/19668
[7] http://drupal.org/user/64114
[8] http://drupal.org/user/102818
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
_______________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2011-039
* Project: Bot Alarm [1] (third-party module)
* Version: 6.x
* Date: 2011-August-31
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
- -------- DESCRIPTION ---------------------------------------------------------
This module enables you to set alarms for your IRC bot. The module does not
properly escape the message and channels of alarms in pages listing the
alarms, leading to a Cross Site Scripting (XSS) vulnerability. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission 'administer bot'. The module does not check for any
one-time-use tokens when deleting an alarm, leading to a Cross Site Request
Forgery (CSRF ) vulnerability. This vulnerability is mitigated by the fact
that an attacker must have a role with the permission 'administer bot'.
- -------- VERSIONS AFFECTED ---------------------------------------------------
* Bot Alarm 6.x-1.0
Drupal core is not affected. If you do not use the contributed Bot Alarm [3]
module, there is nothing you need to do.
- -------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the bot_alarm module for Drupal 6.x, upgrade to 6.x-1.2 [4]
See also the Bot Alarm [5] project page.
- -------- REPORTED BY ---------------------------------------------------------
* CSÃ\x{137}CSY László [6]
- -------- FIXED BY ------------------------------------------------------------
* Aaron Forsander [7] the module maintainer
- -------- RELEASE COORDINATED BY ----------------------------------------------
* Michael Hess [8], Greg Knaddison [9] and Ben Jeavons [10] of the Drupal
Security Team
- -------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/bot_alarm
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/bot_alarm
[4] http://drupal.org/node/1265642
[5] http://drupal.org/project/bot_alarm
[6] http://drupal.org/user/199303
[7] http://drupal.org/user/737486
[8] http://drupal.org/user/102818
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
_______________________________________________
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTl7bpO4yVqjM2NGpAQKU8Q//QYkYccbuO3okFVj3uSdkxBe9Ehzawgsh
pP97HJk6WdEXYoNA/4E53qnaC/Wf2trzeStKCMw6YXHJpMMIDTc8IUa0yP3cENAV
pPSZ5Of7hMAB4siyt2qKSjFAUc3YB0cAizaNv1eBVQezDjCNxB2HtZp/e71nQdBx
zn2YZQANX0RBUHXnJBjmukUf0b7iO37w+SGcqFz/gC1hanOQbD1Kf9LxpxEjaN8l
R01aV3Z8kSRxVVQMu88ho1BbUIqvhn7Y/NLt0L3WEVJMfFRGOz8/UL8h8ReR5LYe
4WSs3bQhd+mFkOjTDDoiXx42E1Nc6EBkXbyoHez9BGbeUI9FrI6R4tigO39rw+wM
rHDlExh/Ea5OKJvtN2HPqC6T3Df3g1d9HPMduKA5u8KRcyEx7L0MKAAqQvOZIQYJ
dFNxg/ZplhJuvexIK+C/QWSbOJRwWuIXFipCGFj5YPNVwfVzC3ye4ZqfLZb4BA8X
5XkmGestOdhRiQdBmDZNTKpt4VRfFlQg9/MZ6H6xmEcYkX8uN3hr74Qj2slkSTzt
UntSibTZzaAC/TlvCjX+1SHuke3ZMxsf61F63giTs3YJgX3foMzuQgbB89cphH+2
eQi9yJXvF/+5nn+b3w5DgD/pCEdst9/BxAB/gfh8I8u8dZGkB+gLaLmPnZkc906X
Nbpvj0YjDV8=
=etxT
-----END PGP SIGNATURE-----