Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2011.0894 A number of vulnerabilities have been identified in Drupal third-party modules 1 September 2011 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Node Invite (Drupal third-party module) Taxonomy Views Integrator (Drupal third-party module) Bot Alarm (Drupal third-party module) Publisher: Drupal Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Cross-site Scripting -- Remote with User Interaction Cross-site Request Forgery -- Remote with User Interaction Resolution: Patch/Upgrade Original Bulletin: http://drupal.org/node/1265424 http://drupal.org/node/1265430 http://drupal.org/node/1265750 Comment: This bulletin contains three (3) Drupal security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- * Advisory ID: DRUPAL-SA-CONTRIB-2011-037 * Project: Node Invite [1] (third-party module) * Version: 6.x * Date: 2011-Augest-31 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting - -------- DESCRIPTION --------------------------------------------------------- The Node Invite module allows you to invite users (with existing accounts or otherwise) to specified nodes on a Drupal site. This module does not properly use t() strings to ensure all text was sanitized when data was output through a form_set_error message, thus creating a Cross Site Scripting (XSS) vulnerability. - -------- VERSIONS AFFECTED --------------------------------------------------- * Node invite 6.x versions prior to 6.x-2.3 [3]. Drupal core is not affected. If you do not use the contributed Node Invite [4] module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Node Invite module for Drupal 6.x, upgrade to node_invite-6.x-2.3 See also the Node Invite [5] project page. - -------- REPORTED BY --------------------------------------------------------- * Richard Kapolnai [6] - -------- FIXED BY ------------------------------------------------------------ * Scott Hadfield [7] the module maintainer - -------- RELEASE COORDINATED BY ---------------------------------------------- * Michael Hess [8] of the Drupal Security Team - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/node_invite [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/node/1265334 [4] http://drupal.org/project/node_invite [5] http://drupal.org/project/node_invite [6] http://drupal.org/user/277970 [7] http://drupal.org/user/67093 [8] http://drupal.org/user/102818 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration _______________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2011-038 * Project: Taxonomy Views Integrator [1] (third-party module) * Version: 6.x * Date: 2011-Augest-31 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting - -------- DESCRIPTION --------------------------------------------------------- This module enables you to override whole vocabularies or individual terms with the View of your choice. The module did not filter user entered term descriptions for Cross Site Scripting (XSS) injections. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy". - -------- VERSIONS AFFECTED --------------------------------------------------- * Taxonomy Views Integrator 6.x-1.x versions prior to 6.x-1.2. Drupal core is not affected. If you do not use the contributed Taxonomy Views Integrator [3] module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Taxonomy Views Integrator module for Drupal 6.x, upgrade to 6.x-1.2 [4] See also the Taxonomy Views Integrator [5] project page. - -------- REPORTED BY --------------------------------------------------------- * Owen Barton [6] of the Drupal Security Team - -------- FIXED BY ------------------------------------------------------------ * Derek Webb [7] one of the module's maintainers - -------- RELEASE COORDINATED BY ---------------------------------------------- * Michael Hess [8] of the Drupal Security Team - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/tvi [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/tvi [4] http://drupal.org/node/1264776 [5] http://drupal.org/project/tvi [6] http://drupal.org/user/19668 [7] http://drupal.org/user/64114 [8] http://drupal.org/user/102818 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration _______________________________________________ * Advisory ID: DRUPAL-SA-CONTRIB-2011-039 * Project: Bot Alarm [1] (third-party module) * Version: 6.x * Date: 2011-August-31 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Cross Site Request Forgery - -------- DESCRIPTION --------------------------------------------------------- This module enables you to set alarms for your IRC bot. The module does not properly escape the message and channels of alarms in pages listing the alarms, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'administer bot'. The module does not check for any one-time-use tokens when deleting an alarm, leading to a Cross Site Request Forgery (CSRF ) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'administer bot'. - -------- VERSIONS AFFECTED --------------------------------------------------- * Bot Alarm 6.x-1.0 Drupal core is not affected. If you do not use the contributed Bot Alarm [3] module, there is nothing you need to do. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the bot_alarm module for Drupal 6.x, upgrade to 6.x-1.2 [4] See also the Bot Alarm [5] project page. - -------- REPORTED BY --------------------------------------------------------- * CSÃ\x{137}CSY László [6] - -------- FIXED BY ------------------------------------------------------------ * Aaron Forsander [7] the module maintainer - -------- RELEASE COORDINATED BY ---------------------------------------------- * Michael Hess [8], Greg Knaddison [9] and Ben Jeavons [10] of the Drupal Security Team - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/bot_alarm [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/bot_alarm [4] http://drupal.org/node/1265642 [5] http://drupal.org/project/bot_alarm [6] http://drupal.org/user/199303 [7] http://drupal.org/user/737486 [8] http://drupal.org/user/102818 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/91990 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration _______________________________________________ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBTl7bpO4yVqjM2NGpAQKU8Q//QYkYccbuO3okFVj3uSdkxBe9Ehzawgsh pP97HJk6WdEXYoNA/4E53qnaC/Wf2trzeStKCMw6YXHJpMMIDTc8IUa0yP3cENAV pPSZ5Of7hMAB4siyt2qKSjFAUc3YB0cAizaNv1eBVQezDjCNxB2HtZp/e71nQdBx zn2YZQANX0RBUHXnJBjmukUf0b7iO37w+SGcqFz/gC1hanOQbD1Kf9LxpxEjaN8l R01aV3Z8kSRxVVQMu88ho1BbUIqvhn7Y/NLt0L3WEVJMfFRGOz8/UL8h8ReR5LYe 4WSs3bQhd+mFkOjTDDoiXx42E1Nc6EBkXbyoHez9BGbeUI9FrI6R4tigO39rw+wM rHDlExh/Ea5OKJvtN2HPqC6T3Df3g1d9HPMduKA5u8KRcyEx7L0MKAAqQvOZIQYJ dFNxg/ZplhJuvexIK+C/QWSbOJRwWuIXFipCGFj5YPNVwfVzC3ye4ZqfLZb4BA8X 5XkmGestOdhRiQdBmDZNTKpt4VRfFlQg9/MZ6H6xmEcYkX8uN3hr74Qj2slkSTzt UntSibTZzaAC/TlvCjX+1SHuke3ZMxsf61F63giTs3YJgX3foMzuQgbB89cphH+2 eQi9yJXvF/+5nn+b3w5DgD/pCEdst9/BxAB/gfh8I8u8dZGkB+gLaLmPnZkc906X Nbpvj0YjDV8= =etxT -----END PGP SIGNATURE-----